AR Router Troubleshooting Guide

This product documentation provides guidance for maintaining the AR Enterprise Router, covering common information collection and fault diagnostic commands, troubleshooting guides for typical faults, and troubleshooting.
Rate Limiting of IPSec Data Flows on the AR


Problem Description

The AR needs to limit the rate of IPSec data flows.


As shown in Figure 1-1, the communication between the enterprise branch and headquarters is encrypted by IPSec. The rate of IPSec data flows from RouterA and RouterB needs to be limited.

Figure 25-20  IPSec networking

Generally, an ACL is used to accurately match data flows to meet rate limiting requirements. To match IPSec data flows correctly with an ACL, you need a good understanding of IPSec traffic forwarding and data flow transmission.

<Huawei> system-view 
[Huawei] acl 3005  //Define the ACL rule to specify the network segment of IPSec data flows whose rate needs to be limited.
[Huawei-acl-adv-3005] rule 0 permit ip source destination  //The network segment of IPSec data flows must be a public network address. 
[Huawei-acl-adv-3005] quit 
[Huawei] interface gigabitethernet0/0/1  //Limit the rate of packets on the interface where the IPSec policy is applied. 
[Huawei-GigabitEthernet0/0/1] qos car outbound acl 3005 cir 1024  //Configure rate limiting in the outbound direction of the interface to limit the rate of packets matching ACL 3005. Set the CIR to 1 Mbit/s.

If you are not familiar with how IPSec data flows are forwarded, you are advised to match them using a QoS group instead. The procedure is as follows:

<Huawei> system-view 
[Huawei] ipsec policy policy1 10 isakmp  //Configure an IPSec policy. 
[Huawei-ipsec-policy-isakmp-policy1-10] qos group 30  //Bind QoS group 30 to the IPSec policy.
[Huawei-ipsec-policy-isakmp-policy1-10] quit 
[Huawei] traffic classifier class1 
[Huawei-classifier-class1] if-match qos-group 30  //Define a matching rule based on QoS group 30.
[Huawei-classifier-class1] quit 
[Huawei] traffic behavior b1 
[Huawei-behavior-b1] car cir 1024  //Set the CIR to 1 Mbit/s. 
[Huawei-behavior-b1] quit 
[Huawei] traffic policy p1 
[Huawei-policy-p1] classifier class1 behavior b1  //Associate the traffic classifier with the traffic behavior.
[Huawei-policy-p1] quit 
[Huawei] interface gigabitethernet0/0/1  //Apply the traffic policy to an interface. Depending on the service direction, IPSec data flows transmitted through the interface are limited to 1 Mbit/s. 
[Huawei-GigabitEthernet0/0/1] traffic-policy p1 outbound  //Apply the traffic policy in the outbound or inbound direction of the interface. 
[Huawei-GigabitEthernet0/0/1] traffic-policy p1 inbound  //Apply the traffic policy in the inbound or outbound direction of the interface.

If the QoS group bound to the IPSec policy is modified, the traffic policy can match the modified QoS group only when a new SA is established through negotiation using the reset ipsec sa or reset ike sa command.
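
A configuration check for the QoS-group method above, as an added example that is not part of the Huawei documentation: it parses the commands this page uses and reports where the chain from IPSec policy to QoS group, classifier, CAR behavior and interface is broken, for example when a traffic policy names a classifier that was never defined. The `audit` function, the sample text and its indented layout are assumptions made for the example.

```python
import re

VIEW = re.compile(r"(ipsec policy|traffic classifier|traffic behavior|traffic policy|interface) (\S+)")

# Constructed sample: this page's QoS-group commands, laid out as a saved
# configuration with one-space indentation inside each view (assumed layout).
SAMPLE = """\
ipsec policy policy1 10 isakmp
 qos group 30
traffic classifier class1
 if-match qos-group 30
traffic behavior b1
 car cir 1024
traffic policy p1
 classifier class1 behavior b1
interface gigabitethernet0/0/1
 traffic-policy p1 outbound
"""

def audit(config):
    """Return broken links in the IPSec policy -> QoS group -> CAR chain."""
    groups, matched, car, binds, applied = {}, {}, set(), [], set()
    kind = name = None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # an unindented line opens a new view
            m = VIEW.match(line)
            kind, name = m.groups() if m else (None, None)
        elif kind == "ipsec policy" and (m := re.fullmatch(r"qos group (\d+)", line)):
            groups[name] = m.group(1)
        elif kind == "traffic classifier" and (m := re.fullmatch(r"if-match qos-group (\d+)", line)):
            matched[name] = m.group(1)
        elif kind == "traffic behavior" and line.startswith("car cir "):
            car.add(name)
        elif kind == "traffic policy" and (m := re.fullmatch(r"classifier (\S+) behavior (\S+)", line)):
            binds.append((name, *m.groups()))
        elif kind == "interface" and (m := re.fullmatch(r"traffic-policy (\S+) (inbound|outbound)", line)):
            applied.add(m.group(1))
    problems = [f"traffic policy {tp}: classifier {c} is not defined"
                for tp, c, _ in binds if c not in matched]
    for pol, grp in groups.items():
        # The group is limited only if an applied policy pairs a classifier
        # matching it with a behavior that configures CAR.
        if not any(matched.get(c) == grp and b in car and tp in applied for tp, c, b in binds):
            problems.append(f"ipsec policy {pol}: QoS group {grp} is not rate limited")
    return problems

if __name__ == "__main__":
    print(audit(SAMPLE) or "chain is complete")
```

An empty result means every QoS group bound to an IPSec policy reaches a CAR behavior through a traffic policy that is applied to an interface.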

Updated: 2019-05-10

Document ID: EDOC1000079719
