QOS - match flow ip destination-address

gp1200x
Level 2

I need someone to help me understand something. I have read several sources and they appear to state that this command has changed over the ASA versions so now I have no real idea if it works as I think.

I am using QOS over ASA tunnels - code level 8.2.5. I have a class for only tunneled-packets and I want to police (rate limit) the tunneled packets - not individual flows within the tunneled data. From what I gather this command will not do that. For example, if I have five users in the tunnel all sending a lot of data to each of their 5 unique destination addresses with a police output of 10Mb, I think I could actually have 50 Mb going through that tunnel at one time. Is this correct?

I think I need to discard this command and use a match access-list where the source and destinations are the subnets of the VPN sites that would go through this tunnel. That way I police all the packets in the tunnel to the set limit. Is this reasoning correct? Thanks.

Accepted Solutions

Hello,

Exactly.

Actually, starting with 8.2.1 it is a MUST to have this keyword when using policing and matching tunnel groups, and YES, it will match individual flows.

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC


2 Replies

gp1200x
Level 2

I think I found my answer.

It does apply to individual flows according to the 8.2.5 command reference.

Thanks
