guaranteeing bandwidth on ASA 5505

mwkirk
Level 1

I have a customer that is a two-office medical practice that has a VPN setup between the offices with an ASA5505 on each end. They have a T-1 at each office and they do RDP sessions from the remote office to the main office over the VPN. The trouble comes in when they try to transmit claims and I guess the provider on the other end can take the claims as fast as they can send them, so it totally swamps the T-1 and kills the RDP sessions from the remote office.

So I have this in my configuration:

class-map outside-class
match flow ip destination-address
match tunnel-group 1.1.1.1
!
!
policy-map outside-policy
class outside-class
  police output 500000 1500

The main question I have is this limiting the traffic over the VPN to 500K or is it reserving 500K for the VPN traffic?  I have kind of seen it described both ways and even a description that indicated maybe the 5505 does it differently from anything else.  The ASAs in question here are currently running 8.2(2).

Thanks

Mike

3 Replies

August Ritchie
Level 1

It should limit the traffic to 500K, basically anything that matches your class maps gets policed to the speed you set.

If you want to reserve 500K you have to limit everything else to 500K less than your max bandwidth.

Here is a good link for the QoS config:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008084de0c.shtml#rate

Ok... So I changed it to something like:

!
access-list outside_mpc extended deny ip any host 1.1.1.1
!
class-map outside-class
match access-list outside_mpc
!
!
policy-map outside-policy
class outside-class
  police output 800000 1500
!

It is a T-1 and comes through Cbeyond, which has their IAD out front that does voice and data. So, I figure 800Kb for everything, then that leaves 700Kb for everything else including the voice and VPN. The IAD that Cbeyond has in place will handle any QoS requirements for the voice once it gets out there.

Also, you can't really specify anything NOT part of a tunnel group, so I just used the endpoint of the VPN for the ACL.

This seems fine to me although I have never tinkered with only VPN traffic. The one thing I notice wrong is that you don't have a second part to your access-list. If you only have one deny, then by the rules of the access-list everything else is implicitly denied as well.

so it should be like:

! Deny the traffic we don't want to limit
access-list outside_mpc extended deny ip any host 1.1.1.1
! Permit the traffic we do want to limit
access-list outside_mpc extended permit ip any any
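An added example, not part of this thread and not Cisco's code, that models what `police output <rate> <burst>` does so the limit-versus-reserve point in the first reply and the effect of the second configuration can be checked side by side. It is a token-bucket policer plus a FIFO line model in Python. The T-1 line rate (1544 kbps), the offered loads (300 kbps of RDP over the VPN, 1500 kbps of claims traffic), the class names and the packet size are constructed assumptions, and the model assumes the policy-map has actually been applied to the outside interface with `service-policy`.

```python
"""Token-bucket model of the ASA `police output <rate_bps> <burst_bytes>` action.

Added example (not from the thread). It shows that policing a class caps that
class and reserves nothing for it, and that policing everything else is what
leaves headroom for the VPN. Line rate, loads and class names are assumptions.
"""

T1_KBPS = 1544  # nominal T-1 line rate, assumed for the link model

# Constructed offered load: RDP over the VPN is modest, claims traffic swamps the line.
OFFERED_KBPS = {"vpn": 300, "claims": 1500}


class TokenBucketPolicer:
    """Single-rate policer: tokens refill at rate_bps, the bucket holds burst_bytes."""

    def __init__(self, rate_bps: int, burst_bytes: int) -> None:
        self.rate_bps = rate_bps
        self.burst_bytes = burst_bytes
        self.tokens = float(burst_bytes)  # bucket starts full
        self.last_t = 0.0

    def conforms(self, t: float, length: int) -> bool:
        """Return True if a packet of `length` bytes at time t is within the rate."""
        refill = (t - self.last_t) * self.rate_bps / 8  # bits/s -> bytes
        self.tokens = min(self.burst_bytes, self.tokens + refill)
        self.last_t = t
        if length <= self.tokens:
            self.tokens -= length
            return True   # conform-action transmit
        return False      # exceed-action drop


def police(policers, offered_kbps, seconds=10, pkt=1500):
    """Offer constant-rate traffic per class; return the kbps each policer lets through.

    policers maps class -> TokenBucketPolicer, or None for an unpoliced class.
    """
    passed = {}
    for cls, kbps in offered_kbps.items():
        n_pkts = int(kbps * 1000 / 8 * seconds / pkt)
        policer = policers.get(cls)
        sent = 0
        for i in range(n_pkts):
            t = i * seconds / n_pkts
            if policer is None or policer.conforms(t, pkt):
                sent += pkt
        passed[cls] = round(sent * 8 / 1000 / seconds)
    return passed


def share_link(passed_kbps, link_kbps=T1_KBPS):
    """FIFO line model: if the policed load still exceeds the line rate, every class
    loses in proportion to its share. Nothing is reserved and nothing has priority."""
    total = sum(passed_kbps.values())
    if total <= link_kbps:
        return dict(passed_kbps)
    return {c: round(v * link_kbps / total) for c, v in passed_kbps.items()}


def police_vpn_only():
    """The thread's first config: only the tunnel-group class is policed, at 500 kbps."""
    policers = {"vpn": TokenBucketPolicer(500_000, 1500), "claims": None}
    return share_link(police(policers, OFFERED_KBPS))


def police_everything_else():
    """The thread's second config: everything except the VPN peer is policed at 800 kbps."""
    policers = {"vpn": None, "claims": TokenBucketPolicer(800_000, 1500)}
    return share_link(police(policers, OFFERED_KBPS))


if __name__ == "__main__":
    print("police VPN at 500k:            ", police_vpn_only())
    print("police everything else at 800k:", police_everything_else())
```

In the first scenario the VPN class never reaches its 500 kbps cap, yet it still loses bandwidth because the unpoliced claims traffic pushes the line over 1544 kbps and the FIFO line takes from everyone; the policer on the VPN class protects nothing. In the second scenario the claims class is held to roughly its policed rate and the VPN class gets all of its offered 300 kbps, which is the "police everything else" approach from the first reply. Note that with a 1500-byte burst and 1500-byte packets the model passes 750 kbps under an 800 kbps policer, because tokens that overflow the bucket between packets are lost; the burst value shapes the result as much as the rate does.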
