Solved

Limit internet usage on ASA 5520 - configure policing

Posted on 2008-06-18
4,597 Views
Last Modified: 2008-08-07
raptorjb007:
"So, if you want to limit bandwidth usage you need to use policing. You define the traffic that needs to be limited then set a limit and apply it to an interface.

If you need, I can assist you with configuring policing."

As a subsequent question.... I need some help configuring policing.  As far as defining the traffic, it would be all traffic that is NOT coming from a certain IP.  Traffic from IP (let's say 10.0.10.237) is to be unrestricted, and all other traffic on all other IPs would need to be throttled so that they would not exceed 9mb/s.

I have been in the ASDM >> Configuration > Security Policy > Service Policy Rules > 
but I'm a little gun-shy about playing with the settings.  raptorjb007: if you are still around I will take you up on assistance with configuration.

Thanks
0
Question by:gracewild
14 Comments
 
LVL 6

Expert Comment

by:raptorjb007
ID: 21817298
I have not had to configure policing previously but I'll give this a shot for you.

The following code contains the configuration commands to define the traffic to police and then subsequently police it.

Line 1-2 is the access-list that defines the traffic you are applying the rate policy to. Line 1 is the IP you do not want to limit.

Line 4-5 defines the traffic as a class to be used in the policy.

Line 7-10 creates the policy that applies the rate limit to your previously defined class. Line 10 specifically defines the limit you are applying. "Output" specifies the direction you are limiting, the first number representing the 9mbps rate limit, and the second number representing a burst rate of 9.5 Mbps. You can remove the burst rate or adjust its size to your preference.

Line 12 applies the policy to your outside interface.

Of course "PoliceClassName", "PoliceACLname", and "PolicePolicyName" are all just names that you can set to whatever you please.

Let me know how this works for you.
access-list PoliceACLname deny ip host 10.0.10.237 any
access-list PoliceACLname permit ip 10.0.10.0 255.255.255.0 any
 
class-map PoliceClassName
 match access-list PoliceACLname
 
policy-map PolicePolicyName
 description Policy to limit general traffic usage
 class PoliceClassName
  police output 9000000 9500000
 
service-policy PolicePolicyName interface outside


0
 

Author Comment

by:gracewild
ID: 21821655
Wow man.  You are much more concise than Cisco documentation.  I think I might actually understand how that language works with your example.  I will give that a shot later today and let you know how it goes.

(I'm also asking a question about logging in the same zone.)
0
 

Author Comment

by:gracewild
ID: 21832092
CompanysASA(config)# class-map PoliceClassName
CompanysASA(config-cmap)# description Policy to limit general traffic usage
CompanysASA(config-cmap)# class PoliceClassName
CompanysASA(config-cmap)# police output 9000000 9500000
                                                         ^
ERROR: % Invalid input detected at '^' marker.

raptorjb007, I was able to get the first part of the config going, but I am getting errors on the 'police' line.

any ideas?
0
 
LVL 6

Expert Comment

by:raptorjb007
ID: 21832355
You set the police command in "policy-map" not class-map.
policy-map PolicePolicyName
 description Policy to limit general traffic usage
 class PoliceClassName
  police output 9000000 9500000


0
 

Author Comment

by:gracewild
ID: 21833289
Ok, I see what I did wrong.  I went into class-map and didn't ctrl-Z back to regular configure terminal?

Anyway, it looks like the policy is in place.  There are multiple subnets that go through the outside interface for the internet, so would it work to have the exclusion first, then have 'any' for the next set of IP?

I couldn't figure out how to 'show' the class-map or the policy-map, but here are the 'show access-list' and 'show service-policy'

(They also changed the address on me.  They are on 10.0.10.52, but now they're saying there will be more to add to the exclusion list.  But for now would this work?):
-------------------------------------------------------------------------------------------------
GASA# show access-list PoliceACLname
access-list PoliceACLname; 2 elements
access-list PoliceACLname line 1 extended deny ip host 10.0.10.52 any (hitcnt=0)

access-list PoliceACLname line 2 extended permit ip any any (hitcnt=0)

------------------------------------------------------------------------------------------------------------
GASA# show service-policy

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: ftp, packet 13475040, drop 0, reset-drop 7

Interface outside:
  Service-policy: PolicePolicyName
    Class-map: PoliceClassName
      police Interface outside:
        cir 9000000 bps, bc 9500000 bytes
        conformed 0 packets, 0 bytes; actions:  transmit
        exceeded 0 packets, 0 bytes; actions:  drop
        conformed 0 bps, exceed 0 bps
0
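The two 'show' outputs above are the evidence that matters when a policer seems to do nothing: every ACE reports hitcnt=0 and the police counters on the outside interface are all zero, so the class is never matching. The following Python is an added example (not code from the thread or from Cisco) that parses those two outputs, reproduced here as constructed strings, and flags exactly that condition. The field layout it expects is the one pasted in the post; the check it performs (zero hits on an outside-interface policy means the ACL is probably naming addresses that do not appear on that interface) is the diagnosis reached later in the thread.

```python
import re

# Constructed sample input: the two 'show' outputs pasted in the thread,
# reproduced here as strings so the parser can run offline.
SHOW_ACCESS_LIST = """\
access-list PoliceACLname; 2 elements
access-list PoliceACLname line 1 extended deny ip host 10.0.10.52 any (hitcnt=0)
access-list PoliceACLname line 2 extended permit ip any any (hitcnt=0)
"""

SHOW_SERVICE_POLICY = """\
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: ftp, packet 13475040, drop 0, reset-drop 7

Interface outside:
  Service-policy: PolicePolicyName
    Class-map: PoliceClassName
      police Interface outside:
        cir 9000000 bps, bc 9500000 bytes
        conformed 0 packets, 0 bytes; actions:  transmit
        exceeded 0 packets, 0 bytes; actions:  drop
        conformed 0 bps, exceed 0 bps
"""

ACE_RE = re.compile(
    r"^access-list (\S+) line (\d+) extended (permit|deny) (.+?) \(hitcnt=(\d+)\)")
CIR_RE = re.compile(r"^cir (\d+) bps, bc (\d+) bytes")
COUNTER_RE = re.compile(
    r"^(conformed|exceeded) (\d+) packets, (\d+) bytes; actions:\s+(\w+)")


def parse_access_list(text):
    """Return one dict per ACE with its action, match text and hit counter."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            aces.append({"acl": m.group(1), "line": int(m.group(2)),
                         "action": m.group(3), "match": m.group(4),
                         "hitcnt": int(m.group(5))})
    return aces


def parse_service_policy(text):
    """Return one dict per 'police' block: where it is applied, its rate
    parameters, and the conformed/exceeded counters."""
    policers = []
    scope = policy = cmap = None
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("police "):
            current = {"scope": scope, "policy": policy, "class": cmap}
            policers.append(current)
        elif line.endswith(":"):
            # 'Global policy:' or 'Interface outside:' opens a new section
            scope, current = line[:-1], None
        elif line.startswith("Service-policy:"):
            policy = line.split(":", 1)[1].strip()
        elif line.startswith("Class-map:"):
            cmap = line.split(":", 1)[1].strip()
        elif current is not None:
            m = CIR_RE.match(line)
            if m:
                current["cir_bps"] = int(m.group(1))
                current["bc_bytes"] = int(m.group(2))
                continue
            m = COUNTER_RE.match(line)
            if m:
                current[m.group(1)] = {"packets": int(m.group(2)),
                                       "bytes": int(m.group(3)),
                                       "action": m.group(4)}
    return policers


def policer_health(aces, policers):
    """Flag a policer that has never classified a packet, and an ACL none of
    whose ACEs has a hit. On a policy applied to 'outside' that is the symptom
    of an ACL written with pre-NAT inside addresses."""
    findings = []
    for p in policers:
        seen = (p.get("conformed", {}).get("packets", 0)
                + p.get("exceeded", {}).get("packets", 0))
        if seen == 0:
            findings.append(f"{p['policy']}/{p['class']} on {p['scope']}: "
                            "police counters are zero, class never matched")
    if aces and all(a["hitcnt"] == 0 for a in aces):
        findings.append(f"{aces[0]['acl']}: no ACE has any hits; check that the "
                        "addresses are the ones seen on the interface the "
                        "policy is applied to (post-NAT on 'outside')")
    return findings


if __name__ == "__main__":
    aces = parse_access_list(SHOW_ACCESS_LIST)
    pols = parse_service_policy(SHOW_SERVICE_POLICY)
    for f in policer_health(aces, pols):
        print("WARNING:", f)
```

Run against the pasted output it prints two warnings. Re-running it after generating some traffic, and seeing the conformed or exceeded counters move, is the quickest way to tell a policer that is working but never exceeded from one whose class simply never matches.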
 
LVL 6

Expert Comment

by:raptorjb007
ID: 21833533
You can use the following commands to view the specific running config sections.
"show run access-list"
"show run class-map"
"show run policy-map"
"show run service-policy"

Since the deny lines would be first you would have to delete the existing access-list and recreate it to add the new deny statements.

You may want to test the policy without the deny statement in the ACL first just to make sure it works. I am unsure how the deny statement would be handled. Typically only permit statements are used for policies.
0
 

Author Comment

by:gracewild
ID: 21846949
Strange, I posted a response Friday, but it must not have taken.  

When I had that in place, it was not policing the outbound traffic.  It's a little frustrating, because now I no longer have the configs that I printed out to show what settings were there.

So I tried with the ASDM interface...
In the ASDM, when I put in an 'all traffic' policy on the outbound interface, it limits the traffic.  However, if I try to do any sort of ACL for specific IPs, it does not limit anything. Also, the ACL would only apply itself to the inside interface, but not the outside interface, which seemed like a logical way, but it was not limiting anything.
0
 
LVL 6

Expert Comment

by:raptorjb007
ID: 21871471
I did some testing and found some errors in my ways =)

First one is very basic. You cannot use internal NAT'd IP's on an ACL applied to the outside interface. So basically the following acl:

access-list PoliceACLname deny ip host 10.0.10.237 any
access-list PoliceACLname permit ip 10.0.10.0 255.255.255.0 any

will not match any traffic on a policy applied to the outside interface as NAT readdresses the traffic. You can reconfigure this ACL to match all traffic and deny a host only if it has a static outside IP mapped to it.

EX. using fake external IP's.

access-list PoliceACLname deny ip host 208.67.222.222 any
access-list PoliceACLname permit ip 208.67.222.220 255.255.255.0 any

======================

Second, less obvious, the burst rate is in bytes instead of bits, even though the limit rate is in bits. Further it is the amount above the rate that is exceeded. So if you want a 9mb/s limit and a 9.5mb/s burst rate, the burst value will be the amount over the rate limit you want, in this case .5mb/s, which in bytes would be 62500 Bytes. So the police command would look like the following.

police output 9000000 62500

=======================

I guess the difficult part for you now would be to figure out how to exclude specific hosts as I am guessing most don't have static external IP's. If your goal however is to simply manage your traffic to your ISP limits to avoid overage charges, an ACL that includes all IP traffic would suffice. The next step would be to only apply the limit during the day, you can accomplish this by setting a time-range on the ACL.

time-range test
 periodic daily 8:00 to 17:00

access-list PoliceACLname permit ip any any time-range test

See code for full command listing. I hope this works.

time-range test
 periodic daily 8:00 to 17:00
 
access-list PoliceACLname permit ip any any time-range test
 
class-map PoliceClassName
 match access-list PoliceACLname
 
policy-map PolicePolicyName
 description Policy to limit general traffic usage
 class PoliceClassName
  police output 9000000 62500
 
service-policy PolicePolicyName interface outside


0
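The post above turns on the units of the two police arguments: the rate is in bits per second, the burst in bytes, and the earlier 'show service-policy' output confirmed it ('cir 9000000 bps, bc 9500000 bytes'). The following Python is an added example, not code from the thread or from Cisco, that models the policer as a standard single-rate, two-colour token bucket (an assumption about the ASA implementation: cir refills the bucket, bc is its depth in bytes, a packet that fits the bucket is transmitted and one that does not is dropped). It runs one constructed overload, 20 Mb/s for two seconds as 1500-byte packets, through both burst values discussed in the thread to show why the choice of bc matters as much as the rate.

```python
class TokenBucketPolicer:
    """Single-rate, two-colour policer (assumed model of 'police output
    <cir> <bc>'): cir is in bits per second, bc is the bucket depth in bytes."""

    def __init__(self, cir_bps, bc_bytes):
        self.refill_bytes_per_s = cir_bps / 8.0
        self.depth = float(bc_bytes)
        self.tokens = float(bc_bytes)   # bucket starts full
        self.last_t = 0.0
        self.conformed = {"packets": 0, "bytes": 0}
        self.exceeded = {"packets": 0, "bytes": 0}

    def offer(self, t, size):
        """Offer a packet of `size` bytes at time `t` seconds and return the
        action taken, mirroring the transmit/drop actions in the show output."""
        elapsed = t - self.last_t
        self.tokens = min(self.depth,
                          self.tokens + elapsed * self.refill_bytes_per_s)
        self.last_t = t
        if size <= self.tokens:
            self.tokens -= size
            self.conformed["packets"] += 1
            self.conformed["bytes"] += size
            return "transmit"
        self.exceeded["packets"] += 1
        self.exceeded["bytes"] += size
        return "drop"


def constant_stream(offered_bps, duration_s, pkt_bytes=1500):
    """Constructed packet trace: packets evenly spaced so that the offered
    load equals offered_bps for duration_s seconds."""
    interval = pkt_bytes * 8 / offered_bps
    t = 0.0
    while t < duration_s:
        yield t, pkt_bytes
        t += interval


def simulate(cir_bps, bc_bytes, offered_bps=20_000_000, duration_s=2.0):
    """Run one constructed overload (default 20 Mb/s for 2 s) through the
    policer and return its (conformed, exceeded) counters."""
    policer = TokenBucketPolicer(cir_bps, bc_bytes)
    for t, size in constant_stream(offered_bps, duration_s):
        policer.offer(t, size)
    return policer.conformed, policer.exceeded


if __name__ == "__main__":
    for bc in (9_500_000, 62_500):
        conformed, exceeded = simulate(9_000_000, bc)
        print(f"cir 9000000 bps, bc {bc} bytes: conformed {conformed['bytes']} "
              f"bytes, exceeded {exceeded['bytes']} bytes")
```

With bc set to 9,500,000 bytes (the value taken from the first version of the config, where it was meant as bits) the bucket holds over eight seconds' worth of traffic at 9 Mb/s, so the whole two-second burst at more than twice the rate is transmitted without a single drop; the policer is configured but effectively idle against short bursts. With bc at 62,500 bytes the bucket drains within milliseconds and roughly half of the offered bytes are dropped, which is the behaviour a 9 Mb/s cap is expected to show.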
 

Author Comment

by:gracewild
ID: 21886056
If our main external interface is a static, and all traffic goes through there, could I use the ACL outside > outside and just list the 'main' external IP, as all traffic would be 'originating' from there?

0
 
LVL 6

Expert Comment

by:raptorjb007
ID: 21886418
The PoliceACLname will need to reference IP addresses relevant to the outside interface, ie. external IP's. So if you only have one IP address all traffic will be affected by the policy. If you have multiple external IP's like say one for general access and a couple static IP's mapped to servers, you can exclude these external IP's by using a deny statement in the ACL.

The actual configuration depends on your IP's available and your NAT config.
0
 
LVL 6

Expert Comment

by:raptorjb007
ID: 21911540
Any Luck?
0
 

Author Comment

by:gracewild
ID: 22015359
Sorry for not getting back with you.  I was unable to get the limiter working as I needed it to.  I do appreciate your help though.
0
 
LVL 6

Accepted Solution

by:
raptorjb007 earned 500 total points
ID: 22037279
Hmm, that worked in my lab setup, the only other thing I can think of is to apply the policing to the inside interface and change the ACL to reference inside addresses.
0
 

Author Comment

by:gracewild
ID: 22180481
I'm going to give you the points for helping, but I am still in the same boat.

I'm currently working on another project and don't have the resources to hack at it now, but perhaps in the future, I can get a more concise description of what I'm doing and get something going.

Thanks for your help.
0
