• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 400
  • Last Modified:

Cisco ASA 9.1 - Possible to police individual flows within a set bandwidth cap?

In this scenario, there is a 10Mb pipe out of the ASA to ISP1. The goal is to police inbound/outbound traffic to inside subnet X.X.X.X/24 to use a max of 8Mb of that pipe. This I've accomplished with a service policy on the ISP1 interface, with the observed behaviour being that download 1 will take up all 8Mb, then when a second download starts, they will begin to share the 8Mb, then a third starts and again they will all share the pipe evenly, so the aggregate of the flows continues to use a max of 8Mb. But I'm trying to determine if there's a way to police the individual flows in the subnet. Meaning "hey you subnet X, flows to/from IPs in your range can only use up to 5Mb each, with your aggregate total being 8Mb".
0
dms_it
Asked:
dms_it
  • 2
2 Solutions
 
dms_itAuthor Commented:
This is TAC's response, anyone else have any comments?

"Unfortunately QOS polices based on connections information is not supported in the ASA, any policy must match a class and classes are defined as per ip range basis and protocols only."

The simplified pronounced example I also gave to them was suppose I have a 50Mb pipe and want to restrict any connections to/from subnet X to a max of 1Mb each. Not possible. The policing with a class-map matching a subnet only seems to apply to the subnet as a whole. I realize that logically this approach may be flawed as in 'why would you want to do that', I suppose it wouldn't matter as long as I could find a better explanation of how the policing shares the bandwidth among multiple connections when priority queues aren't specified.
0
 
asavenerCommented:
The only reasons to use QoS is to manage congestion, or to prioritize low-latency flows.  Introducing policing policies is basically denial-of-servicing yourself.

So if you're asking "why isn't this feature available?" then the answer is "because you shouldn't do that in the first place."

I suppose there are certain cases where you might want to test whether an application works over a low-bandwidth connection, which I've had to do before, but it's better to use a router to police the flow rather than an ASA.
0
 
dms_itAuthor Commented:
Thanks. The idea is to be able to limit individual users or groups of users to lower bandwidths than is available on a given circuit.
0

Featured Post

Evaluating UTMs? Here's what you need to know!

Evaluating a UTM appliance and vendor can prove to be an overwhelming exercise.  How can you make sure that you're getting the security that your organization needs without breaking the bank? Check out our UTM Buyer's Guide for more information on what you should be looking for!

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now