guaranteeing bandwidth on ASA 5505

Unanswered Question
Jul 26th, 2010

I have a customer that is a 2 office medical practice that has a VPN setup between the offices with an ASA5505 on each end. They have a T-1 at each office and they do RDP sessions from the remote office to the main office over the VPN. The trouble comes in when they try to transmit claims and I guess the provider on the other end can take the claims as fast as they can send them so it totally swamps the T-1 and kills the RDP sessions from the remote office.

So I have this in my configuration:

class-map outside-class
 match flow ip destination-address
 match tunnel-group
policy-map outside-policy
 class outside-class
  police output 500000 1500

The main question I have is: is this limiting the traffic over the VPN to 500K, or is it reserving 500K for the VPN traffic? I have kind of seen it described both ways, and even a description that indicated maybe the 5505 does it differently from anything else. The ASAs in question here are currently running 8.2(2).

mwkirk Mon, 07/26/2010 - 12:38

Ok... So I changed it to something like:

access-list outside_mpc extended deny ip any host
class-map outside-class
 match access-list outside_mpc
policy-map outside-policy
 class outside-class
  police output 800000 1500

It is a T-1 and comes through Cbeyond, which has their IAD out front that does voice and data. So I figure 800Kb for everything, and that leaves 700Kb for everything else including the voice and VPN. The IAD that Cbeyond has in place will handle any QoS requirements for the voice once it gets out there.

Also, you can't really specify anything NOT part of a tunnel group, so I just used the endpoint of the VPN for the ACL.

August Ritchie Mon, 07/26/2010 - 13:01

This seems fine to me although I have never tinkered with only VPN traffic. The one thing I notice wrong is that you don't have a second part to your access-list. If you only have one deny, then by the rules of the access-list everything else is implicitly denied as well.

So it should be like:

access-list outside_mpc extended deny ip any host //Deny the traffic we don't want to limit

access-list outside_mpc extended permit ip any any //Permit the traffic we do want to limit
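An added example (not from this thread or from Cisco): a small Python linter that parses an ASA MPF fragment like the one above and reports what the policy actually does. It encodes two facts about the ASA: `police` is a rate limiter that drops traffic above the conform rate (it does not reserve bandwidth for the class, which is the answer to the original question), and a class-map that matches an ACL only selects traffic covered by a permit entry, so an ACL containing nothing but a deny matches nothing. The sample configuration and the 203.0.113.10 peer address are constructed, and the T-1 payload rate of 1.536 Mbps is an assumption.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the thread's second configuration; the
# peer address is a documentation placeholder, not a real endpoint.
SAMPLE_CONFIG = """\
access-list outside_mpc extended deny ip any host 203.0.113.10
class-map outside-class
 match access-list outside_mpc
policy-map outside-policy
 class outside-class
  police output 800000 1500
"""
T1_USABLE_BPS = 1_536_000  # assumed T-1 payload rate: 24 x 64 kbps DS0 channels

def analyze_mpf(config: str) -> dict:
    """Report each police statement's effect and classes whose ACL has no permit."""
    acl_actions: Dict[str, List[str]] = {}  # ACL name -> [permit|deny, ...]
    class_acl: Dict[str, str] = {}          # class-map -> ACL it matches
    police: List[dict] = []
    cmap = pmap = pclass = None
    for line in (ln.strip() for ln in config.splitlines() if ln.strip()):
        if m := re.match(r"access-list (\S+) extended (permit|deny)\b", line):
            acl_actions.setdefault(m[1], []).append(m[2])
        elif m := re.match(r"class-map (\S+)$", line):
            cmap, pmap = m[1], None
        elif (m := re.match(r"match access-list (\S+)$", line)) and cmap:
            class_acl[cmap] = m[1]
        elif m := re.match(r"policy-map (\S+)$", line):
            pmap, cmap = m[1], None
        elif (m := re.match(r"class (\S+)$", line)) and pmap:
            pclass = m[1]
        elif (m := re.match(r"police (input|output) (\d+)(?: (\d+))?", line)) and pmap and pclass:
            rate = int(m[2])
            police.append({
                "policy": pmap, "class": pclass, "direction": m[1],
                "rate_bps": rate, "burst_bytes": int(m[3]) if m[3] else None,
                # police is a cap: conforming traffic passes, excess is dropped
                # (the default exceed-action); nothing is reserved for the class
                "effect": "cap", "t1_share_pct": round(100 * rate / T1_USABLE_BPS, 1),
            })
    # A class matching an ACL selects only traffic a permit ACE covers, so an ACL
    # holding nothing but deny ACEs (plus the implicit deny) matches nothing.
    dead = [c for c, a in class_acl.items() if "permit" not in acl_actions.get(a, [])]
    return {"police": police, "dead_classes": dead}

if __name__ == "__main__":
    print(analyze_mpf(SAMPLE_CONFIG))
```

Appending the `permit ip any any` line from the answer above to the sample clears the `dead_classes` finding, while the `police` entry stays a cap of roughly 52% of the T-1.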