11-15-2013 06:59 PM
I need someone to help me understand something. I have read several sources and they appear to state that this command has changed over the ASA versions so now I have no real idea if it works as I think.
I am using QoS over ASA tunnels - code level 8.2.5. I have a class for only tunneled packets and I want to police (rate limit) the tunneled packets - not individual flows within the tunneled data. From what I gather, this command will not do that. For example, if I have five users in the tunnel all sending a lot of data to each of their 5 unique destination addresses with a police output of 10 Mb, I think I could actually have 50 Mb going through that tunnel at one time. Is this correct?
I think I need to discard this command and use a match access-list where the source and destinations are the subnets of the VPN sites that would go through this tunnel. That way I police all the packets in the tunnel to the set limit. Is this reasoning correct? Thanks.
11-15-2013 10:24 PM
Hello,
Exactly.
Actually, starting with 8.2.1 it is a MUST to have this keyword when using policing and matching tunnel groups, and YES, it will match individual flows.
Rate all of the helpful posts!!!
Regards,
Jcarvaja
Follow me on http://laguiadelnetworking.com
11-15-2013 10:08 PM
I think I found my answer.
It does apply to individual flows according to the 8.2.5 command reference.
Thanks