We have an ASA 5510 running version 7 of the IOS. The firewall is connected to a 3rd party Cisco router (which we are not permitted to access), which in turn is connected to a LES. The LES circuit is 10Mb.
As a school most of the traffic is HTTP based, in particular we have 3 key resources staff and students access via the web, a Virtual Learning Environment, a local council based Learning Platform and Mail servers. The problem I have is that the available bandwidth is being eaten up with 'student browsing', streaming video, music as well as 'normal' HTTP traffic and such like.
I know the ASA is capable of 'policing' traffic, but I'm not at all sure how to set this up.
Forgive the incorrect terminology; what I want to do is 'reserve' 6Mb of the bandwidth for the VLE, SLP and Mail, which is all HTTP based. As I said, nearly all of our traffic is HTTP based, so the only way to differentiate traffic would be via IP addresses.
So the question is can you set up a way of 'reserving bandwidth', or 'prioritising bandwidth' for 3 specific IP addresses over and above other HTTP traffic?
I'm not asking you to write my config for me but if you could point me in the right direction that would be really appreciated.
OK, a new dynamic to this... thanks for the links, by the way.
I used Netflow on the ASA (the free version) to get an overview of the traffic usage; the key thing I noted was that the majority of bandwidth usage was incoming, which makes sense as it's video and music being streamed into the network.
Reading the docs on the various flavours of QoS, as I understand it (and please, I'm new at this, so jump in where necessary), QoS policies are applied only at the outbound interface, on the basis that it's too late to manage traffic on the inbound as the bandwidth has already been used up. I also understand that the best QoS solutions are end to end; unfortunately we don't have that option.
Another aspect to consider, outside of teacher control, is that there are legitimate times when students and teachers need to stream video and music, so a blanket ban is not an option.
So in essence I'm looking for a solution that would allow me to effectively segregate our 10Mb connection into 2 logical pipes, 6Mb for VLE, SLP and mail with the other 4Mb for everything else, so that no matter what is inbound it doesn't encroach on the 6Mb set aside unless it's traffic from the VLE, SLP and Mail servers...
Am I asking for something not yet created or have I got this completely ass about face as it were!!!