Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1852
Views
0
Helpful
5
Replies

ASA rate-limit via QoS doesn't work ?

mchemsi28
Level 1
Level 1

‎04-26-2011 03:25 AM - edited ‎03-11-2019 01:25 PM

Hello,

I wanted to rate-limit download traffic passing through my ASA5520, Software Version 8.2(1). I used configuration based on the offical documentation.
I tried two configurations, one at a time: "inbound based" where I limit the traffic entering my OUTSIDE interface; and "outbound based" where I throttle traffic leaving my INSIDE interface.

Both of them didn't work: wanted to throttle the traffic to 512 kbps. Sometimes, it got throttled around 2

Mbps, others to 6 Mbps.

The inside subnet: 172.18.1.0/24, PATed to a public adress P.P.P.P/32

!---"inbound based" configuration :
!
!
access-list OUTSIDE-TO-INSIDE extended permit ip any host P.P.P.P
!
class-map CM-OUTSIDE-TO-INSIDE
match access-list OUTSIDE-TO-INSIDE
!
policy-map PLC-OUTSIDE-INCOMING
class CM-OUTSIDE-TO-INSIDE
  police input 512000 96000 conform-action transmit exceed-action drop
!
service-policy PLC-OUTSIDE-INCOMING interface OUTSIDE

!---"outbound based" configuration :
!
!
access-list INSIDE-OUTGOING extended permit ip any 172.18.1.0 255.255.255.0
!
class-map CM-INSIDE-OUTGOING
match access-list INSIDE-OUTGOING
!
policy-map PLC-INSIDE-OUTGOING
class CM-INSIDE-OUTGOING
  police output 512000 96000 conform-action transmit exceed-action drop
!
service-policy PLC-INSIDE-OUTGOING interface INSIDE


I have doubts that ASA doesn't performe QoS well. I tried an equivalent configuration on a Cisco3845

router and it performed well.

Does anyone here tried rate-limiting on ASA ?

Labels:
0 Helpful
5 Replies 5

sean_evershed
Level 7
Level 7

‎04-26-2011 06:54 AM

Hi, Try just one policy map applied to the inside interface. This should police traffic in both directions.

!

access-list INSIDE-OUTGOING extended permit ip 172.18.1.0 255.255.255.0 any

access-list INSIDE-OUTGOING extended permit ip any 172.18.1.0 255.255.255.0

class-map CM-INSIDE-OUTGOING
match access-list INSIDE-OUTGOING
!
policy-map PLC-INSIDE-OUTGOING
class CM-INSIDE-OUTGOING
  police output 512000 96000 conform-action transmit exceed-action drop

  police input 512000 96000 conform-action transmit exceed-action drop
!
service-policy PLC-INSIDE-OUTGOING interface INSIDE

See below a recent post on the issue:

https://supportforums.cisco.com/message/3270296#3270296

0 Helpful

mchemsi28
Level 1
Level 1
In response to sean_evershed

‎04-27-2011 02:56 AM

Hi Sean,

It doesn't work either. When I try to throttle the traffic to 512 kbps, it stabilizes at 2~3 Mbps. Here's the interface graph from ASDM:

1) When I throttle the traffic:

2) when I undo the configuration:

0 Helpful

sean_evershed
Level 7
Level 7
In response to mchemsi28

‎04-27-2011 05:41 AM

Hi,

Is 172.18.1.0/24 the only subnet on the inside of your network or are there other subnets as well?

Can you post the output of the command show service-policy police when the policing config is applied?

0 Helpful

mchemsi28
Level 1
Level 1
In response to sean_evershed

‎04-28-2011 03:24 AM

Hello,

172.18.1.0/24 is the only subnet.

Here's the command output:

firewall# show service-policy police

Interface INSIDE:
  Service-policy: PLC-INSIDE-OUTGOING
    Class-map: CM-INSIDE-OUTGOING
      Output police Interface INSIDE:
        cir 256000 bps, bc 48000 bytes
        conformed 59550 packets, 23211557 bytes; actions:  drop
        exceeded 11107 packets, 8166955 bytes; actions:  drop
        conformed 256080 bps, exceed 102712 bps
      Input police Interface INSIDE:
        cir 256000 bps, bc 48000 bytes
        conformed 40306 packets, 7669708 bytes; actions:  drop
        exceeded 855 packets, 1159677 bytes; actions:  drop
        conformed 114104 bps, exceed 28520 bps


firewall# sh interface inside    
Interface GigabitEthernet0/1 "INSIDE", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
        Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)
        MAC address 5475.d050.810b, MTU 1500
        IP address 172.18.1.1, subnet mask 255.255.255.0
        290353554 packets input, 97680141161 bytes, 0 no buffer
        Received 1352633 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        441092658 packets output, 340102122438 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 late collisions, 0 deferred
        0 input reset drops, 0 output reset drops, 0 tx hangs
        input queue (blocks free curr/low): hardware (255/230)
        output queue (blocks free curr/low): hardware (255/186)
  Traffic Statistics for "INSIDE":
        289228444 packets input, 91498537029 bytes
        441092658 packets output, 331958563519 bytes
        4801531 packets dropped
      1 minute input rate 154 pkts/sec,  43510 bytes/sec
      1 minute output rate 297 pkts/sec,  155026 bytes/sec
      1 minute drop rate, 4 pkts/sec
      5 minute input rate 199 pkts/sec,  55076 bytes/sec
      5 minute output rate 331 pkts/sec,  155714 bytes/sec
      5 minute drop rate, 11 pkts/sec

0 Helpful

davemit
Level 1
Level 1

‎10-06-2011 10:30 AM

I just started messing around with this trying to get it to work and am running into the same problem.  There doesn't seem to be any effect at all after applying the policies to either interface in either direction.

Has anyone got this working?

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card