MPLS VPN and Policing

Unanswered Question
Feb 6th, 2003

Hi there, I have a question regarding MPLS VPN and Policing. Assume you have an RFC2547 VPN for a customer with 3 locations. Let's assume the Central location has a 100 MBit connection to the PE and the two other locations (loc1 and loc2) have an E3 each. We are running eBGP between all PEs and CEs. So far so good, but how can you rate-limit the input from the Central site at the connected PE towards loc1 and loc2 to 45 MBit each? To my knowledge, CAR and MQC only allow rate limiting for traffic described by access-lists. However, that is not sufficient, as the destination networks might change at any time (dynamic routing inside the VPN). Any ideas?

Would Policy propagation through BGP solve that? If so how?


Kind regards


Martin

mazhar71 Sun, 02/16/2003 - 23:14

Hi,

Considering that you have only 3 sites, maybe you can use a GRE tunnel interface. Between the spoke sites, configure a tunnel interface to the hub router. Then configure it so that all packets flow through the tunnel interface while going to the spoke sites. You can use a routing protocol for this. Then put "rate limit" on these tunnel interfaces. In this way you can limit the traffic to 45Mb each.

Regards


Mazhar

I've never had the opportunity to implement QPPB for policing (yet!) but I've done similar things with MPLS-VPNs and BGP. If you're using BGP, then could you use an inbound route-map on the neighbour statement (within the vrf) to tag all incoming routes with a "Site of Origin" (SoO) community? The SoO would be different for each remote location and could be used by QPPB at the central location's PE router to mark incoming packets from the CE in QoS groups or IP precedence levels. It should be straightforward to rate-limit these appropriately.
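The classification idea in the post above, modelled in Python as an added example (not code from this thread or from Cisco, and not router configuration): routes carry a per-site SoO tag, the forwarding lookup maps the destination to a QoS group, and each group has its own 45 Mbit/s policer, so a route change moves traffic to the right policer without any access-list edit. The SoO values, prefixes, burst size and all class and function names are assumptions made for the illustration.

```python
import ipaddress

# Constructed values: SoO tags, prefixes and burst size are assumptions for illustration.
SOO_TO_GROUP = {"65000:1": 1, "65000:2": 2}    # loc1, loc2
RATE_BPS = {1: 45_000_000, 2: 45_000_000}      # one E3-sized policer per site

class Policer:
    """Single-rate token bucket; packets exceeding the rate are dropped."""
    def __init__(self, rate_bps, burst_bytes=150_000):
        self.rate, self.burst = rate_bps / 8, burst_bytes
        self.tokens, self.last = burst_bytes, 0.0
    def conforms(self, now, size):
        refill = max(0.0, now - self.last) * self.rate
        self.tokens, self.last = min(self.burst, self.tokens + refill), now
        if size > self.tokens:
            return False
        self.tokens -= size
        return True

class CentralPE:
    """Ingress PE for the central site: classifies by route tag, not by ACL."""
    def __init__(self):
        self.fib = {}                          # prefix -> QoS group, learned via BGP
        self.policers = {g: Policer(r) for g, r in RATE_BPS.items()}
    def bgp_update(self, prefix, soo):
        """Install or replace a VRF route; its SoO tag decides the QoS group."""
        self.fib[ipaddress.ip_network(prefix)] = SOO_TO_GROUP[soo]
    def qos_group(self, dst):
        """Longest-prefix match on the destination address."""
        addr = ipaddress.ip_address(dst)
        hits = [n for n in self.fib if addr in n]
        return self.fib[max(hits, key=lambda n: n.prefixlen)] if hits else None
    def forward(self, now, dst, size):
        group = self.qos_group(dst)
        return group is not None and self.policers[group].conforms(now, size)

def passed_mbit(pe, dst, offered_bps, seconds=1.0, size=1500):
    """Offer a constant-rate stream to dst and return the Mbit that got through."""
    gap, sent, passed = size * 8 / offered_bps, 0, 0
    while sent * gap < seconds:
        passed += size if pe.forward(sent * gap, dst, size) else 0
        sent += 1
    return passed * 8 / 1e6

def demo():
    pe = CentralPE()
    pe.bgp_update("10.1.0.0/16", "65000:1")
    pe.bgp_update("10.2.0.0/16", "65000:2")
    before = pe.qos_group("10.2.5.9")
    pe.bgp_update("10.2.5.0/24", "65000:1")    # a subnet moves from loc2 to loc1
    return before, pe.qos_group("10.2.5.9"), passed_mbit(pe, "10.1.0.1", 100_000_000)
```

Calling `demo()` returns the QoS group of one destination before and after a route update, plus the traffic that passes when 100 Mbit/s is offered towards loc1 for one second.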

ipotts Fri, 05/23/2003 - 00:13

Hello,


Could you please clarify the statement "However that is not sufficient, as the destination networks might change at any time (dynamic routing inside the VPN)." I can't see how destination networks can change, they should remain constant?


Regards

Ian
