topic Traffic shaping and rate limit in ASA Firewall in Network Security

Traffic shaping and rate limit in ASA Firewall

ahmedeshtiwi — Tue, 12 Mar 2019 08:09:42 GMT

Hello,

We have a server that we would like to dedicate a 2Mbps bandwidth to (out of 10Mbps dedicated link). We had configured the ASA firewall as following:

!
access-list Srvr permit ip host 172.x.x.x any
!
class-map Server
match access-list Srvr
exit
!
access-list users permit ip any any
!
class-map users
match access-list users
exit
!
policy-map Traffic
class Server
police output 2000000 conform-action transmit exceed-action drop
class users
police output 10000000 conform-action transmit exceed-action drop
exit
!
service-policy Traffic interface outside

This is to divide the bandwidth between the Server (2Mbps) and the rest of the network hosts (8Mbps), and after applying this, I can not see any difference in the server's speed.

any ideas please.

Help is highly appreciated.

All the best.
Ahmed Eshtiwi.

Are you sure that you applied

Karsten Iwen — Mon, 22 Aug 2016 15:32:29 GMT

Are you sure that you applied the policy in the right direction? The way you configured it, you limit the traffic from your internal network to the internet (upload), but not the traffic from the internet to your network.

Hello ahmedeshtiwi. Maybe you

Matias Ortiz — Mon, 22 Aug 2016 23:18:49 GMT

Hello ahmedeshtiwi. Maybe you should check if addresses are ok.

You can check with show service-policy police and see if the traffic are matching with your configuration.

For example:

Interface XXX:
Service-policy: XXX-policy
Class-map: XXX-class
Output police Interface XXX:
cir 2000000 bps, bc 1500 bytes
conformed 4512797 packets, 726754498 bytes; actions: transmit
exceeded 1192 packets, 1697677 bytes; actions: drop
conformed 0 bps, exceed 0 bps
Input police Interface XXX:
cir 2000000 bps, bc 1500 bytes
conformed 1434714 packets, 1091100922 bytes; actions: transmit
exceeded 23008 packets, 29515174 bytes; actions: drop
conformed 0 bps, exceed 0 bps

Regards.-

I have changed the

ahmedeshtiwi — Tue, 23 Aug 2016 07:04:51 GMT

I have changed the configurations to the following:

policy-map Traffic
class Server
police output 2000000
police input 2000000
class users
police output 8000000
police input 8000000

So that it shapes both input and out put traffic, But failed as well!

I have also applied the

ahmedeshtiwi — Tue, 23 Aug 2016 07:10:50 GMT

I have also applied the policy on the inside interface as well:

here is a show service-policy police command output:

Interface outside:
Service-policy: Traffic
Class-map: Server
Output police Interface outside:
cir 2000000 bps, bc 62500 bytes
conformed 42 packets, 4893 bytes; actions: transmit
exceeded 0 packets, 0 bytes; actions: drop
conformed 0 bps, exceed 0 bps
Input police Interface outside:
cir 2000000 bps, bc 62500 bytes
conformed 0 packets, 0 bytes; actions: transmit
exceeded 0 packets, 0 bytes; actions: drop
conformed 0 bps, exceed 0 bps
Class-map: users
Output police Interface outside:
cir 8000000 bps, bc 250000 bytes
conformed 3491 packets, 459503 bytes; actions: transmit
exceeded 0 packets, 0 bytes; actions: drop
conformed 24 bps, exceed 0 bps
Input police Interface outside:
cir 8000000 bps, bc 250000 bytes
conformed 3029 packets, 2642867 bytes; actions: transmit
exceeded 0 packets, 0 bytes; actions: drop
conformed 136 bps, exceed 0 bps

Interface inside:
Service-policy: Traffic
Class-map: Server
Output police Interface inside:
cir 2000000 bps, bc 62500 bytes
conformed 0 packets, 0 bytes; actions: transmit
exceeded 0 packets, 0 bytes; actions: drop
conformed 0 bps, exceed 0 bps
Input police Interface inside:
cir 2000000 bps, bc 62500 bytes
conformed 23194 packets, 7302249 bytes; actions: transmit
exceeded 677 packets, 964394 bytes; actions: drop
conformed 8536 bps, exceed 0 bps
Class-map: users
Output police Interface inside:
cir 8000000 bps, bc 250000 bytes
conformed 2856926 packets, 1655405052 bytes; actions: transmit
exceeded 309546 packets, 408742456 bytes; actions: drop
conformed 8001176 bps, exceed 2637592 bps
Input police Interface inside:
cir 8000000 bps, bc 250000 bytes
conformed 3086795 packets, 661302788 bytes; actions: transmit
exceeded 805 packets, 1143696 bytes; actions: drop
conformed 3092456 bps, exceed 0 bps

But when the policy is

Karsten Iwen — Tue, 23 Aug 2016 07:36:01 GMT

But when the policy is applied on the outside interface, your ACL Srvr doesn't match the traffic for this policy any more. You need to change your ACL or also apply this policy to the inside interface.

I have done that but failed

ahmedeshtiwi — Tue, 23 Aug 2016 09:28:45 GMT

I have done that but failed as well:

service-policy Traffic interface outside
service-policy Traffic interface inside

How do you test it? You have

Karsten Iwen — Tue, 23 Aug 2016 09:34:35 GMT

How do you test it? You have to transfer a big file to see it working.

tested with speed test.

ahmedeshtiwi — Tue, 23 Aug 2016 10:28:47 GMT

tested with speed test.

the server spikes to more than 5Mbps sometimes, and terribly slow when browsing and downloading some other times.

as if it is not getting its dedicated share of BW!

The server is allowed to

Karsten Iwen — Tue, 23 Aug 2016 10:53:47 GMT

The server is allowed to burst traffic over the rate of 2MBit/s. Thats normal. But if the traffic keeps being over 2 MBit, the excess traffic is dropped and has to be retransmitted which can slow down some operations. So what you describe can be normal operation on the ASA. Keep in mind that the ASA is quite limited with QoS.

Hi ahmedeshtiwi, it's looks

Matias Ortiz — Tue, 23 Aug 2016 14:12:57 GMT

Hi ahmedeshtiwi, it's looks like some work well but not all.

If you're checking with speed test then you will need consider burst bytes on policy-map.

At the show service-policy police you're seeing that Class-map: users is work fine on interface inside but not Class-map: Server.

If you run now access-list Srvr and access-list users you will see if ACL are matching or not, or you need add more lines.

On the other hand, if you like QoS for Internet you can use only ACL with tcp/80 and tdp/443 instead all IP

Interface outside:
Service-policy: Traffic
Class-map: Server
Output police Interface outside:
cir 2000000 bps, bc 62500 bytes
conformed 42 packets, 4893 bytes; actions: transmit
exceeded 0 packets, 0 bytes; actions: drop
conformed 0 bps, exceed 0 bps

Input police Interface outside:
cir 2000000 bps, bc 62500 bytes
conformed 0 packets, 0 bytes; actions: transmit
exceeded 0 packets, 0 bytes; actions: drop
conformed 0 bps, exceed 0 bps

Class-map: users
Output police Interface outside:
cir 8000000 bps, bc 250000 bytes
conformed 3491 packets, 459503 bytes; actions: transmit
exceeded 0 packets, 0 bytes; actions: drop
conformed 24 bps, exceed 0 bps

Input police Interface outside:
cir 8000000 bps, bc 250000 bytes
conformed 3029 packets, 2642867 bytes; actions: transmit
exceeded 0 packets, 0 bytes; actions: drop
conformed 136 bps, exceed 0 bps

Interface inside:
Service-policy: Traffic
Class-map: Server
Output police Interface inside:
cir 2000000 bps, bc 62500 bytes
conformed 0 packets, 0 bytes; actions: transmit
exceeded 0 packets, 0 bytes; actions: drop
conformed 0 bps, exceed 0 bps

Input police Interface inside:
cir 2000000 bps, bc 62500 bytes
conformed 23194 packets, 7302249 bytes; actions: transmit
exceeded 677 packets, 964394 bytes; actions: drop
conformed 8536 bps, exceed 0 bps

Class-map: users
Output police Interface inside:
cir 8000000 bps, bc 250000 bytes
conformed 2856926 packets, 1655405052 bytes; actions: transmit
exceeded 309546 packets, 408742456 bytes; actions: drop
conformed 8001176 bps, exceed 2637592 bps

Input police Interface inside:
cir 8000000 bps, bc 250000 bytes
conformed 3086795 packets, 661302788 bytes; actions: transmit
exceeded 805 packets, 1143696 bytes; actions: drop
conformed 3092456 bps, exceed 0 bps

Other point, If you limit to 2 MB and 8 MB and you are not using all at the same time you will lost part of 10 mb of your link.

Regards.-