Traffic shaping on Cisco ASA X-series firewalls

Hello - what (if any) are the options for shaping traffic on an X-series firewall? I have a customer with a Gig handoff Internet circuit, currently provisioning 150-Mbps. This is terminated on an old ISR, which is shaping the traffic via the "bandwidth 150000" command to prevent carrier policing. We need to move this connection off of the ISR onto an ASA 5525-X.

From what I've found so far, it appears there's no way to handle traffic shaping on the X-series firewalls. (I haven't looked into the new FTD appliances yet, so would be interested in feedback on those as well.) The 5525 is currently running 9.2 code, and the 9.2 configuration guide (https://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/firewall/asa-firewall-cli/conns-qos.html) indicates that traffic shaping is only supported on the 5505 (not the "multi-core models such as 5500-X"). I haven't checked newer release notes.

Is there a way to perform the same shaping function on an ASA 5525, with either the existing or newer code? If not, how are other customers handling sub-rated circuits to prevent policing and the potential resulting connection drops? Again, if the newer FTD appliances (2100's) can provide for this, that'd be helpful to know.

Thank you
cfan73 Asked:

mikecr Commented:
Yes, you can create service policy rules that can be configured to do traffic policing based on the criteria of the policy.
Soulja Commented:
Every company that I have supported always had a router on the edge for this purpose, as well as for other features that ASAs don't support, such as DMVPN and router VPNs. I think you may be out of luck in this scenario, unfortunately, in regards to the ASA. The FTD, I do believe, offers some form of rate limiting, but it may be more of a policing feature than shaping, as well as not having that many options.
cfan73 (Author) Commented:
Thanks for the responses. It's sounding like policing is the only option on these, unfortunately. Without the ability to buffer/shape traffic (vs. dropping it based on a policing policy), how much risk do we run of dropped TCP connections or other possible issues? Would it be a strategy to pump up the carrier service to a level beyond what the ASA could forward, so that the carrier would never need to police the data being sent by the firewall?

Again, they're looking to remove an existing router (impending End of Support) and were hoping to leverage the existing firewall. The old backup Internet circuit was a bonded T1 pipe, so it required the router to terminate this connection. This has since been removed, and both handoffs are Ethernet (the primary being this shaped circuit, the 2nd a 10-Mbps handoff).

Thanks again - just considering the options.
Soulja Commented:
Yes, in this case the easiest route would probably be to pump up the carrier service so that the firewall doesn't even hit their policy. Otherwise, I would just replace the end-of-service router with another. If that is not an option, policing on your firewall really wouldn't benefit, since the ISP is already policing, unless there is some penalty from the carrier when they must police your traffic.
ArneLovius Commented:
As per Soulja, is there a financial requirement to shape to 150 Mbps, or just a desire to not hit the ISP shaping?

Shaping on a T1 I can certainly understand, but are you seeing traffic that would require shaping on 150 Mbps?

You might find the below useful as a starting point for setting a bandwidth limit:

https://community.cisco.com/t5/firewalls/bandwidth-limit-on-asa/td-p/2892360

Whether you have dropped TCP connections would depend on your ISP's traffic shaping policy. I would be very tempted to just try it during a suitable maintenance window, presuming that you can simulate "normal" traffic.
cfan73 (Author) Commented:
@ArneLovius

That link is again how to configure policing, which would drop packets to prevent exceeding the configured limit. My concern with policing is that the dropped packets may have a worse effect of possibly dropping connections, causing TCP resets, etc. I realize I may be overthinking this.

Secondly, the sub-rated circuit lands on a 1-Gbps port. Without shaping or policing, wouldn't the interface attempt to serialize all data at 1,000-Mbps and thus always result in drops, or is the carrier policing based on windows of time (such as exceeding the 150-Mbps rate over 5 seconds, etc.)?

Thanks again
Soulja Commented:
No, it wouldn't send it out as gigabit. Bandwidth is just the capability, not the actual speed. As long as you don't hit your ISP's limit they won't police. Most ISPs allow some burst past their set policed rate. You may want to find out what that is.
cfan73 (Author) Commented:
@Soulja

Maybe I wasn't clear with the above question. Let's assume we took the "bandwidth 40000" statement out completely (since it doesn't directly impact speed/shaping/policing, anyway). A gigabit port can only serialize a data bit at 1-Gbps, so how would the device buffer traffic to prevent overrun if you DID decide to add shaping commands at a sub-rate?

Thanks again
Soulja Commented:
@cfan73,

I think you are confusing bandwidth vs. speed. Yes, the interface will have the speed of 1 Gbps, but the bandwidth is the available capacity for the data transfer. The ISP is policing your capacity, not your speed. A perfect example of this difference is port-channels. You can have a port-channel consisting of 4 1-Gbps ports. You would have 4 Gbps bandwidth, but still only transmit at 1 Gbps speed.
cfan73 (Author) Commented:
@Soulja

I understand the port-channel example, but let's focus on the single-interface case, where there's a single 1-Gbps port which will transmit data at that rate. If we implemented shaping at a sub-1G rate (to prevent carrier policing and dropped packets), how does the router buffer and transmit data to match this? Does it buffer 9/10 of the bits (if we were shaping at 100-Mbps) to prevent the overrun?

Thanks for your continued patience, and I think we're close. :)
Soulja Commented:
You are still confusing speed with bandwidth. Look up TX Ring and TX Queuing. The speed is the TX ring. The shaping happens in the TX queue. The TX queue is where QoS shaping works.
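As an added illustration of the distinction Soulja draws above (example code, not from the thread or from Cisco): a small token-bucket model in which a policer drops packets that exceed the rate, while a shaper holds them in a FIFO TX queue and releases them as the bucket refills, so the same burst leaves later instead of being lost. The 150 Mbps rate, 15 kB burst allowance and the 100-frame burst are constructed values.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "arrival size")      # arrival in seconds, size in bytes

def police(packets, rate_bps, burst_bytes):
    """Policer: forward a packet only if the token bucket holds enough bytes
    right now; otherwise drop it. No queue, so no added delay."""
    tokens, last = burst_bytes, 0.0
    forwarded, dropped = [], []
    for p in packets:
        tokens = min(burst_bytes, tokens + (p.arrival - last) * rate_bps / 8)
        last = p.arrival
        if p.size <= tokens:
            tokens -= p.size
            forwarded.append(p)
        else:
            dropped.append(p)
    return forwarded, dropped

def shape(packets, rate_bps, burst_bytes, max_delay_s):
    """Shaper: a packet that finds the bucket short waits in a FIFO TX queue
    until enough tokens have refilled. It is tail-dropped only if it would
    have to wait longer than max_delay_s (queue overflow)."""
    tokens, last = burst_bytes, 0.0
    sent, dropped = [], []                    # sent holds (departure_time, packet)
    for p in packets:
        start = max(p.arrival, sent[-1][0] if sent else 0.0)   # FIFO ordering
        avail = min(burst_bytes, tokens + (start - last) * rate_bps / 8)
        if p.size > avail:                    # not enough tokens: wait for refill
            start += (p.size - avail) * 8 / rate_bps
            avail = p.size
        if start - p.arrival > max_delay_s:   # queue would overflow: drop
            dropped.append(p)
            continue
        tokens, last = avail - p.size, start
        sent.append((start, p))
    return sent, dropped

def demo():
    """Constructed burst: 100 full-size frames leaving a 1 Gbps port back to
    back, run against a 150 Mbps rate with a 15 kB burst allowance."""
    line_rate, cir, burst = 1e9, 150e6, 15000
    packets = [Packet(i * 1500 * 8 / line_rate, 1500) for i in range(100)]
    pf, pd = police(packets, cir, burst)
    sf, sd = shape(packets, cir, burst, max_delay_s=0.1)
    return {"policer_forwarded": len(pf), "policer_dropped": len(pd),
            "shaper_sent": len(sf), "shaper_dropped": len(sd),
            "shaper_last_departure_s": sf[-1][0]}

if __name__ == "__main__":
    print(demo())
```

The policer loses most of the burst outright, whereas the shaper delivers all 100 frames and simply spreads the last departure out to roughly the time 150 Mbps needs to carry 150 kB.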

cfan73 (Author) Commented:
@Soulja

I will do the additional research, and thanks again for your patience.