Due to the fact we've gotten a tremendous internet upgrade, I have attempted to set up a traffic policing rule at our local ASA. Currently one of our offices has a 1GB internet uplink which saturates some of the lower speed offices.
I'm attempting to blanket-rate-limit all esp traffic out of that site with the below configuration. My understanding of this rule would be that "all esp protocol traffic traversing NYHQ-OUTSIDE_COGENT would be rate-limited to 8kb/sec"; however, both sending and receiving through that interface runs at a blistering 60 megabytes per second.
Can anyone point out where I am making a mistake?
EDIT: This is the sh inv for the ASA in question:
NYHQ-ASA# sh inv
Name: "Chassis", DESCR: "ASA 5515-X with SW, 6 GE Data, 1 GE Mgmt, AC"
PID: ASA5515
access-list NYHQ-OUTSIDE_COGENT_mpc extended permit esp any any
class-map Cogent-Class
 match access-list NYHQ-OUTSIDE_COGENT_mpc
policy-map Cogent-Policy
 class Cogent-Class
  police input 8000
  police output 8000
!
service-policy Cogent-Policy interface NYHQ-OUTSIDE_COGENT
Best Answer
I also had a similar requirement some time back. Please see this post, which details limiting from the tunnel-group; this will catch anything going via that specific VPN: cisco-asa-rate-limit-vpn-tunnel
Hope this helps; any questions, let me know. Please see more details:
The tunnel group should already be in place as per the usual config:
1) Create a class map to define the traffic which should be matched. In our case we will be matching any traffic which passes through the tunnel-group:
2) Create a policy map, associate the class map with it, and define an action for matched traffic. Below, the data rate is in bps:
3) Activate the policy map by assigning it to the external interface:
4) Verify that the policy has taken effect by pinging across the tunnel from a server behind the firewall:
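The four steps above written out as one complete ASA configuration, as an added example rather than the answerer's own config. The tunnel-group name (the documentation address 198.51.100.10) and the class-map and policy-map names are constructed placeholders; the interface name is the one from the question. Matching on the tunnel-group selects the flows belonging to that VPN rather than the ESP packets addressed to the firewall itself, and the ASA requires `match flow ip destination-address` alongside `match tunnel-group` when the action is `police`, so the rate is enforced per tunnel flow.

```cisco
! Added example of steps 1-4 (not the answerer's own configuration).
! Constructed placeholders: tunnel-group 198.51.100.10, Branch-VPN-Class,
! Branch-VPN-Policy. NYHQ-OUTSIDE_COGENT is the interface from the question.

! 1) Class map: match every flow that belongs to the site-to-site tunnel.
!    "match flow ip destination-address" is mandatory with "match tunnel-group"
!    when the class is policed; it gives per-flow (per-tunnel) policing.
class-map Branch-VPN-Class
 match tunnel-group 198.51.100.10
 match flow ip destination-address

! 2) Policy map: police the matched flows. The rate is in bits per second
!    (8000 bps is the lowest value the police command accepts); the second
!    argument is the conform burst in bytes.
policy-map Branch-VPN-Policy
 class Branch-VPN-Class
  police input 8000 1500
  police output 8000 1500

! 3) Activate the policy on the outside interface that carries the tunnel.
service-policy Branch-VPN-Policy interface NYHQ-OUTSIDE_COGENT

! 4) Verify: generate traffic across the tunnel (e.g. ping from a host behind
!    the firewall), then check that conformed/exceeded counters are moving:
! NYHQ-ASA# show service-policy interface NYHQ-OUTSIDE_COGENT police
```

An interface accepts a single service-policy, so on the ASA from the question this policy would replace Cogent-Policy on NYHQ-OUTSIDE_COGENT; the alternative is to add Branch-VPN-Class as a second class inside the existing Cogent-Policy. If the `show service-policy ... police` counters stay at zero, the class is not matching and the tunnel-group name should be checked against `show running-config tunnel-group`.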