Limiting bandwidth

Unanswered Question
Nov 29th, 2007

I have an ASA5510 with a T1 connection. I have a few users who download large files with a download manager that takes up all of my bandwidth, and then everyone complains the internet is slow. Is there a way on the firewall to limit each connection to a maximum bandwidth so that one user can't take all of the bandwidth?

Overall Rating: 2.5 (2 ratings)
Collin Clark Thu, 11/29/2007 - 09:16

You could use QoS to limit FTP downloads; however, HTTP downloads are used just as often. If you need to restrict per-connection bandwidth, Packeteer (www.packeteer) makes some products that can do it.

HTH and please rate.

Nathan Spitzer Sat, 12/01/2007 - 18:01

Like the other poster said, Packeteer makes some things that will fix this. Also, forcing HTTP and FTP through a proxy server will allow you to limit throughput on a per-user basis. I have done this with Squid, which allowed me to solve similar issues. In addition, a proxy server will lessen the load on the internet link. If most of the T1 is HTTP, it can dramatically reduce the load.

Let me also comment that the root of this issue is a policy or personnel issue. Sometimes the best solution to these issues is therefore not to spend a boatload of time and/or money on a technology solution but to implement a policy or procedure that states that download managers are not to be used in such a way as to degrade the T1 performance. Tell those users causing problems NOT TO DO IT AGAIN. Inform their managers they are causing service degradation and it needs to stop.
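A sketch of the Squid approach mentioned in the post above, using delay pools; this is an added example, not configuration from the original poster. The LAN subnet, ACL name and rates are assumptions chosen for a T1 (about 1.544 Mbit/s, roughly 193000 bytes/s), and Squid must be built with delay pools enabled.

```squid
# squid.conf fragment (constructed example; subnet, ACL name and rates are assumptions)

# Clients whose downloads should be throttled.
acl lan_users src 192.168.1.0/24

# One delay pool of class 2: a single aggregate bucket shared by everyone,
# plus one bucket per client host (keyed on the last octet of the IPv4 address,
# so class 2 suits a single /24; class 3 covers larger networks).
delay_pools 1
delay_class 1 2

# delay_parameters <pool> <aggregate restore/max> <per-host restore/max>
# restore is in bytes per second, max is the bucket size in bytes.
#   aggregate: 160000 B/s  (about 1.28 Mbit/s, leaves headroom on the T1)
#   per host :  32000 B/s  (about 256 kbit/s) with a 64000-byte burst
delay_parameters 1 160000/160000 32000/64000

# Apply the pool to LAN clients only.
delay_access 1 allow lan_users
delay_access 1 deny all
```

The per-host bucket is shared by every connection from one client address, so a download manager that opens many parallel connections still gets only that host's share. Delay pools throttle only traffic fetched from the origin (cache misses), and they only help if clients cannot bypass the proxy, so direct outbound HTTP and FTP from the LAN should be blocked at the firewall.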

kevin.jones1 Sun, 12/02/2007 - 15:56

There will always be people who will ignore policy or procedure.

Instead of spending money on Packeteer, which is a good product by the way, the alternative solution is to implement a Checkpoint firewall solution. Checkpoint firewalls come with QoS (formerly Floodgate) integrated, and it can do exactly what you describe. For a small enterprise, that's something you probably want instead of deploying another device on the


srue Sun, 12/02/2007 - 21:34

access-list qos_acl permit tcp any eq 20 any
class-map qos-class-map
 match access-list qos_acl
policy-map qos
 class qos-class-map
  police output 8000 2000
service-policy qos interface inside

I'm by no means a QoS expert, but this seemed to work on my ASA5505.

You can of course configure the ACL and police rates to your own liking. You could just limit all TCP traffic to something like 64000/user with 32000/burst as an example.

Nathan Spitzer Mon, 12/03/2007 - 04:43

Yes, there are always people who ignore policy, but a good LART deployed early and often will quickly remedy that :-)

My personal favorite LART is a hard-bound copy of the policy and procedure manual, printed in 90-point type.

