fir3net

Configuring VPN Traffic Policing on an ASA

In this article we will show you how to configure traffic policing on a Cisco ASA for traffic that traverses a site-to-site VPN.

Please Note : The command usage changed between 8.0.4 and 8.2.1. From 8.2.1, if you match on a tunnel-group and apply police in the same class, you must also configure the match flow ip destination-address command in the class-map, otherwise the policy will not take effect.

The match flow ip destination-address statement turns the policer into a per-flow policer: every individual destination address inside the tunnel-group gets its own rate limit, rather than the tunnel-group being limited as a whole. To avoid this we match the VPN traffic with an access-list instead and police the inbound and outbound classes. The policer is then applied to the aggregate of everything the access-list matches, i.e. it is based on the source and destination addresses in the access-list rather than on individual flows.
This also saves you from creating a class-map for every Site to Site tunnel. Instead you only need to add the source and destination networks of each VPN to the inbound and outbound access-lists.

Example : In this example all traffic matched by the inbound access-list is policed (limited) to 256 kbps in the input direction, and all traffic matched by the outbound access-list is policed to 256 kbps in the output direction. The limit applies to each class as an aggregate, not per flow, and the rate given to the police command is in bits per second. The example presumes that the VPN, Group-Policy and Tunnel-Group have already been configured. Note that an ASA accepts only one service-policy per interface; if the outside interface already has one (for example for inspection), add these classes to that existing policy-map rather than creating a second one.

! Outbound = traffic leaving the outside interface towards the remote VPN network
access-list outbound extended permit ip 192.168.201.0 255.255.255.0 192.168.200.0 255.255.255.0
! Inbound = traffic arriving from the remote VPN network
access-list inbound extended permit ip 192.168.200.0 255.255.255.0 192.168.201.0 255.255.255.0
!
! Classify by access-list rather than by tunnel-group (no match flow needed)
class-map inbound
 match access-list inbound
!
class-map outbound
 match access-list outbound
!
! Police each class in the relevant direction; rate is in bits per second (256000 = 256 kbps)
policy-map outside-police
 class outbound
  police output 256000
 class inbound
  police input 256000
!
! Attach the policy to the interface the VPN terminates on
service-policy outside-police interface outside
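The following is an added example, not part of the original article, that sets the two approaches side by side: the tunnel-group match from 8.2.1 onwards, which needs match flow ip destination-address and therefore polices per destination flow, and the access-list match used above, extended with a second site-to-site VPN to show that only the access-lists grow. It finishes with the show commands used to confirm the policy is attached and counting. The peer address 203.0.113.10, the 192.168.202.0/24 network, the 4000 byte burst size and the class-map and policy-map names are assumptions chosen for illustration; only one of the two policy-maps can be attached to the outside interface.

```cisco
! --- Variant A: classify by tunnel-group (8.2.1 and later) ---
! "match flow ip destination-address" is mandatory when policing a
! tunnel-group match. Each destination IP inside the tunnel then gets
! its own 256 kbps policer, and one class-map is needed per tunnel.
! Peer 203.0.113.10 is an assumed site-to-site tunnel-group name.
class-map vpn-siteA-police
 match tunnel-group 203.0.113.10
 match flow ip destination-address
!
policy-map outside-police-per-tunnel
 class vpn-siteA-police
  police output 256000 4000 conform-action transmit exceed-action drop
!
! --- Variant B: classify by access-list (the approach used in this article) ---
! One aggregate policer per class. A second VPN (assumed remote network
! 192.168.202.0/24) is added by appending its networks to the same two
! access-lists; no additional class-map or policy-map entry is required.
access-list outbound extended permit ip 192.168.201.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list outbound extended permit ip 192.168.201.0 255.255.255.0 192.168.202.0 255.255.255.0
access-list inbound extended permit ip 192.168.200.0 255.255.255.0 192.168.201.0 255.255.255.0
access-list inbound extended permit ip 192.168.202.0 255.255.255.0 192.168.201.0 255.255.255.0
!
class-map inbound
 match access-list inbound
class-map outbound
 match access-list outbound
!
! Rate in bits per second, burst in bytes (4000 is an assumed value);
! conforming packets are transmitted, exceeding packets are dropped.
policy-map outside-police
 class outbound
  police output 256000 4000 conform-action transmit exceed-action drop
 class inbound
  police input 256000 4000 conform-action transmit exceed-action drop
!
! Only one service-policy may be attached per interface: attach ONE of the two.
service-policy outside-police interface outside
!
! --- Verification ---
! Shows the policers under the outside interface with conformed/exceeded
! packet and byte counters; zero counters mean the class is not matching.
show service-policy interface outside police
! Confirms the access-list entries are being hit (hitcnt) by VPN traffic.
show access-list inbound
show access-list outbound
```

Send traffic across the tunnel (for example a transfer larger than the burst size) and re-run the show service-policy command: the exceeded counters for the relevant class should increase once the 256 kbps rate is passed. If the counters stay at zero with variant A, check that match flow ip destination-address is present in the class-map, as required from 8.2.1.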

Tags: ASA, VPN

About the Author

R Donato

Rick Donato is the Founder and Chief Editor of Fir3net.com. He currently works as a Principal Network Security Engineer and has a keen interest in automation and the cloud.

You can find Rick on Twitter @f3lix001