01-19-2010 11:31 PM - edited 03-11-2019 09:58 AM
Hello all,
I have a lan2lan vpn on an ASA 5520 and am trying to limit the bandwidth of this tunnel going outside.
I have created the following configuration, but it is not working:
class-map 1.1.1.1_CM
match tunnel-group 1.1.1.1
match flow ip destination-address
policy-map VPNQOS_PM
class 1.1.1.1_CM
police output 1000000
service-policy VPNQOS_PM interface outside
As a workaround I created the following configuration, which does the trick, but not as nicely as the above config:
access-list 1.1.1.1_ACL extended permit ip host 2.2.2.2 host 3.3.3.3
access-list 1.1.1.1_ACL extended deny ip any any
class-map 1.1.1.1_CM
match access-list 1.1.1.1_ACL
policy-map VPNQOS_PM
class 1.1.1.1_CM
police output 1000000
service-policy VPNQOS_PM interface outside
Does anybody know what I am doing wrong?
Thanks!
01-27-2010 10:46 AM
By outside you mean traffic going out to the internet or going through the vpn tunnel?
01-27-2010 11:40 AM
Hi Ivan,
By outside I mean indeed traffic to the internet.
I think I have configured traffic through the tunnel at the moment.
What I really would like to know, is what my faulty configuration should do and why it doesn't work...
Regards,
Tom
01-27-2010 11:41 AM
Ok, so if that traffic is going out to the internet rather than going through the vpn tunnel this configuration will not work since the QoS config for a tunnel group applies only for traffic going through that crypto connection.
01-28-2010 02:26 AM
Hi Ivan,
I thought we were differentiating between traffic going through the tunnel and the encrypted packets (ipsec/ike) going to the internet (peer). Not traffic that is not going through the vpn tunnel.
So what I really am trying to do, is limiting the bandwidth of a VPN site-to-site tunnel, which is tunnel-group 1.1.1.1 in my example.
I don't really care if the traffic within the tunnel is limited or the entire tunnel itself.
I can confirm that when I sent packets from 2.2.2.2 to 3.3.3.3, the tunnel 1.1.1.1 is established and the vpn works perfectly.
I can confirm that limiting works with the access-lists but I cannot get the limiting to work based on the tunnel-group name (which is very dynamic and which I would prefer).
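To make the difference between the two approaches in this thread explicit, here is an added Python script (not from the thread, and not Cisco tooling) that parses the posted ASA MPF configuration and reports, for each class that polices output on an interface, whether it matches the clear-text flows of a tunnel-group or the hosts of an access-list. The merged sample config and the class-map names TUNNEL_CM and ACL_CM are constructed for the example; the rate field is None if a class has no police action.

```python
import re
from collections import defaultdict
# Constructed sample: the two configurations posted in the thread, merged into one policy-map.
ASA_CONFIG = """\
access-list 1.1.1.1_ACL extended permit ip host 2.2.2.2 host 3.3.3.3
class-map TUNNEL_CM
 match tunnel-group 1.1.1.1
 match flow ip destination-address
class-map ACL_CM
 match access-list 1.1.1.1_ACL
policy-map VPNQOS_PM
 class TUNNEL_CM
  police output 1000000
 class ACL_CM
  police output 1000000
service-policy VPNQOS_PM interface outside
"""
def parse_mpf(config):
    # Collect class-map match lines, policy-map class actions, ACL permits and service-policies.
    cmaps, pmaps, acls, spol = defaultdict(list), defaultdict(dict), defaultdict(list), []
    block, cls = None, None   # (kind, name) of the open class-map/policy-map; class inside a policy-map
    for line in (l.strip() for l in config.splitlines() if l.strip()):
        if m := re.match(r"access-list (\S+) extended permit (.+)", line):
            acls[m[1]].append(m[2])
        elif m := re.match(r"(class-map|policy-map) (\S+)", line):
            block, cls = (m[1], m[2]), None
        elif m := re.match(r"service-policy (\S+) interface (\S+)", line):
            spol.append((m[1], m[2]))
        elif block and block[0] == "class-map" and line.startswith("match "):
            cmaps[block[1]].append(line)
        elif block and block[0] == "policy-map" and (m := re.match(r"class (\S+)", line)):
            cls = m[1]
            pmaps[block[1]][cls] = []
        elif block and block[0] == "policy-map" and cls:
            pmaps[block[1]][cls].append(line)
    return cmaps, pmaps, acls, spol

def audit_policing(config):
    cmaps, pmaps, acls, spol = parse_mpf(config)
    findings = []   # (interface, class, rate_bps or None, what the class actually matches)
    for pmap, iface in spol:
        for cls, actions in pmaps[pmap].items():
            rate = next((int(a.split()[2]) for a in actions if a.startswith("police output")), None)
            crit = dict((m.split(maxsplit=2) + [""])[1:3] for m in cmaps[cls])  # {"tunnel-group": "1.1.1.1", ...}
            tg, acl = crit.get("tunnel-group"), crit.get("access-list")
            # A tunnel-group class polices the clear-text flows carried by that tunnel, not the encrypted packets on the interface.
            scope = (f"flows through tunnel-group {tg}" if tg else
                     f"ACL {acl}: " + "; ".join(acls[acl]) if acl else "no tunnel-group/access-list match")
            findings.append((iface, cls, rate, scope))
    return findings
```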