ASA 5510 traffic policing

itadmin (Level 1)

I am trying to set up policing from 3 particular servers. The traffic that I want to limit is HTTPS (443) connections. The service policy rules that I have set up so far seem to have no effect at all. I'm using the traffic match criteria source and destination IP address; I have the source and destination configured, and I've tried several different services. Under rule actions, protocol selection is set to DCERPC, QoS is set to enable policing on input and output, and the rate is set to 250000.

What am I missing?

Thanks

Mike

9 Replies

mirober2 (Cisco Employee)

Hi Mike,

Do you have priority queueing enabled as well? This link may help you fix the problem:

https://supportforums.cisco.com/docs/DOC-1230

NOTE 2: Priority queueing needs to be used with policing or traffic shaping. The reason is that unless the link on which LLQ is applied is saturated, the packets will not be prioritized. Usually the interfaces of the ASA are 100 Mbps or 1 Gbps or more, so saturating these links isn't something that will happen often. But implementing policing or traffic shaping along with LLQ actually makes LLQ kick in at the point where the policing or shaping limits are met.

Hope that helps.

-Mike

Panos Kampanakis (Cisco Employee)

Please also send us the "sh run class-map", "sh run policy-map", "sh run service-policy" and the ACLs used in the class-maps in order to do a sanity check on the config.

PK

How do I show the ACLs? I attached the other files.

Hi Mike,

To see the ACLs used for this config, you can use the following command:

show run access-list inside_mpc

-Mike

File as requested. I really appreciate the help

Mike

I see the ACL lines are inactive. These will not be matching traffic.

Please put them in again without the inactive keyword.

PK

When they were active, it didn't have an effect.

You are applying your policy on the inside interface, policing at 250 kbps the traffic from your 172.... hosts to the 65.... hosts on port 443.

When the lines were active, did you see hit counts on them in "sh access-list"? If yes, then you were policing.

Do you want to police https downloads from the hosts, or http uploads? If it is uploads, the source port of the ACL should be https, not the destination.

I hope it helps.

PK
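The sanity check PK asks for above (class-maps, policy-map, service-policy and the ACL they reference) can be automated against a "show run" excerpt. The script below is an added example, not code from this thread or from Cisco: it parses a constructed ASA config, flags ACEs left with the `inactive` keyword (which never match, as PK notes), flags a class-map whose ACL has no active lines, confirms the policy-map is actually bound with `service-policy`, and reports for each active ACE whether the https port sits on the source or the destination side, which is what decides whether client-to-server or server-to-client packets are matched. The config text, the names `inside_mpc`, `https-servers` and `inside-policy`, and the 172.16.10.81-83 hosts are assumptions for illustration (the ACL name and hosts follow the thread; the rest is invented).

```python
"""Sanity-check an ASA Modular Policy Framework (MPF) policing setup.

Added example, not code from the thread or from Cisco. Parses a "show run"
excerpt and reports the pitfalls discussed above: ACEs left 'inactive', a
class-map whose ACL cannot match anything, a policy-map never applied with
'service-policy', and which side of each ACE carries the https port.
"""
import re

# Constructed "show run" excerpt (assumption, not the poster's config). One ACE
# is left inactive on purpose, the mistake found in the thread.
SAMPLE_CONFIG = """\
access-list inside_mpc extended permit tcp host 172.16.10.81 any eq https
access-list inside_mpc extended permit tcp host 172.16.10.82 any eq https inactive
access-list inside_mpc extended permit tcp host 172.16.10.83 any eq https
access-list inside_mpc extended permit tcp any eq https host 172.16.10.81
access-list inside_mpc extended permit tcp any eq https host 172.16.10.82
access-list inside_mpc extended permit tcp any eq https host 172.16.10.83
class-map https-servers
 match access-list inside_mpc
policy-map inside-policy
 class https-servers
  police input 250000 4000 conform-action transmit exceed-action drop
  police output 250000 4000 conform-action transmit exceed-action drop
service-policy inside-policy interface inside
"""

# Address specs in an extended ACE and how many tokens each consumes.
ADDR_TOKENS = {"host": 2, "any": 1, "any4": 1, "any6": 1, "object": 2, "object-group": 2}


def _take_addr(tok, i):
    if i >= len(tok):
        return None, i
    n = ADDR_TOKENS.get(tok[i], 2)            # bare "net mask" form uses two tokens
    return " ".join(tok[i:i + n]), i + n


def _take_port(tok, i):
    if i < len(tok) and tok[i] in ("eq", "lt", "gt", "neq"):
        return f"{tok[i]} {tok[i + 1]}", i + 2
    if i < len(tok) and tok[i] == "range":
        return f"range {tok[i + 1]} {tok[i + 2]}", i + 3
    return None, i


def parse_acl(config):
    """Return {acl_name: [ace dict]} for 'access-list NAME extended ...' lines."""
    acls = {}
    for line in config.splitlines():
        m = re.match(r"access-list (\S+) extended (permit|deny) (\S+) (.*)$", line.strip())
        if not m:
            continue
        name, action, proto, rest = m.groups()
        tok = rest.split()
        inactive = bool(tok) and tok[-1] == "inactive"
        if inactive:
            tok = tok[:-1]
        src, i = _take_addr(tok, 0)
        sport, i = _take_port(tok, i)
        dst, i = _take_addr(tok, i)
        dport, i = _take_port(tok, i)
        acls.setdefault(name, []).append({
            "text": line.strip(), "action": action, "proto": proto,
            "src": src, "sport": sport, "dst": dst, "dport": dport, "inactive": inactive})
    return acls


def parse_mpf(config):
    """Return (class_maps, policy_maps, bindings) from the MPF sections.
    Layer-3/4 class-maps and policy-maps only; 'type inspect' maps are not handled."""
    class_maps, policy_maps, bindings = {}, {}, []
    cm = pm = cls = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("class-map "):
            cm, pm = line.split()[1], None
            class_maps[cm] = {"acl": None}
        elif line.startswith("match access-list ") and cm:
            class_maps[cm]["acl"] = line.split()[2]
        elif line.startswith("policy-map "):
            pm, cm, cls = line.split()[1], None, None
            policy_maps[pm] = {}
        elif line.startswith("class ") and pm:
            cls = line.split()[1]
            policy_maps[pm][cls] = {"police": {}}
        elif line.startswith("police ") and pm and cls:
            m = re.match(r"police (input|output) (\d+)", line)  # rate is in bits per second
            if m:
                policy_maps[pm][cls]["police"][m.group(1)] = int(m.group(2))
        elif line.startswith("service-policy "):
            m = re.match(r"service-policy (\S+) (?:interface (\S+)|(global))", line)
            if m:
                bindings.append({"policy": m.group(1), "where": m.group(2) or "global"})
    return class_maps, policy_maps, bindings


def audit(config):
    """Report what a policing config would and would not do."""
    acls = parse_acl(config)
    class_maps, policy_maps, bindings = parse_mpf(config)
    report = {"inactive": [], "empty_classes": [], "unbound_policies": [], "policed": {}, "aces": []}
    bound = {b["policy"] for b in bindings}
    for pm_name, classes in policy_maps.items():
        if pm_name not in bound:
            report["unbound_policies"].append(pm_name)   # defined but never applied
        for cls, spec in classes.items():
            acl_name = class_maps.get(cls, {}).get("acl")
            if acl_name is None:
                continue                                  # class-default or a non-ACL match
            aces = acls.get(acl_name, [])
            report["inactive"] += [a["text"] for a in aces if a["inactive"]]
            if not any(not a["inactive"] for a in aces):
                report["empty_classes"].append(cls)      # nothing can ever hit this class
            report["policed"][cls] = dict(spec["police"])
            for a in aces:
                if a["inactive"]:
                    continue
                # A port on the destination side matches client-to-server packets,
                # a port on the source side matches server-to-client packets.
                side = "dst" if a["dport"] else "src" if a["sport"] else "none"
                report["aces"].append({"src": a["src"], "dst": a["dst"], "port_side": side})
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(audit(SAMPLE_CONFIG), indent=2))
```

Run it against your own "show run" output instead of SAMPLE_CONFIG. An entry under "inactive" is the exact problem PK spotted; an empty "policed" dict or a policy listed under "unbound_policies" means the class is matched but nothing meters it. Note that `police input` on an interface meters packets entering the ASA there and `police output` meters packets leaving through it, so read the "port_side" of each ACE together with the interface the policy is bound to.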

Hit count was 0 after I just re-enabled them. I want incoming and outgoing traffic from the 172.16.10.81-83 IPs to be policed.
