Community Member

guaranteeing bandwidth on ASA 5505

I have a customer that is a 2 office medical practice that has a VPN setup between the offices with an ASA5505 on each end. They have a T-1 at each office and they do RDP sessions from the remote office to the main office over the VPN. The trouble comes in when they try to transmit claims and I guess the provider on the other end can take the claims as fast as they can send them so it totally swamps the T-1 and kills the RDP sessions from the remote office.

So I have this in my configuration:

class-map outside-class
match flow ip destination-address
match tunnel-group 1.1.1.1
!
!
policy-map outside-policy
class outside-class
  police output 500000 1500

The main question I have is this limiting the traffic over the VPN to 500K or is it reserving 500K for the VPN traffic?  I have kind of seen it described both ways and even a description that indicated maybe the 5505 does it differently from anything else.  The ASAs in question here are currently running 8.2(2).

Thanks

Mike

3 REPLIES
Community Member

Re: guaranteeing bandwidth on ASA 5505

It should limit the traffic to 500K, basically anything that matches your class maps gets policed to the speed you set.

If you want to reserve 500K you have to limit everything else to 500K less than your max bandwidth.

Here is a good link for the QoS config:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008084de0c.shtml#rate
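To make the limit-versus-reserve distinction concrete, here is an added Python simulation; it is not from this thread or from Cisco. It models a single-rate token-bucket policer in the style of ASA `police <rate-bps> <burst-bytes>`, feeds it two constructed one-second packet streams (an RDP-over-VPN flow offered at 200 kbps and a claims upload offered at 3 Mbps), and then pushes both through a 1544 kbps T-1 treated as one FIFO link. The class names, the offered rates, the assumption that the claims upload does not ride the VPN, and the pro-rata drop rule under overload are all my simplifications.

```python
from collections import defaultdict

LINK_BPS = 1_544_000  # T-1 rate; assumption: nothing else is using the circuit


class TokenBucketPolicer:
    """Single-rate policer modelled on ASA `police`: rate in bps, burst in bytes.
    Integer arithmetic throughout: time in milliseconds, tokens in bytes."""

    def __init__(self, rate_bps, burst_bytes):
        self.bytes_per_sec = rate_bps // 8
        self.burst = burst_bytes
        self.tokens = burst_bytes  # bucket starts full
        self.last_ms = 0

    def conforms(self, t_ms, size):
        # Refill for the elapsed time, but never above the burst size.
        refill = (t_ms - self.last_ms) * self.bytes_per_sec // 1000
        self.tokens = min(self.burst, self.tokens + refill)
        self.last_ms = t_ms
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False  # exceed action on the ASA is drop


def offered_stream(name, rate_bps, size=1500, duration_ms=1000):
    """Constructed constant-rate stream of `size`-byte packets for one second."""
    interval_ms = size * 8 * 1000 // rate_bps
    return [(t, name, size) for t in range(0, duration_ms, interval_ms)]


def push_through(streams, policers, link_bps=LINK_BPS):
    """Police each class with its own bucket, then share a single FIFO link.
    Under sustained overload the drops are taken pro rata across classes,
    a simplification of a shared tail-drop queue. Returns delivered bps per class."""
    packets = sorted(p for s in streams for p in s)
    admitted = defaultdict(int)
    for t, name, size in packets:
        policer = policers.get(name)
        if policer is None or policer.conforms(t, size):
            admitted[name] += size
    total = sum(admitted.values())
    capacity = link_bps // 8
    scale = min(1.0, capacity / total) if total else 1.0
    return {name: int(b * scale * 8) for name, b in admitted.items()}


def original_config():
    """Thread's first config: only the VPN class is policed, at 500 kbps."""
    return push_through(
        [offered_stream("vpn", 200_000), offered_stream("claims", 3_000_000)],
        {"vpn": TokenBucketPolicer(500_000, 1500)},
    )


def corrected_config():
    """Thread's second config: everything that is NOT VPN is policed, at 800 kbps."""
    return push_through(
        [offered_stream("vpn", 200_000), offered_stream("claims", 3_000_000)],
        {"claims": TokenBucketPolicer(800_000, 1500)},
    )


if __name__ == "__main__":
    print("police VPN at 500k :", original_config())
    print("police non-VPN 800k:", corrected_config())
```

With the first configuration the VPN class is well under its 500 kbps cap, so the policer never fires, the unpoliced claims upload still floods the link, and the RDP flow is squeezed to roughly 98 kbps of the 200 kbps it wants. With the second configuration the claims class is held to about 756 kbps and the RDP flow gets all of its bandwidth. The 756 rather than 800 kbps is worth knowing: a burst of 1500 bytes with 1500-byte packets discards every refill that overflows the bucket, so a larger burst value gets the delivered rate closer to the configured one.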

Community Member

Re: guaranteeing bandwidth on ASA 5505

Ok... So I changed it to something like:

!
access-list outside_mpc extended deny ip any host 1.1.1.1
!
class-map outside-class
match access-list outside_mpc
!
!
policy-map outside-policy
class outside-class
  police output 800000 1500
!

It is a T-1 and comes through Cbeyond, which has their IAD out front that does voice and data. So, I figure 800Kb for everything, then that leaves 700Kb for everything else including the voice and VPN. The IAD that Cbeyond has in place will handle any QOS requirements for the voice once it gets out there.

Also, you can't really specify anything NOT part of a tunnel group, so I just used the endpoint of the VPN for the ACL.

Community Member

Re: guaranteeing bandwidth on ASA 5505

This seems fine to me although I have never tinkered with only VPN traffic. The one thing I notice wrong is that you don't have a second part to your access-list. If you only have one deny, then by the rules of the access-list everything else is implicitly denied as well.

so it should be like:

access-list outside_mpc extended deny ip any host 1.1.1.1 //Deny the traffic we don't want to limit

access-list outside_mpc extended permit ip any any //Permit the traffic we do want to limit
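As an added check that is not part of this thread, here is a small Python linter for the snippets posted above. It parses the `access-list`, `class-map`, `class` and `police` lines, and flags any policed class whose class-map matches an access-list containing no permit entry, which per the reply above matches nothing, so the policer never applies. It also reports the configured police rate and the headroom that leaves on a link. The embedded sample configs are copies of the three snippets in this thread; the parser handles only the command forms seen here and is not a general ASA config parser.

```python
from collections import defaultdict

# Sample configs copied from the snippets posted in this thread.
TUNNEL_GROUP_CONFIG = """
class-map outside-class
match flow ip destination-address
match tunnel-group 1.1.1.1
!
policy-map outside-policy
class outside-class
  police output 500000 1500
"""

ONLY_DENY_CONFIG = """
access-list outside_mpc extended deny ip any host 1.1.1.1
!
class-map outside-class
match access-list outside_mpc
!
policy-map outside-policy
class outside-class
  police output 800000 1500
!
"""

# The fix from the last reply: add the permit so the class actually matches traffic.
FIXED_CONFIG = ONLY_DENY_CONFIG.replace(
    "access-list outside_mpc extended deny ip any host 1.1.1.1",
    "access-list outside_mpc extended deny ip any host 1.1.1.1\n"
    "access-list outside_mpc extended permit ip any any",
)


def parse_asa_qos(config_text):
    """Collect ACL actions, class-map match clauses and per-class police settings."""
    acls = defaultdict(list)         # acl name -> ["permit" | "deny", ...]
    class_maps = {}                  # class-map name -> list of match clauses
    policy_maps = defaultdict(dict)  # policy-map -> {class: {direction: (rate, burst)}}
    current_cm = current_pm = current_class = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        tokens = line.split()
        if tokens[0] == "access-list" and len(tokens) >= 4:
            # access-list NAME [extended] {permit|deny} ...
            action = tokens[3] if tokens[2] == "extended" else tokens[2]
            acls[tokens[1]].append(action)
            current_cm = current_pm = current_class = None
        elif tokens[0] == "class-map":
            current_cm, current_pm, current_class = tokens[1], None, None
            class_maps[current_cm] = []
        elif tokens[0] == "match" and current_cm:
            class_maps[current_cm].append(tokens[1:])
        elif tokens[0] == "policy-map":
            current_pm, current_cm, current_class = tokens[1], None, None
        elif tokens[0] == "class" and current_pm:
            current_class = tokens[1]
            policy_maps[current_pm].setdefault(current_class, {})
        elif tokens[0] == "police" and current_pm and current_class:
            # police {input|output} RATE-BPS [BURST-BYTES]
            rate = int(tokens[2])
            burst = int(tokens[3]) if len(tokens) > 3 else None
            policy_maps[current_pm][current_class][tokens[1]] = (rate, burst)
    return acls, class_maps, policy_maps


def lint_policers(config_text):
    """Return findings for policed classes whose ACL can never match anything."""
    acls, class_maps, policy_maps = parse_asa_qos(config_text)
    findings = []
    for pm, classes in policy_maps.items():
        for cls, police in classes.items():
            if not police:
                continue
            for clause in class_maps.get(cls, []):
                if clause[:1] == ["access-list"] and "permit" not in acls.get(clause[1], []):
                    findings.append(
                        f"policy-map {pm} class {cls}: access-list {clause[1]} has no permit "
                        f"entry, so the class matches no traffic and police never applies"
                    )
    return findings


def police_rates(config_text):
    """List (policy-map, class, direction, rate_bps, burst_bytes) for every policer."""
    _, _, policy_maps = parse_asa_qos(config_text)
    return [(pm, cls, d, r, b)
            for pm, classes in policy_maps.items()
            for cls, police in classes.items()
            for d, (r, b) in police.items()]


def headroom_bps(link_bps, police_bps):
    """Bandwidth left for everything outside the policed class, in bps."""
    return link_bps - police_bps


if __name__ == "__main__":
    for name, cfg in [("tunnel-group", TUNNEL_GROUP_CONFIG),
                      ("only-deny", ONLY_DENY_CONFIG), ("fixed", FIXED_CONFIG)]:
        print(name, lint_policers(cfg) or "ok", police_rates(cfg))
    print("headroom on a T-1 with 800k policed:", headroom_bps(1_544_000, 800_000))
```

Run against the three snippets: the original tunnel-group version and the fixed version pass, the deny-only version is flagged. On a 1544 kbps T-1 the 800 kbps policer leaves 744 kbps for the VPN and voice, which is the "700Kb" figure used above, rounded.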
