Solved

Limit internet usage on ASA 5520 - configure policing

Posted on 2008-06-18
4,512 Views
Last Modified: 2008-08-07
raptorjb007:
"So, if you want to limit bandwidth usage you need to use policing. You define the traffic that needs to be limited then set a limit and apply it to an interface.

If you need, I can assist you with configuring policing."

As a subsequent question.... I need some help configuring policing.  As far as defining the traffic, it would be all traffic that is NOT coming from a certain IP.  Traffic from one IP (let's say 10.0.10.237) is to be unrestricted, and all other traffic on all other IPs would need to be throttled so that it would not exceed 9mb/s.

I have been in the ASDM >> Configuration > Security Policy > Service Policy Rules >
but I'm a little gun-shy about playing with the settings.  raptorjb007: if you are still around I will take you up on assistance with configuration.

Thanks
0
Question by:gracewild
14 Comments
 
LVL 6

Expert Comment

by:raptorjb007
ID: 21817298
I have not had to configure policing previously but I'll give this a shot for you.

The following code contains the configuration commands to define the traffic to police and then subsequently police it.

Lines 1-2 are the access-list that defines the traffic you are applying the rate policy to. Line 1 is the IP you do not want to limit.

Lines 4-5 define the traffic as a class to be used in the policy.

Lines 7-10 create the policy that applies the rate limit to your previously defined class. Line 10 specifically defines the limit you are applying. "Output" specifies the direction you are limiting, the first number representing the 9mbps rate limit, and the second number representing a burst rate of 9.5mbps. You can remove the burst rate or adjust its size to your preference.

Line 12 applies the policy to your outside interface.

Of course "PoliceClassName", "PoliceACLname", and "PolicePolicyName" are all just names that you can set to whatever you please.

Let me know how this works for you.
access-list PoliceACLname deny ip host 10.0.10.237 any
access-list PoliceACLname permit ip 10.0.10.0 255.255.255.0 any

class-map PoliceClassName
 match access-list PoliceACLname

policy-map PolicePolicyName
 description Policy to limit general traffic usage
 class PoliceClassName
  police output 9000000 9500000

service-policy PolicePolicyName interface outside

0
 

Author Comment

by:gracewild
ID: 21821655
Wow man.  You are much more concise than Cisco documentation.  I think I might actually understand how that language works with your example.  I will give that a shot later today and let you know how it goes.

(I'm also asking a question about logging in the same zone.)
0
 

Author Comment

by:gracewild
ID: 21832092
CompanysASA(config)# class-map PoliceClassName
CompanysASA(config-cmap)# description Policy to limit general traffic usage
CompanysASA(config-cmap)# class PoliceClassName
CompanysASA(config-cmap)# police output 9000000 9500000
                                                         ^
ERROR: % Invalid input detected at '^' marker.

raptorjb007, I was able to get the first part of the config going, but I am getting errors on the 'police' line.

Any ideas?
0
 
LVL 6

Expert Comment

by:raptorjb007
ID: 21832355
You set the police command in "policy-map", not class-map.

policy-map PolicePolicyName
 description Policy to limit general traffic usage
 class PoliceClassName
  police output 9000000 9500000

0
 

Author Comment

by:gracewild
ID: 21833289
Ok, I see what I did wrong.  I went into class-map and didn't ctrl-Z back to regular configure terminal?

Anyway, it looks like the policy is in place.  There are multiple subnets that go through the outside interface for the internet, so would it work to have the exclusion first, then have 'any' for the next set of IPs?

I couldn't figure out how to 'show' the class-map or the policy-map, but here are the 'show access-list' and 'show service-policy' outputs.

(They also changed the address on me.  They are on 10.0.10.52, but now they're saying there will be more to add to the exclusion list.  But for now would this work?):
-------------------------------------------------------------------------------------------------
GASA# show access-list PoliceACLname
access-list PoliceACLname; 2 elements
access-list PoliceACLname line 1 extended deny ip host 10.0.10.52 any (hitcnt=0)

access-list PoliceACLname line 2 extended permit ip any any (hitcnt=0)

------------------------------------------------------------------------------------------------------------
GASA# show service-policy

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: ftp, packet 13475040, drop 0, reset-drop 7

Interface outside:
  Service-policy: PolicePolicyName
    Class-map: PoliceClassName
      police Interface outside:
        cir 9000000 bps, bc 9500000 bytes
        conformed 0 packets, 0 bytes; actions:  transmit
        exceeded 0 packets, 0 bytes; actions:  drop
        conformed 0 bps, exceed 0 bps
0
 
LVL 6

Expert Comment

by:raptorjb007
ID: 21833533
You can use the following commands to view the specific running config sections.
"show run access-list"
"show run class-map"
"show run policy-map"
"show run service-policy"

Since the deny lines would be first, you would have to delete the existing access-list and recreate it to add the new deny statements.

You may want to test the policy without the deny statement in the ACL first, just to make sure it works. I am unsure how the deny statement would be handled. Typically only permit statements are used for policies.
0
 

Author Comment

by:gracewild
ID: 21846949
Strange, I posted a response Friday, but it must not have taken.  

When I had that in place, it was not policing the outbound traffic.  It's a little frustrating, because now I no longer have the configs that I printed out to show what settings were there.

So I tried with the ASDM interface...
In the ASDM, when I put in an 'all traffic' policy on the outbound interface, it limits the traffic.  However, if I try to do any sort of ACL for specific IPs, it does not limit anything. Also, the ACL would only apply itself to the inside interface, but not the outside interface, which seemed like a logical way, but it was not limiting anything.
0
 
LVL 6

Expert Comment

by:raptorjb007
ID: 21871471
I did some testing and found some errors in my ways =)

First one is very basic. You cannot use internal NAT'd IPs on an ACL applied to the outside interface. So basically the following ACL:

access-list PoliceACLname deny ip host 10.0.10.237 any
access-list PoliceACLname permit ip 10.0.10.0 255.255.255.0 any

will not match any traffic on a policy applied to the outside interface, as NAT readdresses the traffic. You can reconfigure this ACL to match all traffic and deny a host only if it has a static outside IP mapped to it.

EX. using fake external IPs.

access-list PoliceACLname deny ip host 208.67.222.222 any
access-list PoliceACLname permit ip 208.67.222.0 255.255.255.0 any

======================

Second, less obvious, the burst rate is in bytes instead of bits, even though the limit rate is in bits. Further it is the amount above the rate that is exceeded. So if you want a 9mb/s limit and a 9.5mb/s burst rate, the burst value will be the amount over the rate limit you want, in this case .5mb/s, which in bytes would be 62500 Bytes. So the police command would look like the following.

police output 9000000 62500

=======================

I guess the difficult part for you now would be to figure out how to exclude specific hosts, as I am guessing most don't have static external IPs. If your goal however is to simply manage your traffic to your ISP limits to avoid overage charges, an ACL that includes all IP traffic would suffice. The next step would be to only apply the limit during the day; you can accomplish this by setting a time-range on the ACL.

time-range test
 periodic daily 8:00 to 17:00

access-list PoliceACLname permit ip any any time-range test

See code for full command listing. I hope this works.

time-range test
 periodic daily 8:00 to 17:00

access-list PoliceACLname permit ip any any time-range test

class-map PoliceClassName
 match access-list PoliceACLname

policy-map PolicePolicyName
 description Policy to limit general traffic usage
 class PoliceClassName
  police output 9000000 62500

service-policy PolicePolicyName interface outside

0
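The two things this thread trips over are the units of the `police` command (rate in bits per second, burst in bytes, as the `cir 9000000 bps, bc 9500000 bytes` line of the posted `show service-policy` output confirms) and how to tell whether a policer is matching anything at all (the posted output shows `conformed 0 packets` / `exceeded 0 packets` alongside `hitcnt=0` on the ACL, which is exactly what a class that never classifies traffic looks like). The following Python is an added example, not code from this thread or from Cisco: it renders the `police` line from a rate in bits and a burst in bits (the 0.5 Mb/s = 500000 bits = 62500 bytes conversion used above), parses `show service-policy` output, and reports policers that have never seen a packet. The sample output is constructed, modelled on gracewild's paste, with an extra `inside` block and invented counters so that one policer is idle and one is working.

```python
import re

# Constructed sample, modelled on the 'show service-policy' output posted in this
# thread. The 'inside' block and all non-zero counters are invented for illustration.
SAMPLE_SHOW_SERVICE_POLICY = """\
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: ftp, packet 13475040, drop 0, reset-drop 7

Interface outside:
  Service-policy: PolicePolicyName
    Class-map: PoliceClassName
      police Interface outside:
        cir 9000000 bps, bc 62500 bytes
        conformed 0 packets, 0 bytes; actions:  transmit
        exceeded 0 packets, 0 bytes; actions:  drop
        conformed 0 bps, exceed 0 bps

Interface inside:
  Service-policy: PolicePolicyName
    Class-map: PoliceClassName
      police Interface inside:
        cir 9000000 bps, bc 62500 bytes
        conformed 123456 packets, 98765432 bytes; actions:  transmit
        exceeded 789 packets, 1011121 bytes; actions:  drop
        conformed 8123456 bps, exceed 12345 bps
"""


def police_command(direction, rate_bps, burst_bits):
    """Render 'police <direction> <conform-rate> <conform-burst>'.

    conform-rate is bits per second; conform-burst is BYTES ('bc ... bytes' in the
    show output), so a burst expressed in bits is divided by 8 for the command line.
    """
    if direction not in ("input", "output"):
        raise ValueError("direction must be 'input' or 'output'")
    if rate_bps <= 0 or burst_bits <= 0:
        raise ValueError("rate and burst must be positive")
    return f"police {direction} {rate_bps} {burst_bits // 8}"


_INTERFACE_RE = re.compile(r"^Interface (\S+):$")
_CLASS_RE = re.compile(r"^Class-map: (\S+)$")
_POLICER_RE = re.compile(r"^cir (\d+) bps, bc (\d+) bytes$")
_COUNTER_RE = re.compile(r"^(conformed|exceeded) (\d+) packets, (\d+) bytes;")


def parse_service_policy(text):
    """Parse 'show service-policy' output into {(interface, class_map): stats}.

    stats carries cir_bps, bc_bytes and the conformed/exceeded packet and byte
    counters. Classes without a policer (inspection only) are not returned.
    """
    stats = {}
    interface = class_map = None
    current = None  # stats dict of the policer currently being read
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Global policy:":
            interface, class_map, current = "global", None, None
            continue
        m = _INTERFACE_RE.match(line)
        if m:
            interface, class_map, current = m.group(1), None, None
            continue
        m = _CLASS_RE.match(line)
        if m:
            class_map, current = m.group(1), None
            continue
        m = _POLICER_RE.match(line)
        if m and interface and class_map:
            current = stats.setdefault((interface, class_map), {})
            current["cir_bps"], current["bc_bytes"] = int(m.group(1)), int(m.group(2))
            continue
        m = _COUNTER_RE.match(line)
        if m and current is not None:
            current[m.group(1) + "_pkts"] = int(m.group(2))
            current[m.group(1) + "_bytes"] = int(m.group(3))
    return stats


def idle_policers(stats):
    """Policers whose class has never classified a packet (zero conformed AND zero
    exceeded): the symptom in this thread when the ACL names addresses that NAT
    has already rewritten on the interface the policy is applied to."""
    return sorted(key for key, s in stats.items()
                  if s.get("conformed_pkts", 0) == 0 and s.get("exceeded_pkts", 0) == 0)


def drop_ratio(stats, interface, class_map):
    """Fraction of policed packets that exceeded the rate and were dropped."""
    s = stats[(interface, class_map)]
    total = s.get("conformed_pkts", 0) + s.get("exceeded_pkts", 0)
    return s.get("exceeded_pkts", 0) / total if total else 0.0


if __name__ == "__main__":
    print(police_command("output", 9000000, 500000))
    parsed = parse_service_policy(SAMPLE_SHOW_SERVICE_POLICY)
    for key in idle_policers(parsed):
        print("policer never matched a packet:", key)
    print("inside drop ratio: %.4f" % drop_ratio(parsed, "inside", "PoliceClassName"))
```

Paste real `show service-policy` output into `parse_service_policy` after a few minutes of traffic: a policer that stays in `idle_policers` is not limiting anything, whatever ASDM shows, and the fix is in the ACL addressing or the interface choice rather than in the `police` numbers.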
 

Author Comment

by:gracewild
ID: 21886056
If our main external interface is a static, and all traffic goes through there, could I use the ACL outside > outside and just list the 'main' external IP, as all traffic would be 'originating' from there?

0
 
LVL 6

Expert Comment

by:raptorjb007
ID: 21886418
The PoliceACLname will need to reference IP addresses relevant to the outside interface, i.e. external IPs. So if you only have one IP address, all traffic will be affected by the policy. If you have multiple external IPs, like say one for general access and a couple of static IPs mapped to servers, you can exclude these external IPs by using a deny statement in the ACL.

The actual configuration depends on the IPs you have available and your NAT config.
0
 
LVL 6

Expert Comment

by:raptorjb007
ID: 21911540
Any Luck?
0
 

Author Comment

by:gracewild
ID: 22015359
Sorry for not getting back with you.  I was unable to get the limiter working as I needed it to.  I do appreciate your help though.
0
 
LVL 6

Accepted Solution

by: raptorjb007 earned 500 total points
ID: 22037279
Hmm, that worked in my lab setup, the only other thing I can think of is to apply the policing to the inside interface and change the ACL to reference inside addresses.
0
 

Author Comment

by:gracewild
ID: 22180481
I'm going to give you the points for helping, but I am still in the same boat.

I'm currently working on another project and don't have the resources to hack at it now, but perhaps in the future, I can get a more concise description of what I'm doing and get something going.

Thanks for your help.
0
