ASA policing (rate limiting) globally vs specific interface

shamax_1983 (Level 3)

I tried this many different ways, but either I'm hitting a bug or I don't understand the concept completely. Either way, please let me know what I'm doing wrong. So here's the scenario.

I'm looking after a firewall in a DC catering to multiple clients. Each client is in its own VLAN. I'm trying to implement some sort of rate limiting on each VLAN sub-interface (on the ASA) so I can limit each client to a maximum bandwidth of (say) 20/20 Mbps and, if a specific need arises, customize this so one client can use more (say 30/30 Mbps).

I wanted to do this in a scalable manner. So my thinking was: if I create a global policy like the one below, it will get applied on all VLAN sub-interfaces on the ASA.

!
access-list rate_limit_global extended permit ip any4 any4
!
class-map class_map_global
 match access-list rate_limit_global
!
policy-map global_policy
 class class_map_global
  police input 20000000 30000
  police output 20000000 30000
!
service-policy global_policy global
!

This worked fine... Life is good

So the next step was to customize one of the VLANs so one customer can get more. So my thinking was: if I create a new class-map just specifying the subnets I wanted to have higher bandwidth, deny those on the class_map_global previously defined (shown below), and have a specific policy-map applied on the client's sub-interface, it will only up the bandwidth of that interface...

Assuming the customer VLAN subnet is 10.10.1.0/24 and the destination VLAN it needs to reach with higher bandwidth is 10.10.2.0/24:

** This shows only the newly added lines (the above still exist)

!
! new additions: the deny entries for the high-bandwidth pair go before the existing permit
access-list rate_limit_global extended deny ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0
access-list rate_limit_global extended deny ip 10.10.2.0 255.255.255.0 10.10.1.0 255.255.255.0
access-list rate_limit_global extended permit ip any4 any4
!
access-list rate_limit_inside extended permit ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0
access-list rate_limit_inside extended permit ip 10.10.2.0 255.255.255.0 10.10.1.0 255.255.255.0
!
class-map class_map_inside1
 match access-list rate_limit_inside
!
policy-map policy_map_inside
 class class_map_inside1
  police input 30000000 30000
  police output 30000000 30000
!
service-policy policy_map_inside interface inside

But this is not working as expected. Sometimes it works, sometimes it doesn't. I think it depends on which command I put there first. Am I missing something here? Am I making it too complex, and is there an easy way to tackle this scenario?

I'm currently testing this on an ASA 5505 running Software Version 9.0(2) with a Security Plus license.

Appreciate your input...

Accepted Solution

Hello Shamal,

Have you done a clear local-host after the changes? If not, try that without removing anything and, sure, keep me posted.

For Networking Posts check my blog at http://www.laguiadelnetworking.com/category/english/

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

6 Replies

shamax_1983 (Level 3)

Really... no one can answer this??


Hello Shamal,

You are doing it fine; the configuration is the one required.

Now, what do you mean by this:

"Sometimes it works, sometimes it doesn't. I think it depends on which command I put there first."

For Networking Posts check my blog at http://www.laguiadelnetworking.com/category/english/

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

Thanks a lot for replying.

So the problem is that:

If I have the interface-specific policy first and then add the global policy, this works fine. If the ASA reboots, it still works fine.

But if I have the global policy in place and then add the interface-specific policy, the interface policy is not effectively applied (i.e., the global rate limits are still applied), and the ASA needs a reboot, OR I have to remove the global policy and re-apply it while the new interface policy is still applied.

This is not an acceptable scenario for me because this is a multi-tenant ASA. I can't remove and re-apply the global policy every time I want an interface-specific configuration, because it breaks other traffic streams that utilize the global policy (global inspections etc.).

Do you have any idea what's going on here??

Thanks for your time.


Hi Julio,

Sorry for not getting back to you sooner.

As you suggested, "clear local-host" worked for me. But the strange thing is, after doing that, even if I applied everything from scratch (regardless of what I do with the ASA), everything worked well even without using "clear local-host" (which is a good thing). So now everything works fine. It could be that the firewall was doing some weird buggy thing and suddenly cleared that up... Thanks a lot for helping me out!!
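An added example, not code from the thread: a small Python model of the behaviour the thread describes, with first-match ACL evaluation, the interface service-policy taking precedence over the global one, and a connection table that keeps the police rate chosen when a connection was built until clear local-host flushes it. That stickiness is an assumption drawn from Shamal's report and Julio's fix, not a description of ASA internals; the host addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass
@dataclass
class Ace:                 # one access-list entry
    action: str            # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

def acl_matches(acl, src, dst):
    """ASA-style first match: the first ACE covering src/dst decides; no match is an implicit deny."""
    for ace in acl:
        if src in ace.src and dst in ace.dst:
            return ace.action == "permit"
    return False

class Asa:
    """Assumed model: a connection keeps the rate chosen when it was built until clear local-host."""
    def __init__(self, global_acl, global_rate):
        self.global_policy = (global_acl, global_rate)   # service-policy ... global
        self.iface_policies = {}    # interface -> (acl, rate): service-policy ... interface X
        self.conns = {}             # (iface, src, dst) -> rate chosen when the connection was built
    def classify(self, iface, src, dst):
        """Interface service-policy wins over the global one; None means the flow is not policed."""
        candidates = [self.iface_policies[iface]] if iface in self.iface_policies else []
        for acl, rate in candidates + [self.global_policy]:
            if acl_matches(acl, src, dst):
                return rate
        return None
    def packet(self, iface, src, dst):
        key = (iface, src, dst)
        if key not in self.conns:           # new connection: classify once and remember it
            self.conns[key] = self.classify(iface, src, dst)
        return self.conns[key]
    def clear_local_host(self):
        self.conns.clear()

def demo():
    """Replays the thread: global 20 Mbps, then a 30 Mbps interface policy added under a live flow."""
    net, ip = ipaddress.ip_network, ipaddress.ip_address
    a, b, any4 = net("10.10.1.0/24"), net("10.10.2.0/24"), net("0.0.0.0/0")
    asa = Asa([Ace("permit", any4, any4)], 20_000_000)
    src, dst = ip("10.10.1.5"), ip("10.10.2.7")          # constructed sample hosts
    before = asa.packet("inside", src, dst)               # 20 Mbps from the global policy
    asa.global_policy[0][0:0] = [Ace("deny", a, b), Ace("deny", b, a)]   # deny ACEs precede the permit
    asa.iface_policies["inside"] = ([Ace("permit", a, b), Ace("permit", b, a)], 30_000_000)
    sticky = asa.packet("inside", src, dst)               # still 20 Mbps: old classification kept
    asa.clear_local_host()
    after = asa.packet("inside", src, dst)                # 30 Mbps once re-classified
    other = asa.packet("inside", ip("10.10.3.9"), dst)    # another tenant still gets 20 Mbps
    return before, sticky, after, other
```

The "sticky" value is the symptom from the thread: the connection built under the global policy keeps its 20 Mbps rate until the connection table is cleared, after which the same flow is policed at 30 Mbps by the interface policy while other tenants stay at the global rate.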
