Solved

Cisco ASA 9.1 - Possible to police individual flows within a set bandwidth cap?

Posted on 2014-11-18
3
339 Views
Last Modified: 2014-12-15
In this scenario, there is a 10Mb pipe out of the ASA to ISP1. The goal is to police inbound/outbound traffic to inside subnet X.X.X.X/24 to use a max of 8Mb of that pipe. This I've accomplished with a service policy on the ISP1 interface, with the observed behaviour being that download 1 will take up all 8Mb, then when a second download starts, they will begin to share the 8Mb, then a third starts and again they will all share the pipe evenly, so the aggregate of the flows continues to use a max of 8Mb. But I'm trying to determine if there's a way to police the individual flows in the subnet. Meaning "hey you subnet X, flows to/from IPs in your range can only use up to 5Mb each, with your aggregate total being 8Mb".
0
Comment
Question by:dms_it
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 

Assisted Solution

by:dms_it
dms_it earned 0 total points
ID: 40452516
This is TAC's response, anyone else have any comments?

"Unfortunately QOS polices based on connections information is not supported in the ASA, any policy must match a class and classes are defined as per ip range basis and protocols only."

The simplified pronounced example I also gave to them was suppose I have a 50Mb pipe and want to restrict any connections to/from subnet X to a max of 1Mb each. Not possible. The policing with a class-map matching a subnet only seems to apply to the subnet as a whole. I realize that logically this approach may be flawed as in 'why would you want to do that', I suppose it wouldn't matter as long as I could find a better explanation of how the policing shares the bandwidth among multiple connections when priority queues aren't specified.
0
 
LVL 28

Accepted Solution

by:
asavener earned 500 total points
ID: 40481399
The only reasons to use QoS is to manage congestion, or to prioritize low-latency flows.  Introducing policing policies is basically denial-of-servicing yourself.

So if you're asking "why isn't this feature available?" then the answer is "because you shouldn't do that in the first place."

I suppose there are certain cases where you might want to test whether an application works over a low-bandwidth connection, which I've had to do before, but it's better to use a router to police the flow rather than an ASA.
0
 

Author Closing Comment

by:dms_it
ID: 40500005
Thanks. The idea is to be able to limit individual users or groups of users to lower bandwidths than is available on a given circuit.
0

Featured Post

Easy, flexible multimedia distribution & control

Coming soon!  Ideal for large-scale A/V applications, ATEN's VM3200 Modular Matrix Switch is an all-in-one solution that simplifies video wall integration. Easily customize display layouts to see what you want, how you want it in 4k.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A 2007 NCSA Cyber Security survey revealed that a mere 4% of the population has a full understanding of firewalls. As business owner, you should be part of that 4% that has a full understanding.
On Feb. 28, Amazon’s Simple Storage Service (S3) went down after an employee issued the wrong command during a debugging exercise. Among those affected were big names like Netflix, Spotify and Expedia.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

689 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question