CAR and VPN

infomil
Level 1

Hello,

I am trying to implement CAR to limit the bandwidth used by specific traffic in an IPSec tunnel between two 878 routers over SDSL.

I specify an access-list and use the rate-limit command under the Dialer 1 interface.

The problem is that the Dialer 1 interface also has the crypto map command, and I think that the rate-limit command cannot work because the traffic is already encrypted when the rate-limit command is applied.

Is there a solution to my problem?

Thanks.

1 Reply

mheusinger
Level 10

Hello,

you should have a look at the qos pre-classify feature. Basically the router "remembers" the original - unencrypted - header and can match based on this info. Unfortunately this is not supported by CAR, afaik. You would have to use class-based shaping, which is the better option anyhow IMHO.

An example config could be something like:

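ip cef
!
! Classes are matched against the original (pre-encryption) header
class-map match-all Limit1
 match access-group 101
class-map match-all Limit2
 match protocol ftp
!
policy-map RateLimit
 class Limit1
  shape average 100000
 class Limit2
  shape average 64000
!
! 10 is an example sequence number; use the entry number of your own crypto map
crypto map MySec 10 ipsec-isakmp
 qos pre-classify
!
interface Dialer1
 service-policy output RateLimit
!
access-list 101 permit tcp 10.1.1.0 0.0.0.255 any eq 80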

For further reading I would recommend you "Configuring QoS for Virtual Private Networks"

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800c75d3.html

Hope this helps! Please rate all posts.

Regards, Martin
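
An added example, not part of the original thread and not Cisco tooling: a Python audit of a saved IOS configuration that flags interfaces where an output service-policy sits on a crypto-map interface whose crypto map entries lack qos pre-classify, and where CAR (rate-limit output) is used on such an interface, which the reply above says pre-classify does not cover. The sample configuration and the finding labels are constructed for illustration.

```python
import re
# Constructed sample config for this example (not from the thread).
SAMPLE_CONFIG = """\
crypto map MySec 10 ipsec-isakmp
crypto map Fixed 10 ipsec-isakmp
 qos pre-classify
!
interface Dialer1
 crypto map MySec
 rate-limit output access-group 101 96000 16000 16000 conform-action transmit exceed-action drop
 service-policy output RateLimit
!
interface Dialer2
 crypto map Fixed
 service-policy output RateLimit
"""

def parse_stanzas(text):
    """Group config lines into (header, [sub-commands]) using IOS indentation."""
    stanzas = []
    for line in text.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if not line.startswith(" "):
            stanzas.append((line.strip(), []))
        elif stanzas:
            stanzas[-1][1].append(line.strip())
    return stanzas

def audit(text):
    """Return (interface, finding) pairs for output QoS applied after encryption."""
    stanzas = parse_stanzas(text)
    entries = {}  # crypto map name -> one bool per entry: has "qos pre-classify"?
    for header, subs in stanzas:
        m = re.match(r"crypto map (\S+) \d+", header)
        if m:
            entries.setdefault(m.group(1), []).append("qos pre-classify" in subs)
    findings = []
    for header, subs in stanzas:
        maps = [s.split()[2] for s in subs if s.startswith("crypto map ")]
        if not header.startswith("interface ") or not maps:
            continue
        name = header.split()[1]
        if any(s.startswith("rate-limit output") for s in subs):
            findings.append((name, "car-on-crypto-interface"))
        if any(s.startswith("service-policy output") for s in subs):
            findings += [(name, "missing-pre-classify:" + cm) for cm in maps
                         if not all(entries.get(cm, [False]))]
    return findings
```

Calling audit() on the text of a saved running configuration returns an empty list when every crypto map entry bound to a shaped interface carries qos pre-classify and no output CAR is present.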
