
New Member

Per flow policing that is not into a VPN.

Can the ASA police flows based on the destination IP but not related to a VPN tunnel?

I am trying to set download rate limits to my users. Limit each individual IP to 2megs on Internet to help smooth out the peaks in the Internet pipe.

I am thinking that I want to match on destination IP in the direction of transmitting out the inside interface. This should give me a per IP flow policing policy but the ASA wants the 'match tunnel group' statement first so it seems the per flow policing feature is only usable within a tunnel? Do

New Member

Re: Per flow policing that is not into a VPN.


Try this:

access-list 100 extended permit ip any
class-map police_class
 match access-list 100
policy-map police_policy
 class police_class
  police input 2000000
  police output 2000000

New Member

Re: Per flow policing that is not into a VPN.

Thank you for your response. This is about how far I have gotten it but I think this will police the entire class, in this case the network. So the sum of all traffic on this network would be 2 meg as in your example and not per user. Am I wrong about this?
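
The distinction raised in the last post, one policer shared by the whole class versus one policer per destination IP, shown as an added example that is not part of the original thread. It is a generic token-bucket model in Python, not ASA code, and it makes no claim about how the ASA implements `police`; the burst size, host addresses and traffic pattern are constructed assumptions.

```python
from collections import defaultdict

RATE_BPS = 2_000_000   # rate taken from the thread's "police ... 2000000"
BURST_BYTES = 62_500   # assumed burst size (constructed, not from the thread)

class Policer:
    """Single-rate token bucket: conforming packets pass, the rest are dropped."""
    def __init__(self, rate_bps=RATE_BPS, burst=BURST_BYTES):
        self.rate = rate_bps / 8.0   # refill rate in bytes per second
        self.burst = burst
        self.tokens = burst          # bucket starts full
        self.last = 0.0

    def allow(self, now, size):
        # Refill for the elapsed time, capped at the burst size.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False

def constructed_traffic(hosts, per_host_bps, seconds, size=1250):
    """Constructed sample: a steady download stream toward each inside host."""
    interval = size * 8 / per_host_bps
    count = int(seconds / interval)
    return sorted((i * interval, h, size) for h in hosts for i in range(count))

def delivered_bps(packets, seconds, per_destination):
    """Delivered rate per host with one shared policer or one per destination IP."""
    policers = defaultdict(Policer)
    passed = defaultdict(int)
    for now, dst, size in packets:
        key = dst if per_destination else "whole-class"
        passed[dst] += size if policers[key].allow(now, size) else 0
    return {host: nbytes * 8 / seconds for host, nbytes in passed.items()}

if __name__ == "__main__":
    hosts = ["10.0.0.1", "10.0.0.2", "10.0.0.3"]   # constructed addresses
    pkts = constructed_traffic(hosts, 1_500_000, 10)
    for mode in (False, True):
        rates = delivered_bps(pkts, 10, per_destination=mode)
        label = "per destination" if mode else "shared by class"
        print(label, {h: round(r) for h, r in rates.items()},
              "total", round(sum(rates.values())))
```

With the shared policer the three hosts together stay near 2 Mbps and split it unevenly; with one bucket per destination each host receives its full 1.5 Mbps offered load.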

