cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3045
Views
5
Helpful
8
Replies

Bandwidth Management(Rate Limit) Using QoS Policies

Delouah Todd
Level 1
Level 1

Hello,

I need some advice. We have an ASA 5525 running version 8.6(1)2 and a 10 MG pipe. I have execs that want to limit bandwidth on users for stuff like youtube, stream media, and downloads. I found the article on ‘Bandwidth Management(Rate Limit) Using QoS Policies’ so it appears our firewall can do what we want. I’m not a cisco person. My knowledge is limited when it comes to configuration – that’s why we have SmartNet :). The advice I need is what to ask for, so to speak, when I put a case in. Can bandwidth be limited on end users and/or can they limit the ‘bandwidth rate limit’ to just youtube, steaming media, and downloads? If so, what should the limit be? and I’m assume this would be for ‘incoming’ traffic only? we’re running into some bandwidth hogs – usually youtube and/or streaming media. We have a Barracuda web filter which we’ve used to block and monitor activity but I simply do not have time to babysit this all day. I should also mention we do have critical data running up and down the pipe; such as credit card processing, DB replication between in house DB and hosted website, TPCx and EDI, FTP, and such that we don’t want restricted.

Need input please,

Thanks,

D

8 Replies 8

Julio Carvajal
VIP Alumni
VIP Alumni

Hello Delouah,

You can certanly limit the amount of bandwith you provide to certain traffic across the ASA,

The thing is that you will only be able to match certain parameters (no one can match the HTTP header host value or the header URI value)

So you could do it to all the HTTP/HTTPS traffic or based on the source IP addresses restrict the traffic.

Do you follow me?

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I follow.  so could we do rate limit on HTTP/HTTPS on a range of IP's? 

Hello Delouah,

Yes you could, with no issues at all

What you now must do is determine how much bandwith you want to provide to this traffic

Then determine whether you will use traffic shapping or policing and afterwards you will be ready to open the case.

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

Does the rate in traffic policing mean the total rate combined or a single connection? For example, I have the following command configured on my ASA. Does it mean every single connection get  maximum 3000000 or the total traffic rate is 3000000? Is there any way to limit the rate per connection or ip ? Thanks.

access-list rate-limit extended permit ip any any

class-map rate-limit

match access-list rate-limit

 

policy-map rate-limit

class rate-limit

police output 3000000

police input 3000000

 

service-policy rate-limit interface outside

another questions jcarvaja....what would be the best rate to limit it too?  3 MB?  5 MB? 

Hello,

That's a question that you as the network admin of that organization could answer.

How much traffic for business purposes must travel via HTTP/HTTPS?

How much bandwith are you willing to provide to this 2 protocols?

Those are the kind of answers you need to answer before setting the number

Regards

Remember to rate all of the helpful posts, Just click the 5 stars at the left of each post

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

so it looks like policing is going to be the fit for us.  It's the inbound traffic that pegs out and it looks like shaping is for outbound only.  and I'm thinking 3 MG will work. 

Thanks much for the info Julio!

Hey man my pleasure,

Just remember to rate all of  the helpful posts and mark the question as anwered, as important as a thanks

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Review Cisco Networking for a $25 gift card