11-29-2017 02:49 PM - edited 03-03-2019 08:41 AM
Hi all,
I would appreciate your valuable help in making some things clear for me regarding QoS rate-limiting and traffic shaping. Please share your feedback and any suggestions for the following scenario.
Consider the below topology:
Let's say User A (192.168.1.25/24) wants to download some data from the FTP server over at the right. He initiates the download and chokes Acme's network by consuming all available WAN bandwidth, which is 50/50 Mbps (symmetrical). The administrator needs to:
A. Rate-limit that flow to a maximum of 5 Mbps to leave bandwidth available for other Acme needs.
B. Rate-limit any inbound traffic (FTP, HTTP, P2P, etc.) from the Internet to the whole user subnet to a maximum of 40 Mbps, leaving 10 Mbps of free bandwidth for Acme's servers hosted on the DMZ.
What is the best way to configure this? On which device/interface/direction should a policer or shaper be configured (use the A-G points in the topology in your answer) by the admin to achieve A and B, if either of the two options could really achieve the above needs? Please share your thoughts/suggestions from real implementations of your own.
My thinking is as follows:
Since FTP download data (or any other incoming packet) is inbound traffic from the Internet (ISP router) to the Acme router, the admin has no control and cannot rate-limit the incoming data. This is only something the ISP can do (before packets are sent over the WAN link to Acme). So in my view, if the admin sets a policer at point E with direction input, it won't do anything, since the packets have already traversed the WAN link and consumed bandwidth. This totally agrees with the same claim on https://supportforums.cisco.com/t5/security-documents/asa-qos/ta-p/3115852 (NOTE 1).
If this thinking is correct, can someone explain why Cisco says otherwise here,
where it is stated: "a single user might be able to absorb most, if not all, of the available bandwidth, thus starving the other users. In order to prevent any one user or site-to-site connection from consuming more than its fair share of bandwidth, QoS provides a policing feature that regulates the maximum bandwidth that any user can use. The primary goal of QoS in the security appliance is to provide rate limiting on selected network traffic for both individual flow or VPN tunnel flow to ensure that all traffic gets its fair share of limited bandwidth."
Q1: Is there any point for the admin to set a policer at point A of the ASA with direction input, to limit the FTP bandwidth consumption on the WAN link for User A? As far as I understand, this would only drop any packets exceeding the 5 Mbps limit as they egress the ASA towards the Acme router. But this is upload traffic from User A to the FTP server, not the actual FTP download data. Am I right?
Q2: Same as above but instead of setting the policer to point A of the ASA with direction input, what if the admin sets the policer at point D. Wouldn't the same as Q1 apply?
Q3: I have read in various documentation that policing is best, and usually, configured in the input direction on an interface. Traffic shaping, on the other hand, is usually configured in the outbound direction. Is that true? Why only policing inbound; what sense does it make?
Q4: To rate-limit the whole user subnet (192.168.1.0/24) up to 40 Mbps for their Internet access, can the admin configure a traffic shaper of 40 Mbps average on point E? Would it do any good? What is the best way to implement this requirement?
Thanks all, and sorry for the long post.
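To illustrate the policing-versus-shaping distinction behind Q3, here is an added example that is not from the original post or from Cisco: a token-bucket policer and a shaper fed the same constructed 50 Mbps stream with a 5 Mbps limit, showing that the policer discards the excess while the shaper holds it back and adds delay. The rates, burst depth and packet stream are assumed values.

```python
"""Added example: token-bucket policer versus shaper on the same offered load.
A policer drops once the bucket is empty; a shaper queues until tokens accrue."""


class TokenBucket:
    """Fluid token bucket: rate in bits/s, depth in bytes (starts full)."""
    def __init__(self, rate_bps, burst_bytes):
        self.rate_bps, self.burst_bytes = rate_bps, burst_bytes
        self.tokens, self.last_t = burst_bytes, 0.0

    def refill(self, now):
        self.tokens = min(self.burst_bytes,
                          self.tokens + (now - self.last_t) * self.rate_bps / 8)
        self.last_t = now


def police(packets, rate_bps, burst_bytes):
    """Return (passed_bytes, dropped_bytes); excess is dropped, nothing is delayed."""
    tb = TokenBucket(rate_bps, burst_bytes)
    passed = dropped = 0
    for t, size in packets:
        tb.refill(t)
        if tb.tokens >= size:
            tb.tokens -= size
            passed += size
        else:
            dropped += size
    return passed, dropped


def shape(packets, rate_bps, burst_bytes):
    """Return (passed_bytes, max_delay_s); excess is queued FIFO (unbounded), never dropped."""
    tb = TokenBucket(rate_bps, burst_bytes)
    next_free, max_delay, passed = 0.0, 0.0, 0
    for t, size in packets:
        now = max(t, next_free)            # FIFO: cannot leave before the previous packet
        tb.refill(now)
        if tb.tokens < size:               # wait exactly until enough tokens have accrued
            now += (size - tb.tokens) * 8 / rate_bps
            tb.refill(now)
        tb.tokens -= size
        next_free, passed = now, passed + size
        max_delay = max(max_delay, now - t)
    return passed, max_delay


def offered_load(rate_bps, seconds, pkt_bytes=1500):
    """Constructed constant-rate stream of (arrival_time_s, bytes) tuples."""
    interval = pkt_bytes * 8 / rate_bps
    return [(i * interval, pkt_bytes) for i in range(int(seconds / interval))]
```

Calling `police(offered_load(50_000_000, 1.0), 5_000_000, 625_000)` passes roughly one tenth of the bytes after the initial burst and drops the rest, while `shape(...)` with the same arguments passes everything but stretches the one-second burst to about nine seconds, with the last packet delayed by about eight seconds.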