Cisco Support Community
ASA qos Rate limit

Hi,

I have a problem: I need to create the following QoS rate limit on 2 ASA 7.2. Is the configuration correct? Any and all help is appreciated.

- topology -

2 ASAs, version 7.2(1), each connected to the internet with 5 Mbps of internet bandwidth, with an L2L IPSec VPN tunnel established between them.

- request -

I need to configure QoS only across this LAN-to-LAN IPSec tunnel in the following way:

With 5 Mbps total bandwidth, I need to rate-limit the L2L VPN to 3.5 Mbps with a rate limit policy.

In particular, I need to configure for this IPSec tunnel a policy that sets:

2 Mbps for the http traffic vs 192.168.10.10,

1 Mbps for the https traffic vs 192.168.10.10

and 500 kbps for all the other traffic inside the L2L IPSec.

--------------------------------------------------------------------------------------------

hostname(config)# access-list host-over-l2l-http extended permit tcp any host 192.168.10.10 eq 80

hostname(config)# class-map l2l-host-specific-80

hostname(config-cmap)# description "This class-map matches http traffic for the host on the private side of the remote tunnel"

hostname(config-cmap)# match access-list host-over-l2l-http

hostname(config)# access-list host-over-l2l-https extended permit tcp any host 192.168.10.10 eq 443

hostname(config)# class-map l2l-host-specific-443

hostname(config-cmap)# description "This class-map matches https traffic for the host on the private side of the remote tunnel"

hostname(config-cmap)# match access-list host-over-l2l-https

hostname(config)# access-list host-over-l2l-any extended deny tcp any host 192.168.10.10 eq 80

hostname(config)# access-list host-over-l2l-any extended deny tcp any host 192.168.10.10 eq 443

hostname(config)# access-list host-over-l2l-any extended permit ip any any

hostname(config)# class-map l2l-host-specific-any

hostname(config-cmap)# description "This class-map matches all other traffic for the host on the private side of the remote tunnel"

hostname(config-cmap)# match access-list host-over-l2l-any

hostname(config)# class-map l2l-tunnel-grp1

hostname(config-cmap)# description "This class-map matches all best-effort traffic for tunnel IPsec grp1"

hostname(config-cmap)# match tunnel-group tunnel-grp1

hostname(config-cmap)# match flow ip destination-address

--------------------------------------------------------------------------------------------

hostname(config)# policy-map qos

hostname(config-pmap)# class l2l-tunnel-grp1

hostname(config-pmap-c)# police output 3500000 37500

hostname(config-pmap)# class l2l-host-specific-80

hostname(config-pmap-c)# police output 2000000 37500

hostname(config-pmap)# class l2l-host-specific-443

hostname(config-pmap-c)# police output 1000000 37500

hostname(config-pmap)# class l2l-host-specific-any

hostname(config-pmap-c)# police output 500000 37500

--------------------------------------------------------------------------------------------

hostname(config)# service-policy qos interface outside
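As an added check (not part of the post, and not Cisco's own tooling), the Python script below parses the policy-map above and flags what a reviewer would raise before deploying it: rates or bursts outside the ASA police limits, an aggregate rate above the 5 Mbps link, per-class rates that add up to more than the tunnel budget, and the class order, because the ASA applies a given action such as police only for the first class a packet matches, so l2l-tunnel-grp1 listed first shadows the per-host policers that follow it. The embedded policy text, the limit constants and the finding labels are constructed here.

```python
import re

# Documented ASA limits for "police": conform-rate in bps, conform-burst in bytes.
RATE_MIN, RATE_MAX = 8_000, 2_000_000_000
BURST_MIN, BURST_MAX = 1_000, 512_000_000
# Constructed copy of the policy-map from the post above, prompts stripped.
POLICY_MAP = """\
policy-map qos
 class l2l-tunnel-grp1
  police output 3500000 37500
 class l2l-host-specific-80
  police output 2000000 37500
 class l2l-host-specific-443
  police output 1000000 37500
 class l2l-host-specific-any
  police output 500000 37500
"""
CLASS_RE = re.compile(r"^\s*class\s+(\S+)")
POLICE_RE = re.compile(r"^\s*police\s+(input|output)\s+(\d+)(?:\s+(\d+))?")


def parse_policers(text):
    """Return [(class, direction, rate_bps, burst_bytes)] in policy-map order."""
    policers, current = [], None
    for line in text.splitlines():
        if m := CLASS_RE.match(line):
            current = m.group(1)
        elif (m := POLICE_RE.match(line)) and current:
            burst = int(m.group(3)) if m.group(3) else None  # burst is optional on the CLI
            policers.append((current, m.group(1), int(m.group(2)), burst))
    return policers


def check_policy(text, aggregate_class, link_bps):
    """Check policers against ASA limits, the link rate and first-match class order."""
    findings, policers = [], parse_policers(text)
    for cls, _, rate, burst in policers:
        if not RATE_MIN <= rate <= RATE_MAX:
            findings.append(f"range: {cls} rate {rate} bps outside {RATE_MIN}-{RATE_MAX}")
        if burst is not None and not BURST_MIN <= burst <= BURST_MAX:
            findings.append(f"range: {cls} burst {burst} bytes outside {BURST_MIN}-{BURST_MAX}")
    agg = [p for p in policers if p[0] == aggregate_class]
    others = [p for p in policers if p[0] != aggregate_class]
    if agg and agg[0][2] > link_bps:
        findings.append(f"link: {aggregate_class} rate {agg[0][2]} bps exceeds the {link_bps} bps link")
    if agg and sum(p[2] for p in others) > agg[0][2]:
        findings.append("budget: per-class rates add up to more than the aggregate class rate")
    # The ASA applies police only for the first class a packet matches, so an aggregate class listed first shadows the rest.
    if agg and others and policers[0][0] == aggregate_class:
        findings.append(f"order: {aggregate_class} is listed first and shadows the per-class policers")
    return findings
```

On the posted policy-map the rates and bursts pass, the 2 + 1 + 0.5 Mbps per-class budget exactly matches the 3.5 Mbps aggregate, and the only finding is the class order.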


Re: ASA qos Rate limit

The number of traffic classes, policy maps, and service policies needed to implement QoS varies depending upon the requirements of your network. Analyze your network and determine how many traffic classes, policy maps, and service policies are needed on the security appliance you are configuring, and then use the procedure at the link below.

http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a0080450b9a.html
