07-26-2010 11:37 AM - edited 03-11-2019 11:16 AM
I have a customer that is a two-office medical practice that has a VPN set up between the offices with an ASA5505 on each end. They have a T-1 at each office and they do RDP sessions from the remote office to the main office over the VPN. The trouble comes in when they try to transmit claims, and I guess the provider on the other end can take the claims as fast as they can send them, so it totally swamps the T-1 and kills the RDP sessions from the remote office.
So I have this in my configuration:
class-map outside-class
match flow ip destination-address
match tunnel-group 1.1.1.1
!
!
policy-map outside-policy
class outside-class
police output 500000 1500
The main question I have is this: is it limiting the traffic over the VPN to 500K, or is it reserving 500K for the VPN traffic? I have kind of seen it described both ways, and even a description that indicated maybe the 5505 does it differently from anything else. The ASAs in question here are currently running 8.2(2).
Thanks
Mike
07-26-2010 12:00 PM
It should limit the traffic to 500K; basically anything that matches your class maps gets policed to the speed you set.
If you want to reserve 500K, you have to limit everything else to 500K less than your max bandwidth.
Here is a good link for the QoS config:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008084de0c.shtml#rate
07-26-2010 12:38 PM
Ok... So I changed it to something like:
!
access-list outside_mpc extended deny ip any host 1.1.1.1
!
class-map outside-class
match access-list outside_mpc
!
!
policy-map outside-policy
class outside-class
police output 800000 1500
!
It is a T-1 and comes through Cbeyond, which has their IAD out front that does voice and data. So, I figure 800Kb for everything; then that leaves 700Kb for everything else, including the voice and VPN. The IAD that Cbeyond has in place will handle any QoS requirements for the voice once it gets out there.
Also, you can't really specify anything NOT part of a tunnel group, so I just used the endpoint of the VPN for the ACL.
07-26-2010 01:01 PM
This seems fine to me, although I have never tinkered with only VPN traffic. The one thing I notice wrong is that you don't have a second part to your access-list. If you only have one deny, then by the rules of the access-list everything else is implicitly denied as well.
So it should be like:
access-list outside_mpc extended deny ip any host 1.1.1.1 //Deny the traffic we don't want to limit
access-list outside_mpc extended permit ip any any //Permit the traffic we do want to limit
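Putting the first reply (policing limits; to "reserve" bandwidth you police everything else) and the last reply (the ACL needs a final permit) together, here is the complete MPF configuration as an added example. It is not a configuration posted in the thread; it is assembled from the commands shown above and adds the service-policy line that actually attaches the policy to an interface, which none of the posts show. The peer address 1.1.1.1, the interface name "outside" and the 800000/1500 values are carried over from the posts and are assumptions about this deployment.

```cisco
! Added example: full policy as discussed in the thread (not copied from a post).
! Exempt the VPN peer (1.1.1.1 is the thread's placeholder), then match everything else.
! Without the final "permit ip any any" the ACL's implicit deny matches nothing.
access-list outside_mpc remark Exempt VPN peer from the policer
access-list outside_mpc extended deny ip any host 1.1.1.1
access-list outside_mpc remark Everything else is subject to the policer
access-list outside_mpc extended permit ip any any
!
class-map outside-class
 match access-list outside_mpc
!
policy-map outside-policy
 class outside-class
  ! police output <conform-rate in bits/sec> <conform-burst in bytes>
  ! 800000 bit/s leaves roughly 700 kbit/s of a T-1 for voice and the VPN,
  ! because policing caps the matched traffic rather than reserving bandwidth for it.
  police output 800000 1500
!
! The policy does nothing until it is applied to an interface ("outside" is assumed).
service-policy outside-policy interface outside
!
! Verify that packets are hitting the class and that the policer is dropping
! (conformed/exceeded counters) once claims traffic starts:
show service-policy interface outside
```

Note that `police output` takes the conform rate in bits per second and the burst in bytes, so `800000 1500` means 800 kbit/s with a 1500-byte burst. The `show service-policy` counters are the quickest way to confirm that the class is matching the intended traffic and not the VPN flow the deny line is meant to exempt.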