Configuring VPN Traffic Policing on an ASA
In this article we will show you how to set traffic policing on traffic which is traversing a VPN.
Please note: the command usage has changed from 8.0.4 to 8.2.1. When matching on a tunnel-group and policing at the same time you will also have to configure the match flow ip destination-address command to get the policy to work.
The destination flow statement will police each outbound destination flow in the tunnel group individually rather than the tunnel group as a whole. Because of this we will match the traffic using an access-list instead and then police the inbound and outbound traffic. This way the policing is not based on flows but on the source and destination addresses in the access-list.
This also prevents you from having to create a class-map for each site-to-site tunnel. Instead you only need to add the source and destination networks of each VPN to the inbound and outbound access-lists.
Example: in this example each flow matched to either the inbound or outbound access-list will be policed (limited) to 256k. The example presumes that the VPN, Group-Policy and Tunnel-Group have already been configured.
access-list outbound extended permit ip 192.168.201.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list inbound extended permit ip 192.168.200.0 255.255.255.0 192.168.201.0 255.255.255.0
class-map vpn-inbound
 match access-list inbound
class-map vpn-outbound
 match access-list outbound
policy-map outside-police
 class vpn-inbound
  police input 256000
 class vpn-outbound
  police output 256000
service-policy outside-police interface outside
The class-map names vpn-inbound and vpn-outbound are only examples; an ASA class-map accepts a single match access-list statement, so each direction needs its own class-map. The policy is applied to the outside interface, so the inbound ACL (remote to local) is policed with police input and the outbound ACL (local to remote) with police output. The rate is in bits per second and the conform burst defaults to 1500 bytes. Confirm the policer is matching traffic and counting conformed/exceeded packets with show service-policy police.
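Because the article's approach only requires adding each VPN's networks to the two access-lists, the configuration for many site-to-site tunnels can be generated from a list of local/remote network pairs. The following Python script is an added example and is not part of the original article or a Cisco tool; it renders the access-list entries, the class-maps and the policy-map shown above, and checks the one mistake this design invites: an outbound entry without its mirrored inbound entry, which leaves that tunnel's return traffic unpoliced. The class-map names (vpn-inbound, vpn-outbound) and the network pairs are constructed sample values, and the accepted rate and burst ranges are stated as assumptions in the comments.

```python
"""Generate ASA VPN policing configuration for several site-to-site tunnels.

Added example, not the article's own code. Assumptions: class-map names
vpn-inbound / vpn-outbound are placeholders; the tunnel networks below are
constructed sample values.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Tunnel:
    local: str   # network behind this ASA, in CIDR notation
    remote: str  # network behind the VPN peer, in CIDR notation


def _ace(src: str, dst: str) -> str:
    """Render one extended ACE. ASA ACLs take dotted netmasks, not /prefixes."""
    s = ipaddress.ip_network(src, strict=True)
    d = ipaddress.ip_network(dst, strict=True)
    return f"permit ip {s.network_address} {s.netmask} {d.network_address} {d.netmask}"


def build_acls(tunnels):
    """Outbound ACEs are local->remote; inbound ACEs are the mirror, remote->local."""
    outbound = [f"access-list outbound extended {_ace(t.local, t.remote)}" for t in tunnels]
    inbound = [f"access-list inbound extended {_ace(t.remote, t.local)}" for t in tunnels]
    return inbound, outbound


def _addrs(line: str):
    # Last four fields of an ACE line: src, src-mask, dst, dst-mask
    f = line.split()
    return f[-4], f[-3], f[-2], f[-1]


def check_mirrored(inbound, outbound) -> bool:
    """True when every outbound ACE has an inbound ACE with src/dst swapped.

    A missing mirror means one direction of that tunnel is never policed.
    """
    expected_inbound = {(d, dm, s, sm) for (s, sm, d, dm) in map(_addrs, outbound)}
    return expected_inbound == set(map(_addrs, inbound))


def build_policy(tunnels, rate_bps: int = 256000, burst_bytes: int = 1500):
    """Render the full policing configuration as a list of CLI lines."""
    # Assumed ASA limits: conform-rate 8000..2000000000 bps, burst 1000..512000000 bytes
    if not 8000 <= rate_bps <= 2_000_000_000:
        raise ValueError(f"rate {rate_bps} bps outside the ASA police range")
    if not 1000 <= burst_bytes <= 512_000_000:
        raise ValueError(f"burst {burst_bytes} bytes outside the ASA police range")
    inbound, outbound = build_acls(tunnels)
    if not check_mirrored(inbound, outbound):
        raise ValueError("inbound and outbound access-lists are not mirrors")
    return inbound + outbound + [
        "class-map vpn-inbound",
        " match access-list inbound",
        "class-map vpn-outbound",
        " match access-list outbound",
        "policy-map outside-police",
        " class vpn-inbound",
        f"  police input {rate_bps} {burst_bytes}",
        " class vpn-outbound",
        f"  police output {rate_bps} {burst_bytes}",
        "service-policy outside-police interface outside",
    ]


# Constructed sample tunnels; the first pair matches the article's example.
SAMPLE_TUNNELS = [
    Tunnel(local="192.168.201.0/24", remote="192.168.200.0/24"),
    Tunnel(local="192.168.201.0/24", remote="10.20.0.0/16"),
]

if __name__ == "__main__":
    print("\n".join(build_policy(SAMPLE_TUNNELS)))
```

Paste the output into the ASA, then use show service-policy police to confirm that both classes are matching traffic; if one class shows no conformed or exceeded packets while the tunnel is busy, the corresponding access-list entry is the first thing to check.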