Rate limit on an IPsec Tunnel

asoka (Level 1)

Hi, is it possible to limit traffic in an IPsec point-to-point tunnel? I have a 4 Mbps link and I want to limit the VPN tunnel to 2 Mbps and leave the other 2 Mbps for general Internet traffic. Can it be done? Please give me some examples.

2 Accepted Solutions (both reproduced in the replies below)

9 Replies

Jon Marshall (Hall of Fame)

asoka@people.net.au wrote:

Hi, is it possible to limit traffic in an IPsec point-to-point tunnel? I have a 4 Mbps link and I want to limit the VPN tunnel to 2 Mbps and leave the other 2 Mbps for general Internet traffic. Can it be done? Please give me some examples.

Which device and IOS?

Jon

This is a 1760 router, IOS 12.4, running

c1700-advipservicesk9-mz.124-13b.bin

Eugene Khabarov (Level 7)

Something like this:

! Committed access rate (CAR) policing on the Internet-facing interface.
! The post gave no interface name or peer addresses: <OUTSIDE>, <LOCAL-PEER>
! and <REMOTE-PEER> are placeholders for the WAN interface and the two
! IPsec endpoints.
interface <OUTSIDE>
 ! inbound tunnel traffic (matched by ACL 100), 2 Mbps, 2400-byte bursts
 rate-limit input access-group 100 2000000 2400 2400 conform-action transmit exceed-action drop
 ! outbound tunnel traffic (matched by ACL 200), 2 Mbps, 2400-byte bursts
 rate-limit output access-group 200 2000000 2400 2400 conform-action transmit exceed-action drop
!
! ESP (IP protocol 50) and AH (IP protocol 51) arriving from the remote peer
ip access-list extended 100
 permit esp host <REMOTE-PEER> host <LOCAL-PEER>
 permit ahp host <REMOTE-PEER> host <LOCAL-PEER>
!
! ESP and AH leaving towards the remote peer
ip access-list extended 200
 permit esp host <LOCAL-PEER> host <REMOTE-PEER>
 permit ahp host <LOCAL-PEER> host <REMOTE-PEER>

Thanks for your input. A few questions though:

In this method you need to apply it in both directions, isn't it? But I feel like applying it to two different interfaces:

rate-limit input on the inside interface

rate-limit output on the outside interface

Otherwise packets enter the router and are then dropped at the inside interface, isn't it?

And in this method I can rate-limit, let's say, the Internet-bound traffic to 3 Mbps, and then automatically I have reserved 1 Mbps for the VPN tunnel traffic. Is that correct?

Regards

I think that rate-limit (policing) will have an adverse effect as it does not buffer.

You may want to look into traffic shaping with the modular QoS CLI instead.

Thanks.

And if you could give me some guidance in that direction, please.

Hi, I just realised that this will be a bit difficult with NATing, isn't it?

How can you differentiate traffic before the NATing interface?

Or what is the best method to limit traffic to and from the Internet to users?

Regards

NAT traffic has private addresses that you can identify with a three-line ACL.

NAT also provides a virtual interface, which is optional to use.

All these things are easier for a certified professional, whom I would recommend engaging for best results.

In this method you need to apply it in both directions, isn't it? But I feel like applying it to two different interfaces:

rate-limit input on the inside interface

rate-limit output on the outside interface

Yes, it is a good idea. This should slightly reduce the CPU load.

And in this method I can rate-limit, let's say, the Internet-bound traffic to 3 Mbps, and then automatically I have reserved 1 Mbps for the VPN tunnel traffic. Is that correct?

This is correct if your ISP guarantees you 4 Mbps of bandwidth. For the best result you can use shapers instead of rate-limit.

http://www.cisco.com/en/US/docs/ios/12_0/qos/configuration/guide/qcgts.html
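An added example of the shaping approach suggested above (it is not configuration from the thread or from any of its posters): a modular QoS CLI policy on the Internet-facing interface that shapes tunnel traffic and everything else to 2 Mbps each, in place of the rate-limit lines. The interface name <OUTSIDE> and the <LOCAL-PEER>/<REMOTE-PEER> addresses are assumed placeholders, since the thread names neither.

```cisco
! Added example, not from the thread. <OUTSIDE>, <LOCAL-PEER> and
! <REMOTE-PEER> are placeholders for the WAN interface and the two
! IPsec endpoints.
!
! Encrypted tunnel traffic leaving the router: ESP/AH from the local
! IPsec endpoint to the remote peer, plus IKE control traffic. The
! policy on the physical interface sees packets after encryption, so
! matching the outer header works without "qos pre-classify", and
! inside-to-outside NAT does not affect the match.
ip access-list extended VPN-TUNNEL
 permit esp host <LOCAL-PEER> host <REMOTE-PEER>
 permit ahp host <LOCAL-PEER> host <REMOTE-PEER>
 permit udp host <LOCAL-PEER> host <REMOTE-PEER> eq isakmp
 permit udp host <LOCAL-PEER> host <REMOTE-PEER> eq non500-isakmp
!
class-map match-any VPN
 match access-group name VPN-TUNNEL
!
! One 2 Mbps shaper per class. Excess packets are queued and released
! at the shaped rate instead of being dropped, which is the difference
! from rate-limit raised earlier in the thread: TCP inside the tunnel
! slows down from delay rather than from loss.
policy-map SPLIT-4M
 class VPN
  shape average 2000000
 class class-default
  shape average 2000000
!
interface <OUTSIDE>
 service-policy output SPLIT-4M
!
! Check the per-class offered rate, shaped rate and queue depth with:
! show policy-map interface <OUTSIDE>
```

Shaping only works in the output direction. Traffic coming down from the Internet has already crossed the 4 Mbps link by the time the router sees it, so the download side can only be policed (as with the rate-limit input line above) or controlled on the ISP side. If a strict 2/2 split is not required, a single 4 Mbps parent shaper with a child policy using bandwidth remaining percent lets either class borrow idle capacity; that variant is not shown here.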
