10-15-2019 02:24 AM
Hi Experts,
Have a Cisco ASA multicontext firewall, exiting default route (Outside Interface, vlan 637) to Internet. I want to set a rate limit for the Internet traffic and give preference for connectivity to a specific Internet destination. Attaching the topology. Kindly assist in achieving the solution.
Thanks
Sreeraj
10-15-2019 03:28 AM
Hello,
I would recommend shaping instead of policing. The below should do the job:
access-list SHAPE_750_ACL permit ip any host 1.2.3.4
!
class-map SHAPE_750_CM
 match access-list SHAPE_750_ACL
!
policy-map SHAPE_INTERNET_PM
 class SHAPE_750_CM
  shape average 750000000
 class class-default
  shape average 250000000
!
service-policy SHAPE_INTERNET_PM interface outside
10-15-2019 11:44 PM
Thanks a lot for the solution. I have a question which came to my mind. Do I need to apply this configuration on all ASA contexts separately? Also, we are going to apply this traffic shaping at the ASA level, which has two 1 Gig interfaces bundled as a port channel, which is used for OUTSIDE traffic. So what will happen after it crosses the ASA and reaches the WAN Edge switch and gateway switch? Will it maintain the shaped bandwidth after leaving the ASA?
Kindly advise.
Thanks
Sreeraj
10-16-2019 01:58 AM
Hello,
actually, and unfortunately, QoS is not supported at all on the ASA in multiple context mode. So the solution I suggested doesn't work. That said, what is the edge device in your drawing (the one connected to the Internet), is that an ASA as well?
10-16-2019 02:19 AM
The Edge switch is a Nexus 7k-vdc switch, which takes the input from the ASA virtual Outside interface from each context (which is a single Port channel interface with 2 physical interfaces bundled).
Can we do rate limiting/preference setting at the Nexus 7k Edge switch level and give preference for migration traffic without affecting existing customer web traffic?
--------------|
ASA context 1 |
--------------|===Gig 0/4===| -----------------------|---------
| (Po 10) | Nexus7k-VDC(EdgeSw) |--------- +++++++++++
ASA context 2 |===Gig 0/5===|------------------------|--------- WAN switch ======>Provider------>
--------------| |---------++++++++++++
ASA context 3 |
--------------|
Please advise
Thanks
Sreeraj
10-16-2019 02:32 AM
Hello,
sorry for the confusion, I meant the WAN switch. Is that under your control, and if so, what model/platform is that?
10-16-2019 02:54 AM
I believe the WAN switch is a 3750 stack, which is not in my control. But the Edge switch is under my control. Can we do some configuration settings on the Edge switch? Also, suggest the configuration we can do on the 3750 stack to make this solution work.
10-16-2019 03:08 AM
Hello,
the thing is: whatever you configure on the devices that are in front of the Internet edge device doesn't matter if everything goes out through a single 1Gbps pipe.
Are you using some sort of MPLS for the WAN? The 3750 doesn't support NAT, so if that is the device connected to the 'Internet', there must be something else, probably provided by the ISP, in front of it.
I think your only option is to get with your ISP and ask them to implement something similar to what I have initially suggested...
10-16-2019 07:35 PM
Thank you. Will the service provider agree and be able to rate limit the default internet traffic and give preference/a definite value for specific traffic? Please suggest.
And also, I believe we should be able to set a rate limit on the Edge switch. I am not sure how to achieve it here, since there is only a single vlan which is consolidated for all customer internet traffic.
10-17-2019 07:23 AM
Hello,
setting any sort of QoS on your Nexus will only affect the link between the Nexus and the WAN switch, so it would not make any sense to configure it there. Most providers are probably willing to implement what you want, after all, you are the paying customer...
10-23-2019 07:10 AM
Thanks for the help.