traffic shaping problem

Hello. It has been a few weeks since I started playing with our company's Cisco routers. We have a T1 router, then a PIX, and then an internal router. The PIX is doing the tunnels for remote locations. I put some traffic shaping rules on the internal router and they seem to be working fine. I added a www traffic shaping rule to the T1 router and I get very few hits on the www access list. I believe the traffic comes in through the tunnels and VPN of the PIX and then comes out again from the PIX through the T1 router to the internet as www traffic, but the access list hits are very few, and no traffic shaping happens. Any ideas on how to limit the www traffic?

Reply to
jcharth

In article , wrote:
:Hello. It has been a few weeks since I started playing with our
:company's Cisco routers. We have a T1 router, then a PIX, and then an
:internal router. The PIX is doing the tunnels for remote locations. I
:put some traffic shaping rules on the internal router and they seem to
:be working fine. I added a www traffic shaping rule to the T1 router
:and I get very few hits on the www access list. I believe the traffic
:comes in through the tunnels and VPN of the PIX and then comes out again
:from the PIX through the T1 router to the internet as www traffic.

That is possible, but not common.

The PIX through 6.x software (but not the just released 7.0 software) has a limitation that disallows traffic going back out the same [logical] interface it came in on. Thus if the remote sites are requesting www traffic and those requests are travelling via VPN over the T1 to the PIX and being decapsulated there on the outside interface, then the PIX would refuse to forward those decapsulated packets to the outside interface towards the external WWW sites -- on the grounds that it was the same interface in both cases.

There are ways around this which are sometimes implemented. One of the ways is to have the VPN tunnels terminate on a -different- interface of the PIX that is also connected to the T1 router; you would see multiple physical connections between the PIX and the router in such a case (unless the T1 router is connected to a switch which then has multiple connections to the PIX.)

One of the other ways around it is to use PIX 6.3 and have the VPN tunnels terminate on a different "logical" interface than the default route. A "logical" interface in PIX terms is distinguished by an 802.1Q VLAN tag, but can use the same physical interface as another "logical" interface. If this work-around is used, then there might only be one physical connection to the T1 router, but the T1 router side would be configured with various "subinterfaces" of the physical interface, each "subinterface" placed in a different VLAN.

Reply to
Walter Roberson
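The VLAN subinterface workaround Walter describes, together with www shaping on the T1 router, as an added example configuration (not from the thread and not a vendor reference config; interface names, VLAN IDs, addresses and the shaping rate are assumed, and applying `traffic-shape group` on a dot1Q subinterface is assumed to be supported by the IOS release in use):

```cisco
! --- T1 router (Cisco IOS), added example configuration ---
! Assumed layout: FastEthernet0/0 is the port toward the PIX.
!   VLAN 10 = PIX outside interface (its default route points here)
!   VLAN 20 = PIX "logical" interface where remote-site VPN tunnels terminate
! Addresses, VLAN IDs and the 256 kbit/s rate are placeholders.
!
! Note on the access-list hit count: tunnel traffic arriving over the T1
! is ESP / ISAKMP, so it never matches a www ACL.  Plain www packets only
! appear on this router after the PIX has decapsulated them and hairpinned
! them back out via VLAN 10, which the single-interface PIX setup refused.
!
access-list 101 remark www requests out to the Internet
access-list 101 permit tcp any any eq www
access-list 101 remark www responses back toward the PIX
access-list 101 permit tcp any eq www any
!
interface FastEthernet0/0
 no ip address
!
interface FastEthernet0/0.10
 description PIX outside interface (default route)
 encapsulation dot1Q 10
 ip address 192.0.2.1 255.255.255.252
 ! shaping acts on outbound traffic, so www responses heading to the
 ! PIX (and on to the remote sites) are limited here
 traffic-shape group 101 256000 8000 8000
!
interface FastEthernet0/0.20
 description PIX logical interface terminating remote-site VPN tunnels
 encapsulation dot1Q 20
 ip address 192.0.2.5 255.255.255.252
!
interface Serial0/0
 description T1 to the Internet
 ip address 198.51.100.2 255.255.255.252
 ! www requests leaving toward the Internet
 traffic-shape group 101 256000 8000 8000
!
! Verification (exec mode): the match counters should now climb for
! both ACL entries, and the shaper should report queued/delayed packets.
!   show access-lists 101
!   show traffic-shape statistics
```

If `show access-lists 101` still shows near-zero matches after the change, the www traffic is not transiting this router at all, and the shaping will have to live wherever it does transit, for example on the remote routers as the original poster ended up doing.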

Thanks Walter, I think I got around the problem. I enabled traffic shaping on all remote routers; I have a few more to go, but so far it seems to be doing the job.

Reply to
jcharth
