Solved

Cisco ASA 9.1 - Possible to police individual flows within a set bandwidth cap?

Posted on 2014-11-18
3
309 Views
Last Modified: 2014-12-15
In this scenario, there is a 10Mb pipe out of the ASA to ISP1. The goal is to police inbound/outbound traffic to inside subnet X.X.X.X/24 to use a max of 8Mb of that pipe. This I've accomplished with a service policy on the ISP1 interface, with the observed behaviour being that download 1 will take up all 8Mb, then when a second download starts, they will begin to share the 8Mb, then a third starts and again they will all share the pipe evenly, so the aggregate of the flows continues to use a max of 8Mb. But I'm trying to determine if there's a way to police the individual flows in the subnet. Meaning "hey you subnet X, flows to/from IPs in your range can only use up to 5Mb each, with your aggregate total being 8Mb".
0
Comment
Question by:dms_it
  • 2
3 Comments
 

Assisted Solution

by:dms_it
dms_it earned 0 total points
ID: 40452516
This is TAC's response, anyone else have any comments?

"Unfortunately QOS polices based on connections information is not supported in the ASA, any policy must match a class and classes are defined as per ip range basis and protocols only."

The simplified pronounced example I also gave to them was suppose I have a 50Mb pipe and want to restrict any connections to/from subnet X to a max of 1Mb each. Not possible. The policing with a class-map matching a subnet only seems to apply to the subnet as a whole. I realize that logically this approach may be flawed as in 'why would you want to do that', I suppose it wouldn't matter as long as I could find a better explanation of how the policing shares the bandwidth among multiple connections when priority queues aren't specified.
0
 
LVL 28

Accepted Solution

by:
asavener earned 500 total points
ID: 40481399
The only reasons to use QoS is to manage congestion, or to prioritize low-latency flows.  Introducing policing policies is basically denial-of-servicing yourself.

So if you're asking "why isn't this feature available?" then the answer is "because you shouldn't do that in the first place."

I suppose there are certain cases where you might want to test whether an application works over a low-bandwidth connection, which I've had to do before, but it's better to use a router to police the flow rather than an ASA.
0
 

Author Closing Comment

by:dms_it
ID: 40500005
Thanks. The idea is to be able to limit individual users or groups of users to lower bandwidths than is available on a given circuit.
0

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

This article is a step by step guide on how to create a basic PTP link using Ubiquiti airOS devices. This guide can be used on the following Ubiquiti AirMAX devices. Nanostation, Bullets, AirBridge, Nanobeam, NanoBridge to name a few. Please review …
Quality of Service (QoS) options are nearly endless when it comes to networks today. This article is merely one example of how it can be handled in a hub-n-spoke design using a 3-tier configuration.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

864 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

24 Experts available now in Live!

Get 1:1 Help Now