07-17-2013 12:48 AM - edited 03-11-2019 07:13 PM
I tried this many different ways but either I'm hitting a bug or I don't understand the concept completely. Either way please let me know what I'm doing wrong. So here's the scenario..
I'm looking after a firewall in a DC catering to multiple clients. Each client is in its own VLAN. I'm trying to implement some sort of rate limiting on each VLAN sub-interface (on the ASA) so I can limit each client to a maximum bandwidth (say 20/20 Mbps) and, if a specific need arises, customize this so one client can use more (say 30/30 Mbps).
I wanted to do this in a scalable manner. So my thinking was: if I create a global policy like the one below, it will get applied on all VLAN sub-interfaces on the ASA.
!
access-list rate_limit_global extended permit ip any4 any4
!
class-map class_map_global
match access-list rate_limit_global
!
!
policy-map global_policy
class class_map_global
police input 20000000 30000
police output 20000000 30000
!
!
service-policy global_policy global
!
This worked fine... Life is good
So the next step was to customize one of the VLANs so one customer can get more. My thinking was: if I create a new class-map specifying just the subnets I wanted to have higher bandwidth, deny those subnets in the class-map-global ACL previously defined (shown below), and apply a specific policy-map on the client's sub-interface, it will only raise the bandwidth of that interface.
Assuming the customer VLAN subnet is 10.10.1.0/24 and the destination VLAN it needs to reach with higher bandwidth is 10.10.2.0/24:
** This shows only the newly added lines (the above still exist)
!
access-list rate_limit_global extended deny ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0 <-- New additions
access-list rate_limit_global extended deny ip 10.10.2.0 255.255.255.0 10.10.1.0 255.255.255.0 <-- New additions
access-list rate_limit_global extended permit ip any4 any4
!
!
access-list rate_limit_inside extended permit ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0
access-list rate_limit_inside extended permit ip 10.10.2.0 255.255.255.0 10.10.1.0 255.255.255.0
!
!
class-map class_map_inside1
match access-list rate_limit_inside
!
policy-map policy_map_inside
class class_map_inside1
police input 30000000 30000
police output 30000000 30000
!
service-policy policy_map_inside interface inside
But this is not working as expected. Sometimes it works, sometimes it doesn't. I think it depends on which command I put there first. Am I missing something here? Am I making it too complex and there is an easier way to tackle this scenario?
I'm currently testing this on an ASA 5505 running Software Version 9.0(2) with a Security Plus license.
Appreciate your input...
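The layout described in the post (a global police policy with carve-out denies, plus an interface policy that permits exactly the carved-out flows) has a few ways to silently fail: a class name in the policy-map that does not match any class-map, a catch-all permit placed before the deny exceptions so they never match, or an interface ACL whose flows are still matched by the global ACL. The following checker is an added example, not code from the thread or from Cisco; it parses the ASA access-list/class-map/policy-map/service-policy lines shown above and reports those three problems. The SAMPLE_CONFIG is a constructed copy of the poster's intended configuration, and the ASA line formats it understands are only the ones used in the post (standard and `host`/`any4` endpoints).

```python
"""Lint an ASA MPF rate-limiting configuration (added example, not from the thread)."""
import re
from ipaddress import IPv4Network

# Constructed sample: the poster's two-policy layout with consistent class names.
SAMPLE_CONFIG = """
access-list rate_limit_global extended deny ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0
access-list rate_limit_global extended deny ip 10.10.2.0 255.255.255.0 10.10.1.0 255.255.255.0
access-list rate_limit_global extended permit ip any4 any4
access-list rate_limit_inside extended permit ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0
access-list rate_limit_inside extended permit ip 10.10.2.0 255.255.255.0 10.10.1.0 255.255.255.0
class-map class_map_global
 match access-list rate_limit_global
class-map class_map_inside1
 match access-list rate_limit_inside
policy-map global_policy
 class class_map_global
  police input 20000000 30000
  police output 20000000 30000
policy-map policy_map_inside
 class class_map_inside1
  police input 30000000 30000
  police output 30000000 30000
service-policy global_policy global
service-policy policy_map_inside interface inside
"""


def _parse_endpoint(tokens, i):
    """Consume one ACE endpoint (any4 | host A | A MASK) at tokens[i]; return (network, next index)."""
    t = tokens[i]
    if t in ("any", "any4"):
        return IPv4Network("0.0.0.0/0"), i + 1
    if t == "host":
        return IPv4Network(f"{tokens[i + 1]}/32"), i + 2
    return IPv4Network(f"{t}/{tokens[i + 1]}"), i + 2  # ipaddress accepts dotted netmasks


def parse_config(text):
    """Return (acls, class_maps, policy_maps, service_policies) from ASA config text."""
    acls, class_maps, policy_maps, service = {}, {}, {}, []
    current = None  # (section type, name) of the block we are inside
    for raw in text.splitlines():
        tokens = raw.strip().split()
        if not tokens or tokens[0] == "!":
            continue
        if tokens[0] == "access-list" and len(tokens) > 4 and tokens[2] == "extended" and tokens[4] == "ip":
            src, i = _parse_endpoint(tokens, 5)
            dst, _ = _parse_endpoint(tokens, i)
            acls.setdefault(tokens[1], []).append((tokens[3], src, dst))
        elif tokens[0] == "class-map":
            current = ("class-map", tokens[1])
            class_maps.setdefault(tokens[1], None)
        elif tokens[0] == "policy-map":
            current = ("policy-map", tokens[1])
            policy_maps.setdefault(tokens[1], [])
        elif tokens[0] == "match" and current and current[0] == "class-map" and tokens[1] == "access-list":
            class_maps[current[1]] = tokens[2]
        elif tokens[0] == "class" and current and current[0] == "policy-map":
            policy_maps[current[1]].append(tokens[1])
        elif tokens[0] == "service-policy":
            service.append((tokens[1], " ".join(tokens[2:])))
    return acls, class_maps, policy_maps, service


def first_match(aces, src, dst):
    """Action of the first ACE that covers the src->dst flow, or None (ASA ACLs are first-match)."""
    for action, s, d in aces:
        if src.subnet_of(s) and dst.subnet_of(d):
            return action
    return None


def check(text):
    """Return a list of human-readable findings; an empty list means the layout is consistent."""
    acls, class_maps, policy_maps, service = parse_config(text)
    findings = []
    # 1. every class referenced by a policy-map must exist as a class-map (catches name typos)
    for pm, classes in policy_maps.items():
        for c in classes:
            if c != "class-default" and c not in class_maps:
                findings.append(f"policy-map {pm}: class '{c}' is not a defined class-map")
    # 2. a deny placed after a catch-all permit can never match
    for name, aces in acls.items():
        catch_all_seen = False
        for action, src, dst in aces:
            if catch_all_seen and action == "deny":
                findings.append(f"access-list {name}: deny {src}->{dst} is shadowed by an earlier catch-all permit")
            if action == "permit" and src.prefixlen == 0 and dst.prefixlen == 0:
                catch_all_seen = True
    # 3. flows permitted by an interface policy's ACL must be excluded from every global policy ACL
    global_acls, iface_acls = set(), set()
    for pm, target in service:
        for c in policy_maps.get(pm, []):
            if class_maps.get(c):
                (global_acls if target == "global" else iface_acls).add(class_maps[c])
    for acl in sorted(iface_acls):
        for action, src, dst in acls.get(acl, []):
            for g in sorted(global_acls):
                if action == "permit" and first_match(acls[g], src, dst) == "permit":
                    findings.append(f"access-list {acl}: {src}->{dst} is still permitted by global ACL {g}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("intended", SAMPLE_CONFIG),
                      ("class-name typo", SAMPLE_CONFIG.replace(" class class_map_global", " class class-map-global"))):
        print(name, "->", check(cfg) or "no findings")
```

Run it against a `show running-config` dump before and after adding a tenant-specific policy; a clean result means the global and interface policies at least agree on which flows each one owns, which narrows any remaining problem down to ASA state (existing connections classified under the old policy) rather than the configuration itself.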
07-23-2013 05:59 PM
Hello Shamal,
Have you done a clear local-host after the changes? If not, try that without removing anything, and sure, keep me posted.
For Networking Posts check my blog at http://www.laguiadelnetworking.com/category/english/
Cheers,
Julio Carvajal Segura
07-22-2013 02:39 PM
Really..no one can answer this...
??
07-22-2013 02:45 PM
Hello Shamal,
You are doing it fine; the configuration is the one required.
Now, what do you mean with this:
"Sometimes it works, sometimes it doesn't. I think it depends on what command I put there first."
For Networking Posts check my blog at http://www.laguiadelnetworking.com/category/english/
Cheers,
Julio Carvajal Segura
07-22-2013 11:21 PM
Hi Julio,
Thanks a lot for replying..
So the problem is that:
If I have the interface-specific policy first and then add the global policy, this works fine. If the ASA reboots, it still works fine.
But if I have the global policy in place and then add the interface-specific policy, the interface policy is not effectively applied (i.e., the global rate limits are still applied), and the ASA needs a reboot OR I have to remove the global policy and re-apply it while the new interface policy is still applied.
This is not an acceptable scenario for me because this is a multi-tenant ASA. I can't remove and re-apply the global policy every time I want an interface-specific configuration, because it breaks other traffic streams that utilize the global policy (global inspections etc.).
Do you have any idea what's going on here?
Thanks for your time.
08-25-2013 06:06 PM
Hi Julio,
Sorry for not getting back to you any sooner.
As you suggested, "clear local-host" worked for me. But the strange thing is, after doing that, even if I applied everything from scratch (regardless of what I do with the ASA), everything worked well even without using "clear local-host" (which is a good thing). So now everything works fine. It could be that the firewall was doing some weird buggy thing and suddenly cleared that up. Thanks a lot for helping me out!!