Rather than blocking unwanted web traffic, how can we rate limit it to a low bandwidth on the ASA5500? In an application, we are not allowed to block such traffic but we are permitted to shape or bandwidth manage the traffic.
Any document or sample code will be great, running OS 8.3.
What you're looking for is QoS. Please check this link:
I know that is supported on all models of ASAs, but not sure about the 5580, please check on that.
Thanks for your prompt response. I was looking for something more like deep packet inspection, wherein the Cisco ASA docs state dropping such packets altogether, but we cannot do that. We need to rate limit those to a low value, say 100 kbps, so that users are discouraged from doing such things at work / school and bandwidth is available for productive work.
I know it is difficult to achieve rate limiting or bandwidth management over the internet, as it will not save the bandwidth but will choke / throttle down at our own firewall; but I believe some downloads are dependent on the upstream speed for such requests / window sizing. Packeteer claims to do that; we want to achieve it with the firewall. And there is no perimeter router (that does allow what I wish to do) in front of the firewall.
I had looked at the following document, but it does not help with my situation.
The document you're looking at is to block those applications using the Modular Policy Framework on the ASA.
To rate-limit the traffic, the ASA provides you with some QoS features like policing and shaping. You can restrict how much bandwidth certain traffic can use.
It is pretty much the same way that you will configure QoS on a router (classifying the traffic, creating the policies to such traffic and applying the service policy globally or to an interface).
QoS in the ASA allows you to police or shape this traffic. Take a look at the document that I sent you.
The restriction I was telling you about is for the 10-GE cards on the 5580 only (does not support priority queue).
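As an added example (not from either poster), the MPF pattern described above written out for ASA 8.3: classify the traffic, police it in a policy-map, and apply the service policy to an interface. Since the ASA has no P2P inspection class, this assumes the unwanted traffic can be identified by an access list; the ACL, the port range, the interface name "outside" and the 100 kbps rate are all illustrative values.

```text
! Constructed example: identify the traffic to be limited by ACL
! (port range shown is only a placeholder for whatever you can match on)
access-list ACL_RATE_LIMITED extended permit tcp any any range 6881 6889
!
! Layer 3/4 class-map that matches the ACL
class-map CM_RATE_LIMITED
 match access-list ACL_RATE_LIMITED
!
! Policy-map: police the class to 100 kbps (rate in bits/s, burst in bytes)
! in both directions; conforming packets pass, excess packets are dropped,
! which is what throttles TCP downloads from the client side
policy-map PM_OUTSIDE_QOS
 class CM_RATE_LIMITED
  police output 100000 8000 conform-action transmit exceed-action drop
  police input 100000 8000 conform-action transmit exceed-action drop
!
! Apply to the internet-facing interface (one interface policy is allowed
! in addition to the global_policy that carries the inspections)
service-policy PM_OUTSIDE_QOS interface outside
```

Verify the counters with `show service-policy interface outside police`; the conformed and exceeded packet counts show whether the class is matching and how much is being dropped.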
But how will I classify such P2P traffic in the first place without NBAR or application layer inspection?
The ASA 5580 does not support the AIP-SSM module, which has many signatures that match P2P traffic; the traffic can then be reset or controlled.
The ASA can classify its traffic for QoS based on the default-inspection-traffic (the option used by the inspection engines).
So, you can configure QoS based on an inspection for applications like P2P or IM.
Towards the end of the document that you sent a link to, there is a table that lists all allowed inspect protocols. I do not find anything related to P2P inspection.
I will have to inspect HTTP and then use the port-misuse command, but it does not support policing or shaping, only allow or drop as parameters.
I will really appreciate it if you can suggest some sample code.
Yes, I think you're right.
Now, you mentioned that there's no router behind the ASA that can mark those packets, so that the ASA just respects the QoS policies based on the DSCP marks on the IP packets?
Yes, there is no router behind it; there are just L2 switches that cannot do NBAR or deep packet inspection.
Since the ASA 5580 does not support AIP-SSM, and throughput requirements are only met with large routers like the 7206VXR, I was looking at utilizing those for the purposes of zone firewalling, QoS / unwanted-traffic rate limiting, IPS, OSPF, etc. Do you see any issues with rate-limiting P2P, IM, music streaming, etc.?
Not really, it should work fine.
Again, the ASA can respect the marking of the packets so that you have the QoS policies working through the ASA as well.
As you said, the QoS should be an end-to-end policy to work fine, but for rate-limiting the P2P traffic, you can have the QoS on your path out.
I am planning to replace the firewalls and not add a router behind them. The firewalls will be diverted to another location to justify their upgrade with the 7204VXR. I just wanted to know if you have any experience with zone-based firewalling. I have in the past used IOS FW on routers and it was great. So if I use the NPE-G2 on the 7204VXR, I believe it should be able to deliver 400 Mbps plus of throughput in the presence of firewalling, IOS-IPS, NBAR application inspection, packet shaping / rate-limiting and simple web filtering based on regex.
Please advise your comments so that I can put in my recommendations.
Much appreciate all your excellent support.
There is no IDS/IPS module for this router, though the Cisco Router Guide (the last version I could find was from 2007) mentions support of the NM-CIDS module on the 7200; but further research on Cisco indicates that it is not available for the 7200 (I was wondering how this module could fit into a 7200 anyway).
So I thought that if I use the NPE-G2, the IPS hit may be acceptable.
In the future, I may experiment with Snort / snortsam / 7200 integration and that way offload IPS to Snort.
Anyway, thank you so much for your insight and excellent support.