Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1890
Views
0
Helpful
9
Replies

ASA 5510 traffic policing

itadmin
Level 1
Level 1

‎09-03-2010 10:01 AM - edited ‎03-11-2019 11:34 AM

I am trying to set up policing from 3 particular servers. The traffic that I want to limit is https (443) connections. The service policy rules that I have set up so far seem to have no effect at all. I'm using the traffic match criteria source and destination IP address, I have the source and destination configured, and I've tried several different services. Under rule actions, protocol selection is set to DCERPC selected, QoS is set to enable policing on input and output, rate is set to 250000.

What am I missing.

Thanks

Mike

Labels:
0 Helpful
9 Replies 9

mirober2
Cisco Employee
Cisco Employee

‎09-03-2010 10:09 AM

Hi Mike,

Do you have priority queueing enabled as well? This link may help you fix the problem:

https://supportforums.cisco.com/docs/DOC-1230

NOTE 2: Priority queueing needs to be used with 
policing or traffic shaping. The reason is that unless the link that LLQ
 is saturated the packets will not be prioritized. Usually the 
interfaces of the ASA can be 100Mbps or 1Gbps or more, so saturating 
these links isn't something that will happen often . But implementing 
policing or traffic shaping along with LLQ actually makes LLQ kick in at
 the point the policing or shaping limits are met.

Hope that helps.

-Mike

0 Helpful

Panos Kampanakis
Cisco Employee
Cisco Employee

‎09-03-2010 12:20 PM

Please also send us the "sh run class-map", "sh run policy-map", "sh run service-policy" and the ACLs used in the class-maps in order to do a sanity check on the config.

PK

0 Helpful

itadmin
Level 1
Level 1
In response to Panos Kampanakis

‎09-07-2010 07:57 AM

How do I show the ACL's? I attached the other files..

71697-sh run policy-map.txt.zip
0 Helpful

mirober2
Cisco Employee
Cisco Employee
In response to itadmin

‎09-07-2010 08:02 AM

Hi Mike,

To see the ACLs used for this config, you can use the following command:

show run access-list inside_mpc

-Mike

0 Helpful

itadmin
Level 1
Level 1
In response to mirober2

‎09-07-2010 10:59 AM

File as requested. I really appreciate the help

Mike

71712-show run access-list inside_mpc.txt.zip
0 Helpful

Panos Kampanakis
Cisco Employee
Cisco Employee
In response to itadmin

‎09-07-2010 11:15 AM

I see the ACL lines being inactive. These will not be matching traffic.

Please put them in again without the inactive keyword.

PK

0 Helpful

itadmin
Level 1
Level 1
In response to Panos Kampanakis

‎09-07-2010 11:16 AM

When they were active, it didn't have an effect..

0 Helpful

Panos Kampanakis
Cisco Employee
Cisco Employee
In response to itadmin

‎09-07-2010 11:29 AM

You are applying your policy on the inside interface policing at 250kbps for traffic from your 172.... hosts to the 65.... hosts on port 443.

When the lines were active did you see hitcounts on them "sh access-list . If yes, they you were policing.

do you want to policy https download from the hosts, or http uploads? If it is uploads the source port of the ACL should be https, and not the destination.

I hope it helps.

PK

0 Helpful

itadmin
Level 1
Level 1
In response to Panos Kampanakis

‎09-07-2010 11:40 AM

Hitcount was 0 after I just re-enabled them, I want incoming and out going traffic from the 172.16.10.81-83 IP's to be policed.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card