https://community.cisco.com/t5/network-security/per-flow-policing-that-is-not-into-a-vpn/m-p/1226372#M860775 <P></P><P>Can the ASA police flows based on the destination IP but not related to a VPN tunnel? </P><P></P><P>I am trying to set download rate limits to my users. Limit each individual IP to 2megs on Internet to help smooth out the peaks in the Intnernet pipe.</P><P></P><P>I am thinking that i want to match on destination IP in the direction of transmitting out the inside interface. This should give me a per IP flow policing policy but the ASA wants the 'match tunnel group' statement first so it seems the per flow policing feature is only usable within a tunnel? Do</P> Mon, 11 Mar 2019 15:19:42 GMT jcosgrove 2019-03-11T15:19:42Z https://community.cisco.com/t5/network-security/per-flow-policing-that-is-not-into-a-vpn/m-p/1226372#M860775 <P></P><P>Can the ASA police flows based on the destination IP but not related to a VPN tunnel? </P><P></P><P>I am trying to set download rate limits to my users. Limit each individual IP to 2megs on Internet to help smooth out the peaks in the Intnernet pipe.</P><P></P><P>I am thinking that i want to match on destination IP in the direction of transmitting out the inside interface. This should give me a per IP flow policing policy but the ASA wants the 'match tunnel group' statement first so it seems the per flow policing feature is only usable within a tunnel? Do</P> Mon, 11 Mar 2019 15:19:42 GMT https://community.cisco.com/t5/network-security/per-flow-policing-that-is-not-into-a-vpn/m-p/1226372#M860775 jcosgrove 2019-03-11T15:19:42Z https://community.cisco.com/t5/network-security/per-flow-policing-that-is-not-into-a-vpn/m-p/1226373#M860776 <HTML><HEAD></HEAD><BODY><P>Hi, </P><P></P><P>Try this:</P><P></P><P>access-list 100 extended permit ip any 192.168.10.0 255.255.255.0</P><P></P><P>class-map police_class</P><P> match access-list 100</P><P></P><P>policy-map police_policy</P><P> class police_class</P><P> police input 2000000 </P><P> police output 2000000 </P></BODY></HTML> Fri, 17 Apr 2009 04:11:13 GMT https://community.cisco.com/t5/network-security/per-flow-policing-that-is-not-into-a-vpn/m-p/1226373#M860776 roshan.maskey 2009-04-17T04:11:13Z https://community.cisco.com/t5/network-security/per-flow-policing-that-is-not-into-a-vpn/m-p/1226374#M860777 <HTML><HEAD></HEAD><BODY><P>Thank you for your response. This is about how far I have gotten it but I think this will police the entire class, in this case the 192.168.10.0/24 network. So the sum of all traffic on this network would be 2 meg as in your example and not per user. Am I wrong about this? </P><P></P><P>JC</P></BODY></HTML> Fri, 17 Apr 2009 09:51:23 GMT https://community.cisco.com/t5/network-security/per-flow-policing-that-is-not-into-a-vpn/m-p/1226374#M860777 jcosgrove 2009-04-17T09:51:23Z