Solved

Cisco ASA 9.1 - Possible to police individual flows within a set bandwidth cap?

Posted on 2014-11-18
3
304 Views
Last Modified: 2014-12-15
In this scenario, there is a 10Mb pipe out of the ASA to ISP1. The goal is to police inbound/outbound traffic to inside subnet X.X.X.X/24 to use a max of 8Mb of that pipe. This I've accomplished with a service policy on the ISP1 interface, with the observed behaviour being that download 1 will take up all 8Mb, then when a second download starts, they will begin to share the 8Mb, then a third starts and again they will all share the pipe evenly, so the aggregate of the flows continues to use a max of 8Mb. But I'm trying to determine if there's a way to police the individual flows in the subnet. Meaning "hey you subnet X, flows to/from IPs in your range can only use up to 5Mb each, with your aggregate total being 8Mb".
0
Comment
Question by:dms_it
  • 2
3 Comments
 

Assisted Solution

by:dms_it
dms_it earned 0 total points
Comment Utility
This is TAC's response, anyone else have any comments?

"Unfortunately QOS polices based on connections information is not supported in the ASA, any policy must match a class and classes are defined as per ip range basis and protocols only."

The simplified pronounced example I also gave to them was suppose I have a 50Mb pipe and want to restrict any connections to/from subnet X to a max of 1Mb each. Not possible. The policing with a class-map matching a subnet only seems to apply to the subnet as a whole. I realize that logically this approach may be flawed as in 'why would you want to do that', I suppose it wouldn't matter as long as I could find a better explanation of how the policing shares the bandwidth among multiple connections when priority queues aren't specified.
0
 
LVL 28

Accepted Solution

by:
asavener earned 500 total points
Comment Utility
The only reasons to use QoS is to manage congestion, or to prioritize low-latency flows.  Introducing policing policies is basically denial-of-servicing yourself.

So if you're asking "why isn't this feature available?" then the answer is "because you shouldn't do that in the first place."

I suppose there are certain cases where you might want to test whether an application works over a low-bandwidth connection, which I've had to do before, but it's better to use a router to police the flow rather than an ASA.
0
 

Author Closing Comment

by:dms_it
Comment Utility
Thanks. The idea is to be able to limit individual users or groups of users to lower bandwidths than is available on a given circuit.
0

Featured Post

Highfive + Dolby Voice = No More Audio Complaints!

Poor audio quality is one of the top reasons people don’t use video conferencing. Get the crispest, clearest audio powered by Dolby Voice in every meeting. Highfive and Dolby Voice deliver the best video conferencing and audio experience for every meeting and every room.

Join & Write a Comment

Hi All,  Recently I have installed and configured a Sonicwall NS220 in the network as a firewall and Internet access gateway. All was working fine until users started reporting that they cannot use the Cisco VPN client to connect to the customer'…
Introduction This article explores the design of a cache system that can improve the performance of a web site or web application.  The assumption is that the web site has many more “read” operations than “write” operations (this is commonly the ca…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now