cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
818
Views
0
Helpful
4
Replies

Rate-limit seems to not work

Dru Goradia
Level 1
Level 1

When we use Aspera, it maxes out our bandwidth and we cannot do anything else while the download is going on.

3220ASA1# sh conn add 192.168.0.105 prot udp

110 in use, 509 most used

UDP outside 153.7.233.153:33001 inside 192.168.0.105:60064, idle 0:00:00, bytes 573048376, flags -

I want to rate-limit the UDP port 33001 that aspera uses, here is that part of my config. I applied the QoS to both the inside and outside interface for port 33001.

ASA Version 8.6(1)

access-list outside_mpc extended permit udp any any eq 33001

access-list inside_mpc_1 extended permit udp any any eq 33001

!

class-map inside-class

match access-list inside_mpc_1

class-map outside-class

match access-list outside_mpc

!

policy-map outside-policy

class outside-class

  police input 100000 1500

  police output 100000 1500

policy-map inside-policy

class httptraffic

  inspect http http_inspection_policy

class inside-class

  police input 100000 1500

  police output 100000 1500

!

service-policy outside-policy interface outside

service-policy inside-policy interface inside

Do I have this wrong? The ASDM is still showing traffic as much higher than the 100kbps I want to limit to.

4 Replies 4

Julio Carvajal
VIP Alumni
VIP Alumni

Hello Dru,

I would actually do it like this

policy-map outside-policy

class outside-class

  police output 100000 1500

policy-map inside-policy

class httptraffic

  inspect http http_inspection_policy

class inside-class

  police input 100000 1500

Then I would apply the service-policy and then do clear local-host

Let me know how it goes

Regards,

Jcarvaja

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Dru Goradia
Level 1
Level 1

After speaking with TAC we were able to police the traffic internally but as it's UDP the source server just kept throwing the packets at us, maxing out the bandwith. I was told that the only workaround is to get the ISP to limit it.

Hello Dru,

What do U mean?

Who is the one that innitiates the connection, the server on the inside of an outside user???

Did u Try what I suggested?

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Todd Kelly
Level 1
Level 1

Having the same issues. Did the recommendation from Julio help you? I would like to know if this has resolved your issue.

Thanks.

Todd

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: