Police Policy Overview

The police command creates bandwidth restrictions on traffic flows. Table 8-3 describes the
parameters for the police command, the syntax for which is as follows:
police conform-rate conform-burst | conform-action {drop | transmit} | exceed-action {drop | transmit}
The police command allows a security administrator to set maximum transmit limits, or
caps, on egress traffic through a specific interface or the global interface. The rate limit is
compared to the sustained traffic rate of the associated traffic flow. In Figure 8-2, Client A
has a VPN connection to Headquarters through an ASA 5520 Security Appliance. A policy
map has been applied to Client A’s traffic flow, and the rate has been limited to 64 kbps using
the following police command:
ASAfirewall(config-pmap-c)# police 64000 1000 conform-action transmit exceed-action drop
Table 8-3 police Command Parameters

Syntax          Description
--------------  ------------------------------------------------------------
conform-action  The action to take when the traffic rate is below the conform-burst value.
conform-rate    Sets the maximum speed (rate limit) for the traffic flow. This value can be between 8000 and 2,000,000,000.
conform-burst   Sets the maximum number of bytes allowed in a sustained burst at any one instance. This value can be between 1000 and 512,000,000.
exceed-action   The action to take when the traffic rate exceeds the conform-burst value.
drop            Drop the packet.
transmit        Transmit the packet.
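
The following is an added example, not part of the original text and not Cisco code: a single-rate token-bucket model of how conform-rate and conform-burst select between conform-action and exceed-action for the police 64000 1000 command shown above. The token-bucket behaviour, the Policer class, and the traffic pattern are assumptions constructed for illustration; the parameter ranges are those of Table 8-3.

```python
from dataclasses import dataclass, field

RATE_RANGE = (8_000, 2_000_000_000)   # conform-rate limits from Table 8-3
BURST_RANGE = (1_000, 512_000_000)    # conform-burst limits from Table 8-3 (bytes)
UNIT = 8_000  # token units per byte, so 1 ms of refill adds conform_rate units


@dataclass
class Policer:
    """Assumed token-bucket model of the police command (not the ASA's code)."""
    conform_rate: int                  # bits per second (64000 = 64 kbps)
    conform_burst: int                 # bytes
    conform_action: str = "transmit"
    exceed_action: str = "drop"
    tokens: int = field(init=False, default=0)
    last_ms: int = field(init=False, default=0)

    def __post_init__(self):
        if not RATE_RANGE[0] <= self.conform_rate <= RATE_RANGE[1]:
            raise ValueError("conform-rate must be 8000..2000000000")
        if not BURST_RANGE[0] <= self.conform_burst <= BURST_RANGE[1]:
            raise ValueError("conform-burst must be 1000..512000000")
        for action in (self.conform_action, self.exceed_action):
            if action not in ("drop", "transmit"):
                raise ValueError("action must be 'drop' or 'transmit'")
        self.tokens = self.conform_burst * UNIT      # bucket starts full

    def packet(self, now_ms: int, size: int) -> str:
        """Return the action for a packet of `size` bytes arriving at `now_ms`."""
        cap = self.conform_burst * UNIT
        # Refill for the elapsed time, never beyond conform-burst bytes.
        refill = (now_ms - self.last_ms) * self.conform_rate
        self.tokens = min(cap, self.tokens + refill)
        self.last_ms = now_ms
        cost = size * UNIT
        if cost <= self.tokens:                      # within the allowed burst
            self.tokens -= cost
            return self.conform_action
        return self.exceed_action                    # over the limit


def demo():
    """Constructed traffic: a 500-byte packet every 25 ms (160 kbps) for 1 s."""
    policer = Policer(64_000, 1_000)
    return [policer.packet(i * 25, 500) for i in range(40)]


if __name__ == "__main__":
    actions = demo()
    sent = actions.count("transmit")
    print(f"{sent} of {len(actions)} packets transmitted, {sent * 500 * 8} bits")
```

In this model a packet larger than conform-burst can never conform, because the bucket never holds more than conform-burst bytes; a 1500-byte packet against a 1000-byte burst always takes the exceed-action.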