[c-nsp] Bandwidth limitation for IPSec

BoXeR piestaga at aster.pl
Wed Apr 13 19:57:09 EDT 2005


hi,

some time ago I posted the mail below where I was looking for a
method to limit the bandwidth for users who connect to the VPN network
using Cisco VPN Client.
Since then, I have investigated and found that, as of today, Cisco has no dedicated
solution for that.
There is a possibility to apply a qos-group to a crypto isakmp profile,
but the policy created that way is applied only to outgoing traffic
(I mean from the VPN through the IPSec tunnel to the remote user).
What I need is exactly the opposite direction.


So, I am thinking over the following scenario, and I would like to ask
you to tell me what is wrong, because, apart from the fact that the
idea is probably OK, the method is not working. :-)


All remote users are establishing the IPSec tunnels between their PCs
and a loopback interface on the aggregator.
Before reaching the loopback, the tunnels have to go through the aggregator's
physical interface which connects the aggregator to the Internet.

For tests I have created the class-map:

class-map match-all customer_a
 match access-group name customer_a

and policy-map:

policy-map customers
 class customer_a
  police rate 40000


and I have assigned "service-policy input customers"
to the Internet-facing interface.

The access list should match all the traffic between all remote users
(ANY) and the aggregator loopback.
I have checked every possibility, but could not create a
configuration that would work.
Finally I changed the ACL to match "any any" statements (both IP and ESP):

ip access-list extended customer_a
  permit ip any any
  permit esp any any

No results.

What I see in the output of "sh policy-map interface" is that the traffic
is matched by the default class-map.

I am not very familiar with QoS configuration.

Could you please take a look at what the reason for that can be?
Maybe the reason is that a crypto map and a service-policy exist on
the same interface. I have not found such an example on CCO, so it is hard to
say whether such a scenario is possible or not.

Thanks in advance
Sebastian
> I am in front of the problem of limiting the bandwidth for different
> remote IPSec sessions to MPLS-based VPNs.
> Could you tell me what the best practice is when applying the
> restrictions for different types of IPSec clients?
> The client can be:
> - the remote IPSec-CPE router(s) connected to a single IPSec-aggregator
> via GRE over IPSec tunnels
> - the remote PC connected to "the same" IPSec-aggregator via the
> Cisco-VPN-Client application.

> In both cases the remote sites (PCs or CPEs) are connected to a VRF on
> the IPSec-aggregator. That VRF is dedicated to a particular customer.

> The remote IPSec-CPE bandwidth limitation can be performed based on
> the CPE's interface limitation (the CPE is in my management domain), but the
> problem can be with the Cisco VPN client, where the remote PC client
> can send IPSec traffic up to the bandwidth of its LAN card, which is
> not the way I would like to provide the service.

> I would like to be able to apply the limitation both for a single
> session and for the whole customer ("customer" means the company that
> possesses a dozen or so PCs and CPEs dedicated for remote access to the VPN
> and terminated within a single VRF on the IPSec-Aggregator).

> Thanks for any ideas.
> --------------------- 
> Regards
> Sebastian