
Is QoS appropriate for this situation

Over the past couple of days I have read numerous articles and threads on QoS for the ASA 5510.  Here is my scenario that I am looking for information about.  My management will not allow me to block certain websites such as Facebook, YouTube, MySpace etc.  Is there a way in the ASA 5510 running Software 8.0(2) to limit the amount of bandwidth these users receive while visiting these websites? I.e., if a set of users visit Facebook, can I limit their bandwidth to 512k instead of letting them eat up all 5 of my T1s?

Thanks in Advance

Accepted Solutions

Re: Is QoS appropriate for this situation

Hi,

I would agree with the QoS configuration on the ASA.

You can use the MPF to configure QoS features such as policing and shaping very similar to an IOS router.

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_qos.html

Federico.

5 REPLIES

Community Member

Re: Is QoS appropriate for this situation

Federico,

Thank you for your reply.  I will review the link you posted as a solution.

Thank You

Community Member

Re: Is QoS appropriate for this situation

Federico had the first correct answer to this solution.  I have spent the last couple of days deciphering the instructions and laying out the command structure to implement this solution.  I really appreciate everyone's help and knew the community would not let me down.

Thanks for all the great suggestions.

Cisco Employee

Re: Is QoS appropriate for this situation

You cannot do it exactly as you would like. You can match on the HTTP GET field, but those matches cannot be used for QoS.

In other words, you would only be able to do it by matching the traffic to these websites according to their IP after resolving their IP.

Here is a link that has examples http://supportforums.cisco.com/docs/DOC-1230

I hope it helps

PK

Community Member

Re: Is QoS appropriate for this situation

Yes, I think it is.

The best way to do this is to look at the QoS guide at

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_qos.html

What you need to do is:

Define class-map for the traffic that you wish to limit.

     You can fix YouTube, MySpace etc by doing a class map on the URL

     BitTorrent & Skype require a bit more native cunning. You need to look for the TCP ports. Blocking the TCP ports doesn't work, as they then jump onto port 80 and give you even more headache.

Then define the policy-map.

     In preference to most of the examples, you need to SHAPE the traffic rather than Policing. Shaping allows the application to gracefully throttle the traffic, rather than policing which just kills the session.

Apply the policy to the inside interface of the ASA for traffic going into your network.

Try to keep the class map as simple as possible to avoid potential loading problems. Please tell me how you get on.

Best regards

Peter
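
Added example (not part of any post in this thread, and not taken from the linked Cisco documents): an ASA Modular Policy Framework sketch of the class-map, policy-map and service-policy steps listed above, matching the sites by resolved IP address as PK describes and rate-limiting with the `police` command. The `THROTTLE-*` names, the 192.0.2.0/24 range (a documentation prefix standing in for one site's resolved addresses), the `outside` interface name and the burst value are assumptions.

```cisco
! Constructed sample addresses: 192.0.2.0/24 stands in for the
! resolved addresses of one site to be throttled (assumption).
! Both directions are listed so that requests and responses match.
access-list THROTTLE-SITES extended permit tcp any 192.0.2.0 255.255.255.0 eq www
access-list THROTTLE-SITES extended permit tcp 192.0.2.0 255.255.255.0 eq www any
!
! Step 1: class-map selecting the traffic to limit (by IP, not by URL)
class-map THROTTLE-CM
 match access-list THROTTLE-SITES
!
! Step 2: policy-map applying a 512 kbps policer to that class.
! Rate is in bits per second; 64000 is an assumed burst size in bytes.
policy-map THROTTLE-PM
 class THROTTLE-CM
  police input 512000 64000
  police output 512000 64000
!
! Step 3: attach the policy to an interface (name is an assumption)
service-policy THROTTLE-PM interface outside
```

`show service-policy police` displays the conformed and exceeded counters for the class, which confirms whether the access list is actually matching the traffic. The access list has to be kept current as the sites' addresses change.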
