Is QoS appropriate for this situation

l8nite4me2
Level 1

Over the past couple of days I have read numerous articles and threads on QoS for the ASA 5510.  Here is my scenario that I am looking for information about.  My management will not allow me to block certain websites such as Facebook, YouTube, MySpace etc.  Is there a way in the ASA 5510 running Software 8.0(2) to limit the amount of bandwidth these users receive while visiting these websites? i.e., if a set of users visits Facebook, can I limit their bandwidth to 512k instead of letting them eat up all 5 of my T1s?

Thanks in Advance

Accepted Solutions

Hi,

I would agree with the QoS configuration on the ASA.

You can use the MPF to configure QoS features such as policing and shaping very similar to an IOS router.

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_qos.html

Federico.

Federico,

Thank you for your reply.  I will review the link you posted as a solution.

Thank You

Federico had the first correct answer to this solution.  I have spent the last couple of days deciphering the instructions and laying out the command structure to implement this solution.  I really appreciate everyone's help and knew the community would not let me down.

Thanks for all the great suggestions.

Panos Kampanakis
Cisco Employee

You cannot do it exactly as you would like. You can match on the HTTP GET field, but those matches cannot be used for QoS.

In other words, you would only be able to do it by matching the traffic to these websites according to their IP after resolving their IP.

Here is a link that has examples http://supportforums.cisco.com/docs/DOC-1230

I hope it helps

PK
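
A sketch of the IP-based match described in the reply above, using the ASA's Modular Policy Framework to police the matched traffic to 512 kbps. This is an added example, not configuration from the thread or from the linked Cisco documents; the object-group, access-list, class-map and policy-map names are hypothetical, the site addresses are documentation-range placeholders, and the user subnet 10.0.0.0/24 behind an interface named `inside` is an assumption.

```cisco
! Added example: hypothetical names, placeholder addresses.
! Assumption: users are on 10.0.0.0/24 behind the interface named "inside".

! Resolved addresses of the sites to throttle (constructed sample values).
object-group network THROTTLED_SITES
 network-object host 192.0.2.10
 network-object host 192.0.2.11
 network-object 198.51.100.0 255.255.255.0

! Match traffic between the users and those addresses, in both directions.
access-list THROTTLE_ACL extended permit ip 10.0.0.0 255.255.255.0 object-group THROTTLED_SITES
access-list THROTTLE_ACL extended permit ip object-group THROTTLED_SITES 10.0.0.0 255.255.255.0

! Classify on the access list only; keeping the class map simple limits load.
class-map THROTTLE_CLASS
 match access-list THROTTLE_ACL

! Rate is in bits per second: 512000 = 512 kbps, applied in each direction.
policy-map INSIDE_QOS
 class THROTTLE_CLASS
  police input 512000
  police output 512000

! Attach the policy to the interface facing the users.
service-policy INSIDE_QOS interface inside

! Check that packets are hitting the class and being policed.
show service-policy interface inside
```

Because the match is by address, the object group has to be revised whenever the sites resolve to different addresses.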

PETER NEGUS
Level 1

Yes, I think it is.

The best way to do this is to look at the QoS guide at

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_qos.html

What you need to do is:

Define class-map for the traffic that you wish to limit.

     You can fix YouTube, MySpace etc by doing a class map on the URL

     BitTorrent & Skype require a bit more native cunning. You need to look for the TCP ports. Blocking the TCP ports doesn't work, as they then jump onto port 80 and give you even more headache.

Then define the policy-map.

     In preference to most of the examples, you need to SHAPE the traffic rather than Policing. Shaping allows the application to gracefully throttle the traffic, rather than policing which just kills the session.

Apply the policy to the inside interface of the ASA for traffic going into your network.

Try to keep the class map as simple as possible to avoid potential loading problems. Please tell me how you get on.

Best regards

Peter
