Solved

Bandwidth Throttling over Site-to-Site VPN

Posted on 2014-12-23
Last Modified: 2015-01-12
I have two offices, and both offices have a 100M internet circuit.  The topology of both networks is identical, and I attached a network diagram.  I want to use 50M of each circuit for transferring some SQL backups from office 1 to office 2. These two offices do have a site-to-site VPN configured between them on the ASA5520s.  How would I limit the VPN traffic between these two sites to ensure I never went over 50M when transferring these SQL backups?  Would this be done on the ASA or my Cisco router that connects to the ISP?  Thanks.

Network Diagram
0
Comment
Question by:denver218
7 Comments
 
LVL 11

Expert Comment

by:rharland2009
ID: 40514907
The ASAs support traffic shaping/LLQ/policing, so you can do it there.
I believe policing will be the option you want (to ensure that the VPN pipe never exceeds a certain amount of BW).


Check this out:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/conns_qos.html
0
 
LVL 57

Accepted Solution

by:
Pete Long earned 2000 total points
ID: 40515602
Yes, it's pretty simple. Here's me doing the same for public traffic; you would just specify the source and destination IP in the ACL you use in your class-map:
Cisco ASA 5500 - Throttling (Rate Limiting) Traffic



Pete
0
 
LVL 4

Author Comment

by:denver218
ID: 40533696
Thanks.  Sorry I didn't reply sooner, I've been pulled away working on other things.  So I would configure rate-limiting on both sides on the ASA firewalls, correct?  What I wasn't sure about was if I should configure rate limiting on the 3750-12G, which is my core switch and has all VLANs configured on.   In my diagram above, where you see the three 3560G-48 LAN switches, one of those is on VLAN 30.  VLAN 30 traffic is where the SQL dumps are that will be transferred over the VPN to the other location.  Do I need to configure rate-limiting here as well, or just the ASA?
0
LVL 57

Expert Comment

by:Pete Long
ID: 40533716
Just the ASA on both sides :)
0
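The approach from the accepted answer, sketched as an added example (not part of the original thread or the linked article): an ACL naming the backup source and destination feeds a class-map, and a policy-map polices that class to 50 Mbit/s on the ASA's outside interface. The subnets, object names, the interface name `outside` and the burst size are assumptions, since the thread gives none of them.

```cisco
! Added example for office 1's ASA. Subnets, names and burst size are
! assumptions, not values from the thread.
!   10.1.30.0/24 = office 1 VLAN 30 (SQL backup source)  - placeholder
!   10.2.30.0/24 = office 2 backup destination subnet    - placeholder

! Match only the backup traffic by source and destination IP,
! as the accepted answer describes.
access-list ACL-SQL-BACKUP extended permit ip 10.1.30.0 255.255.255.0 10.2.30.0 255.255.255.0

class-map CM-SQL-BACKUP
 match access-list ACL-SQL-BACKUP

! police takes the rate in bits per second and the burst in bytes.
! 50000000 bps = 50 Mbit/s. Traffic above the rate is dropped, not queued,
! so the backup's TCP sessions back off to stay under the limit.
policy-map PM-OUTSIDE
 class CM-SQL-BACKUP
  police output 50000000 2500000 conform-action transmit exceed-action drop

! Only one service-policy can be attached per interface. If "outside"
! already has one, add the class above to that policy-map instead.
service-policy PM-OUTSIDE interface outside

! Office 2's ASA gets the mirror image: swap source and destination
! in the ACL and apply the same class-map, policy-map and service-policy.

! Verify during a backup run: the conformed and exceeded counters
! for the class should increment.
show service-policy interface outside
```

All other traffic, VPN or otherwise, falls outside the class and is not policed, so the remaining 50M of each circuit stays available to it.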
 
LVL 1

Expert Comment

by:skipskip
ID: 40543830
Completely off topic, but there is absolutely no redundancy, with single points of failure on every link in your network!

Have a read of this
http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Campus/campover.html
0
 
LVL 4

Author Comment

by:denver218
ID: 40544533
skipskip - Yes, your comment was completely off topic.  Thanks for pointing out the obvious :)  It was designed like this on purpose, and there are procedures in place for link failure.   If zero downtime was absolutely critical at these locations, well, a different design approach would have been taken.  Please stay on topic next time.
0
 
LVL 4

Author Closing Comment

by:denver218
ID: 40544534
Thanks.  This was the solution I used.
0
