topic Hello in Network Security

Traffic Policing at bad rates

n.franck — Tue, 26 Mar 2019 00:58:48 GMT

Hello

It's my first post at the cisco community. So as you will see, i'm not very fluent in English.

I have a couple of 5515 ASA (9.1(2) software) in active/passive failover.

In the past, i have configured the traffic to be policed at 500 Mbs and it worked fine.now I want to police incoming traffic at 370 Mbs and it don't works.

Regardless of police configuration, the asa continue to police at 500 mbs. However the police traffic seem to work:

FWCLI1# sh service police

Interface office:
Service-policy: office-policy
    Class-map: office-class
      Input police Interface office:
        cir 370000000 bps, bc 185000 bytes
        conformed 12088008714 packets, 16534894809058 bytes; actions: transmit
        exceeded 409706800 packets, 580106518335 bytes; actions: drop
        conformed 115580664 bps, exceed 4055000 bps

Interface Beemo:
Service-policy: Beemo-policy
    Class-map: Beemo-class
      Output police Interface Beemo:
        cir 370000000 bps, bc 185000 bytes
        conformed 12059578807 packets, 16493581309971 bytes; actions: transmit
        exceeded 57232 packets, 80699078 bytes; actions: drop
        conformed 115291880 bps, exceed 560 bps

For better comprehension, office interface is outside interface and BEEMO interface is inside interface and i implement policing traffic at 2 interface.

My cacti server indicate me that the traffic climb to 600 Mbs at outside interface and 500 Mb at inside interface as you can see in png attachements.

this amount of traffic is confirmed by my isp so i think that problem don't come from cacti server.

Does any one could help me ?

Thanks

Hi -

Paul Chapman — Thu, 26 May 2016 21:09:14 GMT

Hi -

Both of your police policies need to be "output". Currently you are only policing traffic in a unidirectional manner. By setting both police policies to output you will match traffic in both directions and drop as needed.

Hope that helps.

PSC

Hello

n.franck — Fri, 27 May 2016 07:39:56 GMT

Hello

Thanks

For now, i just want to police trafic that come from internal network and that go to external network...

Franck

Hi Franck -

Paul Chapman — Fri, 27 May 2016 17:15:55 GMT

Hi Franck -

I found a few interesting things in the documentation. 1) If a flow is established before the policer is installed, then you have to do a "clear conn" to get the new policy to apply. 2) Only outbound policers can be applied to VPN tunneled traffic.

Considering these 2 cases, have you rebooted the firewall lately? Are you trying to limit traffic to a VPN destination?

PSC