We have a Cisco 3750 switch and an ASA. The ASA has 100Mbps bandwidth from ISP and it has two ports connected to the switch (inside and outside). 100 users are behind this ASA to access internet. What we want to achieve is to throttle the download rate for these 100 users to 70Mbps and retain the rest of the 30Mbps for other services.
Ideally I should do the traffic shaping/policing on the switch for the outside interface outbound direction. But according to Cisco article, 3750 series only allows to do the traffic shaping/policing on the inbound traffic not outbound. My question is:
If I do the traffic shaping/polcing on the switch for inside interface ingress direction, will it also work?
Litterally it shouldn't work because it only restrict the rate between users (LAN) and the ASA inside interface. However, does TCP protocol know how to adjust the rate to avoid too much packets being dropped before it goes to the inside interface? So the rate between ISP and the ASA outside can also be shaped? It's something related to TCP congestion theory I think. Anyone ever tested this in your environment or do you have other suggestions?
access-list 101 permit ip any any
class-map match-any RSP_ASA_Class
match access-group 101
police 70000000 1000000 exceed-action drop
service-policy input RSP_ASA