10-11-2011 12:19 AM
Hi,
We have a single Internet connection which is shared by 2 DMZs, LAN and VPN to DR (remote site). The web servers in DMZ suffer when traffic utilisation is heavy due to user or remote site activity.
We would like to implement a strategy to reserve/dedicate specific bandwidth for each subnet, e.g. as below:
DMZ1 = 10 Meg
DMZ2 = 5 Meg
DR = 10 MB
LAN = 25 MB
Is it possible and how can this be achieved?
What additional hardware/software is required?
Currently we have following configuration:
10 Meg Internet Bandwidth - will increase to 50 MB.
2 x ASA5510 devices in primary/standby configuration.
3 x Subnets (DMZ1, DMZ2 and LAN) - Each subnet on separate ASA Interface.
VPN to remote site via ASA.
Thank you
Tez
10-17-2011 11:35 PM
Anybody got any clue on this?
10-20-2011 08:59 AM
Hi Terry,
You can do that with a policy-map implementation in the router. Briefly, I will tell you how this can be done:
1. Put each subnet in a different ip access-list or ip prefix-list.
2. Configure a policy-map with the help of a class-map for each subnet. According to this, you can configure each policy-map you want with how much you want to give this subnet.
For example:
DMZ1 = 10 Meg ... has policy-map name DMZ1
DMZ2 = 5 Meg ... has policy-map name DMZ2 ... and so on for each policy.
DR = 10 MB
LAN = 25 MB
Actually, I'm not a professional on this, because this is called QoS in Cisco. Hence you can get more help from experts in this regard.
rgds.
majed
10-20-2011 09:51 AM
Hi Majed,
Thanks for the info. Yes, each subnet is already in a separate access-list and on a separate interface, so that bit is OK. I'm not sure if the ASA 5510 has this functionality or whether I will need to install a router in front of the ASA... I will do some research on that...
Thanks,
Tez
10-20-2011 10:15 AM
Tez,
Yes the policy map and class maps will need to be on a router (or L3 switch with routing features). There should be one already between the ASA and your Internet provider. Assuming it's under your control, that's where you would put the policy maps Majed described.
You could potentially achieve something similar with use of QoS and shaping directly on the ASA but a router is much better suited for this function than a security device.
Hope this helps.
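The class-map/policy-map approach described in the replies above, written out as IOS Modular QoS CLI for the router between the ASA and the ISP. This is an added example, not a configuration posted by anyone in the thread. The interface name, the ACL/class/policy names, all addresses (RFC 5737 documentation ranges) and the assumption that the ASA translates each zone to its own public address are hypothetical; it uses per-class shaping, which caps each class at the figure from the question rather than guaranteeing it.

```cisco
! Constructed example. The router sits outside the ASA, so it only sees
! post-NAT source addresses and the encrypted VPN tunnel, never the
! inside subnets. Classification must therefore match what the ASA emits.
!
ip access-list extended ACL-DMZ1
 permit ip host 203.0.113.10 any
ip access-list extended ACL-DMZ2
 permit ip host 203.0.113.20 any
ip access-list extended ACL-LAN
 permit ip host 203.0.113.30 any
! Site-to-site VPN to DR: ESP plus IKE/NAT-T between the ASA outside
! address (203.0.113.2) and the DR peer (198.51.100.1), both placeholders.
ip access-list extended ACL-DR
 permit esp host 203.0.113.2 host 198.51.100.1
 permit udp host 203.0.113.2 host 198.51.100.1 eq isakmp
 permit udp host 203.0.113.2 host 198.51.100.1 eq non500-isakmp
!
class-map match-all CM-DMZ1
 match access-group name ACL-DMZ1
class-map match-all CM-DMZ2
 match access-group name ACL-DMZ2
class-map match-all CM-DR
 match access-group name ACL-DR
class-map match-all CM-LAN
 match access-group name ACL-LAN
!
! shape average takes bits per second; values follow the question
! (10 / 5 / 10 / 25 Mbit/s on the planned 50 Mbit/s link).
policy-map PM-WAN-OUT
 class CM-DMZ1
  shape average 10000000
 class CM-DMZ2
  shape average 5000000
 class CM-DR
  shape average 10000000
 class CM-LAN
  shape average 25000000
!
! Outbound only: this limits what each zone sends toward the Internet.
interface GigabitEthernet0/0
 description WAN to ISP (placeholder name)
 service-policy output PM-WAN-OUT
!
! Verify per-class match and shaping counters with:
!   show policy-map interface GigabitEthernet0/0
```

Download traffic arrives from the ISP already at line rate, so limiting it per zone needs a matching output policy on the router interface facing the ASA, classified by destination address instead of source.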