Vaibhav Singh

Blog - vaibhavsingh.com

Rate limit an IPSec VPN tunnel

I had a task to build a site-to-site VPN tunnel with another vendor over which a large amount of data was planned to be transacted on a regular basis. On my end, the end-point was a Cisco ASA 5585-X firewall running 9.8 code.

To protect the internet circuit from being over-saturated, I decided to use MQC (Modular QoS CLI) policy to rate-limit the tunnel down to 100Mbps with a 5Mbps burst-rate.

!
! Class: match the traffic of the site-to-site tunnel-group (for an L2L
! tunnel the tunnel-group name is the peer IP). "match flow ip
! destination-address" must accompany "match tunnel-group" when the class
! is policed.
class-map VENDOR-VPN-QOS-CLASS-MAP
 match tunnel-group <tunnel-group peer ip address>
 match flow ip destination-address
!
! Policer: police output <conform-rate in bits/s> <burst-size in bytes>
! (defaults: conform-action transmit, exceed-action drop)
policy-map OUTSIDE-QOS-POLICY-MAP
 class VENDOR-VPN-QOS-CLASS-MAP
  police output 100000000 5000000
!
! Attach the policy to the outside interface.
service-policy OUTSIDE-QOS-POLICY-MAP interface <outside interface name>
!
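To make the two numbers on the police line concrete, here is an added example (not from the original post): a single-rate token-bucket policer driven with the post's values, 100000000 bit/s conform rate and a 5000000-byte burst. The token bucket is the standard policer model and is assumed here to describe the ASA's behaviour; the packet trace is constructed.

```python
from dataclasses import dataclass, field

# Values from the post's "police output 100000000 5000000" line.
CONFORM_RATE_BPS = 100_000_000   # conform rate, bits per second
BURST_SIZE_BYTES = 5_000_000     # burst size, bytes (not a bit rate)


@dataclass
class Policer:
    """Single-rate token bucket (assumed model of the ASA policer)."""
    rate_bps: int
    burst_bytes: int
    tokens: float = field(init=False)
    last_t: float = 0.0

    def __post_init__(self):
        self.tokens = float(self.burst_bytes)   # bucket starts full

    def offer(self, size_bytes: int, t: float) -> str:
        """Return 'conform' (transmit) or 'exceed' (drop) for a packet at time t."""
        # Refill at the conform rate (bits/s -> bytes/s), capped at the burst size.
        refill = (t - self.last_t) * self.rate_bps / 8
        self.tokens = min(self.burst_bytes, self.tokens + refill)
        self.last_t = t
        if size_bytes <= self.tokens:
            self.tokens -= size_bytes
            return "conform"
        return "exceed"


def police_trace(packets, rate_bps=CONFORM_RATE_BPS, burst_bytes=BURST_SIZE_BYTES):
    """packets: iterable of (time_s, size_bytes); returns (conform_bytes, exceed_bytes)."""
    policer = Policer(rate_bps, burst_bytes)
    conform = exceed = 0
    for t, size in packets:
        if policer.offer(size, t) == "conform":
            conform += size
        else:
            exceed += size
    return conform, exceed


if __name__ == "__main__":
    # Constructed trace: 4000 x 1500-byte packets (6 MB) arriving at once.
    # Only the 5 MB burst gets through; the rest exceeds and is dropped.
    print(police_trace([(0.0, 1500)] * 4000))          # (4999500, 1000500)
    # Constructed trace: 1500-byte packets every 120 us = exactly 100 Mbit/s.
    steady = [(i * 0.00012, 1500) for i in range(10000)]
    print(police_trace(steady))                        # (15000000, 0)
```

Note that the burst is a byte count, so 5000000 is 5 MB of data, not 5 Mbit/s.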
