Configuration Guide
Configuring Group Bandwidth Management with IPSec Easy VPN
Figure 1: Network Diagram

Introduction
This document describes the Group Bandwidth Management configuration, which demonstrates how a system administrator sets a QoS service policy for groups. The system administrator specifies QoS parameters that are available for a group. Examples of the parameters are minimum bandwidth, traffic shaping, and the number of users admitted in a group. The system administrator administers the IP addresses allocated in the dynamic address pool, and then manages QoS for the group with a service policy. This scenario is applicable to the IPsec configuration with Easy VPN.
Prerequisites
The sample configuration is based on the following assumptions:
Components Used
The sample configuration uses the following release of the software and hardware:
Figure 1 illustrates the network for the sample configuration.
The information presented in this document was created from devices in a specific lab environment. All of the devices started with a cleared (default) configuration. If you are working in a live network, it is imperative to understand the potential impact of any command before implementing it.
Group Bandwidth Configurations
The bandwidth policy is applied to each group, and users within a group share the service policy applied to the group. The sample configuration applies the service policy in the outbound direction of the interface.
Identify Users
Users are identified by their IP addresses. In an Easy VPN configuration, the addresses are dynamically allocated from an address pool. Each group needs to have a different address pool. An ACL that matches the address range of a pool identifies the members of that group.
Forwarding QoS
Using policy-maps, the administrator can set the forwarding characteristics. The QoS policy supports configuring minimum bandwidth, policing, traffic shaping, weighted random early detection (WRED), low latency queuing, and marking of the packets. Users within a group share a specific service policy map. The sample configuration enables specific minimum bandwidth and traffic shaping for the groups.
Maximum Users in a Group
To limit the maximum number of connections in each group, configure the IP address pool with the required number of IP addresses. When all addresses in the pool are allocated, the connection to the Easy VPN Server fails during security policy negotiations, causing the Easy VPN client connection to fail or to try another Easy VPN Server if it is configured to do so.
Access Hours
Using the time-range option in the ACL, the router can activate a time range during which bandwidth management is allowed for a particular group. ACLs are applied based on the time of day, and a group member receives the desired QoS while the time range is active.
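The following IOS fragment is an added example, not the configuration from the original document, showing how the pool, ACL, class-map, policy-map and time-range pieces described above fit together. The addresses, the 0.0.0.3 wildcard, the time-range name timename, the policy-map name groupbwm, the 100 kbps bandwidth and interface Ethernet 3/4 come from the verification output on this page; group, pool and class names, ACL numbers, keys, the time-range hours and the shape peak form of the shaping command are assumptions, and the rest of the Easy VPN server (AAA, ISAKMP policy, crypto map) is assumed to be configured already.

```cisco
! Added example. Names group1-3, pool1-3, bwm1-3, ACL numbers 101-103,
! the key placeholders and the time-range hours are hypothetical.
!
! One pool per group; 4 addresses per pool caps each group at 4 users.
ip local pool pool1 10.0.149.232 10.0.149.235
ip local pool pool2 10.0.149.236 10.0.149.239
ip local pool pool3 10.0.149.240 10.0.149.243
!
! Bind each Easy VPN group to its own pool.
crypto isakmp client configuration group group1
 key <group1-preshared-key>
 pool pool1
crypto isakmp client configuration group group2
 key <group2-preshared-key>
 pool pool2
crypto isakmp client configuration group group3
 key <group3-preshared-key>
 pool pool3
!
! Access hours for group3 (hours are hypothetical).
time-range timename
 periodic weekdays 8:00 to 18:00
!
! Wildcard 0.0.0.3 covers exactly the 4 addresses of each pool.
access-list 101 permit ip any 10.0.149.232 0.0.0.3
access-list 102 permit ip any 10.0.149.236 0.0.0.3
access-list 103 permit ip any 10.0.149.240 0.0.0.3 time-range timename
!
class-map match-all bwm1
 match access-group 101
class-map match-all bwm2
 match access-group 102
class-map match-all bwm3
 match access-group 103
!
! 100 kbps minimum per group. "shape peak 1000000" is an assumption chosen
! to agree with Target/Average Rate 2000000/1000000 in the show output.
policy-map groupbwm
 class bwm1
  bandwidth 100
  shape peak 1000000
 class bwm2
  bandwidth 100
  shape peak 1000000
 class bwm3
  bandwidth 100
  shape peak 1000000
!
interface Ethernet3/4
 service-policy output groupbwm
```

While the time range is inactive, the entry in ACL 103 does not match, so traffic to the third pool falls into class-default and receives no group guarantee.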
Cisco 7200 Easy VPN Router Configuration
Verifying the Results
This section provides information you can use to confirm that your configuration is working properly.
permit ip any 10.0.149.232 0.0.0.3 (2422 matches)
permit ip any 10.0.149.236 0.0.0.3 (1023 matches)
permit ip any 10.0.149.240 0.0.0.3 time-range timename (active)
To verify the actual traffic within each pool, use the following command:
7200-3#sh policy-map int ether 3/4
Service-policy output: groupbwm
30 second offered rate 395000 bps, drop rate 0 bps
Output Queue: Conversation 265
Bandwidth 100 (kbps) Max Threshold 64 (packets)
(pkts matched/bytes matched) 2323/2852226
(depth/total drops/no-buffer drops) 0/0/0
Target/Average Byte Sustain Excess Interval Increment
Rate Limit bits/int bits/int (ms) (bytes)
2000000/1000000 6250 25000 25000 25 6250
Adapt Queue Packets Bytes Packets Bytes Shaping
Active Depth Delayed Delayed Active
- 0 7584 9151836 2311 2842050 no
30 second offered rate 0 bps, drop rate 0 bps
Output Queue: Conversation 266
Bandwidth 100 (kbps) Max Threshold 64 (packets)
(pkts matched/bytes matched) 0/0
(depth/total drops/no-buffer drops) 0/0/0
Target/Average Byte Sustain Excess Interval Increment
Rate Limit bits/int bits/int (ms) (bytes)
2000000/1000000 6250 25000 25000 25 6250
Adapt Queue Packets Bytes Packets Bytes Shaping
Active Depth Delayed Delayed Active
30 second offered rate 0 bps, drop rate 0 bps
Output Queue: Conversation 267
Bandwidth 100 (kbps) Max Threshold 64 (packets)
(pkts matched/bytes matched) 0/0
(depth/total drops/no-buffer drops) 0/0/0
Target/Average Byte Sustain Excess Interval Increment
Rate Limit bits/int bits/int (ms) (bytes)
2000000/1000000 6250 25000 25000 25 6250
Adapt Queue Packets Bytes Packets Bytes Shaping
Active Depth Delayed Delayed Active
Class-map: class-default (match-any)
30 second offered rate 0 bps, drop rate 0 bps
Match: any 476 packets, 382748 bytes
30 second offered rate 0 bps, drop rate 0 bps
Troubleshooting the Configuration
Certain show commands are supported by the Output Interpreter Tool (registered customers only), which analyzes show command output.
Note: Before issuing debug commands, see Important Information about Debug Commands.
- debug crypto isakmp—Displays errors during Phase 1.
- debug crypto ipsec—Displays errors during Phase 2.
- debug crypto engine—Displays information from the crypto engine.
- debug ip your routing protocol—Displays information about routing transactions of your routing protocol.
- clear crypto connection connection-id [slot | rsm | vip]—Terminates an encrypted session currently in progress. Encrypted sessions normally terminate when the session times out. Use the show crypto cisco connections command to see the connection-id value.
- clear crypto isakmp—Clears the Phase 1 security associations.
- clear crypto sa—Clears the Phase 2 security associations.