When you want to police the encrypted traffic, you match on tunnel-group
and do a 'police output'.

To police the decrypted VPN traffic, matching based on tunnel-group will
not work because of the way flows are created before/after decryption. As
an encrypted packet gets terminated at a tunnel, a flow is created based on
tunnel header. The packet is decrypted, a new flow is created based on the
new IP header and re-injected into appropriate forwarding interface. So,
matching based on inner IP header info like DSCP, IP address, etc. and
'police input' should do for decrypted traffic.

Thanks.


> Message: 2
> Date: Wed, 9 Nov 2011 09:38:16 -0600
> From: "Manire, Matt" <[email protected]>
> To: "Kingsley Charles" <[email protected]>,
>        <[email protected]>
> Subject: Re: [OSL | CCIE_Security] Policing traffic coming out from tunnel after decryption
> Message-ID:
>        <[email protected]>
> Content-Type: text/plain; charset="us-ascii"
>
> Kings,
>
>
>
> I thought you could only police traffic outbound.  Does it work if you
> change the police action from an input to an output as such:
>
>
>
> class-map vpn
>  match tunnel-group 10.20.30.40
>
> policy-map vpn
>  class vpn
>  police output 9000
>
> service-policy vpn interface outside
>
>
>
> Matt Manire
> CCSP, CCNP, CCDP, MCSE 2003 & MCSE 2000
> Information Systems Security Manager
> [email protected]
> t: 817.525.1863
> f: 817.525.1903
> m: 817.271.9165
>
> First Rate | 1903 Ascension Boulevard | Arlington, TX 76006 | www.FirstRate.com
>
>
>
>
>
> From: [email protected]
> [mailto:[email protected]] On Behalf Of Kingsley
> Charles
> Sent: Wednesday, November 09, 2011 12:08 AM
> To: [email protected]
> Subject: [OSL | CCIE_Security] Policing traffic coming out from tunnel after decryption
>
>
>
> Hi all
>
> I am trying to police packets coming out of the tunnel after decryption
> using the following config but doesn't work. Has anyone tried?
>
> class-map vpn
>  match tunnel-group 10.20.30.40
>
> policy-map vpn
>  class vpn
>  police input 9000
>
> service-policy vpn interface outside
>
>
> asa1# sh service-policy interface outside
>
> Interface outside:
>  Service-policy: vpn
>    Class-map: vpn
>      Input police Interface outside:
>        cir 9000 bps, bc 1500 bytes
>        conformed 0 packets, 0 bytes; actions:  transmit
>        exceeded 0 packets, 0 bytes; actions:  drop
>        conformed 0 bps, exceed 0 bps
>
>
>
> Policing packets going into the tunnel for encryption works.
>
> class-map vpn
>  match tunnel-group 10.20.30.40
>  match flow ip destination-address
>
> policy-map vpn
>  class vpn
>  police output 9000
>
> service-policy vpn interface outside
>
>
> With regards
> Kings
>
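The two policers the reply describes, laid out side by side as an added example (this is not config posted by anyone in the thread). The peer address 10.20.30.40 and the 9000 bps / 1500 byte values come from the posts; the class names, the ACL name and the inner subnets are assumptions for illustration.

```cisco
! Added example, not from the thread. Peer 10.20.30.40 and the 9000/1500
! policer values are from the posts; class names, ACL name and the
! 192.168.10.0/24 -> 10.1.1.0/24 inner networks are assumed.

! 1) Encrypted direction: traffic leaving the outside interface toward the
!    peer. That flow is built on the tunnel (outer) header, so the class can
!    match the tunnel-group and the policer is applied on output. This is
!    the combination the thread reports as working.
class-map vpn-encrypt
 match tunnel-group 10.20.30.40
 match flow ip destination-address

! 2) Decrypted direction: once the ESP packet is decrypted, a new flow is
!    built on the inner IP header and re-injected, so the class must match
!    inner-header fields (addresses here; 'match dscp' is the other option
!    if the peer marks traffic) and the policer is applied on input.
!    'match tunnel-group' never sees this flow, which is why the original
!    'police input' counters stayed at 0.
access-list VPN_INNER extended permit ip 192.168.10.0 255.255.255.0 10.1.1.0 255.255.255.0
class-map vpn-decrypt
 match access-list VPN_INNER

policy-map vpn
 class vpn-encrypt
  police output 9000 1500 conform-action transmit exceed-action drop
 class vpn-decrypt
  police input 9000 1500 conform-action transmit exceed-action drop

service-policy vpn interface outside

! Verify: 'show service-policy interface outside' and confirm the
! conformed/exceeded counters under class vpn-decrypt increment while
! traffic is flowing from the remote site.
```

Keep VPN_INNER aligned with the networks protected by the crypto map (or the tunnel's split-tunnel list). Because the decrypted-side class no longer references the tunnel-group, the inner addresses are the only thing tying that policer to the VPN: an overly broad ACL would also throttle any clear-text traffic arriving inbound on the outside interface, and a too-narrow one silently leaves part of the tunnel's traffic unpoliced.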