Limit internet usage on ASA 5520 - configure policing

raptorjb007:
"So, if you want to limit bandwidth usage you need to use policing. You define the traffic that needs to be limited then set a limit and apply it to an interface.

If you need, I can assist you with configuring policing."

As a subsequent question.... I need some help configuring policing.  As far as defining the traffic, it would be all traffic that is NOT coming from a certain IP.  Traffic from IP (let's say 10.0.10.237) is to be unrestricted, and all other traffic on all other IPs would need to be throttled so that they would not exceed 9mb/s.

I have been in the ASDM >> Configuration > Security Policy > Service Policy Rules >, but I'm a little gun-shy about playing with the settings.  raptorjb007: if you are still around I will take you up on assistance with configuration.

Thanks
gracewildAsked:
raptorjb007Commented:
Hmm, that worked in my lab setup, the only other thing I can think of is to apply the policing to the inside interface and change the ACL to reference inside addresses.
0
 
raptorjb007Commented:
I have not had to configure policing previously but I'll give this a shot for you.

The following code is the set of configuration commands to define the traffic to police and then subsequently police it.

Lines 1-2 are the access-list that defines the traffic you are applying the rate policy to. Line 1 is the IP you do not want to limit.

Lines 4-5 define the traffic as a class to be used in the policy.

Lines 7-10 create the policy that applies the rate limit to your previously defined class. Line 10 specifically defines the limit you are applying. "Output" specifies the direction you are limiting, the first number representing the 9 Mbps rate limit, and the second number representing a burst rate of 9.5 Mbps. You can remove the burst rate or adjust its size to your preference.

Line 12 applies the policy to your outside interface.

Of course "PoliceClassName", "PoliceACLname", and "PolicePolicyName" are all just names that you can set to whatever you please.

Let me know how this works for you.
access-list PoliceACLname deny ip host 10.0.10.237 any
access-list PoliceACLname permit ip 10.0.10.0 255.255.255.0 any
 
class-map PoliceClassName
 match access-list PoliceACLname
 
policy-map PolicePolicyName
 description Policy to limit general traffic usage
 class PoliceClassName
  police output 9000000 9500000
 
service-policy PolicePolicyName interface outside

0
 
gracewildAuthor Commented:
Wow man.  You are much more concise than Cisco documentation.  I think I might actually understand how that language works with your example.  I will give that a shot later today and let you know how it goes.

(I'm also asking a question about logging in the same zone.)
0
 
gracewildAuthor Commented:
CompanysASA(config)# class-map PoliceClassName
CompanysASA(config-cmap)# description Policy to limit general traffic usage
CompanysASA(config-cmap)# class PoliceClassName
CompanysASA(config-cmap)# police output 9000000 9500000
                                                         ^
ERROR: % Invalid input detected at '^' marker.

raptorjb007, I was able to get the first part of the config going, but I am getting errors on the 'police' line.

any ideas?
0
 
raptorjb007Commented:
You set the police command in "policy-map" not class-map.
policy-map PolicePolicyName
 description Policy to limit general traffic usage
 class PoliceClassName
  police output 9000000 9500000

0
 
gracewildAuthor Commented:
Ok, I see what I did wrong.  I went into class-map and didn't ctrl-Z back to regular configure terminal?

Anyway, it looks like the policy is in place.  There are multiple subnets that go through the outside interface for the internet, so would it work to have the exclusion first, then have 'any' for the next set of IPs?

I couldn't figure out how to 'show' the class-map or the policy-map, but here are the 'show access-list' and 'show service-policy'

(They also changed the address on me.  They are on 10.0.10.52, but now they're saying there will be more to add to the exclusion list.  But for now would this work?):
-------------------------------------------------------------------------------------------------
GASA# show access-list PoliceACLname
access-list PoliceACLname; 2 elements
access-list PoliceACLname line 1 extended deny ip host 10.0.10.52 any (hitcnt=0)

access-list PoliceACLname line 2 extended permit ip any any (hitcnt=0)

------------------------------------------------------------------------------------------------------------
GASA# show service-policy

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: ftp, packet 13475040, drop 0, reset-drop 7

Interface outside:
  Service-policy: PolicePolicyName
    Class-map: PoliceClassName
      police Interface outside:
        cir 9000000 bps, bc 9500000 bytes
        conformed 0 packets, 0 bytes; actions:  transmit
        exceeded 0 packets, 0 bytes; actions:  drop
        conformed 0 bps, exceed 0 bps
0
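The output above is the symptom worth checking for: the policer is installed but every counter is zero. The following script, an added example that is not part of the thread, parses 'show access-list' and 'show service-policy' text in the format gracewild posted (the sample text is constructed to mirror it) and flags a police class that has never matched a packet:

```python
# Added example (not from the thread): parse ASA 'show access-list' and
# 'show service-policy' text and flag a police class whose counters never
# moved. Both sample texts are constructed to mirror the thread's output.
import re

SAMPLE_ACL = """\
access-list PoliceACLname; 2 elements
access-list PoliceACLname line 1 extended deny ip host 10.0.10.52 any (hitcnt=0)
access-list PoliceACLname line 2 extended permit ip any any (hitcnt=0)
"""

SAMPLE_SP = """\
Interface outside:
  Service-policy: PolicePolicyName
    Class-map: PoliceClassName
      police Interface outside:
        cir 9000000 bps, bc 9500000 bytes
        conformed 0 packets, 0 bytes; actions:  transmit
        exceeded 0 packets, 0 bytes; actions:  drop
"""

ACE_RE = re.compile(r"line (\d+) extended (deny|permit) (.+?) \(hitcnt=(\d+)\)")


def parse_acl_hits(text):
    """Return (line_no, action, rule, hitcnt) for every ACE in the output."""
    return [(int(n), a, r, int(h)) for n, a, r, h in ACE_RE.findall(text)]


def parse_policers(text):
    """Map class-map name -> police stats (classes without 'cir' get {})."""
    stats, cur = {}, None
    for s in (ln.strip() for ln in text.splitlines()):
        if s.startswith("Class-map:"):
            cur = s.split(":", 1)[1].strip()
            stats[cur] = {}
        elif cur and (m := re.match(r"cir (\d+) bps, bc (\d+) bytes", s)):
            stats[cur].update(cir_bps=int(m[1]), bc_bytes=int(m[2]))
        elif cur and (m := re.match(r"(conformed|exceeded) (\d+) packets", s)):
            stats[cur][m[1]] = int(m[2])
    return stats


def policer_problems(acl_text, sp_text):
    """Findings as strings; an empty list means the policer is seeing traffic."""
    findings = []
    for cls, st in parse_policers(sp_text).items():
        if "cir_bps" in st and st.get("conformed", 0) == 0 == st.get("exceeded", 0):
            findings.append(f"{cls}: policer matched no packets; check ACL vs. NAT")
    hits = parse_acl_hits(acl_text)
    if hits and all(h == 0 for _, _, _, h in hits):
        findings.append("ACL: every ACE has hitcnt=0")
    return findings
```

Run `policer_problems(SAMPLE_ACL, SAMPLE_SP)` against fresh output after some traffic has flowed; two findings on a busy link mean the class is not matching anything, which is what happened here when inside addresses were referenced on the outside interface.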
 
raptorjb007Commented:
You can use the following commands to view the specific running config sections.
"show run access-list"
"show run class-map"
"show run policy-map"
"show run service-policy"

Since the deny lines would be first you would have to delete the existing access-list and recreate it to add the new deny statements.

You may want to test the policy without the deny statement in the ACL first just to make sure it works. I am unsure how the deny statement would be handled. Typically only permit statements are used for policies.
0
 
gracewildAuthor Commented:
Strange, I posted a response Friday, but it must not have taken.  

When I had that in place, it was not policing the outbound traffic.  It's a little frustrating, because now I no longer have the configs that I printed out to show what settings were there.

So I tried with the ASDM interface...
In the ASDM, when I put in an 'all traffic' policy on the outbound interface, it limits the traffic.  However, if I try to do any sort of ACL for specific IPs, it does not limit anything. Also, the ACL would only apply itself to the inside interface, but not the outside interface, which seemed like a logical way, but it was not limiting anything.
0
 
raptorjb007Commented:
I did some testing and found some errors in my ways =)

First one is very basic. You cannot use internal NAT'd IP's on an ACL applied to the outside interface. So basically the following ACL:

access-list PoliceACLname deny ip host 10.0.10.237 any
access-list PoliceACLname permit ip 10.0.10.0 255.255.255.0 any

will not match any traffic on a policy applied to the outside interface as NAT readdresses the traffic. You can reconfigure this ACL to match all traffic and deny a host only if it has a static outside IP mapped to it.

EX. using fake external IP's.

access-list PoliceACLname deny ip host 208.67.222.222 any
access-list PoliceACLname permit ip 208.67.222.220 255.255.255.0 any

======================

Second, less obvious, the burst rate is in bytes instead of bits, even though the limit rate is in bits. Further it is the amount above the rate that is exceeded. So if you want a 9mb/s limit and a 9.5mb/s burst rate, the burst value will be the amount over the rate limit you want, in this case .5mb/s, which in bytes would be 62500 Bytes. So the police command would look like the following.

police output 9000000 62500

=======================

I guess the difficult part for you now would be to figure out how to exclude specific hosts as I am guessing most don't have static external IP's. If your goal however is to simply manage your traffic to your ISP limits to avoid overage charges, an ACL that includes all IP traffic would suffice. The next step would be to only apply the limit during the day, you can accomplish this by setting a time-range on the ACL.

time-range test
 periodic daily 8:00 to 17:00

access-list PoliceACLname permit ip any any time-range test

See code for full command listing. I hope this works.

time-range test
 periodic daily 8:00 to 17:00
 
access-list PoliceACLname permit ip any any time-range test
 
class-map PoliceClassName
 match access-list PoliceACLname
 
policy-map PolicePolicyName
 description Policy to limit general traffic usage
 class PoliceClassName
  police output 9000000 62500
 
service-policy PolicePolicyName interface outside

0
 
gracewildAuthor Commented:
If our main external interface is a static, and all traffic goes through there, could I use the ACL outside > outside and just list the 'main' external IP, as all traffic would be 'originating' from there?

0
 
raptorjb007Commented:
The PoliceACLname will need to reference IP addresses relevant to the outside interface, ie. external IP's. So if you only have one IP address all traffic will be affected by the policy. If you have multiple external IP's like say one for general access and a couple static IP's mapped to servers, you can exclude these external IP's by using a deny statement in the ACL.

The actual configuration depends on your IP's available and your NAT config.
0
 
raptorjb007Commented:
Any Luck?
0
 
gracewildAuthor Commented:
Sorry for not getting back with you.  I was unable to get the limiter working as I needed it to.  I do appreciate your help though.
0
 
gracewildAuthor Commented:
I'm going to give you the points for helping, but I am still in the same boat.

I'm currently working on another project and don't have the resources to hack at it now, but perhaps in the future, I can get a more concise description of what I'm doing and get something going.

Thanks for your help.
0