02-12-2014 01:37 AM - edited 03-11-2019 08:44 PM
Hi, I am using an ASA5510 and I want to configure QoS, in particular a limited bandwidth rate on a specific IP address.
For example, I have a 4Mbits SDSL internet access and I want to dedicate to one IP a limited bandwidth (2Mbits for example) on the http protocol. I tried to configure my ASA with ASDM and Service Policy Rule but it doesn't work. Can you help me?
Thank you.
This is my configuration:
access-list WAN_mpc extended permit object-group TCPUDP host 192.168.1.6 any eq www
class-map WAN-class
match access-list WAN_mpc
policy-map WAN-policy
class WAN-class
police input 2000000 1500
police output 2000000 1500
service-policy WAN-policy interface WAN
02-12-2014 03:34 AM
What does show service-policy police say?
Daniel Dib
CCIE #37149
Please rate helpful posts.
02-12-2014 06:15 AM
Result of show service-policy police:
Interface WAN:
Service-policy: WAN-policy
Class-map: WAN-class
Input police Interface WAN:
cir 2000000 bps, bc 1500 bytes
conformed 0 packets, 0 bytes; actions: drop
exceeded 0 packets, 0 bytes; actions: drop
conformed 0 bps, exceed 0 bps
Output police Interface WAN:
cir 2000000 bps, bc 1500 bytes
conformed 0 packets, 0 bytes; actions: drop
exceeded 0 packets, 0 bytes; actions: drop
conformed 0 bps, exceed 0 bps
02-12-2014 08:04 AM
I would have expected the input to have 0 and output to match, but strange that neither has matched. First off, your committed burst (bc) rate is very low; I suggest increasing this to 375000. In the future keep this formula in mind when calculating committed burst rate:
bc = (cir/8) x 1.5
(2000000/8) x 1.5 = 375000
It would seem that the traffic from the LAN is not being matched for some reason. What version ASA are you running? Do you have NAT configured?
--
Please remember to rate and select a correct answer
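Added illustration, not part of the original thread and not Cisco code: a simplified token-bucket model of a single-rate policer, showing how a 1500-byte bc treats bursty traffic that averages below the 2 Mbit/s cir, compared with the bc given by the formula in the post above. The 100 Mbit/s arrival rate, the 1500-byte packet size and the burst pattern are constructed assumptions.

```python
# Simplified single-rate token-bucket policer (a model, not ASA code).
CIR_BPS = 2_000_000       # cir from the thread's police command
LINK_BPS = 100_000_000    # assumed LAN-side arrival rate (constructed)
PKT_BYTES = 1500          # assumed full-size packet (constructed)


def recommended_bc(cir_bps):
    """Burst size from the formula in the post: bc = (cir/8) x 1.5."""
    return int(cir_bps / 8 * 1.5)


def police(arrivals, cir_bps, bc_bytes):
    """arrivals: list of (time_s, size_bytes) sorted by time.
    Returns (conformed_packets, exceeded_packets)."""
    tokens = float(bc_bytes)  # bucket starts full
    last = 0.0
    conformed = exceeded = 0
    for t, size in arrivals:
        # Refill at cir/8 bytes per second, never above bc.
        tokens = min(bc_bytes, tokens + (t - last) * cir_bps / 8)
        last = t
        if tokens >= size:
            tokens -= size
            conformed += 1
        else:
            exceeded += 1     # policer action for exceed: drop
    return conformed, exceeded


def bursty_traffic(seconds=10, burst_pkts=100):
    """Constructed sample: one back-to-back burst per second.
    Average offered load is 100 * 1500 * 8 = 1.2 Mbit/s, below the cir."""
    gap = PKT_BYTES * 8 / LINK_BPS
    return [(s + i * gap, PKT_BYTES)
            for s in range(seconds) for i in range(burst_pkts)]


if __name__ == "__main__":
    traffic = bursty_traffic()
    for bc in (1500, recommended_bc(CIR_BPS)):
        ok, drop = police(traffic, CIR_BPS, bc)
        print(f"bc={bc:>6} bytes: conformed={ok} exceeded={drop}")
```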
02-12-2014 08:33 AM
I use ASA Version 8.2 and yes, I use NAT:
global (WAN) 1 interface
nat (LAN) 0 access-list LAN_nat0_outbound
nat (LAN) 1 192.168.1.0 255.255.255.0
nat (DMZ) 0 access-list DMZ_nat0_outbound_1 outside
static (DMZ,LAN) 194.206.x.x 10.1.1.2 netmask 255.255.255.255
static (DMZ,LAN) 194.206.y.y 10.1.1.3 netmask 255.255.255.255
static (DMZ,WAN) 194.206.x.x 10.1.1.2 netmask 255.255.255.255
static (DMZ,WAN) 194.206.y.y 10.1.1.3 netmask 255.255.255.255
static (LAN,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.248.0
02-12-2014 09:15 AM
In this case you would need to use the public IP of the host for a match to occur. As of 8.3 and higher you would use the private IP.
You would also need to amend the ACL so that inbound is also matched:
access-list WAN_mpc extended permit object-group TCPUDP host
access-list WAN_mpc extended permit object-group TCPUDP any host
--
Please remember to rate and select a correct answer
02-13-2014 01:39 AM
To go on the Internet I use one public IP (the WAN interface IP) for all the LAN hosts in 192.168.1.0/24 with:
global (WAN) 1 interface
nat (LAN) 1 192.168.1.0 255.255.255.0
I don't want to limit the bandwidth for all the hosts in the LAN, I just want to limit one IP: 192.168.1.6
How can I do this?
Thank you
02-13-2014 02:28 AM
I do not think this is possible without having a dedicated public IP for 192.168.1.6 client machine. At least not on the 8.2 ASA software.
--
Please remember to rate and select a correct answer