Cisco ASA 9.1 - Possible to police individual flows within a set bandwidth cap?

In this scenario, there is a 10Mb pipe out of the ASA to ISP1. The goal is to police inbound/outbound traffic to inside subnet X.X.X.X/24 to use a max of 8Mb of that pipe. This I've accomplished with a service policy on the ISP1 interface, with the observed behaviour being that download 1 will take up all 8Mb, then when a second download starts, they will begin to share the 8Mb, then a third starts and again they will all share the pipe evenly, so the aggregate of the flows continues to use a max of 8Mb. But I'm trying to determine if there's a way to police the individual flows in the subnet. Meaning "hey you subnet X, flows to/from IPs in your range can only use up to 5Mb each, with your aggregate total being 8Mb".
dms_it Asked:
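
The aggregate policy described in the question could be configured along these lines. This is an added example, not part of the original post and not the asker's actual configuration. The subnet 192.0.2.0/24 (standing in for X.X.X.X/24), the ACL, class-map and policy-map names, and the interface name ISP1 are assumptions.

```cisco
! Added example, not the asker's configuration. Constructed values:
! 192.0.2.0/24 stands in for subnet X.X.X.X/24; object names are hypothetical;
! ISP1 is assumed to be the nameif of the interface facing the ISP.

! Match traffic from and to the inside subnet
access-list POLICE-SUBNET-X extended permit ip 192.0.2.0 255.255.255.0 any
access-list POLICE-SUBNET-X extended permit ip any 192.0.2.0 255.255.255.0

class-map CM-SUBNET-X
 match access-list POLICE-SUBNET-X

policy-map PM-ISP1
 class CM-SUBNET-X
  ! Rates are in bits per second. There is one policer per direction for the
  ! whole class: every flow that matches the class draws on the same 8 Mb
  ! allowance, which is the sharing behaviour described in the question.
  police output 8000000
  police input 8000000

service-policy PM-ISP1 interface ISP1
```

`show service-policy interface ISP1` displays the conformed and exceeded counters for each direction of the class.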

dms_it (Author) Commented:
This is TAC's response, anyone else have any comments?

"Unfortunately QOS polices based on connections information is not supported in the ASA, any policy must match a class and classes are defined as per ip range basis and protocols only."

The simplified pronounced example I also gave to them was suppose I have a 50Mb pipe and want to restrict any connections to/from subnet X to a max of 1Mb each. Not possible. The policing with a class-map matching a subnet only seems to apply to the subnet as a whole. I realize that logically this approach may be flawed as in 'why would you want to do that', I suppose it wouldn't matter as long as I could find a better explanation of how the policing shares the bandwidth among multiple connections when priority queues aren't specified.
asavener Commented:
The only reasons to use QoS are to manage congestion, or to prioritize low-latency flows. Introducing policing policies is basically denial-of-servicing yourself.

So if you're asking "why isn't this feature available?" then the answer is "because you shouldn't do that in the first place."

I suppose there are certain cases where you might want to test whether an application works over a low-bandwidth connection, which I've had to do before, but it's better to use a router to police the flow rather than an ASA.
dms_it (Author) Commented:
Thanks. The idea is to be able to limit individual users or groups of users to lower bandwidths than is available on a given circuit.