Per flow policing that is not into a VPN.

Unanswered Question
Apr 16th, 2009

Can the ASA police flows based on the destination IP but not related to a VPN tunnel?

I am trying to set download rate limits to my users. Limit each individual IP to 2megs on Internet to help smooth out the peaks in the Internet pipe.

I am thinking that I want to match on destination IP in the direction of transmitting out the inside interface. This should give me a per IP flow policing policy but the ASA wants the 'match tunnel group' statement first so it seems the per flow policing feature is only usable within a tunnel? Do

roshan.maskey Thu, 04/16/2009 - 21:11

Hi,

Try this:

access-list 100 extended permit ip any 192.168.10.0 255.255.255.0
class-map police_class
 match access-list 100
policy-map police_policy
 class police_class
  police input 2000000
  police output 2000000

jcosgrove Fri, 04/17/2009 - 02:51

Thank you for your response. This is about how far I have gotten it but I think this will police the entire class, in this case the 192.168.10.0/24 network. So the sum of all traffic on this network would be 2 meg as in your example and not per user. Am I wrong about this?

JC
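
The distinction raised in the last reply, one 2 Mbit/s policer shared by the whole class versus one policer per destination IP, modelled as an added example that is not part of the thread and is not ASA code: a generic token-bucket policer in Python run over constructed traffic. The burst size, host addresses and offered rates are assumptions; the model shows the two behaviours and does not establish which one the ASA applies.

```python
from collections import defaultdict
RATE_BPS = 2_000_000   # 2 Mbit/s, the rate used in the thread
BURST_BYTES = 62_500   # assumed burst allowance (250 ms at 2 Mbit/s)

class TokenBucket:
    """Single-rate policer: conforming packets pass, the rest are dropped."""
    def __init__(self, rate_bps, burst_bytes):
        self.rate = rate_bps / 8.0          # refill rate in bytes per second
        self.burst = burst_bytes
        self.tokens = float(burst_bytes)
        self.last = 0.0

    def conforms(self, now, size):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False

def simulate(packets, per_destination):
    """Bytes passed per destination IP for time-ordered (time_s, dst_ip, size) packets."""
    shared = TokenBucket(RATE_BPS, BURST_BYTES)
    per_ip = defaultdict(lambda: TokenBucket(RATE_BPS, BURST_BYTES))
    passed = defaultdict(int)
    for now, dst, size in packets:
        bucket = per_ip[dst] if per_destination else shared
        if bucket.conforms(now, size):
            passed[dst] += size
    return dict(passed)

def constructed_traffic(seconds=10):
    """Constructed sample: .10 is sent ~8 Mbit/s, .20 ~1 Mbit/s, 1000-byte packets."""
    packets = []
    for i in range(seconds * 1000):
        t = i / 1000.0
        packets.append((t, "192.168.10.10", 1000))      # 1000 pkt/s
        if i % 8 == 0:
            packets.append((t, "192.168.10.20", 1000))  # 125 pkt/s
    return packets

def mbps(byte_count, seconds=10):
    return byte_count * 8 / seconds / 1e6

if __name__ == "__main__":
    traffic = constructed_traffic()
    for label, mode in (("one policer for the class", False), ("one policer per IP", True)):
        result = simulate(traffic, per_destination=mode)
        print(label, {ip: round(mbps(b), 2) for ip, b in sorted(result.items())})
```

With the shared policer the heavier download takes nearly all of the 2 Mbit/s and the lighter host is starved; with one policer per IP each host is limited independently.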
