
ASA 5510 managing traffic.

Sean Haynes
Level 1

We have an ASA 5510 running version 7 of the IOS. The firewall is connected to a 3rd party Cisco router (not permitted to access) which in turn is connected to a LES. The LES circuit is 10Mb.

As a school most of the traffic is HTTP based, in particular we have 3 key resources staff and students access via the web, a Virtual Learning Environment, a local council based Learning Platform and Mail servers. The problem I have is that the available bandwidth is being eaten up with 'student browsing', streaming video, music as well as 'normal' HTTP traffic and such like.

I know the ASA is capable of 'policing' traffic, but I'm not at all sure how to set this up.

Forgive the incorrect terminology; what I want to do is 'reserve' 6Mb of the bandwidth for the VLE, SLP and Mail, which is all HTTP based. As I said, nearly all of our traffic is HTTP based, so the only way to differentiate traffic would be via IP addresses.

So the question is can you set up a way of 'reserving bandwidth', or 'prioritising bandwidth' for 3 specific IP addresses over and above other HTTP traffic?

I'm not asking you to write my config for me but if you could point me in the right direction that would be really appreciated.

Thanks for your time.

3 Replies

sean_evershed
Level 7

You can achieve this by policing traffic on the ASA box.

But prior to applying the commands, you need to correctly identify and classify the traffic based on the protocol / IP address.

You can refer to the example at this link.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008084de0c.shtml

In this example, it is configured as "police output" but in your case you may need to configure "police input", as the traffic for VLE, SLP and mail is coming in to your network.

HTH,

~dc~
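An added example, not part of the reply above or of the linked tech note: one way to combine classification by IP address with "police input". It assumes the three key servers are reached through the outside interface, uses the placeholder addresses 192.0.2.10-12 for them, and uses hypothetical object names (OTHER-INBOUND, OTHER-INBOUND-CLASS, OUTSIDE-QOS).

```cisco
! Constructed example. 192.0.2.10-12 are placeholder addresses standing in for
! the VLE, SLP and mail servers; "outside" is assumed to be the interface
! facing the 10Mb circuit. "police input" needs ASA software 7.2 or later.

! Exempt the three key servers (a deny entry means "not matched by the class"),
! then match all other traffic arriving on the outside interface.
access-list OTHER-INBOUND extended deny ip host 192.0.2.10 any
access-list OTHER-INBOUND extended deny ip host 192.0.2.11 any
access-list OTHER-INBOUND extended deny ip host 192.0.2.12 any
access-list OTHER-INBOUND extended permit ip any any

class-map OTHER-INBOUND-CLASS
 match access-list OTHER-INBOUND

! Cap everything in that class at 4 Mbps as it enters the outside interface.
! With no actions given, conforming packets are transmitted and excess dropped.
policy-map OUTSIDE-QOS
 class OTHER-INBOUND-CLASS
  police input 4000000

service-policy OUTSIDE-QOS interface outside

! After applying, check the conformed and exceeded counters with:
! show service-policy police
```

Policing caps the other traffic rather than reserving bandwidth for the exempt servers, and inbound packets are dropped only after they have already crossed the circuit.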

Sean Haynes
Level 1

Ok, a new dynamic to this..........thanks for the links by the way.

I used Netflow on the ASA ( the free version ) to get an overview of the traffic usage; key thing I noted was that the majority of bandwidth usage was incoming, which makes sense as it's video and music being streamed into the network.

Reading the docs on the various flavours of QoS, as I understand it (and please, I'm new at this so jump in where necessary), QoS policies are applied only at the outbound interface on the basis that it's too late to manage traffic on the inbound as the bandwidth has already been used up. I also understand that the best QoS solutions are end to end; unfortunately we don't have that option.

Other aspects to consider, outside of teacher control, is that there are legitimate times when students and teachers need to stream video and music so a blanket ban is not an option.

So in essence I'm looking for a solution that would allow me to effectively segregate our 10Mb connection into 2 logical pipes, 6Mb for VLE, SLP and mail with the other 4Mb for everything else, so that no matter what is inbound it doesn't encroach on the 6Mb set aside unless it's traffic from the VLE, SLP and Mail servers............

Am I asking for something not yet created or have I got this completely ass about face as it were!!!

Thanks
