
Cisco ASA QoS For Bandwidth

TestMonkey asked
Last Modified: 2012-05-11
On my router I had a QoS setup that was needed as my uplink is 1Gbit, but my bandwidth limitation was 100MBit Dedicated.

On the ASA, what's the similar function to set the bandwidth limits?

IT Manager
Commented:

Author

Commented:
I don't want to limit based on traffic type; I want to limit based off available bandwidth.
Svet Paperov, IT Manager

Commented:
This was just an example. Neither of the class maps actually limits on the type of traffic. I just called them SMTP and FTP classes for convenience because they work that way in my setup. You will need to check the Cisco manual for the syntax of these commands.

Author

Commented:
I've been looking and have had little luck. I can set a QoS policy on a router and just set the data limits outgoing and incoming on interface outside; it doesn't want to work that way on the ASA.

I added over 300 Service Objects to cover our traffic, traffic types etc. :P If I use that method I'd be setting it up for months, I would think.

Author

Commented:
Is there a command to limit all traffic going out to 100Mbit? Or limit incoming to 100Mbit?
Svet Paperov, IT Manager

Commented:
No, there is not. It is done with the service-policy command. But if you want to limit 1Gbps to 100Mbit, why don't you just put a cheap 100Mbps switch in the path?

Author

Commented:
Well, that doesn't make any sense at all. I can't set a policy that says no more than 100Mbit going in and out on outside interface?

I have to set traffic types?

I went from a router and added the firewall. I can't believe I spent 10000 on this firewall and it's not capable of a rate limit.
Svet Paperov, IT Manager

Commented:
Yes, you can - using service-policy. You specify the interesting traffic using access lists and you apply that policy on the interface. With the access list you can nail it to a specific IP range, subnet, port, or even all IP - it is your choice. Actually, being a little bit more complex, the service policies are very powerful.

Author

Commented:
Don't mean to be an idiot, but what is the interesting traffic? Set any traffic type on interface outside, or do you mean specifying HTTP, HTTPS, H323, FTP, SFTP, TFTP, IPSEC etc. etc., then for example individual ports manipulated for SIP (5060 and 5250 are currently in use)? See where I'm going? There are 100s of custom ports, NAT'd ports, over 200 public routable IPs. If I have to literally set a port on each type when I don't care about the traffic... I don't care if someone is using all the bandwidth on FTP, or doing a test of 5000 calls; the 100MBit is available for all and everything with zero limitations based on the type of traffic. I need it to match my ISP's set limits.

If I can't do it, the firewall needs to be removed and another one looked at that is capable of something so simple.
Svet Paperov, IT Manager

Commented:
Yes, it can be any IP traffic going through a single interface in inbound or outbound directions. You don’t need to specify the ports as HTTP, HTTPS, etc in the access-list if you need to limit everything. So your access list needs to match only the subnets (source or destination) as it is done in any other access-list.

Here is another example that better matches what you need: http://slazyk.com/2009/08/bandwidth-policing-throttling-cisco-asa/
 

Author

Commented:
police output 1500000 20000000

100Mbits translated into Mbits, and the second number, from my understanding, is bytes for bursting?
Svet Paperov, IT Manager

Commented:
Yes

Author

Commented:
Your above settings wouldn't be for 100Mbit, and the burst is larger than the policed output?

I thought it would be something like 104857600 for the first, and I have 8000 for the second. The document states the first number is in bits, the second in bytes, so bytes shouldn't be larger than the bits, or am I wrong?

And what would a good setting be? I have police output 104857600 8000 and my upload still drops packets.
Svet Paperov, IT Manager
Commented:

Author

Commented:
police output 104857600 ?

20MBit or Bytes?

I just need it throttled from me to ISP. I'm not understanding the burst thing, nor the real use for it in my case. Not trying to be a tard, but I have 5GB uploads that take place that I don't want to limit at a lower speed etc.; I want it to get a full 100Mbit sustained.
Svet Paperov, IT Manager

Commented:
police output 104857600 1500 will limit everything at 100Mbps
police output 104857600 20000000 will pass the first 20000000 bytes at max speed and then will start to limit - that's the burst
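
The approach discussed in this thread, assembled as an added example that is not from any poster: a policy that polices all traffic on the outside interface regardless of protocol or port. The class-map and policy-map names are hypothetical, and the burst value is a constructed starting point (about 100 ms of traffic at the conform rate), not a figure from the thread.

```cisco
! Added example; the names CM-ALL-TRAFFIC and PM-OUTSIDE-RATE are hypothetical.
! Match every packet, so no per-protocol or per-port classes are needed.
class-map CM-ALL-TRAFFIC
 match any
!
policy-map PM-OUTSIDE-RATE
 class CM-ALL-TRAFFIC
  ! police <direction> <conform-rate in bits/s> <conform-burst in bytes>
  ! 104857600 is the rate used in the thread; 1310720 bytes is an assumed burst.
  police output 104857600 1310720 conform-action transmit exceed-action drop
  police input 104857600 1310720 conform-action transmit exceed-action drop
!
! Attach the policy to the interface named in the thread.
service-policy PM-OUTSIDE-RATE interface outside
!
! Verify: the conformed and exceeded counters show whether the policer is dropping.
show service-policy interface outside
```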

Author

Commented:
police output 104857600 1500 will limit everything at 100Mbps

Testing this now

Author

Commented:
Should I use Conform Action Transmit and Exceed Drop?

Conform can transmit or drop and Burst Size can be either as well

Author

Commented:
parts of both