May 18th, 2006


I am trying to implement CAR to limit the bandwidth used by specific traffic under an IPSec tunnel between 2 878 routers over SDSL.

I specify an access-list and use the rate-limit command under the dialer 1 interface.

The problem is that the dialer 1 interface also has the crypto map command, and I think that the rate-limit command cannot work because the traffic is already encrypted when the rate-limit command is applied.

Is there a solution to my problem?


Overall Rating: 5 (1 ratings)
mheusinger Thu, 05/18/2006 - 07:57


You should have a look at the qos pre-classify feature. Basically the router "remembers" the original - unencrypted - header and can match based on this info. Unfortunately this is not supported by CAR, afaik. You would have to use class-based shaping, which is the better option anyhow IMHO.

An example config could be something like:

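ip cef
!
class-map match-all Limit1
 match access-group 101
class-map match-all Limit2
 match protocol ftp
!
policy-map RateLimit
 class Limit1
  shape average 100000
 class Limit2
  shape average 64000
!
! 10 is a placeholder sequence number; use the number of your existing crypto map entry
crypto map MySec 10 ipsec-isakmp
 qos pre-classify
!
interface Dialer1
 service-policy output RateLimit
!
! destination "any" added to complete the entry: this matches TCP source port 80;
! use "any any eq 80" to match destination port 80 instead
access-list 101 permit tcp any eq 80 any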

For further reading I would recommend "Configuring QoS for Virtual Private Networks".

Hope this helps! Please rate all posts.

Regards, Martin
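
The effect described in the reply above, as an added Python illustration that is not part of the original thread: it builds IPv4/TCP packets, wraps them in a stand-in ESP tunnel packet (random bytes instead of real encryption), and returns the class an output policy would select with and without access to the original header. The addresses, the helper names and the port-only approximations of access-list 101 and `match protocol ftp` are assumptions made for the example.

```python
import os, socket, struct

def ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (checksum left at 0) followed by the payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst)) + payload

def tcp(sport, dport):
    """Minimal 20-byte TCP header (SYN)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)

def esp_tunnel(inner, tun_src, tun_dst):
    """Stand-in for ESP tunnel mode: SPI, sequence number, opaque bytes.
    Random bytes replace the ciphertext; no real encryption is performed."""
    body = struct.pack("!II", 0x1000, 1) + os.urandom(len(inner) + 16)
    return ipv4(tun_src, tun_dst, 50, body)  # IP protocol 50 = ESP

def fields(pkt):
    """Header fields a classifier can read from an IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    out = {"proto": pkt[9]}
    if out["proto"] in (6, 17):  # ports exist only for TCP/UDP
        out["sport"], out["dport"] = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return out

def classify(f):
    """Simplified version of the thread's classes (port match only)."""
    ports = {f.get("sport"), f.get("dport")}
    if f["proto"] == 6 and 80 in ports:
        return "Limit1"          # stands in for access-list 101
    if f["proto"] == 6 and 21 in ports:
        return "Limit2"          # stands in for 'match protocol ftp'
    return "class-default"

def egress(inner, pre_classify):
    """Class chosen by the output policy on the tunnel interface."""
    outer = esp_tunnel(inner, "192.0.2.1", "198.51.100.1")  # constructed addresses
    # With pre-classify the policy sees a copy of the original header;
    # without it, only the outer ESP header is available.
    return classify(fields(inner if pre_classify else outer))

web = ipv4("10.1.1.10", "10.2.2.20", 6, tcp(40000, 80))   # constructed packets
ftp = ipv4("10.1.1.10", "10.2.2.20", 6, tcp(40001, 21))

if __name__ == "__main__":
    for name, pkt in (("web", web), ("ftp", ftp)):
        print(name, egress(pkt, False), "->", egress(pkt, True))
```

Without the original header every tunnelled packet falls into class-default, which is why a policy on the crypto-map interface never matches the access-list or protocol classes.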

