Traffic shaping problem

Discussion in 'Cisco' started by jcharth, Apr 6, 2005.

  1. jcharth

    jcharth Guest

    Hello. It has been a few weeks since I started playing with our
    company's Cisco routers. We have a T1 router, then a PIX, and then an
    internal router. The PIX is doing the tunnels for remote locations. I
    put some traffic shaping rules on the internal router and they seem to
    be working fine. I added www traffic shaping rules to the T1 router
    and I get very few hits on the www access list. I believe the traffic
    comes in through the tunnels and VPN of the PIX and then comes out again
    from the PIX through the T1 router to the Internet as www traffic, but
    the access list hits are very few and no traffic shaping happens.
    Any ideas on how to limit the www traffic?
     
    jcharth, Apr 6, 2005
    #1

  2. :Hello. It has been a few weeks since I started playing with our
    :company's Cisco routers. We have a T1 router, then a PIX, and then an
    :internal router. The PIX is doing the tunnels for remote locations. I
    :put some traffic shaping rules on the internal router and they seem to
    :be working fine. I added www traffic shaping rules to the T1 router
    :and I get very few hits on the www access list. I believe the traffic
    :comes in through the tunnels and VPN of the PIX and then comes out again
    :from the PIX through the T1 router to the Internet as www traffic.

    That is possible, but not common.

    The PIX through 6.x software (but not the just-released 7.0
    software) has a limitation that disallows traffic going back out
    the same [logical] interface it came in on. Thus if the remote
    sites are requesting www traffic and those requests are travelling
    via VPN over the T1 to the PIX and being decapsulated there on
    the outside interface, then the PIX would refuse to forward those
    decapsulated packets to the outside interface towards the external
    WWW sites -- on the grounds that it was the same interface in
    both cases.

    There are ways around this which are sometimes implemented. One
    of the ways is to have the VPN tunnels terminate on a -different-
    interface of the PIX that is also connected to the T1 router;
    you would see multiple physical connections between the PIX and
    the router in such a case (unless T1 is connected to a switch
    which then has multiple connections to the PIX.)

    One of the other ways around it is to use PIX 6.3 and have the
    VPN tunnels terminate on a different "logical" interface than the
    default route. A "logical" interface in PIX terms is distinguished
    by an 802.1Q VLAN tag, but can use the same physical interface
    as another "logical" interface. If this work-around is used, then
    there might only be one physical connection to the T1 router, but
    the T1 router side would be configured with various "subinterfaces"
    of the physical interface, each "subinterface" placed in a different
    VLAN.
     
    Walter Roberson, Apr 6, 2005
    #2
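
A sketch of the second workaround described in post #2, added here as an example; it is not configuration from the thread or from either poster. The VLAN IDs, the interface name `vpn`, the crypto map name `remote-sites` and all addresses are constructed, and the ISAKMP policy, crypto map entries and access lists are assumed to exist already.

```cisco
! --- T1 router (IOS): one physical port, two 802.1Q subinterfaces ---
interface FastEthernet0/0
 no ip address
!
interface FastEthernet0/0.10
 description default-route segment to PIX "outside"
 encapsulation dot1Q 10
 ip address 192.0.2.1 255.255.255.248
!
interface FastEthernet0/0.20
 description VPN-termination segment to PIX "vpn"
 encapsulation dot1Q 20
 ip address 192.0.2.9 255.255.255.248
!
: --- PIX 6.3: same physical port, second logical interface on VLAN 20 ---
interface ethernet0 auto
interface ethernet0 vlan10 physical
interface ethernet0 vlan20 logical
nameif ethernet0 outside security0
nameif vlan20 vpn security10
ip address outside 192.0.2.2 255.255.255.248
ip address vpn 192.0.2.10 255.255.255.248
: Default route stays on "outside"; the remote peer (constructed
: 198.51.100.10) and its LAN (constructed 10.20.0.0/24) are reached
: through "vpn".
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
route vpn 198.51.100.10 255.255.255.255 192.0.2.9 1
route vpn 10.20.0.0 255.255.255.0 192.0.2.9 1
: Tunnels terminate on "vpn", so decapsulated www requests enter on "vpn"
: and leave on "outside": two different logical interfaces.
crypto map remote-sites interface vpn
isakmp enable vpn
: Translate the remote LAN when it goes out to the Internet.
nat (vpn) 1 10.20.0.0 255.255.255.0
global (outside) 1 interface
```

On the T1 router, traffic to and from the `vpn` address is IPsec and will not match a TCP port 80 access list; only the translated traffic leaving through `outside` does.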

  3. jcharth

    jcharth Guest

    Thanks Walter. I think I got around the problem: I enabled traffic
    shaping in all remote routers. I have a few more to go; so far it seems
    to be doing the job.
     
    jcharth, Apr 7, 2005
    #3