CAR and VPN

May 18th, 2006

Hello,


I am trying to implement CAR to limit the bandwidth used by specific traffic under an IPSec tunnel between two 878 routers over SDSL.


I specify an access list and use the rate-limit command under the dialer 1 interface.


The problem is that the dialer 1 interface also has the crypto map command, and I think that the rate-limit command cannot work because the traffic is already encrypted when the rate-limit command is applied.


Is there a solution to my problem?


Thanks.

Overall Rating: 5 (1 ratings)
mheusinger Thu, 05/18/2006 - 07:57

Hello,


You should have a look at the qos pre-classify feature. Basically the router "remembers" the original - unencrypted - header and can match based on this info. Unfortunately this is not supported by CAR, afaik. You would have to use class-based shaping, which is the better option anyhow IMHO.

An example config could be something like:


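ip cef
!
! Classes match on the original (pre-encryption) headers
class-map match-all Limit1
 match access-group 101
!
class-map match-all Limit2
 match protocol ftp
!
! shape average takes a rate in bits per second
policy-map RateLimit
 class Limit1
  shape average 100000
 class Limit2
  shape average 64000
!
! 10 and ipsec-isakmp are placeholders: use your existing crypto map entry
crypto map MySec 10 ipsec-isakmp
 qos pre-classify
!
interface Dialer1
 service-policy output RateLimit
!
access-list 101 permit tcp 10.1.1.0 0.0.0.255 any eq 80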


For further reading I would recommend "Configuring QoS for Virtual Private Networks"

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800c75d3.html


Hope this helps! Please rate all posts.


Regards, Martin
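
A way to check a saved configuration for the situation described in this thread, as an added example that is not part of the original posts: it flags any interface that carries both a crypto map and an output service-policy while the crypto map entry lacks qos pre-classify. The function names, the sample configs, the peer address and sequence number 10 are constructed for illustration, and the parser assumes running-config style indentation of sub-commands.

```python
import re

def parse_blocks(config):
    """Map each top-level IOS line to the indented sub-commands under it."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if raw[0].isspace() and current is not None:
            blocks[current].append(line)
        else:
            current = line
            blocks.setdefault(current, [])
    return blocks

def missing_preclassify(config):
    """Return (interface, crypto map) pairs where an output service-policy
    shares the interface with a crypto map entry lacking 'qos pre-classify'."""
    blocks = parse_blocks(config)
    enabled = {}  # crypto map name -> True only if every entry has the command
    for head, body in blocks.items():
        m = re.match(r"crypto map (\S+) \d+", head)
        if m:
            name = m.group(1)
            enabled[name] = enabled.get(name, True) and "qos pre-classify" in body
    findings = []
    for head, body in blocks.items():
        if not head.startswith("interface "):
            continue
        if not any(l.startswith("service-policy output ") for l in body):
            continue
        for l in body:
            if l.startswith("crypto map ") and not enabled.get(l.split()[2], False):
                findings.append((head.split()[1], l.split()[2]))
    return findings

# Constructed sample configs (peer address and sequence number are placeholders).
BEFORE = """\
crypto map MySec 10 ipsec-isakmp
 set peer 192.0.2.1
interface Dialer1
 crypto map MySec
 service-policy output RateLimit
"""
AFTER = BEFORE.replace(" set peer 192.0.2.1\n", " set peer 192.0.2.1\n qos pre-classify\n")

if __name__ == "__main__":
    print("before:", missing_preclassify(BEFORE))
    print("after: ", missing_preclassify(AFTER))
```
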
