06-08-2009 06:04 AM - edited 03-11-2019 08:40 AM
Hi, I am wondering how to set up a bandwidth limit on the following VLANs. We have a 2 MBPS 1:1 leased line and the download speed reaches a maximum of 180 to 200 KB.
1) NOC (192.168.12.0/24)
2) DEV (192.168.13.0/24)
3) QA (192.168.14.0/24)
4) Tech (192.168.15.0/24)
Now, the Internet is on, and when users download anything from any of the VLANs it consumes a lot of bandwidth, which can result in the network getting choked, and that affects business production activities. Now I want to set up a limited bandwidth for each entire VLAN, e.g. assign only up to 30kb downloading for the QA VLAN and the same for the others, except the NOC VLAN. Can anyone suggest whether this is possible? I know it can be done with QoS, but I am not very proficient with QoS commands, so I would request the experts to please explain briefly with commands, if possible.
Thanks
06-10-2009 02:31 AM
I would suggest QoS or rate-limiting; that would be the easy way to get this done, if this is a router or switch. If it is an ASA, you will have to do QoS.
06-11-2009 04:50 AM
With this config, the QA VLAN will get only 30KB, but the usage of the WAN link may be bigger, because you can only limit traffic on egress from the ASA.
! match everything destined for the QA subnet
access-list traffic_QA extended permit ip any 192.168.14.0 255.255.255.0
class-map traffic_QA
 match access-list traffic_QA
policy-map limit_QA_out
 class traffic_QA
  ! police output <rate in bits per second> <burst in bytes>
  police output 30000 60000
service-policy limit_QA_out interface VL_QA
Guido.
Please rate all the helpful comments.
06-11-2009 11:13 PM
Hi, Thank you for your responses.
"but the usage of the WAN link may be bigger, because you can only limit traffic on egress from the ASA"
I didn't understand the meaning of the above sentence. Can you please explain it briefly?
Thanks
06-12-2009 06:18 AM
QoS for inbound traffic
OK, I reviewed everything, did some testing, and finally found how this must be done.
Yes, you CAN throttle down inbound traffic.
The only consideration is that you must specify the outside address, so you must create a different pool for each VLAN.
global (outside) 1 200.1.1.2
global (outside) 2 200.1.1.3
nat (NOC) 1 192.168.12.0 255.255.255.0
nat (QA) 2 192.168.14.0 255.255.255.0
access-list traffic_wwwNOC extended permit ip any host 200.1.1.2
access-list traffic_wwwQA extended permit ip any host 200.1.1.2
class-map class_wwwNOC
 match access-list traffic_wwwNOC
class-map class_wwwQA
 match access-list traffic_wwwQA
policy-map limit_outside
 class class_wwwNOC
  police input 1500000 60000
 class class_wwwQA
  police input 300000 30000
service-policy limit_outside interface outside
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/qos.html
Guido.
06-12-2009 11:32 PM
Hi, if I am using the commands below in my configuration:
global (outside) 1 interface outside
global (outside) 2 interface outside
What commands need to be changed?
Please explain.
06-13-2009 02:06 PM
You need a public address for each VLAN with a different policy shaping.
For instance, if your outside ip address is 200.1.1.2 255.255.255.248, you can use:
global (outside) 1 interface outside
global (outside) 2 200.1.1.3
access-list traffic_wwwNOC extended permit ip any host 200.1.1.2
access-list traffic_wwwQA extended permit ip any host 200.1.1.3
For the global pool, you can use an address currently used for PAT. For example, if you have something like this:
static (inside,outside) tcp 200.1.1.3 80 192.168.12.20 80 netmask 255.255.255.255
... this is not a problem.
What is the netmask of your public address?
Please note that I made a mistake in the ACL of the previous post. Each ACL must point to the corresponding public address of the global pool.
Guido.
08-06-2009 05:04 AM
Hi,
We have a 2mbps link, and 4 VLANs are placed on the ASA FW.
1) NOC 192.168.12.0
2) QA 192.168.15.0
3) Tech 192.168.21.0
4) DEV 192.168.14.0
Now I want to set the download speed to 30 kb for each entire VLAN. I want to allow 150 KB bandwidth for the QA VLAN for the STS DC Tunnel. I want to allow 150 KB bandwidth for the Techsol VLAN for the 192.168.59.109 host, which is placed Sterling STS Tunnel.
Please explain the commands. Thanks
08-06-2009 10:00 PM
Please advise!
08-07-2009 04:13 AM
How many public IP addresses do you have?
You need a /28 at least. One public IP for each global nat pool.
Guido
08-07-2009 08:04 AM
Yes, we have 16 public IP
08-07-2009 09:40 PM
??
08-09-2009 04:13 PM
Have you tested the previously posted commands?
(replace 200.1.1.x with your public address)
global (outside) 1 200.1.1.2
global (outside) 2 200.1.1.3
nat (NOC) 1 192.168.12.0 255.255.255.0
nat (QA) 2 192.168.14.0 255.255.255.0
access-list traffic_wwwNOC extended permit ip any host 200.1.1.2
access-list traffic_wwwQA extended permit ip any host 200.1.1.3
! identify traffic:
class-map class_wwwNOC
 match access-list traffic_wwwNOC
class-map class_wwwQA
 match access-list traffic_wwwQA
! apply different shaping to each class of traffic:
policy-map limit_outside
 class class_wwwNOC
  police input 1500000 60000
 class class_wwwQA
  police input 300000 30000
! enable service-policy on the interface:
service-policy limit_outside interface outside
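Added example, not part of the thread or of any Cisco tooling: a small Python audit of the inbound-policing config discussed above. It flags the ACL slip corrected in the 06-13-2009 post (two classes matching one public address, leaving a pool unpoliced) and converts each police rate from bits per second to KB/s. The `audit` function and the `SAMPLE` text are constructed for illustration; it assumes explicit pool addresses rather than `interface`, and 1 KB = 1000 bytes.

```python
import re

# Constructed sample: the first inbound-policing config from the thread, including
# the ACL slip the poster later corrected (QA ACL pointing at the NOC address).
SAMPLE = """\
global (outside) 1 200.1.1.2
global (outside) 2 200.1.1.3
nat (NOC) 1 192.168.12.0 255.255.255.0
nat (QA) 2 192.168.14.0 255.255.255.0
access-list traffic_wwwNOC extended permit ip any host 200.1.1.2
access-list traffic_wwwQA extended permit ip any host 200.1.1.2
class-map class_wwwNOC
 match access-list traffic_wwwNOC
class-map class_wwwQA
 match access-list traffic_wwwQA
policy-map limit_outside
 class class_wwwNOC
  police input 1500000 60000
 class class_wwwQA
  police input 300000 30000
"""

def audit(config):
    """Return (rows, problems); each row is (class, VLAN, public address, KB/s)."""
    pools, vlans, acls, cmap, rows, current = {}, {}, {}, {}, [], None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"global \(\w+\) (\d+) (\S+)$", line):
            pools[m[2]] = m[1]                  # public address -> NAT pool id
        elif m := re.match(r"nat \((\w+)\) (\d+) ", line):
            vlans[m[2]] = m[1]                  # NAT pool id -> inside interface
        elif m := re.match(r"access-list (\S+) extended permit ip any host (\S+)$", line):
            acls[m[1]] = m[2]                   # ACL name -> matched public address
        elif m := re.match(r"class(?:-map)? (\S+)$", line):
            current = m[1]                      # class being defined or policed
        elif m := re.match(r"match access-list (\S+)$", line):
            cmap[current] = m[1]
        elif m := re.match(r"police input (\d+)", line):
            addr = acls.get(cmap.get(current))
            vlan = vlans.get(pools.get(addr))   # which VLAN is really being limited
            rows.append((current, vlan, addr, int(m[1]) / 8 / 1000))  # bit/s -> KB/s
    seen, problems = {}, []
    for cls, _, addr, _ in rows:
        if addr in seen:
            problems.append(f"{cls} and {seen[addr]} both match {addr}")
        seen.setdefault(addr, cls)
    problems += [f"pool {p} ({a}) is never policed" for a, p in pools.items() if a not in seen]
    return rows, problems
```

On the sample, `audit(SAMPLE)` shows `class_wwwQA` actually limiting the NOC address; pointing that ACL at 200.1.1.3 clears both findings.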