04-16-2009 10:12 AM - edited 03-11-2019 08:19 AM
Can the ASA police flows based on the destination IP but not related to a VPN tunnel?
I am trying to set download rate limits for my users. Limit each individual IP to 2 megs on Internet to help smooth out the peaks in the Internet pipe.
I am thinking that I want to match on destination IP in the direction of transmitting out the inside interface. This should give me a per-IP flow policing policy, but the ASA wants the 'match tunnel group' statement first, so it seems the per-flow policing feature is only usable within a tunnel? Do
04-16-2009 09:11 PM
Hi,
Try this:
access-list 100 extended permit ip any 192.168.10.0 255.255.255.0
class-map police_class
 match access-list 100
policy-map police_policy
 class police_class
  police input 2000000
  police output 2000000
04-17-2009 02:51 AM
Thank you for your response. This is about how far I have gotten it but I think this will police the entire class, in this case the 192.168.10.0/24 network. So the sum of all traffic on this network would be 2 meg as in your example and not per user. Am I wrong about this?
JC