Solved

Cisco ASA 5510 VPN Bandwidth Throttling

Posted on 2016-08-12
Last Modified: 2016-08-15
Is it possible to limit how much bandwidth a particular VPN session takes up or to at least limit the amount of bandwidth all VPN sessions take up on the ASA? We had some updates go out from SCCM and that took up too much bandwidth. Thank you.
Question by:amigan_99
 
LVL 16

Expert Comment

by:Mike T
ID: 41755011
Hi,

You can throttle SCCM very easily and comprehensively - I think the setting is on the DP itself. You can set the time (in hours) and the bandwidth. This setting is per boundary, so will match the VPN IP range for you.
If you need more detail I can look Monday when I have it in front of me :).

Mike
1
 
LVL 1

Author Comment

by:amigan_99
ID: 41755020
Thanks Mike. Please send any details you can when possible!
0
 
LVL 16

Expert Comment

by:Mike T
ID: 41756196
Hi,

The setting I mean is the rate limits tab. It only appears on your remote DPs. There are 3 settings you can use: unlimited, pulse and limited.

TechNet:

◾Unlimited when sending to this destination: Specifies that Configuration Manager sends content to the distribution point with no rate limit restrictions.


◾Pulse mode: Specifies the size of the data blocks that are sent to the distribution point. You can also specify a time delay between sending each data block. Use this option when you must send data across a very low bandwidth network connection to the distribution point. For example, you might have constraints to send 1 KB of data every five seconds, regardless of the speed of the link or its usage at a given time.


◾Limited to specified maximum transfer rates by hour: Specify this setting to have a site send data to a distribution point by using only the percentage of time that you configure. When you use this option, Configuration Manager does not identify the network's available bandwidth, but instead divides the time it can send data into slices of time. Then data is sent for a short block of time, which is followed by blocks of time when data is not sent. For example, if the maximum rate is set to 50%, Configuration Manager transmits data for a period of time followed by an equal period of time when no data is sent. The actual size amount of data, or size of the data block, is not managed. Instead, only the amount of time during which data is sent is managed.

Ref: https://technet.microsoft.com/en-us/library/ded46139-8692-4dd6-bd80-64f7b4045924#BKMK_ModifyDistributionPointSettings

---
You have to plan how you want to split the traffic with your network team. A good summary is here:

https://msitpros.com/?p=1727

but there are also the concurrent package settings you can change:
http://nikifoster.wordpress.com/2012/10/18/controlling-concurrent-package-distribution-in-sccm-2/

Between the two, you have strong control, per DP, of how and when ConfigMgr pushes anything out.

Mike
0
 
LVL 16

Accepted Solution

by:
Michael Ortega (Internetwerx, Inc.) earned 250 total points
ID: 41756211
Or you can deal with it on the ASA using policing.

Create an ACL to define the interesting traffic.
Create a class-map and bring in the ACL.
Create a policy-map to bring in the class-map and set the action to police input/output to a certain bandwidth value and conform rate.
Create a service-policy to set the policy-map onto the outside interface.

MO
0

 
LVL 13

Assisted Solution

by:SIM50
SIM50 earned 125 total points
ID: 41756360
Is it possible to limit how much bandwidth a particular VPN session takes up

ASA supports QoS per specific VPN tunnel. When you create the class-map, use the "match tunnel-group <name>" command.
0
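The four policing steps from the accepted solution, together with the "match tunnel-group" variant from the comment above, written out as ASA configuration. This is an added example, not configuration posted by any participant; the addresses, object names, tunnel-group name and rate values are constructed placeholders to be replaced with your own.

```cisco
! Constructed placeholders (assumptions, not from the thread):
!   192.0.2.10       = SCCM server / distribution point
!   198.51.100.0/24  = VPN client address pool
!   EXAMPLE-RA-VPN   = tunnel-group name

! 1. ACL defining the interesting traffic (SCCM to the VPN subnet)
access-list SCCM-TO-VPN extended permit ip host 192.0.2.10 198.51.100.0 255.255.255.0

! 2. Class-map that brings in the ACL
class-map CM-SCCM-TO-VPN
 match access-list SCCM-TO-VPN

! Variant: class by tunnel-group. "match flow ip destination-address"
! makes the policer apply to each destination (each VPN peer) separately
! instead of to the tunnel-group as a whole.
class-map CM-VPN-PER-FLOW
 match tunnel-group EXAMPLE-RA-VPN
 match flow ip destination-address

! 3. Policy-map: conform rate is in bits per second, burst is in bytes
policy-map PM-VPN-THROTTLE
 class CM-SCCM-TO-VPN
  police output 2000000 37500 conform-action transmit exceed-action drop
 class CM-VPN-PER-FLOW
  police output 1000000 18750 conform-action transmit exceed-action drop

! 4. Service-policy attaching the policy-map to the outside interface
service-policy PM-VPN-THROTTLE interface outside

! Check conformed/exceeded counters after the next SCCM push
show service-policy police
```

A packet is policed by the first class it matches, so SCCM traffic hits the 2 Mbps aggregate limit and other tunnel traffic falls through to the per-peer limit.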
 
LVL 57

Assisted Solution

by:Pete Long
Pete Long earned 125 total points
ID: 41756383
I'd throttle it based on the SCCM IP (this will throttle all traffic across all tunnels, and all traffic from the SCCM other than this traffic, of course).

Cisco ASA 5500 – Throttling (Rate Limiting) Traffic


Pete
0
 
LVL 16

Assisted Solution

by:Michael Ortega (Internetwerx, Inc.)
Michael Ortega (Internetwerx, Inc.) earned 250 total points
ID: 41756657
@SIM50 & PeteLong,

I was referring to "interesting traffic" as defining what communication you want policed, e.g. SCCM traffic to VPN subnets.

MO
0
 
LVL 1

Author Closing Comment

by:amigan_99
ID: 41756688
Thanks all. Very helpful!
0
