  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2048

Cisco ASA QoS For Bandwidth

On my router I had a QoS setup that was needed as my uplink is 1Gbit, but my bandwidth limitation was 100MBit Dedicated.

On the ASA, what's the similar function to set the bandwidth limits?
Asked: TestMonkey
3 Solutions
 
Svet PaperovIT ManagerCommented:
There is no single command on Cisco ASA that can do that. You can implement throttling using service policies. Here is an example of two service policies, one applied on the inside interface and limiting inbound traffic, the other applied on the outside interface and limiting outbound SMTP and FTP traffic. You can check the IOS manuals to see how it works.

! police <input|output> <conform-rate in bits per second> <burst in bytes>
policy-map outside-policy
 description OUTSIDE interface Service Policy
 class FTP-Throttling-CLASS
  police output 300000 1500
 class SMTP-Throttling-CLASS
  police output 200000 200000
policy-map inside-policy
 description INSIDE interface Service Policy
 class IP-10-Throttling-CLASS
  police output 1500000 20000000
!
! class-maps select the traffic each policer applies to via an access-list
class-map IP-10-Throttling-CLASS
 description Limit inbound traffic towards 192.168.10.10 during business hours
 match access-list inside_mpc
class-map FTP-Throttling-CLASS
 description Limit FTP outbound traffic during working hours
 match access-list outside_mpc_2
!
! attach each policy-map to its interface
service-policy inside-policy interface inside
service-policy outside-policy interface outside
!
access-list inside_mpc extended permit ip any host 192.168.10.10 time-range WORKING_HOURS
access-list outside_mpc_2 extended permit tcp host xxx.xxx.xxx.123 any time-range WORKING_HOURS


0
 
TestMonkeyAuthor Commented:
I don't want to limit based on traffic type, I want to limit based on available bandwidth.
0
 
Svet PaperovIT ManagerCommented:
This was just an example. Neither of the class maps actually limits on the type of traffic. I just called them SMTP and FTP classes for convenience because they work that way in my setup. You will need to check the Cisco manual for the syntax of these commands.
0
 
TestMonkeyAuthor Commented:
I've been looking and have had little luck. I can set a QoS policy on a router and just set the data limits outgoing and incoming on interface outside; it doesn't want to work that way on the ASA.

I added over 300 service objects to cover our traffic, traffic types etc. :P If I use that method I'd be setting it up for months, I would think.
0
 
TestMonkeyAuthor Commented:
Is there a command to limit all traffic going out to 100Mbit, or limit incoming to 100Mbit?
0
 
Svet PaperovIT ManagerCommented:
No, there is not. It is done with the service-policy command. But if you want to limit 1Gbps to 100Mbit, why don't you just put a cheap 100Mbps switch in the path?
0
 
TestMonkeyAuthor Commented:
Well, that doesn't make any sense at all. I can't set a policy that says no more than 100Mbit going in and out on the outside interface?

I have to set traffic types?

I went from a router and added the firewall. I can't believe I spent 10000 on this firewall and it's not capable of a rate limit.
0
 
Svet PaperovIT ManagerCommented:
Yes, you can - using service-policy. You specify the interesting traffic using access lists and you apply that policy on the interface. With the access list you can nail it to a specific IP range, subnet, port, or even all IP - it is your choice. Actually, being a little bit more complex, the service policies are very powerful.
0
 
TestMonkeyAuthor Commented:
Don't mean to be an idiot, but what is the interesting traffic? Set any traffic type on interface outside, or do you mean specifying HTTP, HTTPS, H323, FTP, SFTP, TFTP, IPSEC etc. etc., then for example individual ports manipulated for SIP (5060, 5250 are currently in use)? See where I'm going? There are 100s of custom ports, NAT'd ports, over 200 public routable IPs. If I have to literally set a port on each type when I don't care about the traffic... I don't care if someone is using all the bandwidth on FTP, or doing a test of 5000 calls; the 100MBit is available for all and everything with zero limitations based on the type of traffic. I need it to match my ISP's set limits.

If I can't, the firewall needs to be removed and another one looked at that is capable of something so simple.
0
 
Svet PaperovIT ManagerCommented:
Yes, it can be any IP traffic going through a single interface in inbound or outbound directions. You don’t need to specify the ports as HTTP, HTTPS, etc in the access-list if you need to limit everything. So your access list needs to match only the subnets (source or destination) as it is done in any other access-list.

Here is another example that matches better what you need http://slazyk.com/2009/08/bandwidth-policing-throttling-cisco-asa/
 
0
 
TestMonkeyAuthor Commented:
police output 1500000 20000000

100Mbits translated into Mbits, and the second number, from my understanding, is bytes for bursting?
0
 
Svet PaperovIT ManagerCommented:
Yes
0
 
TestMonkeyAuthor Commented:
Your above settings wouldn't be for 100Mbit, and the burst is larger than the policed output?

I thought it would be something like 104857600 for the first, and I have 8000 for the second. The document states the first number is in bits, the second in bytes, so bytes shouldn't be larger than the bits, or am I wrong?

And what would a good setting be? I have police output 104857600 8000 and my upload still drops packets.
0
 
Svet PaperovIT ManagerCommented:
You can set the burst as small as an MTU size, 1500 for example - you wouldn't have a burst like that. When you have traffic faster than the first number in bps, the ASA starts to drop packets. If you see dropped packets, that means the policy works.
The second link that I provided you matches better what you need. In my setup of 1500000 20000000 the policy limits to 1.5Mbps only after the first 20MB.


0
 
TestMonkeyAuthor Commented:
police output 104857600 ?

20MBit or Bytes?

I just need it throttled from me to the ISP. I'm not understanding the burst thing, nor the real use for it in my case. Not trying to be a tard, but I have 5GB uploads that take place that I don't want to limit at a lower speed etc.; I want it to get a full 100Mbit sustained.
0
 
Svet PaperovIT ManagerCommented:
police output 104857600 1500 will limit everything at 100Mbps
police output 104857600 20000000 will pass the first 20000000 bytes at max speed and then will start to limit - that's the burst
0
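A complete configuration for what the thread asks for, added here as an example and not taken from the original thread or from Cisco's own documentation: it follows the two answers above (match all IP traffic instead of per-protocol entries, and use a small burst so the limit applies from the first packet) and polices the outside interface to 100 Mbps in each direction. It assumes the ISP-facing interface has nameif "outside"; the class-map and policy-map names are made up. The police command takes the conform rate in bits per second and the burst in bytes, so 100 Mbps is 100000000 (the thread's 104857600 is 100 x 2^20 and can be substituted).

```cisco
! Added example, not from the original thread. Assumes nameif "outside".
!
! police <input|output> <conform-rate bits/sec> <burst bytes> ...
!   conform-rate : sustained rate allowed (100 Mbps = 100000000 bps)
!   burst        : bytes that may pass above the rate before drops start;
!                  1500 (about one packet) makes the limit effectively immediate,
!                  20000000 would let the first 20 MB through at line rate
!   conform-action transmit / exceed-action drop are the defaults, shown here
!   explicitly: packets within the rate are forwarded, the excess is dropped
class-map ALL-TRAFFIC-CLASS
 description Match every packet, no per-protocol or per-port entries needed
 match any
!
policy-map OUTSIDE-100M-POLICY
 description Throttle the ISP-facing interface to the 100 Mbps contract
 class ALL-TRAFFIC-CLASS
  police input 100000000 1500 conform-action transmit exceed-action drop
  police output 100000000 1500 conform-action transmit exceed-action drop
!
service-policy OUTSIDE-100M-POLICY interface outside
!
! Verification: confirm the policer is attached and watch its counters.
! A rising "exceeded" count is the policer enforcing the limit, not a fault.
! show service-policy interface outside police
```

Only one policy can be attached per interface, so if an existing service-policy (for example the default inspection policy applied via a global policy-map) is already on the outside interface, add this class to it rather than creating a second one.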
 
TestMonkeyAuthor Commented:
police output 104857600 1500 will limit everything at 100Mbps

Testing this now
0
 
TestMonkeyAuthor Commented:
Should I use Conform Action Transmit and Exceed Drop?

Conform can transmit or drop, and Burst Size can be either as well.
0
 
TestMonkeyAuthor Commented:
police output 104857600

This one is working; I didn't add the 1500.
0
 
TestMonkeyAuthor Commented:
parts of both
0
