New Member

Rate limit on a IPSEc Tunnel

Hi, is it possible to limit traffic in an IPsec point-to-point tunnel? I have a 4Mbps link and I want to limit 2Mbps to the VPN tunnel and the other 2Mbps for general Internet traffic. Can it be done? Please give me some examples.

9 REPLIES
Hall of Fame Super Blue

Re: Rate limit on a IPSEc Tunnel

asoka@people.net.au

Hi, is it possible to limit traffic in an IPsec point-to-point tunnel? I have a 4Mbps link and I want to limit 2Mbps to the VPN tunnel and the other 2Mbps for general Internet traffic. Can it be done? Please give me some examples.

Which device and IOS?

Jon

New Member

Re: Rate limit on a IPSEc Tunnel

This is a 1760 router, IOS 12.4, running

c1700-advipservicesk9-mz.124-13b.bin

Re: Rate limit on a IPSEc Tunnel

Something like this:

interface
 rate-limit input access-group 100 2000000 2400 2400 conform-action transmit exceed-action drop
 rate-limit output access-group 200 2000000 2400 2400 conform-action transmit exceed-action drop

ip access-list extended 100
 permit esp host host
 permit ahp host host

ip access-list extended 200
 permit esp host host
 permit ahp host host

New Member

Re: Rate limit on a IPSEc Tunnel

Thanks for your input. A few questions though:

In this method you need to apply in both directions, isn't it, but I feel like applying that to two different interfaces,

rate-limit input to inside interface

rate-limit output to outside interface

Otherwise packets enter the router and then drop at the inside interface, isn't it?

And, in this method I can rate limit the, let's say, Internet bound traffic to 3Mbps and then automatically I have reserved 1Mbps to VPN tunnel traffic, is it correct?

Regards

Hall of Fame Super Gold

Re: Rate limit on a IPSEc Tunnel

I think that rate-limit (policing) will have an adverse effect as it does not buffer.

You may want to look into traffic shaping with Modular QoS CLI instead.

New Member

Re: Rate limit on a IPSEc Tunnel

Thanks,

And if you could give me some guidance in that direction, please.

New Member

Re: Rate limit on a IPSEc Tunnel

Hi, I just realised that will be a bit difficult with NATing, isn't it?

How can you differentiate traffic before the NATing interface?

Or what is the best method to limit traffic to and from the Internet to users?

Regards

Hall of Fame Super Gold

Re: Rate limit on a IPSEc Tunnel

NAT traffic has private addresses that you can identify with a three-line ACL.

NAT also provides a virtual interface of optional use.

All these things are easier for a certified professional, whom I would recommend engaging for best results.

Re: Rate limit on a IPSEc Tunnel

In this method you need to apply in both directions, isn't it, but I feel like applying that to two different interfaces,

rate-limit input to inside interface

rate-limit output to outside interface

Yes, it is a good idea. This should slightly reduce the CPU load.

And, in this method I can rate limit the, let's say, Internet bound traffic to 3Mbps and then automatically I have reserved 1Mbps to VPN tunnel traffic, is it correct?

This is correct if your ISP guarantees you 4 Mbps bandwidth. For the best result you can use shapers instead of rate-limit.

http://www.cisco.com/en/US/docs/ios/12_0/qos/configuration/guide/qcgts.html
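
An added illustration of the policing-versus-shaping point raised in this thread (not code from any poster or from Cisco): a simplified Python model that runs the posted rate and burst values (2000000 bps, 2400 bytes) against a constructed burst of ten packets. The packet size, packet spacing and the 64-packet queue limit are assumptions chosen for the example.

```python
RATE_BPS = 2_000_000   # rate from the posted rate-limit lines
BURST_BYTES = 2400     # normal and extended burst from the same lines

def police(arrivals, rate_bps=RATE_BPS, burst=BURST_BYTES):
    """Token-bucket policer: a packet that finds too few tokens is dropped.
    arrivals: time-sorted (time_s, size_bytes). Returns (sent, dropped)."""
    tokens, last = float(burst), 0.0
    sent, dropped = [], []
    for t, size in arrivals:
        # Refill at the committed rate, never above the bucket depth.
        tokens = min(burst, tokens + (t - last) * rate_bps / 8)
        last = t
        if size <= tokens:
            tokens -= size
            sent.append((t, size))
        else:
            dropped.append((t, size))
    return sent, dropped

def shape(arrivals, rate_bps=RATE_BPS, queue_limit=64):
    """Shaper model: excess packets wait in a FIFO and leave at rate_bps.
    Returns (departures as (time_s, size_bytes), dropped)."""
    free_at = 0.0              # when the shaped link can start the next packet
    out, dropped = [], []
    for t, size in arrivals:
        queued = sum(1 for depart, _ in out if depart > t)
        if queued >= queue_limit:       # the queue is finite: tail drop
            dropped.append((t, size))
            continue
        start = max(t, free_at)
        free_at = start + size * 8 / rate_bps
        out.append((free_at, size))
    return out, dropped

def burst_arrivals(count=10, size=1400, gap_s=0.0001):
    """Constructed input: a back-to-back burst such as one TCP window."""
    return [(i * gap_s, size) for i in range(count)]

if __name__ == "__main__":
    pkts = burst_arrivals()
    sent, lost = police(pkts)
    out, qdrop = shape(pkts)
    print(f"policer: {len(sent)} sent, {len(lost)} dropped")
    print(f"shaper:  {len(out)} sent, {len(qdrop)} dropped, "
          f"last departs at {out[-1][0] * 1000:.1f} ms")
```

With the thread's values the policer forwards 1 of the 10 packets and drops 9, while the shaper delivers all 10, the last one 56 ms after the burst begins.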
