Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
457
Views
0
Helpful
2
Replies

Per flow policing that is not into a VPN.

jcosgrove
Level 1
Level 1

‎04-16-2009 10:12 AM - edited ‎03-11-2019 08:19 AM

Can the ASA police flows based on the destination IP but not related to a VPN tunnel?

I am trying to set download rate limits to my users. Limit each individual IP to 2megs on Internet to help smooth out the peaks in the Intnernet pipe.

I am thinking that i want to match on destination IP in the direction of transmitting out the inside interface. This should give me a per IP flow policing policy but the ASA wants the 'match tunnel group' statement first so it seems the per flow policing feature is only usable within a tunnel? Do

Labels:
0 Helpful
2 Replies 2

roshan.maskey
Level 1
Level 1

‎04-16-2009 09:11 PM

Hi,

Try this:

access-list 100 extended permit ip any 192.168.10.0 255.255.255.0

class-map police_class

match access-list 100

policy-map police_policy

class police_class

police input 2000000

police output 2000000

0 Helpful

jcosgrove
Level 1
Level 1
In response to roshan.maskey

‎04-17-2009 02:51 AM

Thank you for your response. This is about how far I have gotten it but I think this will police the entire class, in this case the 192.168.10.0/24 network. So the sum of all traffic on this network would be 2 meg as in your example and not per user. Am I wrong about this?

JC

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card