10-04-2006 12:24 AM - edited 02-21-2020 01:12 AM
Hi,
I have a problem: I need to create the following QoS rate limit on 2 ASA 7.2. Is the configuration correct? Any and all help is appreciated.
- topology -
2 ASAs running version 7.2(1), each connected to the internet with 5 Mbps of internet bandwidth, with an L2L IPSec VPN tunnel established between them.
- request -
I need to configure QoS only across this LAN-to-LAN IPSec tunnel, in the following way:
With 5 Mbps total bandwidth, I need to rate-limit 3,5 Mbps for the L2L VPN with a rate limit policy.
In particular, I need to configure a policy for this IPSec tunnel that sets:
2 Mbps for the http traffic vs 192.168.10.10,
1 Mbps for the https vs 192.168.10.10
and 500 kbps for all the other traffic inside the L2L IPSec.
--------------------------------------------------------------------------------------------
hostname(config)# access-list host-over-l2l-http extended permit tcp any host 192.168.10.10 eq 80
hostname(config)# class-map l2l-host-specific-80
hostname(config-cmap)# description "This class-map matches http traffic for the host on the private side of the remote tunnel"
hostname(config-cmap)# match access-list host-over-l2l-http
hostname(config)# access-list host-over-l2l-https extended permit tcp any host 192.168.10.10 eq 443
hostname(config)# class-map l2l-host-specific-443
hostname(config-cmap)# description "This class-map matches https traffic for the host on the private side of the remote tunnel"
hostname(config-cmap)# match access-list host-over-l2l-https
hostname(config)# access-list host-over-l2l-any extended deny tcp any host 192.168.10.10 eq 80
hostname(config)# access-list host-over-l2l-any extended deny tcp any host 192.168.10.10 eq 443
hostname(config)# access-list host-over-l2l-any extended permit ip any any
hostname(config)# class-map l2l-host-specific-any
hostname(config-cmap)# description "This class-map matches all other traffic for the host on the private side of the remote tunnel"
hostname(config-cmap)# match access-list host-over-l2l-any
hostname(config-cmap)# class-map l2l-tunnel-grp1
hostname(config-cmap)# description "This class-map matches all best-effort traffic for tunnel IPsec grp1"
hostname(config-cmap)# match tunnel-group tunnel-grp1
hostname(config-cmap)# match flow ip destination-address
--------------------------------------------------------------------------------------------
hostname(config)# policy-map qos
hostname(config-pmap-c)# class l2l-tunnel-grp1
hostname(config-pmap-c)# police output 3500000 37500
hostname(config-pmap-c)# class l2l-host-specific-80
hostname(config-pmap-c)# police output 2000000 37500
hostname(config-pmap-c)# class l2l-host-specific-443
hostname(config-pmap-c)# police output 1000000 37500
hostname(config-pmap-c)# class l2l-host-specific-any
hostname(config-pmap-c)# police output 500000 37500
--------------------------------------------------------------------------------------------
hostname(config)# service-policy qos interface outside
10-10-2006 06:08 AM
The number of traffic classes, policy maps, and service policies needed to implement QoS varies depending upon the requirements of your network. Analyze your network and determine how many traffic classes, policy maps, and service policies are needed on the security appliance you are configuring, and then use the procedure in the link below:
http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a0080450b9a.html