Rate limit on an IPsec tunnel

Answered Question

Hi, is it possible to limit traffic in an IPsec point-to-point tunnel? I have a 4 Mbps link and I want to limit the VPN tunnel to 2 Mbps and leave the other 2 Mbps for general Internet traffic. Can it be done? Please give me some examples.


Jon Marshall Sat, 11/28/2009 - 11:25
Correct Answer
Eugene Khabarov Sun, 11/29/2009 - 02:46

Something like this:


interface
 ! rate in bps, normal and extended burst in bytes
 rate-limit input access-group 100 2000000 2400 2400 conform-action transmit exceed-action drop
 rate-limit output access-group 200 2000000 2400 2400 conform-action transmit exceed-action drop
!
ip access-list extended 100
 permit esp host host
 permit ahp host host
!
ip access-list extended 200
 permit esp host host
 permit ahp host host

Thanks for your input. A few questions, though:

In this method you need to apply it in both directions, isn't it? But I feel like applying that to two different interfaces:

rate-limit input on the inside interface

rate-limit output on the outside interface

Otherwise packets enter the router and are then dropped at the inside interface, isn't it?

And, in this method, I can rate-limit, let's say, Internet-bound traffic to 3 Mbps and then automatically I have reserved 1 Mbps for VPN tunnel traffic. Is that correct?

Regards

Correct Answer
paolo bevilacqua Fri, 12/11/2009 - 03:09

I think that rate-limit (policing) will have an adverse effect, as it does not buffer.

You may want to look into traffic shaping with modular qos cli instead.

paolo bevilacqua Fri, 12/11/2009 - 03:18

NAT traffic has private addresses that you can identify with a three-line ACL.

NAT also provides a virtual interface, which is optional to use.

All these things are easier for a certified professional, whom I would recommend engaging for best results.

Eugene Khabarov Fri, 12/11/2009 - 03:30

In this method you need to apply it in both directions, isn't it? But I feel like applying that to two different interfaces:

rate-limit input on the inside interface

rate-limit output on the outside interface

Yes, it is a good idea. This should slightly reduce the CPU load.

And, in this method, I can rate-limit, let's say, Internet-bound traffic to 3 Mbps and then automatically I have reserved 1 Mbps for VPN tunnel traffic. Is that correct?

This is correct if your ISP guarantees you 4 Mbps of bandwidth. For the best result you can use shapers instead of rate-limit.

http://www.cisco.com/en/US/docs/ios/12_0/qos/configuration/guide/qcgts.html
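Added example (editorial, not posted by anyone in this thread): the modular QoS CLI shaping approach that paolo and Eugene point to, applied to the OP's 4 Mbps link so that the IPsec tunnel and the rest of the Internet traffic each get a guaranteed 2 Mbps while still being able to borrow the other's idle share. The interface name FastEthernet0/0, the ACL, class-map, policy-map and crypto map names are all assumptions.

```ios
! Added example, not from the thread. Names are assumptions.
!
! 1. Identify the tunnel traffic as it leaves the WAN interface. After
!    encryption only ESP/AH (or UDP/4500 when NAT-T is in use) and IKE
!    packets are visible on the wire, so that is what the ACL must match.
ip access-list extended ACL-IPSEC
 permit esp any any
 permit ahp any any
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
!
class-map match-any CM-IPSEC
 match access-group name ACL-IPSEC
!
! 2. Child policy: minimum bandwidth guarantees (CBWFQ). Each class is
!    guaranteed 50% of the parent's 4 Mbps, but may use the other class's
!    share while that class is idle, which two 2 Mbps policers cannot do.
policy-map PM-WAN-CHILD
 class CM-IPSEC
  bandwidth percent 50
 class class-default
  bandwidth percent 50
!
! 3. Parent policy: shape the whole interface to the 4 Mbps the ISP
!    actually delivers, so the router (not the ISP) is the congestion
!    point and the child queues take effect. Shaping queues excess
!    packets instead of dropping them the way rate-limit does.
policy-map PM-WAN-PARENT
 class class-default
  shape average 4000000
  service-policy PM-WAN-CHILD
!
! 4. Attach outbound on the outside (WAN) interface only. Inbound packets
!    have already crossed the ISP link by the time the router sees them,
!    so the inbound split can only be enforced at the far end.
interface FastEthernet0/0
 description outside
 service-policy output PM-WAN-PARENT
!
! 5. Optional: if classes should match the cleartext headers (per
!    application inside the tunnel) rather than ESP, let QoS see the
!    packet before encryption.
crypto map CRYPTO-MAP 10 ipsec-isakmp
 qos pre-classify
```

Check it with `show policy-map interface FastEthernet0/0`: if the CM-IPSEC counters stay at zero while the tunnel is passing traffic, the ACL is not matching the encrypted stream (for example NAT-T in use but only ESP permitted), and everything is being queued as class-default. Only the parent shaper needs to change if the ISP rate differs from 4 Mbps; the percentages in the child policy follow it.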
