11-15-2013 06:59 PM
I need someone to help me understand something. I have read several sources and they appear to state that this command has changed over the ASA versions so now I have no real idea if it works as I think.
I am using QoS over ASA tunnels - code level 8.2.5. I have a class for only tunneled packets and I want to police (rate limit) the tunneled packets - not individual flows within the tunneled data. From what I gather this command will not do that. For example, if I have five users in the tunnel all sending a lot of data to each of their 5 unique destination addresses with a police output of 10Mb, I think I could actually have 50 Mb going through that tunnel at one time. Is this correct?
I think I need to discard this command and use a match access-list where the sources and destinations are the subnets of the VPN sites that would go through this tunnel. That way I police all the packets in the tunnel to the set limit. Is this reasoning correct? Thanks.
11-15-2013 10:24 PM
Hello,
Exactly.
Actually, starting with 8.2.1 it is a MUST to have this keyword when using policing and matching tunnel groups, and YES, it will match individual flows.
Rate all of the helpful posts!!!
Regards,
Jcarvaja
Follow me on http://laguiadelnetworking.com
11-15-2013 10:08 PM
I think I found my answer.
It does apply to individual flows according to the 8.2.5 command reference.
Thanks