Per flow policing that is not into a VPN.

Unanswered Question
Apr 16th, 2009


Can the ASA police flows based on the destination IP but not related to a VPN tunnel?


I am trying to set download rate limits to my users. Limit each individual IP to 2megs on Internet to help smooth out the peaks in the Internet pipe.


I am thinking that I want to match on destination IP in the direction of transmitting out the inside interface. This should give me a per IP flow policing policy but the ASA wants the 'match tunnel group' statement first so it seems the per flow policing feature is only usable within a tunnel? Do

roshan.maskey Thu, 04/16/2009 - 21:11

Hi,


Try this:


access-list 100 extended permit ip any 192.168.10.0 255.255.255.0

class-map police_class
 match access-list 100

policy-map police_policy
 class police_class
  police input 2000000
  police output 2000000

jcosgrove Fri, 04/17/2009 - 02:51

Thank you for your response. This is about how far I have gotten it but I think this will police the entire class, in this case the 192.168.10.0/24 network. So the sum of all traffic on this network would be 2 meg as in your example and not per user. Am I wrong about this?


JC
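
The difference between one policer shared by the whole class and one policer per destination IP, which the reply above asks about, can be seen in a small token-bucket simulation. This is an added example, not part of the thread and not a model of the ASA's own implementation; the host addresses, offered rates, burst size and packet size are constructed assumptions.

```python
from collections import defaultdict

RATE_BPS = 2_000_000   # police rate from the thread's config, taken as bits/s
BURST_BYTES = 62_500   # assumed burst size; the thread does not give one
PKT_BYTES = 1250       # assumed fixed packet size
DURATION = 10.0        # seconds simulated

# Constructed offered load per inside host (bits/s); not data from the thread.
OFFERED = {"192.168.10.10": 8_000_000,
           "192.168.10.11": 1_000_000,
           "192.168.10.12": 1_000_000}

class TokenBucket:
    """Generic single-rate policer: a packet conforms or is dropped."""
    def __init__(self, rate_bps, burst_bytes):
        self.rate = rate_bps / 8.0          # refill in bytes per second
        self.burst = self.tokens = float(burst_bytes)
        self.last = 0.0

    def conforms(self, now, size):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False

def constructed_traffic():
    """Evenly spaced packets toward each destination, merged in time order."""
    events = []
    for dst, bps in OFFERED.items():
        interval = PKT_BYTES * 8 / bps
        events += [(i * interval, dst) for i in range(int(DURATION / interval))]
    return sorted(events)

def simulate(per_destination):
    """Return delivered bits/s per destination IP."""
    shared = TokenBucket(RATE_BPS, BURST_BYTES)
    own = defaultdict(lambda: TokenBucket(RATE_BPS, BURST_BYTES))
    passed = defaultdict(int)
    for now, dst in constructed_traffic():
        bucket = own[dst] if per_destination else shared
        if bucket.conforms(now, PKT_BYTES):
            passed[dst] += PKT_BYTES
    return {dst: passed[dst] * 8 / DURATION for dst in OFFERED}

if __name__ == "__main__":
    for label, mode in (("one policer for the class", False), ("one policer per destination", True)):
        print(label, simulate(mode))
```

With the shared bucket the three hosts together receive about 2 Mbit/s and the heavy destination takes nearly all of it; with a bucket per destination the heavy host is held to about 2 Mbit/s while the two light hosts keep their full 1 Mbit/s.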
