Traffic Policing at bad rates

n.franck
Level 1

Hello

It's my first post at the Cisco community. So as you will see, I'm not very fluent in English.

I have a couple of 5515 ASA (9.1(2) software) in active/passive failover.

In the past, I have configured the traffic to be policed at 500 Mbs and it worked fine. Now I want to police incoming traffic at 370 Mbs and it doesn't work.

Regardless of the police configuration, the ASA continues to police at 500 mbs. However, the traffic policing seems to work:

FWCLI1# sh service police

Interface office:
  Service-policy: office-policy
    Class-map: office-class
      Input police Interface office:
        cir 370000000 bps, bc 185000 bytes
        conformed 12088008714 packets, 16534894809058 bytes; actions:  transmit
        exceeded 409706800 packets, 580106518335 bytes; actions:  drop
        conformed 115580664 bps, exceed 4055000 bps

Interface Beemo:
  Service-policy: Beemo-policy
    Class-map: Beemo-class
      Output police Interface Beemo:
        cir 370000000 bps, bc 185000 bytes
        conformed 12059578807 packets, 16493581309971 bytes; actions:  transmit
        exceeded 57232 packets, 80699078 bytes; actions:  drop
        conformed 115291880 bps, exceed 560 bps

For better comprehension, the office interface is the outside interface and the BEEMO interface is the inside interface, and I implement traffic policing on the 2 interfaces.

My Cacti server indicates that the traffic climbs to 600 Mbs at the outside interface and 500 Mb at the inside interface, as you can see in the PNG attachments.

This amount of traffic is confirmed by my ISP, so I think that the problem doesn't come from the Cacti server.

Could anyone help me?

Thanks

Paul Chapman
Level 4

Hi -

Both of your police policies need to be "output".  Currently you are only policing traffic in a unidirectional manner.  By setting both police policies to output you will match traffic in both directions and drop as needed.

Hope that helps.

PSC

Hello

Thanks

For now, I just want to police traffic that comes from the internal network and goes to the external network...

Franck

Hi Franck -

I found a few interesting things in the documentation. 1) If a flow is established before the policer is installed, then you have to do a "clear conn" to get the new policy to apply. 2) Only outbound policers can be applied to VPN tunneled traffic.

Considering these 2 cases, have you rebooted the firewall lately? Are you trying to limit traffic to a VPN destination?

PSC 
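
An added example, not part of the thread: a short Python parser for the `sh service police` output pasted in the original post. It reports, per policer, the rate the class is actually seeing (conformed + exceed bps) as a share of the configured cir, plus the share of bytes dropped; the function names are hypothetical.

```python
import re

# Copied from the `sh service police` output in the original post.
SAMPLE = """\
Interface office:
  Service-policy: office-policy
    Class-map: office-class
      Input police Interface office:
        cir 370000000 bps, bc 185000 bytes
        conformed 12088008714 packets, 16534894809058 bytes; actions:  transmit
        exceeded 409706800 packets, 580106518335 bytes; actions:  drop
        conformed 115580664 bps, exceed 4055000 bps

Interface Beemo:
  Service-policy: Beemo-policy
    Class-map: Beemo-class
      Output police Interface Beemo:
        cir 370000000 bps, bc 185000 bytes
        conformed 12059578807 packets, 16493581309971 bytes; actions:  transmit
        exceeded 57232 packets, 80699078 bytes; actions:  drop
        conformed 115291880 bps, exceed 560 bps
"""

def parse_police(text):
    """Return one dict per '<Input|Output> police Interface <name>:' block."""
    policers, cur = [], None
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"(Input|Output) police Interface (\S+):", line):
            cur = {"direction": m[1].lower(), "interface": m[2]}
            policers.append(cur)
        elif cur is None:
            continue  # header lines before the first policer block
        elif m := re.match(r"cir (\d+) bps, bc (\d+) bytes", line):
            cur["cir_bps"], cur["bc_bytes"] = int(m[1]), int(m[2])
        elif m := re.match(r"conformed (\d+) bps, exceed (\d+) bps", line):
            cur["conformed_bps"], cur["exceed_bps"] = int(m[1]), int(m[2])
        elif m := re.match(r"(conformed|exceeded) \d+ packets, (\d+) bytes", line):
            cur[m[1] + "_bytes"] = int(m[2])
    return policers

def summarize(p):
    """Rate seen by the policed class vs. its cir, and lifetime byte drop share."""
    offered = p["conformed_bps"] + p["exceed_bps"]
    total = p["conformed_bytes"] + p["exceeded_bytes"]
    return {"interface": p["interface"], "direction": p["direction"],
            "offered_mbps": round(offered / 1e6, 1),
            "pct_of_cir": round(100 * offered / p["cir_bps"], 1),
            "drop_pct_bytes": round(100 * p["exceeded_bytes"] / total, 2)}
```

The policer counters only cover traffic matched by the class, so comparing `offered_mbps` with an interface graph such as the Cacti one shows how much of the interface traffic the policer is evaluating.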
