I am applying qos on my traffic on few different virtual interfaces that I have .
I have applies the shape and police on the internal interfaces as opposed to external on internet .
Internal 1 192.168.0.1
Internal 2 192.168.0.1
I know shape is for output or upload only and police is for download/upload or input, am I correct ?
Now lets imagine we have my asa called asa1 and another website called yahoo
When someone behind network internal 1 tries to download from yahoo below is the process as I understand it
internal 1 send the traffic out to input of internet on asa then asa internet will forward this from output asa to yahoo . Yahoo then sends the data back which goes to internet in and then out to internal in and then out to internal out which is the host , is that right ?
so here is where I get confused,
I apply police output 3mbps to internal 1 which means all upload should be limited to 3 mb but that restricts the download as opposed to upload which is confusing me
unless my explanation above is incorrect then there is something wrong with my asa
What you look to have done is applied a restriction in the wrong direction. Output from the internal interface is the download of the HTTP connection. The traffic out of the internal interface is heading towards your requesting host so that is why you have limited the download speed rather than upload.
If you were to place the output restriction to the interface to your ISP, the upload of the http connection would be restricted and the download left alone.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...