When you want to police the encrypted traffic, you match on tunnel-group and do a 'police output'.
To police the decrypted VPN traffic, matching based on tunnel-group will not work because of the way flows are created before/after decryption. As an encrypted packet gets terminated at a tunnel, a flow is created based on the tunnel header. The packet is decrypted, a new flow is created based on the new IP header and re-injected into the appropriate forwarding interface. So, matching based on inner IP header info like DSCP, IP address etc. and 'police input' should do for decrypted traffic.

Thanks.

> Message: 2
> Date: Wed, 9 Nov 2011 09:38:16 -0600
> From: "Manire, Matt" <[email protected]>
> To: "Kingsley Charles" <[email protected]>,
>     <[email protected]>
> Subject: Re: [OSL | CCIE_Security] Policing traffic coming out from tunnel after decryption
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset="us-ascii"
>
> Kings,
>
> I thought you could only police traffic outbound. Does it work if you change the police action from an input to an output as such:
>
> class-map vpn
>  match tunnel-group 10.20.30.40
> policy-map vpn
>  class vpn
>   police output 9000
> service-policy vpn interface outside
>
> Matt Manire
> CCSP, CCNP, CCDP, MCSE 2003 & MCSE 2000
> Information Systems Security Manager
> [email protected]
> t: 817.525.1863
> f: 817.525.1903
> m: 817.271.9165
>
> First Rate | 1903 Ascension Boulevard | Arlington, TX 76006 | www.FirstRate.com
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Kingsley Charles
> Sent: Wednesday, November 09, 2011 12:08 AM
> To: [email protected]
> Subject: [OSL | CCIE_Security] Policing traffic coming out from tunnel after decryption
>
> Hi all
>
> I am trying to police packets coming out of the tunnel after decryption using the following config, but it doesn't work. Has anyone tried?
> class-map vpn
>  match tunnel-group 10.20.30.40
> policy-map vpn
>  class vpn
>   police input 9000
> service-policy vpn interface outside
>
> asa1# sh service-policy interface outside
>
> Interface outside:
>   Service-policy: vpn
>     Class-map: vpn
>       Input police Interface outside:
>         cir 9000 bps, bc 1500 bytes
>         conformed 0 packets, 0 bytes; actions: transmit
>         exceeded 0 packets, 0 bytes; actions: drop
>         conformed 0 bps, exceed 0 bps
>
> Policing packets going into the tunnel for encryption works.
>
> class-map vpn
>  match tunnel-group 10.20.30.40
>  match flow ip destination-address
> policy-map vpn
>  class vpn
>   police output 9000
> service-policy vpn interface outside
>
> With regards
> Kings
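The approach the reply at the top of this thread recommends (classify the decrypted traffic on its inner IP header rather than on the tunnel-group, and police it inbound), written out as an added ASA configuration example. It is not part of the original thread; the remote LAN 192.168.10.0/24, the local LAN 10.0.0.0/24, and the ACL and class-map names are assumed values, and the 9000 bps / 1500 byte values reuse the thread's own policer settings.

```cisco
! Constructed example: classify post-decryption traffic by its inner
! IP header (remote LAN -> local LAN are assumed addresses) instead of
! by tunnel-group, which only sees the outer/tunnel flow.
access-list VPN-DECRYPTED extended permit ip 192.168.10.0 255.255.255.0 10.0.0.0 255.255.255.0
!
class-map vpn-decrypted
 match access-list VPN-DECRYPTED
!
! Alternative inner-header selector, if the remote side marks traffic:
! class-map vpn-decrypted
!  match dscp ef
!
! Input policing on the interface where the decrypted flow is
! re-injected; same rate/burst as in the thread (9000 bps, bc 1500).
policy-map vpn
 class vpn-decrypted
  police input 9000 1500
!
service-policy vpn interface outside
```

Verify with the same `show service-policy interface outside` used in the thread: once decrypted traffic from the remote LAN arrives, the conformed/exceeded counters under class-map vpn-decrypted should start incrementing, whereas a tunnel-group-based class stays at 0 for the input direction.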
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
