Setup Bandwidth Limit on V-Lans

Unanswered Question
Jun 8th, 2009

Hi, I am wondering how to set up the bandwidth limit on the following V-LANs. We have a 2 MBPS 1:1 leased line and the download speed comes to a maximum of 180 to 200 KB.

1) NOC (192.168.12.0/24)

2) DEV (192.168.13.0/24)

3) QA (192.168.14.0/24)

4) Tech(192.168.15.0/24)

Now, the Internet is on, and when users download anything from any of the V-LANs it consumes a lot of bandwidth, which results in the network getting choked, and it affects business production activities. Now I want to set up a bandwidth limit for an entire V-LAN, for example allow only up to 30kb downloading for the QA V-LAN and the same for the others except the NOC V-LAN. Can anyone suggest whether this is possible? I know it can be done with QoS, but I am not very good with QoS commands, so I would request the experts to please explain briefly with commands, if possible.

Thanks

Pravin Phadte Wed, 06/10/2009 - 02:31

I would suggest doing QoS or rate-limit; that would be the easy way to get this done.

If this is a router or switch. If ASA you will have to do QOS.

BrinksArgentina Thu, 06/11/2009 - 04:50

With this config, QA VLAN will get only 30KB, but the usage of WAN link may be bigger, because you can only limit traffic when egress from ASA.

access-list traffic_QA extended permit ip any 192.168.14.0 255.255.255.0

class-map traffic_QA
 match access-list traffic_QA

policy-map limit_QA_out
 class traffic_QA
  police output 30000 60000

service-policy limit_QA_out interface VL_QA


Guido.

Please rate all the helpful comments.

ray_stone Thu, 06/11/2009 - 23:13

Hi, Thank you for your responses.

"but the usage of WAN link may be bigger, because you can only limit traffic when egress from ASA"

I didn't understand the meaning of the above sentence. Can you please explain it briefly?

Thanks

BrinksArgentina Fri, 06/12/2009 - 06:18

QoS for inbound traffic

OK, I reviewed everything and did some testing, and finally found how this must be done.

Yes, you CAN throttle down inbound traffic.

The only consideration is that you must specify the outside address, so you must create a different pool for each VLAN.

global (outside) 1 200.1.1.2
global (outside) 2 200.1.1.3

nat (NOC) 1 192.168.12.0 255.255.255.0
nat (QA) 2 192.168.14.0 255.255.255.0

access-list traffic_wwwNOC extended permit ip any host 200.1.1.2
access-list traffic_wwwQA extended permit ip any host 200.1.1.2

class-map class_wwwNOC
 match access-list traffic_wwwNOC

class-map class_wwwQA
 match access-list traffic_wwwQA

policy-map limit_outside
 class class_wwwNOC
  police input 1500000 60000

 class class_wwwQA
  police input 300000 30000

service-policy limit_outside interface outside

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/qos.html


Guido.

Please rate all the helpful comments.

ray_stone Fri, 06/12/2009 - 23:32

Hi, If I am using below commands in my configuration:

global (outside) 1 interface outside

global (outside) 2 interface outside

What commands need to be changed?

Please explain.

BrinksArgentina Sat, 06/13/2009 - 14:06

You need a public address for each VLAN with a different policy shaping.

For instance, if your outside ip address is 200.1.1.2 255.255.255.248, you can use:

global (outside) 1 interface outside
global (outside) 2 200.1.1.3

access-list traffic_wwwNOC extended permit ip any host 200.1.1.2
access-list traffic_wwwQA extended permit ip any host 200.1.1.3

For the global pool, you can use an address currently used for PAT. For example, if you have something like this:

static (inside,outside) tcp 200.1.1.3 80 192.168.12.20 80 netmask 255.255.255.255

... this is not a problem.

Which is the netmask of your public address?

Please note that I made a mistake in the ACL of the previous post. Each ACL must point to the corresponding public address of the global pool.


Guido.

Please rate all the helpful comments.

ray_stone Thu, 08/06/2009 - 05:04

Hi,

We have a 2mbps link and 4 VLANs are placed on the ASA FW.

1) NOC 192.168.12.0

2) QA 192.168.15.0

3) Tech 192.168.21.0

4) DEV 192.168.14.0

Now I want to set the download speed to 30 kb for the entire V-LAN. I want to allow 150 KB bandwidth for the QA V-LAN for the STS DC Tunnel. I want to allow 150 KB bandwidth for the Techsol V-LAN for the 192.168.59.109 host which is placed Sterling STS Tunnel.

Please explain the commands. Thanks

BrinksArgentina Fri, 08/07/2009 - 04:13

How many public IP addresses do you have?

You need a /28 at least. One public IP for each global nat pool.

Guido

BrinksArgentina Sun, 08/09/2009 - 16:13

Have you tested the previously posted commands?

(replace 200.1.1.x with your public address)

global (outside) 1 200.1.1.2
global (outside) 2 200.1.1.3

nat (NOC) 1 192.168.12.0 255.255.255.0
nat (QA) 2 192.168.14.0 255.255.255.0

access-list traffic_wwwNOC extended permit ip any host 200.1.1.2
access-list traffic_wwwQA extended permit ip any host 200.1.1.3

!identify traffic:
class-map class_wwwNOC
 match access-list traffic_wwwNOC

class-map class_wwwQA
 match access-list traffic_wwwQA

!apply different shaping to each class of traffic:
policy-map limit_outside
 class class_wwwNOC
  police input 1500000 60000

 class class_wwwQA
  police input 300000 30000

!enable service-policy on the interface:
service-policy limit_outside interface outside
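The following is an added example, not code from any poster in this thread: a single-rate token-bucket model of a `police` statement, run over a constructed 2 Mbit/s download, to show what the rate and burst arguments used above work out to in bytes. It assumes the documented ASA units (conform-rate in bits per second, conform-burst in bytes) and that 1 KB = 1000 bytes; the function names and the sample traffic are made up for illustration.

```python
# Added example: token-bucket model of "police <rate_bps> <burst_bytes>".
# Assumptions: rate is in bit/s, burst in bytes, bucket starts full.
US = 1_000_000  # microseconds per second; integer time keeps the maths exact


def kbytes_per_sec_to_bps(kbytes_per_sec):
    """Convert a download speed in KB/s to a conform-rate in bit/s (1 KB = 1000 bytes)."""
    return kbytes_per_sec * 1000 * 8


def police(packets, rate_bps, burst_bytes):
    """Return the number of bytes that conform (are forwarded).

    packets: time-ordered list of (time_us, size_bytes).
    Tokens are tracked in bit-microseconds so no floating point is needed.
    """
    scale = 8 * US
    capacity = burst_bytes * scale
    tokens = capacity
    last_us = 0
    passed = 0
    for time_us, size in packets:
        # Refill for the elapsed time, never above the burst size.
        tokens = min(capacity, tokens + (time_us - last_us) * rate_bps)
        last_us = time_us
        cost = size * scale
        if cost <= tokens:      # conforming packet: forward it
            tokens -= cost
            passed += size
        # otherwise the packet exceeds the policer and is dropped
    return passed


def constant_load(duration_s, size_bytes=1500, gap_us=6000):
    """Constructed sample traffic: 1500-byte packets every 6 ms (2 Mbit/s)."""
    return [(t, size_bytes) for t in range(0, duration_s * US, gap_us)]


def demo():
    load = constant_load(10)
    with_30000_bps = police(load, 30000, 60000)
    with_30_kbytes = police(load, kbytes_per_sec_to_bps(30), 60000)
    return with_30000_bps, with_30_kbytes


if __name__ == "__main__":
    a, b = demo()
    print("police 30000 60000  ->", a, "bytes forwarded in 10 s")
    print("police 240000 60000 ->", b, "bytes forwarded in 10 s")
```

In the first result, 60000 of the forwarded bytes are the initial burst allowance; the sustained rate of a 30000 bit/s policer is 3750 bytes per second.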
