QoS with Police

Unanswered Question
Apr 1st, 2008

I'm trying to get a service-policy set up that rate-limits the HTTP traffic our users are creating by surfing the net. In our case, our ASA actually sits with our ISP, so I'm trying to cut down on the bandwidth costs the HTTP traffic is taking up from the inside interface of the ASA across our WAN link to our home office.

We have an internal proxy server that all the users in the company use for accessing the internet. This is perfect, because it's only the traffic to this proxy server that I want to limit.

Proxy server: (is on the inside interface of the ASA)

Our ASA already has the default "service-policy global_policy global" command in there along with the default inspection, and I don't intend on changing that unless I have to.

So, I've created this:


access-list in_http extended permit tcp any host

class-map in_http
 match access-list in_http

policy-map in_http
 class in_http
  police output 500000 50000

service-policy in_http interface inside


My question is, on the service-policy command, should I apply that policy to the inside interface of the ASA or the outside interface? I want to police the traffic coming into our firewall destined for (our proxy server) on the inside interface. I'm hoping the ACL I created there matches all the traffic destined for the server.

Here's a clip from a "show connection" on the ASA that shows an internet connection from the proxy server:

TCP out xxx.xxx.xxx.xxx:80 in idle 0:00:07 bytes 3763 flags UIO

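The policing configuration from the question, written out with the policing direction and its verification commands made explicit. This is an added example, not the poster's own running config: the proxy address 10.1.1.10 is a hypothetical stand-in for the one the post omits, the ACL, class-map and policy-map names are kept from the post, and the "!" lines are annotations. On the ASA, "police output" on an interface limits packets leaving the ASA through that interface, and "police input" limits packets entering it; the web responses the poster wants to throttle travel from the Internet, through the ASA, out of the inside interface toward the proxy, so the policy belongs on the inside interface in the output direction.

```cisco
! Added example; not the original poster's configuration.
! Assumed (hypothetical) proxy address: 10.1.1.10, reached via the inside interface.
!
! Identify connections whose destination is the proxy. For policing, the ASA
! matches this ACL against packets in the direction the police command names,
! so "any -> proxy" is what we want for traffic exiting the inside interface.
access-list in_http extended permit tcp any host 10.1.1.10
!
class-map in_http
 match access-list in_http
!
! police output <conform-rate in bits/s> <conform-burst in bytes>
! 500000 bit/s is 500 kbit/s; a 50000-byte bucket is 0.8 s of traffic at that
! rate, after which exceeding packets are dropped.
policy-map in_http
 class in_http
  police output 500000 50000
!
! One interface service-policy is allowed per interface; it coexists with the
! default "service-policy global_policy global", which stays untouched.
service-policy in_http interface inside
!
! Verification after some browsing through the proxy: conformed and exceeded
! packet/byte counters for the output policer on the inside interface.
! show service-policy interface inside police
!
! Reset the counters when re-testing a change to the rate or burst:
! clear service-policy interface inside
```

If the policy were attached to the outside interface instead, the same ACL would have to be policed in the input direction (packets arriving from the ISP) to cover the same flow; attaching it on inside in the output direction keeps the rule adjacent to the WAN link whose cost the post is trying to control.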
jbayuka Tue, 04/08/2008 - 05:55

QoS is a traffic-management strategy that lets you allocate network resources for both mission-critical and normal data, based on the type of network traffic and the priority you assign to that traffic. In short, QoS ensures unimpeded priority traffic and provides the capability of rate-limiting (policing) default traffic.

For example, video and voice over IP (VoIP) are increasingly important for interoffice communication between geographically dispersed sites, using the infrastructure of the Internet as the transport mechanism. Firewalls are key to securing networks by controlling access, which includes inspecting VoIP protocols. QoS is the focal point to provide clear, uninterrupted voice and video communications, while still providing a basic level of service for all other traffic passing through the device.

Refer to Applying QoS Policies for more information.
