11-29-2007 08:52 AM - edited 03-11-2019 04:37 AM
I have an ASA 5510 with a T1 connection. I have a few users who download large files with a download manager that takes up all of my bandwidth, and then everyone complains the internet is slow. Is there a way on the firewall to limit each connection to a maximum bandwidth so that one user can't take all of the bandwidth?
11-29-2007 09:16 AM
You could use QoS to limit FTP downloads; however, HTTP downloads are used just as often. If you need to restrict per-connection bandwidth, Packeteer (www.packeteer) makes some products that can do it.
HTH and please rate.
12-01-2007 06:01 PM
Like the other poster said, Packeteer makes some things that will fix this. Also, forcing HTTP and FTP through a proxy server will allow you to limit throughput on a per-user basis. I have done this with Squid, which allowed me to solve similar issues. In addition, a proxy server will lessen the load on the internet link. If most of the T1 is HTTP, it can dramatically reduce the load.
Let me also comment that the root of this issue is a policy or personnel issue. Sometimes the best solution to these issues is therefore not to spend a boatload of time and/or money on a technology solution but to implement a policy or procedure that states that download managers are not to be used in such a way as to degrade the T1 performance. Tell those users causing problems NOT TO DO IT AGAIN. Inform their managers they are causing service degradation and it needs to stop.
12-02-2007 03:56 PM
There will always be people who will ignore policy or procedure.
Instead of spending money on Packeteer, which is a good product by the way, the alternative solution is to implement a Check Point firewall solution. Check Point firewalls come with QoS (formerly FloodGate) integrated, and it can do exactly what you describe. For a small enterprise, that's something you probably want instead of deploying another device on the network.
12-02-2007 09:34 PM
```cisco
! Match FTP-data (active mode): server-to-client data streams from source port 20
access-list qos_acl extended permit tcp any eq 20 any
class-map qos-class-map
 match access-list qos_acl
policy-map qos
 class qos-class-map
  ! police output <conform rate in bits/s> <burst in bytes>; excess is dropped
  police output 8000 2000
! "output" on inside = packets leaving the ASA toward the LAN, i.e. downloads
service-policy qos interface inside
```
I'm by no means a QoS expert, but this seemed to work on my ASA 5505.
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/qos.html
You can of course configure the ACL and police rates to your own liking. You could just limit all TCP traffic to something like 64000/user with 32000/burst as an example.
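A fuller version of the policing approach above, added here as an illustration and not taken from any poster's running config. It assumes ASA 7.2 syntax and two hypothetical LAN hosts, 192.168.1.10 and 192.168.1.11. Two points matter for the original question. First, an ASA policer caps the aggregate of whatever its class matches on that interface, so a single class with `police output 512000` caps the whole LAN at 512 kbps rather than giving each user a share; a per-host ceiling needs one class per host (or per group of hosts). Second, matching on FTP source port 20 only catches active-mode FTP; passive FTP and HTTP downloads arrive from ephemeral source ports, so matching on the destination host in the outside-to-inside direction catches every download regardless of protocol.

```cisco
! Added example (not the poster's config). Addresses are hypothetical.
! One ACL and one class per host: each policer limits only that host's traffic.
access-list dl_host_a extended permit ip any host 192.168.1.10
access-list dl_host_b extended permit ip any host 192.168.1.11
!
class-map dl-host-a
 match access-list dl_host_a
class-map dl-host-b
 match access-list dl_host_b
!
! police output <rate in bits/s> <burst in bytes>
! 256 kbps per host with a 32,000-byte burst; the default actions are
! conform-action transmit / exceed-action drop, so excess packets are dropped
! and TCP backs off. A T1 (~1.5 Mbps) can carry about six hosts at this rate.
policy-map dl-cap
 class dl-host-a
  police output 256000 32000
 class dl-host-b
  police output 256000 32000
!
! "output" on the inside interface is traffic leaving the ASA toward the LAN,
! which is the download direction for these users.
service-policy dl-cap interface inside
!
! Check that the classes are matching and see conformed/exceeded counters:
! show service-policy interface inside
```

Only one service-policy can be attached per interface, so if the interface already has one, add these classes to the existing policy-map instead of creating a second one. Since policing drops rather than queues, set the burst large enough for a few full-size packets or a single TCP flow will never reach the configured rate.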
12-03-2007 04:43 AM
Yes, there are always people who ignore policy, but a good LART deployed early and often will quickly remedy that :-)
My personal favorite LART is a hard-bound copy of the policy and procedure manual, printed in 90-point type.