FAQ-Rate Limiting of IPSec Data Flows on the AR

Publication Date: 2016-02-01
Issue Description
The AR needs to limit the rate of IPSec data flows.
Solution
As shown in Figure 1-1, the communication between the enterprise branch and headquarters is encrypted by IPSec. The rate of IPSec data flows from RouterA and RouterB needs to be limited.

Figure 1-1 IPSec networking

Generally, an ACL is used to match data flows precisely so that rate limiting can be applied to them. To match IPSec data flows correctly with an ACL, you need a good understanding of how IPSec traffic is forwarded and how the data flows are transmitted.

<Huawei> system-view
[Huawei] acl 3005   //Define the ACL rule that specifies the network segment of the IPSec data flows whose rate needs to be limited.
[Huawei-acl-adv-3005] rule 0 permit ip source 1.1.1.0 0.0.0.255 destination 2.1.1.0 0.0.0.255   //The network segments matched for the IPSec data flows must be public network addresses.
[Huawei-acl-adv-3005] quit
[Huawei] interface gigabitethernet0/0/1    //Limit the rate of packets on the interface where the IPSec policy is applied.
[Huawei-GigabitEthernet0/0/1] qos car outbound acl 3005 cir 1024   //Configure rate limiting in the outbound direction of the interface for packets matching ACL 3005. The CIR of 1024 kbit/s is 1 Mbit/s.
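The following Python script is an added example, not part of this FAQ, that shows the point behind the ACL method: an interface ACL such as 3005 only sees the outer, public IP header of the encrypted packet, so a rule written for the inner private addresses never matches, and the matched packets are then policed by a single-token-bucket CAR at cir 1024 kbit/s. The tunnel endpoint addresses 1.1.1.1 and 2.1.1.1, the private inner addresses, the packet sizes and the 20000-byte burst size are assumptions made for the simulation.

```python
import struct
from ipaddress import IPv4Address

def wildcard_match(addr, base, wildcard):          # Huawei ACL: a 1 bit in the wildcard means "do not care"
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w & 0xFFFFFFFF) == (b & ~w & 0xFFFFFFFF)

def build_ipv4(src, dst, proto, total_len):        # constructed 20-byte header; checksum left at zero
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)

def parse_outer_ipv4(pkt):
    """Read the outermost IPv4 header, the only one an interface ACL sees (protocol 50 = ESP)."""
    _, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"proto": proto, "len": total_len, "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst))}

def acl_3005_permits(hdr):
    """rule 0 permit ip source 1.1.1.0 0.0.0.255 destination 2.1.1.0 0.0.0.255"""
    return (wildcard_match(hdr["src"], "1.1.1.0", "0.0.0.255")
            and wildcard_match(hdr["dst"], "2.1.1.0", "0.0.0.255"))

class Car:
    """Single token bucket: cir in kbit/s as in 'qos car ... cir 1024'; the cbs in bytes is an assumed value."""
    def __init__(self, cir_kbps, cbs_bytes):
        self.rate_per_ms = cir_kbps // 8           # 1024 kbit/s = 128 bytes per millisecond
        self.cbs, self.tokens, self.last_ms = cbs_bytes, cbs_bytes, 0
    def conform(self, length, now_ms):
        self.tokens = min(self.cbs, self.tokens + (now_ms - self.last_ms) * self.rate_per_ms)
        self.last_ms = now_ms
        ok = length <= self.tokens                 # False: the packet exceeds the CIR and is dropped
        self.tokens -= length if ok else 0
        return ok

def police(packets, cir_kbps=1024, cbs_bytes=20000):
    """Outbound 'qos car acl 3005' over (time_ms, packet) pairs; returns (passed, dropped, unmatched)."""
    car, passed, dropped, unmatched = Car(cir_kbps, cbs_bytes), 0, 0, 0
    for now_ms, pkt in packets:
        hdr = parse_outer_ipv4(pkt)
        if not acl_3005_permits(hdr):
            unmatched += 1                         # not in ACL 3005: forwarded without policing
        elif car.conform(hdr["len"], now_ms):
            passed += 1
        else:
            dropped += 1
    return passed, dropped, unmatched

# Constructed traffic: ESP between assumed tunnel endpoints 1.1.1.1 and 2.1.1.1 (1400 bytes every 1 ms),
# plus one packet still carrying private inner addresses, which the ACL on public addresses does not match.
ESP = [(ms, build_ipv4("1.1.1.1", "2.1.1.1", 50, 1400)) for ms in range(20)]
INNER = [(20, build_ipv4("192.168.1.10", "192.168.2.10", 6, 1400))]
RESULT = police(ESP + INNER)                       # (16, 4, 1) with the 20000-byte burst allowance
```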

If you are not familiar with the IPSec data flows, you are advised to match them using a QoS group instead. The procedure is as follows:

<Huawei> system-view
[Huawei] ipsec policy policy1 10 isakmp   //Configure an IPSec policy.
[Huawei-ipsec-policy-isakmp-policy1-10] qos group 30   //Bind QoS group 30 to the IPSec policy.
[Huawei-ipsec-policy-isakmp-policy1-10] quit
[Huawei] traffic classifier c1   //Create a traffic classifier.
[Huawei-classifier-c1] if-match qos-group 30   //Define a matching rule based on QoS group 30.
[Huawei-classifier-c1] quit
[Huawei] traffic behavior b1   //Create a traffic behavior.
[Huawei-behavior-b1] car cir 1024   //Set the CIR to 1024 kbit/s (1 Mbit/s).
[Huawei-behavior-b1] quit
[Huawei] traffic policy p1   //Create a traffic policy.
[Huawei-policy-p1] classifier c1 behavior b1   //Associate the traffic classifier with the traffic behavior.
[Huawei-policy-p1] quit
[Huawei] interface gigabitethernet0/0/1   //Apply the traffic policy to the interface in the direction matching the service direction; the IPSec data flows transmitted in that direction are then limited to 1 Mbit/s.
[Huawei-GigabitEthernet0/0/1] traffic-policy p1 outbound   //Apply the traffic policy in the outbound direction of the interface.
[Huawei-GigabitEthernet0/0/1] traffic-policy p1 inbound   //Apply the traffic policy in the inbound direction of the interface.

Note:
    If the QoS group bound to the IPSec policy is modified, the traffic policy can match the modified QoS group only when a new SA is established through negotiation using the reset ipsec sa or reset ike sa command.
