ASA 5520 Bandwidth limiting

Sep 22nd, 2010

Hello,


I want to limit the amount of bandwidth per user (down/up) with my ASA 5520. Right now I am using the following configuration, and I wonder if it's the most efficient way of doing this:


policy-map IPS_outside
 class bandwidth-outside-class
  police input 2000000 600000 conform-action transmit exceed-action drop
  police output 2000000 600000 conform-action transmit exceed-action drop


Currently I am wondering the following:

- What rates should I put in (I want 250 kB up/down for my users)?

- Right now I put these in and I get 350 kB up/down. Am I correct in saying that the first value is the normal bandwidth and the second defines how much you can go above it?

- It also feels like this configuration limits my entire connection to this (not sure though, need some more testing). Though I doubt this observation is correct.

- Frankly, what I want is that at the moment multiple users are downloading, it starts to limit the high rollers so everyone gets a decent connection.


So if someone wants to explain this to me (in a bit of detail, please; I have read some material about it but I can't seem to grasp it), I would be very grateful.

Marcin Latosiewicz (Cisco Employee) Wed, 09/22/2010 - 02:04

I don't think that would be (easily?) doable, since ASA polices per flow, not per packet.

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/conns_qos.html#wp1064207


You can set maximum bandwidth to be used by a particular flow, set of flows but within that flow or set of flows ...


Your best option is to shape traffic and/or police particular bandwidth hoggers.


Shaping (example at the end of section)

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/conns_qos.html#wp1064207


For values being explained:

http://www.cisco.com/en/US/docs/security/asa/asa83/command/reference/p.html#wp2133826


and shape:

http://www.cisco.com/en/US/docs/security/asa/asa83/command/reference/s1.html#wp1451099


ASA is not a router, it will not have as many QoS capabilities.


Hope this helps.

Marcin
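
Added example, not part of the original thread and not ASA code: a single-rate token-bucket model of the police line posted in the question, reading the first value as a rate in bits per second and the second as a burst in bytes, as the linked command reference defines them. The constant 1 MB/s offered load, the 1500-byte packets and all function names are assumptions; real TCP traffic backs off when packets are dropped and will not match these figures exactly.

```python
# Added example: single-rate token-bucket model of the posted police line.
# This is a model, not ASA code; load profile and names are assumptions.

RATE_BPS = 2_000_000     # police rate from the post, bits per second
BURST_BYTES = 600_000    # police burst from the post, bytes


def police(packets, rate_bps=RATE_BPS, burst_bytes=BURST_BYTES):
    """Return bytes transmitted for (time_s, size_bytes) packets sorted by time.

    The bucket starts full, refills at rate_bps / 8 bytes per second up to
    burst_bytes, and a packet that finds too few tokens is dropped
    (conform-action transmit, exceed-action drop).
    """
    refill_Bps = rate_bps / 8.0
    tokens, last, sent = float(burst_bytes), 0.0, 0
    for t, size in packets:
        tokens = min(burst_bytes, tokens + (t - last) * refill_Bps)
        last = t
        if size <= tokens:
            tokens -= size
            sent += size
    return sent


def offered(load_Bps, duration_s, pkt_bytes=1500):
    """Constructed input: constant-rate stream of fixed-size packets."""
    count = int(load_Bps * duration_s / pkt_bytes)
    gap = pkt_bytes / load_Bps
    return [(i * gap, pkt_bytes) for i in range(count)]


def average_kBps(duration_s, load_Bps=1_000_000):
    """Average transmitted rate in kB/s over a test of duration_s seconds."""
    return police(offered(load_Bps, duration_s)) / duration_s / 1000.0


if __name__ == "__main__":
    for seconds in (6, 60, 600):
        print(f"{seconds:>4} s test: {average_kBps(seconds):6.1f} kB/s")
```

In this model the average over a test window of T seconds (longer than 0.8 s) is about 250 + 600/T kB/s, so a short test reads well above the sustained 250 kB/s and a long one converges to it.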
