QoS with Police

snooter, Level 1

I'm trying to get a service-policy set up that rate-limits the HTTP traffic our users are creating by surfing the net. In our case, our ASA actually sits with our ISP, so I'm trying to cut down on the bandwidth costs the HTTP traffic is taking up from the inside interface of the ASA across our WAN link to our home office.

We have an internal proxy server that all the users in the company use for accessing the internet. This is perfect, because it's only the traffic to this proxy server that I want to limit.

Proxy server: 192.168.1.5 (is on the inside interface of the ASA)

Our ASA already has the default "service-policy global_policy global" command in there along with the default inspection, and I don't intend to change that unless I have to.

So, I've created this:

!
access-list in_http extended permit tcp any host 192.168.1.5
!
class-map in_http
 match access-list in_http
!
policy-map in_http
 class in_http
  police output 500000 50000
!
service-policy in_http interface inside
!

My question is, on the service-policy command, should I apply that policy to the inside interface of the ASA or the outside interface? I want to police the traffic coming into our firewall destined for 192.168.1.5 (our proxy server) on the inside interface. I'm hoping the ACL I created there matches all the traffic destined for the server.

Here's a clip from a "show connection" on the asa that shows an internet connection from the proxy server:

TCP out xxx.xxx.xxx.xxx:80 in 192.168.1.5:4301 idle 0:00:07 bytes 3763 flags UIO
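The following is an added example, not part of snooter's post or jbayuka's reply, showing one way to arrange the policy so that it polices the proxy's web traffic in both directions on the inside interface. It assumes the same proxy address (192.168.1.5 behind the inside interface), ASA 7.2-era syntax, and illustrative rates. On the ASA, "police output" applies to traffic leaving the named interface and "police input" to traffic entering it; the conform rate is in bits per second and the burst in bytes. Web responses from the Internet to the proxy leave the ASA through the inside interface, so they are the "output" direction there, while the proxy's requests enter the inside interface. A reverse access-list entry is included explicitly so the class covers both directions without relying on how the ASA matches an access-list class.

```cisco
! Added example, not from the original post. Assumptions: proxy 192.168.1.5
! sits behind "inside", only TCP/80 is policed, rates are illustrative.
!
! Match web traffic in both directions. Restricting to port 80 keeps the
! proxy's other connections (DNS, management) out of the policed class;
! HTTPS (443) would need its own pair of entries.
access-list in_http extended permit tcp any eq www host 192.168.1.5
access-list in_http extended permit tcp host 192.168.1.5 any eq www
!
class-map in_http
 match access-list in_http
!
policy-map in_http
 class in_http
  ! Internet -> proxy (downloads) exits "inside": 500 kbit/s, 50000-byte burst
  police output 500000 50000
  ! proxy -> Internet (requests) enters "inside": 250 kbit/s, 25000-byte burst
  police input 250000 25000
!
! One interface policy per interface; it coexists with the existing
! "service-policy global_policy global" and its default inspections.
service-policy in_http interface inside
!
! Verify the class is matching and whether packets are exceeding the rate:
show service-policy interface inside
```

After the policy is applied, generate some traffic through the proxy and watch the conformed and exceeded counters in "show service-policy interface inside"; if the class shows no hits at all, the access-list does not match the flows as expected and the ACL entries, rather than the interface choice, are the thing to revisit.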

1 Reply

jbayuka, Level 5

QoS is a traffic-management strategy that lets you allocate network resources for both mission-critical and normal data, based on the type of network traffic and the priority you assign to that traffic. In short, QoS ensures unimpeded priority traffic and provides the capability of rate-limiting (policing) default traffic.

For example, video and voice over IP (VoIP) are increasingly important for interoffice communication between geographically dispersed sites, using the infrastructure of the Internet as the transport mechanism. Firewalls are key to securing networks by controlling access, which includes inspecting VoIP protocols. QoS is the focal point to provide clear, uninterrupted voice and video communications, while still providing a basic level of service for all other traffic passing through the device.

Refer to Applying QoS Policies for more information:

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/qos.html
