Solved

Cisco ASA  Bandwidth Control

Posted on 2014-02-11
2,688 Views
Last Modified: 2014-02-12
Hello,

At my current job we are having issues with making the most out of limited bandwidth.  We were trying Untangle, but this is out of our price range.  

So, in the absence of something like Untangle, I was thinking that we could make the most out of our ASA, which is already paid for.

I have a CCNA, which I just got recently, but I don't have that much actual experience, and ASAs are not really within the scope of that cert anyway.

Based on some googlefoo, I know there are traffic policing and shaping policies that can be configured on this device. The former can be applied to inside and outside, dropping packets if they exceed whatever; the latter is only applicable to the outside interface and depends on RAM for buffering (which I am worried will be overloaded).

This ASA has a lot of pre-existing configurations and provides not only internet access, but VPN access.

I would love to be able to create some kind of rule, policing or shaping, to throttle internal users' connections to the internet (i.e. not affecting LAN access) to only 300 kbits a second of bandwidth each, regardless of what protocol they are using. I.e. the idea being that no one user can saturate the entire connection... which they currently can if the source has more bandwidth than us.

I am looking for a simple command and explanation to do this, or an explanation as to why this is not possible and maybe the next best alternative command. Also, just to confirm, which interface would such a rule be applied to? Internal? I don't want this to throttle internal LAN communications, just communications to the internet.

Thanks for your help and feedback.
Question by:CnicNV
6 Comments
 

Expert Comment

by:Soulja
Firstly, you won't be able to do this on a per-user basis.
With that said, you need to first create an extended access list that will:

1. First, deny traffic sourced from your internal subnets to the VPN far-end subnets
2. Second, permit traffic sourced from your internal subnets to the internet

Then you create a class map to match the access list you created.
Then create a policy map to enforce policing at the limit you want to restrict the traffic to.

Example config:

! Deny the VPN far-end subnet first so site-to-site traffic is not classified (and so not policed)
access-list internet_outbound extended deny ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
! Then permit everything else sourced from the internal subnet, i.e. internet-bound traffic
access-list internet_outbound extended permit ip 192.168.1.0 255.255.255.0 any

class-map internet_limit
 match access-list internet_outbound

policy-map throttle_internet
 class internet_limit
  ! download limit to 512k: traffic leaving the inside interface toward the LAN
  ! (conform-rate 512000 bit/s, conform-burst 96000 bytes)
  police output 512000 96000 conform-action transmit exceed-action drop
  ! upload limit to 256k: traffic entering the inside interface from the LAN
  police input 256000 96000 conform-action transmit exceed-action drop

service-policy throttle_internet interface inside

 

Author Comment

by:CnicNV
Hi Soulja,

What is the purpose of the two ACL entries? I am guessing to not throttle VPN traffic and to throttle regular LAN-to-WAN traffic?

I figured it would not be able to do this on a per-user basis, as it would need some sort of sophisticated method of using LDAP to correlate users with network traffic origin.

So my next question would be, how is this traffic policing command handling traffic? I.e., just to confirm that the limit would not be based on the interface globally (i.e. all aggregate traffic through the inside interface limited to d512k/u256k) and that instead it would be, as I am hoping, based on each new connection traversing that interface? I.e., if someone establishes an FTP session, it is limited to d512k/u256k, and then they start streaming a WebEx conference and this is a new stream of d512k/u256k, totaling d1024k/u512k. This is ideal, as I don't want to limit the entire interface to only d512k/u256k.

Thanks
 

Expert Comment

by:Soulja
The ACL is to match the source and destination traffic that will be policed. The reason I deny the first line is because that is the traffic between the VPN subnets.

Basically, all traffic sourcing from the internal subnet headed to the internet would be policed; if it goes over 512k download or 256k upload, the packets will be dropped. This can be one session or multiple sessions. One session could take up the entire 512k, but the point is for the WAN connection to not be saturated by the web traffic.

 

Author Comment

by:CnicNV
Ok, I think I understand what you're describing.

Let me use an example.  

Let's say my internet connection is actually 10 mbits up and down, and I have 100 users. If I apply that policing command you indicated above, will it limit the entire interface's actual bandwidth to 512k download and 256k upload for all traffic combined of those 100 users? If so, that would be worse, in that it would make a 10 mbit connection 512 kbit.

But I am guessing that what you are saying to me is that the limit is a per-connection limit (one IP to another IP) and that no one connection could use more than this limit individually? That, combined together, the full internet bandwidth on the interface is still 10 mbits, and that no one connection is allowed to use all of it?

Thanks for your patience, just trying to make sure 100% that I understand you :-)
 

Accepted Solution

by:Soulja (earned 500 total points)
You can set the policing limit to whatever you want. I just used 512k for an example.

My example would limit the traffic to 512k for only traffic to the internet. This is not a per-session limit but a total limit. The policer will monitor web traffic as a whole. If it starts to exceed 512k, the packets that exceed will be dropped. Being that the default queuing is FIFO, this would be various sources coming from the LAN side to the internet.
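The aggregate behaviour Soulja describes, as an added Python illustration (not code from the thread or from Cisco): the ASA policer is modelled as one token bucket, filled at the example's conform-rate and capped at its conform-burst, that every packet matched by the internet_outbound ACL draws from, while packets hitting the deny entry for the VPN far-end subnet bypass it. The hosts, flows and packet sizes are constructed sample values; two internet flows together get roughly 512 kbit/s, and nothing shares it fairly between them.

```python
import ipaddress

INSIDE_NET = ipaddress.ip_network("192.168.1.0/24")     # inside subnet from the thread's ACL
VPN_FAR_NET = ipaddress.ip_network("192.168.100.0/24")  # VPN far-end subnet from the ACL


def matches_internet_outbound(src: str, dst: str) -> bool:
    """Evaluate the ACL in order: deny inside->VPN far end, then permit inside->any."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s in INSIDE_NET and d in VPN_FAR_NET:
        return False  # deny ACE: VPN traffic is not classified, so it is never policed
    return s in INSIDE_NET  # permit ACE: everything else leaving the LAN is policed


class Policer:
    """Single-rate policer: one token bucket for the whole class, no per-flow state."""

    def __init__(self, conform_rate_bps: int, conform_burst_bytes: int):
        self.rate_bytes_per_ms = conform_rate_bps // 8000  # 512000 bit/s -> 64 bytes/ms
        self.capacity = conform_burst_bytes                 # conform-burst, e.g. 96000 bytes
        self.tokens = conform_burst_bytes
        self.last_ms = 0

    def offer(self, now_ms: int, size: int) -> str:
        refill = (now_ms - self.last_ms) * self.rate_bytes_per_ms
        self.tokens = min(self.capacity, self.tokens + refill)
        self.last_ms = now_ms
        if size <= self.tokens:
            self.tokens -= size
            return "transmit"  # conform-action transmit
        return "drop"          # exceed-action drop


def simulate(packets, conform_rate_bps=512_000, conform_burst_bytes=96_000):
    """packets: (time_ms, src, dst, size_bytes) tuples. Returns bytes transmitted per source."""
    policer = Policer(conform_rate_bps, conform_burst_bytes)
    transmitted = {}
    for t_ms, src, dst, size in sorted(packets, key=lambda p: p[0]):  # FIFO arrival order
        action = policer.offer(t_ms, size) if matches_internet_outbound(src, dst) else "transmit"
        if action == "transmit":
            transmitted[src] = transmitted.get(src, 0) + size
    return transmitted


def sample_traffic(seconds=10, interval_ms=25, size=1500):
    """Constructed load: three LAN hosts each offering 480 kbit/s (1500 B every 25 ms)."""
    hosts = [("192.168.1.10", "203.0.113.5"),     # internet flow A
             ("192.168.1.20", "198.51.100.7"),    # internet flow B
             ("192.168.1.30", "192.168.100.50")]  # site-to-site VPN flow, exempt via the deny ACE
    return [(t, s, d, size) for t in range(0, seconds * 1000, interval_ms) for s, d in hosts]
```

Running simulate(sample_traffic()) shows the VPN host sending all 600,000 bytes untouched, while the two internet hosts together get 733,500 bytes in 10 s (the 96,000-byte burst plus 64,000 bytes/s), with flow A keeping its full rate and flow B absorbing almost all of the drops.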
 

Author Closing Comment

by:CnicNV
Ahh, ok, that's what I was worried about. I was hoping it could do it based on each new connection created, to prevent individual connections from using up the entire available bandwidth.

I guess policing is really used for reining in burstable connections, in keeping with the CIR for things like frame relay connections, and not really for end-user bandwidth control.

Thanks for taking the time to clear that up for me.
