11-28-2009 09:41 AM - edited 03-04-2019 06:49 AM
Hi, is it possible to limit traffic in an IPSec point-to-point tunnel? I have a 4Mbps link and I want to limit 2Mbps to the VPN tunnel and the other 2Mbps for general Internet traffic. Can it be done? Please give me some examples.
11-28-2009 11:25 AM
Hi, is it possible to limit traffic in an IPSec point-to-point tunnel? I have a 4Mbps link and I want to limit 2Mbps to the VPN tunnel and the other 2Mbps for general Internet traffic. Can it be done? Please give me some examples.
Which device and IOS ?
Jon
11-28-2009 06:18 PM
This is a 1760 router, IOS 12.4, running
c1700-advipservicesk9-mz.124-13b.bin
11-29-2009 02:46 AM
Something like this:
Interface
rate-limit input access-group 100 2000000 2400 2400 conform-action transmit exceed-action drop
rate-limit output access-group 200 2000000 2400 2400 conform-action transmit exceed-action drop
ip access-list extended 100
permit esp host
permit ahp host
ip access-list extended 200
permit esp host
permit ahp host
12-11-2009 03:05 AM
Thanks for your input. A few questions though:
In this method you need to apply it in both directions, isn't it? But I feel like applying that to two different interfaces:
rate-limit input on the inside interface
rate-limit output on the outside interface
Otherwise packets enter the router and then get dropped at the inside interface, isn't it?
And, in this method, I can rate limit, let's say, the Internet-bound traffic to 3Mbps and then automatically I have reserved 1Mbps for VPN tunnel traffic, is that correct?
Regards
12-11-2009 03:09 AM
I think that rate-limit (policing) will have an adverse effect as it does not buffer.
You may want to look into traffic shaping with modular qos cli instead.
12-11-2009 03:19 AM
Thanks,
And if you could give me some guidance in that direction, please.
12-11-2009 03:15 AM
Hi, I just realised that will be a bit difficult with NATing, isn't it?
How can you differentiate traffic before the NATing interface?
Or what is the best method to limit traffic to and from the Internet to users?
Regards
12-11-2009 03:18 AM
NAT traffic has private addresses that you can identify with a three-line ACL.
NAT also provides a virtual interface of optional use.
All these things are easier for a certified professional, whom I would recommend engaging for best results.
12-11-2009 03:30 AM
In this method you need to apply it in both directions, isn't it? But I feel like applying that to two different interfaces:
rate-limit input on the inside interface
rate-limit output on the outside interface
Yes, it is a good idea. This should slightly reduce the CPU load.
And, in this method, I can rate limit, let's say, the Internet-bound traffic to 3Mbps and then automatically I have reserved 1Mbps for VPN tunnel traffic, is that correct?
This is correct if your ISP guarantees you 4 Mbps bandwidth. For the best result you can use shapers instead of rate-limit.
http://www.cisco.com/en/US/docs/ios/12_0/qos/configuration/guide/qcgts.html
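An added example of the MQC shaping approach recommended above, not taken from this thread. It shapes each direction on the interface where the traffic can be classified cleanly: outbound on the WAN side (ESP/AH is already built and is not NATed), inbound on the LAN side (already decrypted and un-NATed). The interface names, the peer address 203.0.113.1 and the remote subnet 192.168.100.0/24 are placeholders.

```cisco
! --- Upload direction: WAN interface output ---
! Tunnel traffic is identifiable as ESP/AH to or from the remote peer,
! so NAT does not get in the way here. 203.0.113.1 is a placeholder peer.
ip access-list extended VPN-TUNNEL
 permit esp any host 203.0.113.1
 permit ahp any host 203.0.113.1
!
class-map match-all VPN-OUT
 match access-group name VPN-TUNNEL
!
! shape average queues excess traffic instead of dropping it (policing).
policy-map WAN-OUT
 class VPN-OUT
  shape average 2000000
 class class-default
  shape average 2000000
!
interface Serial0/0
 description WAN uplink (placeholder interface name)
 service-policy output WAN-OUT
!
! --- Download direction: LAN interface output ---
! Shaping is output-only in MQC, so inbound traffic is shaped as it leaves
! towards the LAN. Here VPN traffic is already decrypted and Internet traffic
! already translated back to private addresses, so the remote site's private
! subnet (192.168.100.0/24, placeholder) identifies the tunnel traffic.
ip access-list extended VPN-DECRYPTED
 permit ip 192.168.100.0 0.0.0.255 any
!
class-map match-all VPN-IN
 match access-group name VPN-DECRYPTED
!
policy-map LAN-OUT
 class VPN-IN
  shape average 2000000
 class class-default
  shape average 2000000
!
interface FastEthernet0/0
 description LAN (placeholder interface name)
 service-policy output LAN-OUT
```

Verify with `show policy-map interface`: the per-class queue depth and drop counters show whether traffic is being buffered as intended or the shaper queue is overflowing.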