Rate limit on an IPsec tunnel

Answered Question

Hi, is it possible to limit traffic in an IPsec point-to-point tunnel? I have a 4 Mbps link and I want to limit the VPN tunnel to 2 Mbps and leave the other 2 Mbps for general Internet traffic. Can it be done? Please give me some examples.

Correct Answer
Eugene Khabarov Sun, 11/29/2009 - 02:46

Something like this:

interface
 ! (apply on the interface that carries the traffic; the name is omitted in the original)
 ! rate is in bits per second (2000000 = 2 Mbps); burst-normal and burst-max are in bytes
 rate-limit input access-group 100 2000000 2400 2400 conform-action transmit exceed-action drop
 rate-limit output access-group 101 2000000 2400 2400 conform-action transmit exceed-action drop

! extended IP ACLs must be numbered 100-199 or 2000-2699; 200 is not a valid
! extended ACL number in IOS, so the second list is 101 here
ip access-list extended 100
 ! ESP (IP protocol 50) and AH (IP protocol 51); the two tunnel endpoint
 ! addresses follow each host keyword
 permit esp host host
 permit ahp host host

ip access-list extended 101
 permit esp host host
 permit ahp host host
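
The same rate-limit (CAR) approach written out in full, as an added example that is not part of Eugene's post. The interface name FastEthernet0/0 and the <local-peer>/<remote-peer> addresses are placeholders to replace. The burst values follow Cisco's published CAR sizing guideline instead of the 2400 used above, because both burst arguments of rate-limit are in bytes, not bits, and a bucket that small drops back-to-back packets long before the flow averages 2 Mbps.

```cisco
! Added example, not from the original post. Placeholders: FastEthernet0/0,
! <local-peer> (this router's tunnel address), <remote-peer> (the far end).
!
! rate-limit {input|output} access-group <acl> <bps> <normal-burst> <extended-burst> ...
! Both burst arguments are in BYTES. Cisco's CAR guideline:
!   normal burst   = bps / 8 * 1.5 s = 2000000 / 8 * 1.5 = 375000 bytes
!   extended burst = 2 * normal burst = 750000 bytes
!
! ACL 100: encrypted traffic we send to the peer (ESP = IP protocol 50, AH = 51),
! plus IKE (UDP/500) and NAT-T (UDP/4500) so rekeys and keepalives share the budget.
ip access-list extended 100
 permit esp host <local-peer> host <remote-peer>
 permit ahp host <local-peer> host <remote-peer>
 permit udp host <local-peer> host <remote-peer> eq isakmp
 permit udp host <local-peer> host <remote-peer> eq non500-isakmp
!
! ACL 101: the same traffic arriving from the peer.
ip access-list extended 101
 permit esp host <remote-peer> host <local-peer>
 permit ahp host <remote-peer> host <local-peer>
 permit udp host <remote-peer> host <local-peer> eq isakmp
 permit udp host <remote-peer> host <local-peer> eq non500-isakmp
!
interface FastEthernet0/0
 description Outside (Internet), 4 Mbps service
 ! Outbound: the only direction the router really controls. Packets are already
 ! ESP/AH at this point because encryption happens before output QoS on the
 ! physical interface (unless qos pre-classify is configured).
 rate-limit output access-group 100 2000000 375000 750000 conform-action transmit exceed-action drop
 ! Inbound: these bytes have already crossed the 4 Mbps link, so dropping them
 ! only helps indirectly, by making TCP sessions inside the tunnel back off.
 rate-limit input access-group 101 2000000 375000 750000 conform-action transmit exceed-action drop
```

Check the result with `show interfaces FastEthernet0/0 rate-limit`, which lists conformed and exceeded packet and byte counters per policer; an exceeded counter that climbs while the tunnel is well under 2 Mbps is the symptom of an undersized burst.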

Thanks for your input. A few questions though:

In this method you need to apply it in both directions, isn't it? But I feel like applying it to two different interfaces:

rate-limit input on the inside interface

rate-limit output on the outside interface

Otherwise the packet enters the router and is then dropped at the inside interface, isn't it?

And in this method I can rate-limit, let's say, the Internet-bound traffic to 3 Mbps and then automatically I have reserved 1 Mbps for the VPN tunnel traffic. Is that correct?

Regards

Correct Answer
Paolo Bevilacqua Fri, 12/11/2009 - 03:09

I think that rate-limit (policing) will have an adverse effect as it does not buffer.

You may want to look into traffic shaping with the modular QoS CLI instead.

Paolo Bevilacqua Fri, 12/11/2009 - 03:18

NAT traffic has private addresses that you can identify with a three-line ACL.

NAT also provides a virtual interface, whose use is optional.

All these things are easier for a certified professional, whom I would recommend engaging for best results.

Eugene Khabarov Fri, 12/11/2009 - 03:30

In this method you need to apply it in both directions, isn't it? But I feel like applying it to two different interfaces:

rate-limit input on the inside interface

rate-limit output on the outside interface

Yes, it is a good idea. This should slightly reduce the CPU load.

And in this method I can rate-limit, let's say, the Internet-bound traffic to 3 Mbps and then automatically I have reserved 1 Mbps for the VPN tunnel traffic. Is that correct?

This is correct if your ISP guarantees you 4 Mbps of bandwidth. For the best result you can use shapers instead of rate-limit.

http://www.cisco.com/en/US/docs/ios/12_0/qos/configuration/guide/qcgts.html
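
The shaping alternative that Paolo and Eugene point to, written out as an added example; it is not part of the thread or of the linked Cisco document. The interface name FastEthernet0/0, the class and policy names, and the <local-peer>/<remote-peer> addresses are placeholders. Two variants are shown: a hard 2 Mbps ceiling on each half of the link, which is what the question literally asks for, and a hierarchical policy that shapes the whole link to 4 Mbps and guarantees each half a minimum while letting either borrow idle capacity.

```cisco
! Added example, not from the thread or the linked document. Placeholders:
! FastEthernet0/0, <local-peer>, <remote-peer>; class/policy names are arbitrary.
!
! Shaping only acts on traffic this router transmits. What arrives from the
! Internet is paced by the far end and the ISP, not by this policy.
!
ip access-list extended 100
 permit esp host <local-peer> host <remote-peer>
 permit ahp host <local-peer> host <remote-peer>
 permit udp host <local-peer> host <remote-peer> eq isakmp
 permit udp host <local-peer> host <remote-peer> eq non500-isakmp
!
class-map match-all IPSEC-TUNNEL
 ! Classified after encryption on the physical interface, so ESP/AH is visible
 ! here (with qos pre-classify you would match the inner headers instead).
 match access-group 100
!
! Variant A: a hard 2 Mbps ceiling on each half of the 4 Mbps link. Excess is
! queued and released at the shaped rate rather than dropped on the first burst.
policy-map WAN-SPLIT-HARD
 class IPSEC-TUNNEL
  shape average 2000000
 class class-default
  shape average 2000000
!
! Variant B: shape everything to the 4 Mbps the ISP guarantees, then give each
! class half of that as a guaranteed minimum. Either class may use the other's
! idle share, so an idle tunnel does not strand 2 Mbps.
policy-map WAN-CHILD
 class IPSEC-TUNNEL
  bandwidth remaining percent 50
 class class-default
  bandwidth remaining percent 50
policy-map WAN-SHAPE-4M
 class class-default
  shape average 4000000
  service-policy WAN-CHILD
!
interface FastEthernet0/0
 description Outside (Internet), 4 Mbps service
 ! Only one outbound service policy per interface: pick A or B.
 service-policy output WAN-SPLIT-HARD
 ! service-policy output WAN-SHAPE-4M
```

Verify with `show policy-map interface FastEthernet0/0`, which shows per-class offered rate, shaper queue depth and drops. If the IPSEC-TUNNEL counters stay at zero while the tunnel is busy, the ACL peers are wrong or qos pre-classify is hiding the ESP header. If the ISP polices the circuit at exactly 4 Mbps, shape Variant B a little below it (for example 3800000) so the ISP's policer never fires and the queueing decisions stay on this router.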
