05-26-2016 07:18 AM - last edited on 03-25-2019 05:58 PM by ciscomoderator
Hello
It's my first post at the Cisco community. So as you will see, I'm not very fluent in English.
I have a couple of 5515 ASA (9.1(2) software) in active/passive failover.
In the past, I have configured the traffic to be policed at 500 Mbs and it worked fine. Now I want to police incoming traffic at 370 Mbs and it doesn't work.
Regardless of the police configuration, the ASA continues to police at 500 Mbs. However, the traffic policing seems to work:
FWCLI1# sh service police
Interface office:
Service-policy: office-policy
Class-map: office-class
Input police Interface office:
cir 370000000 bps, bc 185000 bytes
conformed 12088008714 packets, 16534894809058 bytes; actions: transmit
exceeded 409706800 packets, 580106518335 bytes; actions: drop
conformed 115580664 bps, exceed 4055000 bps
Interface Beemo:
Service-policy: Beemo-policy
Class-map: Beemo-class
Output police Interface Beemo:
cir 370000000 bps, bc 185000 bytes
conformed 12059578807 packets, 16493581309971 bytes; actions: transmit
exceeded 57232 packets, 80699078 bytes; actions: drop
conformed 115291880 bps, exceed 560 bps
For better comprehension, the office interface is the outside interface and the BEEMO interface is the inside interface, and I implement traffic policing on 2 interfaces.
My Cacti server indicates that the traffic climbs to 600 Mbs at the outside interface and 500 Mb at the inside interface, as you can see in the PNG attachments.
This amount of traffic is confirmed by my ISP, so I think that the problem doesn't come from the Cacti server.
Could anyone help me?
Thanks
05-26-2016 02:09 PM
Hi -
Both of your police policies need to be "output". Currently you are only policing traffic in a unidirectional manner. By setting both police policies to output you will match traffic in both directions and drop as needed.
Hope that helps.
PSC
05-27-2016 12:39 AM
Hello
Thanks
For now, I just want to police traffic that comes from the internal network and goes to the external network...
Franck
05-27-2016 10:15 AM
Hi Franck -
I found a few interesting things in the documentation. 1) If a flow is established before the policer is installed, then you have to do a "clear conn" to get the new policy to apply. 2) Only outbound policers can be applied to VPN tunneled traffic.
Considering these 2 cases, have you rebooted the firewall lately? Are you trying to limit traffic to a VPN destination?
PSC
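An added example, not part of the thread and not Cisco tooling: a small Python parser for the policer output posted in the first message, which reports each policer's direction (the point raised in the first reply), the share of bytes dropped, and how many milliseconds of traffic at the configured CIR the burst size holds. The function names `parse_policers` and `summarize` are hypothetical; the sample text is the output as posted above.

```python
import re

# Policer output exactly as posted in the first message of the thread.
SAMPLE = """\
Interface office:
Service-policy: office-policy
Class-map: office-class
Input police Interface office:
cir 370000000 bps, bc 185000 bytes
conformed 12088008714 packets, 16534894809058 bytes; actions: transmit
exceeded 409706800 packets, 580106518335 bytes; actions: drop
conformed 115580664 bps, exceed 4055000 bps
Interface Beemo:
Service-policy: Beemo-policy
Class-map: Beemo-class
Output police Interface Beemo:
cir 370000000 bps, bc 185000 bytes
conformed 12059578807 packets, 16493581309971 bytes; actions: transmit
exceeded 57232 packets, 80699078 bytes; actions: drop
conformed 115291880 bps, exceed 560 bps
"""

HEAD = re.compile(r"^\s*(Input|Output) police Interface (\S+?):\s*$")
CIR = re.compile(r"cir (\d+) bps, bc (\d+) bytes")
COUNT = re.compile(r"^\s*(conformed|exceeded) (\d+) packets, (\d+) bytes")

def parse_policers(text):
    """Return one dict per policer: interface, direction, cir, bc, byte counters."""
    policers, cur = [], None
    for line in text.splitlines():
        if m := HEAD.match(line):
            cur = {"interface": m[2], "direction": m[1].lower()}
            policers.append(cur)
        elif cur and (m := CIR.search(line)):
            cur["cir_bps"], cur["bc_bytes"] = int(m[1]), int(m[2])
        elif cur and (m := COUNT.match(line)):  # the bps rate line has no "packets"
            cur[m[1] + "_bytes"] = int(m[3])
    return policers

def summarize(p):
    """Drop share by bytes (percent) and ms of traffic at CIR that the burst holds."""
    total = p["conformed_bytes"] + p["exceeded_bytes"]
    drop_pct = 100.0 * p["exceeded_bytes"] / total if total else 0.0
    burst_ms = 1000.0 * p["bc_bytes"] * 8 / p["cir_bps"]
    return round(drop_pct, 3), round(burst_ms, 2)

if __name__ == "__main__":
    for p in parse_policers(SAMPLE):
        print(p["interface"], p["direction"], p["cir_bps"], summarize(p))
```

Comparing the same summary before and after a configuration change shows whether the cumulative exceeded counters are actually moving under the new rate.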