New Member

QoS with Police

I'm trying to get a service-policy setup that rate-limits the http traffic our users are creating by surfing the net. In our case, our ASA actually sits with our ISP, so I'm trying to cut down on the bandwidth costs the http traffic is taking up from the inside interface of the ASA across our WAN link to our home office.

We have an internal proxy server that all the users in the company use for accessing the internet. This is perfect, because it's only the traffic to this proxy server that I want to limit.

Proxy server: 192.168.1.5 (is on the inside interface of the ASA)

Our ASA already has the default "service-policy global_policy global" command in there along with the default inspection, and I don't intend to change that unless I have to.

So, I've created this:

!
access-list in_http extended permit tcp any host 192.168.1.5
!
!
class-map in_http
 match access-list in_http
!
policy-map in_http
 class in_http
  police output 500000 50000
!
service-policy in_http interface inside
!

My question is, on the service-policy command, should I apply that policy to the inside interface of the ASA or the outside interface? I want to police the traffic coming into our firewall destined for 192.168.1.5 (our proxy server) on the inside interface. I'm hoping the ACL I created there matches all the traffic destined for the server.

Here's a clip from a "show connection" on the ASA that shows an internet connection from the proxy server:

TCP out xxx.xxx.xxx.xxx:80 in 192.168.1.5:4301 idle 0:00:07 bytes 3763 flags UIO
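To see what the two numbers in `police output 500000 50000` actually do to traffic, here is an added token-bucket model of that policer (example code, not from this thread or from Cisco) run over constructed packet traces; the bucket model, the `TokenBucketPolicer`/`police_trace` names and the traces are assumptions, not the ASA's own implementation.

```python
# Added example: token-bucket model of "police output 500000 50000"
# (conform rate 500000 bit/s, burst 50000 bytes). Approximation only,
# not the ASA's implementation; packet traces are constructed.

class TokenBucketPolicer:
    """Single-rate policer: a packet conforms if the bucket holds enough
    byte credit, otherwise it exceeds (the ASA default exceed-action is drop)."""

    def __init__(self, rate_bps, burst_bytes):
        self.rate_bytes_per_s = rate_bps / 8.0   # conform rate is given in bits/s
        self.burst_bytes = burst_bytes            # bucket depth in bytes
        self.tokens = float(burst_bytes)          # bucket starts full
        self.last_t = 0.0

    def offer(self, t, size):
        # Refill credit for the time elapsed since the last packet, capped at burst.
        self.tokens = min(self.burst_bytes,
                          self.tokens + (t - self.last_t) * self.rate_bytes_per_s)
        self.last_t = t
        if size <= self.tokens:
            self.tokens -= size
            return True   # conform: forwarded
        return False      # exceed: dropped, no credit consumed

def police_trace(rate_bps, burst_bytes, packets):
    """Run (time_s, size_bytes) packets through the policer; return (conform, exceed)."""
    p = TokenBucketPolicer(rate_bps, burst_bytes)
    conform = exceed = 0
    for t, size in packets:
        if p.offer(t, size):
            conform += 1
        else:
            exceed += 1
    return conform, exceed

def steady_stream(interval_s, count, size=1500):
    """Constructed trace: `count` full-size packets, one every interval_s seconds."""
    return [(k * interval_s, size) for k in range(count)]

if __name__ == "__main__":
    RATE, BURST = 500000, 50000
    # 1) Instantaneous burst of 100 x 1500 B: only what fits in the 50000-byte bucket passes.
    print(police_trace(RATE, BURST, steady_stream(0.0, 100)))
    # 2) 1500 B every 12 ms = 125000 B/s, twice the conform rate: the bucket
    #    absorbs the first 65 packets, then roughly every other packet is dropped.
    print(police_trace(RATE, BURST, steady_stream(0.012, 100)))
    # 3) 1500 B every 30 ms = 50000 B/s, under the conform rate: nothing dropped.
    print(police_trace(RATE, BURST, steady_stream(0.030, 100)))
```

The burst value is what lets a short download spike through before the conform rate bites, so a smaller burst drops sooner and a larger one tolerates longer spikes at the same long-run rate.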

1 REPLY
Bronze

Re: QoS with Police

QoS is a traffic-management strategy that lets you allocate network resources for both mission-critical and normal data, based on the type of network traffic and the priority you assign to that traffic. In short, QoS ensures unimpeded priority traffic and provides the capability of rate-limiting (policing) default traffic.

For example, video and voice over IP (VoIP) are increasingly important for interoffice communication between geographically dispersed sites, using the infrastructure of the Internet as the transport mechanism. Firewalls are key to securing networks by controlling access, which includes inspecting VoIP protocols. QoS is the focal point to provide clear, uninterrupted voice and video communications, while still providing a basic level of service for all other traffic passing through the device.

Refer to Applying QoS Policies for more information:

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/qos.html
