ASA policing issue

gautamzone
Level 1

Dear friends,

There is a requirement for a wireless guest subnet to be policed to 600 kbps while sending traffic to the Internet.

The wireless guest subnet is 172.20.50.0/24 and is connected to inside interface of ASA.

A point to note is that this subnet is nat'ed out to ASA public interface. So the ASCII diagram would be:

                           Inside             Outside

                                                 PAT

192.168.50.0/24 -------------->ASA--------------->Internet

My config is:

access-list wl-guest extended permit ip 192.168.50.0 255.255.255.0 any
class-map wireless
 match access-list wl-guest
policy-map my-policy
 class wireless
  police input 600000
service-policy my-policy interface inside

A few points:

1. Since I am NATing, I am applying the policy to the inside interface. I am not applying the policy to the outside interface because that would probably match the NAT'ed IP, not the real IP.

2. I am saying police input. But I am wondering if police output is right? Examples always show that Internet-destined traffic is policed using police output on the outside interface.

3. I am not trying to control bandwidth inbound because I guess it is not possible? Because by the time traffic reaches the outside interface of the ASA, it has already consumed the bandwidth of the link.

Can anyone have a look and tell me if the above config is right?

Thanks a lot

Gautam


7 Replies

Your configuration looks perfect. It should work correctly.

I want to share to you my running QoS config for my GUEST users. It is a little different but works great.

access-list GUEST extended permit ip any 172.16.138.0 255.255.255.0
class-map GUEST
 match access-list GUEST
policy-map global_policy
 class GUEST
  police output 512000
service-policy global_policy global

Dear Paul,

Thanks a lot for your kind advice.

In your case, I believe you are not NATing/PATing the 172.16.138.0 subnet?

And I think that you are trying to police traffic destined to the 172.16.138.0 subnet, not sourced from the 172.16.138.0 subnet?

Thanks a lot

Gautam

Hi,

I am doing NAT. In my case my configuration is not the best one because I am applying the police to the returning traffic. It is a waste of resources, but that is just the way I originally made it and never fixed it.

Your configuration is the correct config.

Both configs will work.

Dear Paul,

Thanks a lot for your quick clarification.

Just wanted to make sure that I understand this correctly. Please correct me if I am wrong:

1. Police input on inside interface means policing traffic when it enters the inside interface. This policed traffic can be either DMZ or outside destined traffic. Right?

2. Police output on inside interface means policing traffic as it exits inside interface and either goes out to DMZ or outside. Right?

One last question: Does outbound / inbound policing on global or outside interface happen on pre-nat addresses or post-nat addresses?

Thanks a lot

Gautam

The answer to the first two questions is yes. You are correct.

In my case I have the configuration applied globally, and when you do a show service-policy it shows the following:

   Class-map: GUEST
      Output police Interface outside:
        cir 512000 bps, bc 16000 bytes
        conformed 0 packets, 0 bytes; actions:  transmit
        exceeded 0 packets, 0 bytes; actions:  drop
        conformed 0 bps, exceed 0 bps
      Output police Interface inside:
        cir 512000 bps, bc 16000 bytes
        conformed 126893 packets, 82726717 bytes; actions:  transmit
        exceeded 3722 packets, 4670407 bytes; actions:  drop
        conformed 456 bps, exceed 24 bps
      Output police Interface internet:
        cir 512000 bps, bc 16000 bytes
        conformed 0 packets, 0 bytes; actions:  transmit
        exceeded 0 packets, 0 bytes; actions:  drop
        conformed 0 bps, exceed 0 bps

My police is applied outbound, so it applies that police to all interfaces going out. Since my ACL has the source ANY and the destination the guest subnet, it is doing the police on the inside interface going out.
If you want it to do outbound police on the outside interface, it will happen post-NAT; that is why I wanted to apply it on the inside interface.
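To make the "conformed"/"exceeded" counters in the show output above concrete, here is a small token-bucket model of a single-rate ASA policer. It is an added example written for this thread, not ASA code or either poster's configuration; it assumes the documented ASA default conform-burst of cir/32 bytes (which is what "cir 512000 bps, bc 16000 bytes" corresponds to) and uses constructed packet traces against the 600 kbps rate from the original question.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of "police {input|output} <cir> [<bc>]": a bucket holding up to bc
# bytes, refilled at cir bits/s. Packets that fit are "conformed" (transmit); the rest
# are "exceeded" (drop). Illustration only, not Cisco ASA code.
@dataclass
class Policer:
    cir_bps: int                        # committed information rate, bits per second
    bc_bytes: Optional[int] = None      # committed burst (bucket depth), bytes
    tokens: float = field(init=False)   # bytes currently available in the bucket
    last_t: float = field(init=False, default=0.0)
    conformed: int = field(init=False, default=0)
    exceeded: int = field(init=False, default=0)

    def __post_init__(self) -> None:
        if self.bc_bytes is None:
            # Assumption: ASA's default conform-burst of cir/32 bytes
            # (512000 bps -> 16000 bytes, as in the show service-policy output).
            self.bc_bytes = self.cir_bps // 32
        self.tokens = float(self.bc_bytes)

    def offer(self, t: float, size: int) -> str:
        """Offer a packet of `size` bytes at time t (seconds); return the policer action."""
        refill = (t - self.last_t) * self.cir_bps / 8      # bits/s -> bytes over the gap
        self.tokens = min(float(self.bc_bytes), self.tokens + refill)
        self.last_t = t
        if size <= self.tokens:
            self.tokens -= size
            self.conformed += 1
            return "transmit"
        self.exceeded += 1
        return "drop"

def police_trace(cir_bps: int, trace: list) -> tuple:
    """Run a list of (time, size) packets through a policer; return (conformed, exceeded)."""
    p = Policer(cir_bps)
    for t, size in trace:
        p.offer(t, size)
    return p.conformed, p.exceeded

# Constructed traces for the 600 kbps policer: a burst of twenty 1500-byte packets at
# t=0 (more than bc can absorb), and 1500-byte packets every 25 ms (480 kbps) for 1 s.
BURST = [(0.0, 1500)] * 20
STEADY_480K = [(i * 0.025, 1500) for i in range(40)]

if __name__ == "__main__":
    print("burst:", police_trace(600000, BURST))                 # (12, 8)
    print("steady 480 kbps:", police_trace(600000, STEADY_480K))  # (40, 0)
```

The burst case shows why a short spike drops packets even when the average rate is well under the cir: only bc bytes (18750 here) pass before the bucket is empty.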

Dear Paul,

Thanks a lot for the clarification.

Your answers were very clear and helpful.

Thanks a lot

Gautam

Glad to see your reply. I will appreciate if you mark this question as answered.

Sent from Cisco Technical Support iPhone App
