QOS limited bandwidth on specific IP address

avburren1
Level 1

Hi, I am using an ASA5510 and I want to configure QOS, in particular a limited bandwidth rate on a specific IP address.

For example, I have a 4Mbits SDSL internet access and I want to dedicate to one IP a limited bandwidth (2Mbits for example) on the http protocol. I tried to configure my ASA with ASDM and a Service Policy Rule but it doesn't work. Can you help me?

Thank you.

This is my configuration :

access-list WAN_mpc extended permit object-group TCPUDP host 192.168.1.6 any eq www
class-map WAN-class
 match access-list WAN_mpc
policy-map WAN-policy
 class WAN-class
  police input 2000000 1500
  police output 2000000 1500
service-policy WAN-policy interface WAN


daniel.dib
Level 7

What does show service-policy police say?

Daniel Dib
CCIE #37149
CCDE #20160011

Please rate helpful posts.

Result of show service-policy police:

Interface WAN:
  Service-policy: WAN-policy
    Class-map: WAN-class
      Input police Interface WAN:
        cir 2000000 bps, bc 1500 bytes
        conformed 0 packets, 0 bytes; actions:  drop
        exceeded 0 packets, 0 bytes; actions:  drop
        conformed 0 bps, exceed 0 bps
      Output police Interface WAN:
        cir 2000000 bps, bc 1500 bytes
        conformed 0 packets, 0 bytes; actions:  drop
        exceeded 0 packets, 0 bytes; actions:  drop
        conformed 0 bps, exceed 0 bps

I would have expected the input to have 0 and output to match, but strange that neither has matched. First off, your committed burst (bc) rate is very low; I suggest increasing this to 375000. In the future keep this formula in mind when calculating committed burst rate:

bc = (cir/8) x 1.5

(2000000/8) x 1.5 = 375000

It would seem that the traffic from the LAN is not being matched for some reason. What version ASA are you running? Do you have NAT configured?

--
Please remember to rate and select a correct answer

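The two checks made in the reply above (did either policer match any packets, and is bc below the (cir/8) x 1.5 rule of thumb) can be scripted against saved `show service-policy police` output. This is an added example, not code from any participant in the thread; the sample text is constructed to mirror the output posted above, and the function names are hypothetical.

```python
import re

# Constructed sample, shaped like the `show service-policy police` output in the thread.
SAMPLE = """\
Interface WAN:
  Service-policy: WAN-policy
    Class-map: WAN-class
      Input police Interface WAN:
        cir 2000000 bps, bc 1500 bytes
        conformed 0 packets, 0 bytes; actions:  drop
        exceeded 0 packets, 0 bytes; actions:  drop
      Output police Interface WAN:
        cir 2000000 bps, bc 1500 bytes
        conformed 0 packets, 0 bytes; actions:  drop
        exceeded 0 packets, 0 bytes; actions:  drop
"""

def suggested_bc(cir_bps):
    """Burst size in bytes from the thread's rule of thumb: (cir / 8) x 1.5."""
    return int(cir_bps / 8 * 1.5)

def parse_police(text):
    """Return one dict per policer: class, direction, cir, bc and packet counters."""
    policers, cls, cur = [], None, None
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"Class-map:\s+(\S+)", line):
            cls = m.group(1)
        elif m := re.match(r"(Input|Output) police Interface", line):
            cur = {"class": cls, "direction": m.group(1).lower()}
            policers.append(cur)
        elif cur is not None and (m := re.match(r"cir (\d+) bps, bc (\d+) bytes", line)):
            cur["cir"], cur["bc"] = int(m.group(1)), int(m.group(2))
        elif cur is not None and (m := re.match(r"(conformed|exceeded) (\d+) packets", line)):
            cur[m.group(1)] = int(m.group(2))
    return policers

def findings(text):
    """Flag policers that matched no traffic or whose bc is below the rule of thumb."""
    out = []
    for p in parse_police(text):
        tag = f"{p['class']}/{p['direction']}"
        if p.get("conformed", 0) + p.get("exceeded", 0) == 0:
            out.append(f"{tag}: no packets matched, check the class-map ACL against NAT")
        if p["bc"] < suggested_bc(p["cir"]):
            out.append(f"{tag}: bc {p['bc']} below suggested {suggested_bc(p['cir'])}")
    return out
```

Calling `findings(SAMPLE)` returns four entries: a no-match and a low-burst finding for each direction of the WAN-class policer.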

I use ASA Version 8.2 and yes I use NAT:

global (WAN) 1 interface
nat (LAN) 0 access-list LAN_nat0_outbound
nat (LAN) 1 192.168.1.0 255.255.255.0
nat (DMZ) 0 access-list DMZ_nat0_outbound_1 outside
static (DMZ,LAN) 194.206.x.x 10.1.1.2 netmask 255.255.255.255
static (DMZ,LAN) 194.206.y.y 10.1.1.3 netmask 255.255.255.255
static (DMZ,WAN) 194.206.x.x 10.1.1.2 netmask 255.255.255.255
static (DMZ,WAN) 194.206.y.y 10.1.1.3 netmask 255.255.255.255
static (LAN,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.248.0

In this case you would need to use the public IP of the host for a match to occur. As of 8.3 and higher you would use the private IP.

You would also need to amend the ACL so that inbound is also matched:

access-list WAN_mpc extended permit object-group TCPUDP host any eq www

access-list WAN_mpc extended permit object-group TCPUDP any host eq www

--
Please remember to rate and select a correct answer


To go on the Internet I use one public IP (the WAN interface IP) for all the LAN hosts in 192.168.1.0/24 with:

global (WAN) 1 interface

nat (LAN) 1 192.168.1.0 255.255.255.0

I don't want to limit the bandwidth to all the hosts in the LAN, I just want to limit one IP: 192.168.1.6

How can I do this?

Thank you

I do not think this is possible without having a dedicated public IP for 192.168.1.6 client machine.  At least not on the 8.2 ASA software.

--
Please remember to rate and select a correct answer
