How to implement Traffic Policing between two ASAs for IPSec traffic


Due to the fact that we've gotten a tremendous internet upgrade, I have attempted to set up a traffic policing rule at our local ASA. Currently one of our offices has a 1GB internet uplink which saturates some of the lower speed offices.

I'm attempting to blanket-rate-limit all esp traffic out of that site with the below configuration. My understanding of this rule would be that "all esp protocol traffic traversing NYHQ-OUTSIDE_COGENT would be rate limited to 8kb/sec"; however, both sending and receiving through that interface run at a blistering 60 megabytes per second.

Can anyone point out where I am making a mistake?

EDIT: This is the sh inv for the ASA in question:

NYHQ-ASA# sh inv
Name: "Chassis", DESCR: "ASA 5515-X with SW, 6 GE Data, 1 GE Mgmt, AC"
PID: ASA5515

access-list NYHQ-OUTSIDE_COGENT_mpc extended permit esp any any

class-map Cogent-Class
 match access-list NYHQ-OUTSIDE_COGENT_mpc

policy-map Cogent-Policy
 class Cogent-Class
  police input 8000
  police output 8000
!
service-policy Cogent-Policy interface NYHQ-OUTSIDE_COGENT

Best Answer

I also had a similar requirement some time back; please see this post, which details limiting from the tunnel-group, which will catch anything going via that specific VPN: cisco-asa-rate-limit-vpn-tunnel

Hope this helps; any questions, let me know. Please see more details:

The tunnel group should already be in place as per the usual config:

tunnel-group 85.205.255.6 type ipsec-l2l
tunnel-group 85.205.255.6 ipsec-attributes
 pre-shared-key *

1) Create a class map to define the traffic which should be matched; in our case we will be matching any traffic which passes through the tunnel-group:

class-map VF-VPN-Class
 match tunnel-group 85.205.255.6
 match flow ip destination-address

2) Create a policy map, associate the class map against it, and define an action for matched traffic; the rate below is in bps:

policy-map outside-policy
 class VF-VPN-Class
  police output 75000000 37500

3) Activate the policy map by assigning it to the external interface:

service-policy outside-policy interface outside

4) Verify that the policy has taken effect by pinging across the tunnel from a server behind the firewall:

(asa)# sh service-policy
Interface outside:
  Service-policy: outside-policy
    Class-map: VF-VPN-Class
      Output police Interface outside:
        cir 75000000 bps, bc 37500 bytes
        conformed 4 packets, 440 bytes; actions:  transmit
        exceeded 0 packets, 0 bytes; actions:  drop
        conformed 200 bps, exceed 0 bps
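As an added example (not from the question or the answer above), a small Python script that parses the "sh service-policy" counters shown in step 4 and flags a policer whose class-map is classifying nothing: zero conformed and zero exceeded packets is what a policy that is applied but not throttling anything looks like. Both sample outputs are constructed for the example, one modelled on the answer's output and one imitating an idle class on the question's interface; the only assumption is the output format shown above.

```python
import re

# Constructed samples (not from the post): the first mirrors the answer's "sh service-policy"
# output; the second imitates a policer whose class-map never classifies a packet.
SAMPLE_WORKING = """\
Interface outside:
  Service-policy: outside-policy
    Class-map: VF-VPN-Class
      Output police Interface outside:
        cir 75000000 bps, bc 37500 bytes
        conformed 4 packets, 440 bytes; actions:  transmit
        exceeded 0 packets, 0 bytes; actions:  drop
        conformed 200 bps, exceed 0 bps
"""
SAMPLE_IDLE = """\
Interface NYHQ-OUTSIDE_COGENT:
  Service-policy: Cogent-Policy
    Class-map: Cogent-Class
      Output police Interface NYHQ-OUTSIDE_COGENT:
        cir 8000 bps, bc 1500 bytes
        conformed 0 packets, 0 bytes; actions:  transmit
        exceeded 0 packets, 0 bytes; actions:  drop
"""

def parse_policers(text):
    """Return one dict per 'police' block: class, direction, interface, cir/bc and packet counters."""
    policers, cls, cur = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"Class-map:\s+(\S+)", line):
            cls = m.group(1)
        elif m := re.match(r"(Input|Output) police Interface (\S+):", line):
            cur = {"class": cls, "direction": m.group(1).lower(), "interface": m.group(2)}
            policers.append(cur)
        elif cur and (m := re.match(r"cir (\d+) bps, bc (\d+) bytes", line)):
            cur["cir_bps"], cur["bc_bytes"] = int(m.group(1)), int(m.group(2))
        elif cur and (m := re.match(r"(conformed|exceeded) (\d+) packets", line)):
            cur[m.group(1) + "_packets"] = int(m.group(2))
    return policers

def assess(p):
    """Zero conformed and zero exceeded packets means the class-map is classifying nothing, so the
    policer cannot be throttling the flow; burst_ms is the bc bucket expressed as time at cir."""
    seen = p.get("conformed_packets", 0) + p.get("exceeded_packets", 0)
    return {"class": p["class"], "classifying": seen > 0,
            "burst_ms": round(p["bc_bytes"] * 8000 / p["cir_bps"], 2)}
```

Run it against the real output of "sh service-policy" after generating traffic across the tunnel; a policer that stays at zero in both counters is not matching the flow you intended.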