rate limit in ASA

jvardhan29
Level 1
Level 1

Hi,

I have 2 questions about the QoS feature in the firewall. I have gone through the QoS guide but was not able to figure these out.

1) How can we control or limit the amount of bandwidth for a single host in both the inbound and outbound direction? Also, if the same IP address is getting PATted to the external interface IP of the ASA, will the ASA assume the other (entire range of) inside hosts (getting PATted to that) as well for policing? If yes, do we need to apply a separate static for the single host?

2) Also, if the traffic is incoming to the ASA to a public FTP server hosted inside and we want outside users not to exceed a particular limit and apply policing, then in which direction and on which interface should we do that? (Considering that we may have active or passive FTP clients, there might be a scenario where the FTP control channel is from outside but the data channel is from inside to outside.)

10 Replies

Nagaraja Thanthry
Cisco Employee
Cisco Employee

Hello,

If you are just concerned about one specific internal device, then you can configure rate limiting to that host on the inside interface. But if you are looking at controlling bandwidth for every host in the network, then you cannot do it on the firewall. You should look at the switch that connects all hosts to the firewall. The other thing is that you cannot actually control the bandwidth from the internet to your hosts, as that should be controlled by your ISP. The same thing applies to your FTP traffic. If the ISP has already delivered the packets to your firewall, then there is no point in dropping some of those to throttle the bandwidth. If you want, you can talk to the ISP and see if they can rate limit FTP traffic and make sure that it fits within a specific bandwidth limit.

Hope this helps.

Regards,

NT

Panos Kampanakis
Cisco Employee
Cisco Employee

To answer your questions:

1) You can police on a per-host basis. Policing is happening before NAT, so you would need to match on the private IP. You can do it both inbound and outbound (in the police command). Inbound you would need to police at a level a little less than what you want to give, so that TCP will start converging to the value you want. If you want to police only one host and it is PATted with other hosts, then it is ok, you will police based on the private IP. https://supportforums.cisco.com/message/3270296#3270296 has an example for policing traffic on the ASA.

2) You can police everything from the server, since we know the chunks of data will be going to and from it. But if you want to have, for example, 1000 users downloading from the server, you can't say police each user at 1Mbps. You can't police on a per-host basis unless you match in a class-map.

I hope it clarifies it.

PK

Hi Nagaraja,

As per your statement: "If you are just concerned about one specific internal device, then you can configure rate limiting to that host on the inside interface."

Question: if I apply policing on the inside interface (police input ... and then service-policy inside), then won't it affect the other interfaces as well, i.e. from inside to DMZ and inside to outside? I mean, why should the firewall even process from inside to DMZ, even though I understand that the traffic is not meant to go to that interface? So why is it not recommended to apply the service-policy on outside?


Hi PK,

I was not able to clearly understand:

1) The below is for outbound traffic (inside to outside via the firewall).

https://supportforums.cisco.com/message/3270296#3270296 is redirecting me to my thread itself. Also, if you can give me an example, as I want to understand whether, with one host (from inside) getting NATted to the public interface, the ASA will assume the other (entire range of) inside hosts (getting PATted to that) as well for policing or not (considering I have applied policing to the outside interface).

If yes, do we need to apply a separate static for the single host if I don't want the other users included?


2) For point 2, request you to give an example.

1.

I meant to send the link https://supportforums.cisco.com/docs/DOC-1230

Again, if you want to police one inside host that is PATted, in your ACL that will be matched for policing you will use the private IP, not the public.

2.

access-list ftp-traffic-acl permit tcp any host <ftp-server-ip> eq 21

access-list ftp-traffic-acl permit tcp any host <ftp-server-ip> eq 20

class-map ftp-class

  match access-list ftp-traffic-acl

policy-map police-policy

  class ftp-class

    police output 500000

    police input 500000

service-policy police-policy interface outside

That will police the aggregate FTP traffic to the server, not the FTP traffic to the server for each host that is connecting to it.

Let us know if it answers your question.

PK

Hi PK,

Thanks for replying. In one of your previous statements, stated below:

"if you want to have for example 1000 users downloading from the server you can't say police each user at 1Mbps. You can't police on a per-host basis unless you match in a class-map."


Does that mean that in the ACL which will be bound to the class-map, I should specify either "any" or the network range of the outside as source, with the destination as the "ftp server"? So with this, is it possible to police on a per-host basis?

In your last reply:

1) I have read the link, but it is mostly giving a VPN example. Also I think there is a point which I was expecting, if you could answer:

a) Consider the FW has 3 interfaces: inside, dmz, outside

nat (inside) 1 0 0

global (outside) 1 interface

global (dmz) 1 interface

access-list outbound-acl permit tcp host 10.10.10.1 any eq 80
class-map http-class
match access-list outbound-acl

policy-map httppolicy
class http-class
  police output 300000
  police input 300000

service-policy httppolicy interface inside


If I apply policing on the inside interface for 10.10.10.1 for the outbound traffic, then won't it apply for other interfaces as well? E.g. with policing applied on the inside i/f (in to out), don't you think that it will limit the traffic from inside to DMZ as well (as in the ACL I have specified "any" as destination)? Though I know that there is no web server in the DMZ, still the FW will process the traffic, which I don't want.

So in this case, isn't it recommended to apply the service-policy on outside?


b) Also, in continuation with the above, if 10.10.10.1 is getting PATted to the external i/f IP of the FW, will the FW assume the other (entire range of) inside hosts (also getting PATted to the ext i/f) as well for policing (considering the above scenario) with the service-policy applied on outside? This way the traffic of other hosts which is not supposed to be policed will unintentionally get policed. If yes, do we need to apply a separate static for the single host (10.10.10.1) to get the source translated to some other public IP?

2) I am not able to understand the meaning of aggregate FTP traffic for the "inbound traffic to FTP server" example.

In the ACL used by the policy applied on the inside interface, deny the inside-to-DMZ traffic before the permit, so that it will not be throttled.

You are correct. For individual clients to be policed you need a class-map for each IP address. There is a limit of only 255 class-maps though.

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/c1.html#wp2110928

-KS
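As an added example (not code from this thread or from Cisco), the following Python generator emits the per-host policing configuration that PK's and KS's replies describe: one ACL and one class-map per inside host matched on its private IP, a deny ACE for the DMZ subnet placed ahead of the permit so inside-to-DMZ traffic is excluded from the policer, and a single policy-map applied to the inside interface. The 255 class-map ceiling is taken from KS's reply; the host addresses, the 192.168.1.0/24 DMZ subnet, the 300000 bps rate and the policer's accepted rate range are constructed values and assumptions, not from the thread.

```python
"""Emit Cisco ASA MPF configuration that polices each inside host separately.

Added example for this thread, not code from the thread or from Cisco.
Host addresses, the DMZ subnet and the rate below are constructed samples.
"""
from ipaddress import IPv4Address, IPv4Network

# KS's reply states a limit of 255 class-maps on the ASA; enforced before emitting.
MAX_CLASS_MAPS = 255
# Assumed accepted range for the "police" conform rate, in bits per second.
MIN_RATE_BPS, MAX_RATE_BPS = 8000, 2_000_000_000


def per_host_policing(hosts, rate_bps, exempt_net=None, interface="inside",
                      policy_name="host-police"):
    """Return ASA config lines policing each host in `hosts` at `rate_bps`.

    One ACL and one class-map per host (per-host policing needs a class per IP,
    as KS notes). If `exempt_net` is given (e.g. the DMZ subnet), a deny ACE for
    it is placed before the permit so that traffic is excluded from the policer.
    The ACL matches the host's private IP, since the policy sits on the inside
    interface, as PK describes.
    """
    if len(hosts) > MAX_CLASS_MAPS:
        raise ValueError(f"{len(hosts)} hosts exceed the {MAX_CLASS_MAPS} class-map limit")
    if not MIN_RATE_BPS <= rate_bps <= MAX_RATE_BPS:
        raise ValueError(f"rate {rate_bps} bps outside {MIN_RATE_BPS}-{MAX_RATE_BPS}")
    addrs = [str(IPv4Address(h)) for h in hosts]  # validates every address
    if len(set(addrs)) != len(addrs):
        raise ValueError("duplicate host in list")
    exempt = IPv4Network(exempt_net) if exempt_net else None

    lines = []
    for a in addrs:
        tag = a.replace(".", "_")
        acl, cmap = f"police-{tag}", f"police-{tag}-class"
        if exempt is not None:
            # ASA ACLs take a subnet mask, not a wildcard mask.
            lines.append(f"access-list {acl} extended deny ip host {a} "
                         f"{exempt.network_address} {exempt.netmask}")
        lines.append(f"access-list {acl} extended permit ip host {a} any")
        lines.append(f"class-map {cmap}")
        lines.append(f" match access-list {acl}")

    lines.append(f"policy-map {policy_name}")
    for a in addrs:
        lines.append(f" class police-{a.replace('.', '_')}-class")
        lines.append(f"  police input {rate_bps}")   # host -> ASA (uploads)
        lines.append(f"  police output {rate_bps}")  # ASA -> host (downloads)
    lines.append(f"service-policy {policy_name} interface {interface}")
    return lines


def class_map_count(lines):
    """Number of class-maps the generated config defines."""
    return sum(1 for l in lines if l.startswith("class-map "))


def deny_precedes_permit(lines, acl):
    """True if the named ACL has a deny ACE and it appears before its permit ACE."""
    aces = [l for l in lines if l.startswith(f"access-list {acl} ")]
    kinds = [l.split()[3] for l in aces]  # token after "extended"
    return "deny" in kinds and kinds.index("deny") < kinds.index("permit")


if __name__ == "__main__":
    # Constructed sample: two inside hosts, DMZ exempt, 300 kbps each way.
    cfg = per_host_policing(["10.10.10.1", "10.10.10.2"], 300000,
                            exempt_net="192.168.1.0/24")
    print("\n".join(cfg))
```

Running the file prints a config you can paste into the ASA; `police input` on the inside interface limits what the host sends toward the ASA and `police output` limits what the ASA delivers to the host. As PK notes above, set the rate for the download direction a little below the target so TCP converges to the value you want.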

Hi KS,

Thanks for answering. I was wondering if you have an explanation for my previous questions related to rate limiting.

Hi PK,

I was just looking for your valuable suggestions on this.

Jayesh,

Sorry, I thought I had answered your question. Did my answer not answer the rest of the questions as well?

What other questions do you have?

-KS

Thanks KS, I appreciate all your help till now.

One of the questions for which I still have confusion is this:

access-list ftp-traffic-acl permit tcp any host <ftp-server-ip> eq 21
access-list ftp-traffic-acl permit tcp any host <ftp-server-ip> eq 20
class-map ftp-class
match access-list ftp-traffic-acl

policy-map police-policy
class ftp-class
  police output 500000
  police input 500000

service-policy police-policy interface outside


- What will the above config do, considering it is for inbound traffic coming to an inside public FTP server? What all will it limit?

For my second doubt you replied:

"On the acl applied in the policy applied on the inside interface, before the permit deny the inside to dmz traffic so, that will not be throttled."

Your reply was clear. My related question to this is: rather than denying the inside-to-DMZ traffic, can I consider applying the service-policy on outside as well?


One more important thing which is not clear till now is this, because it will involve the firewall external interface IP:

In continuation with the above example of outbound traffic, 10.10.10.1 is getting PATted to the external i/f IP of the FW [example mentioned below]. Here I sense that if I want to use a service-policy on the outside interface for this host, I have to use a public IP in the ACL "outbound-acl" instead of the private one, and that will be the external interface IP? Correct?

But due to this, the FW will assume the other inside hosts (also getting PATted to the ext i/f) as well for policing with the service-policy on outside. If yes, do we need to apply a separate static for the host (10.10.10.1) and put that in the ACL if I want to apply the outside service-policy? If no, is it possible to use the below ACL with the private IP and still apply the service-policy on the outside interface?

nat (inside) 1 0 0
global (outside) 1 interface
global (dmz) 1 interface

access-list outbound-acl permit tcp host 10.10.10.1 any eq 80
class-map http-class
match access-list outbound-acl

policy-map httppolicy
class http-class
  police output 300000
  police input 300000
