QOS WAN LINK

Hi,

I have the following scenario:

I have a 15 Mb internet connection, and what I need is for the network 10.1.1.0/24 to use 5 Mb and 10.1.2.0/24 to use the remaining 10 Mb. Is this possible, and what is the recommended configuration? Both networks are being NATed to a public IP.

Regards

Accepted Solution

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

Normally, yes, but as your internal subnets are "hidden" behind the ASA NAT'ted IPs, your router cannot distinguish between them.


12 Replies

Joseph W. Doherty
Hall of Fame

In or out or both?

5 and 10 as minimums or maximums?

Hi Joseph,

The download for the clients in 10.1.1.0/24 is 5 Mb and in 10.1.2.0/24 is 10 Mb. For the upload I know how to configure it; the problem is when the client makes a download from the internet.

How can I limit the traffic from the internet to those subnets (10.1.1.0/24 and 10.1.2.0/24)?

PS: sorry for my English,
I am from Paraguay

:-D

Posting

Trying to effectively manage ingress bandwidth, especially from the Internet, is difficult to impossible on "ordinary" Cisco routers and/or switches. You might police Internet traffic to your VLANs.

If both VLANs are "hidden" behind the same public IP, then you would need to police internally; but you didn't describe your equipment, so I don't know if that's doable.

Check out the link below; it may be helpful.

http://www.cisco.com/en/US/products/hw/switches/ps5023/products_tech_note09186a0080883f9e.shtml

Joseph,

The router I have is a 2951, behind the router is the ASA 5525, and behind the ASA the Switch 3750.

The ISP is connected to the 2951.

Those two subnets are NATed to my public IP (both VLANs are hidden, as you mentioned).

Posting

I'm not too familiar with ASAs, but you may be able to define an ingress policy that polices, on the 3750's interface to the ASA.

Is the best option to configure it on the router?

Because the ISP is connected to the router and the NAT is done on the router?

Posting

Normally, yes, but as your internal subnets are "hidden" behind the ASA NAT'ted IPs, your router cannot distinguish between them.

Hello Joseph,

I think there is a misunderstanding: the NAT is performed on the router and not on the ASA.

interface GigabitEthernet0/0.631
 description $ ISP $
 encapsulation dot1Q 631
 ip address X.X.X.X 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip verify unicast source reachable-via rx allow-default 100
 ip nbar protocol-discovery
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 ip policy route-map CiscoVPNclient
 no cdp enable
 crypto map VPN-CRYPMAP
!
interface GigabitEthernet0/1
 description ASA - Outside
 ip address 192.168.254.130 255.255.255.128
 no ip unreachables
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 no mop enabled
!
ip route 0.0.0.0 0.0.0.0 x.x.x.x name DEFAULT
ip route 10.1.1.0 255.255.255.0 192.168.254.129
ip route 10.1.2.0 255.255.255.0 192.168.254.129
!
ip nat inside source list TO-INTERNET interface GigabitEthernet0/0.631 overload

That is my config; the outside ASA IP address is 192.168.254.129.

I don't have any NAT on the ASA, only rules and routes.

Is that clearer?

Posting

Yes, I did misunderstand.

If the NAT is on the router, then yes, you should be able to police to your VLANs on it.

NAT might still be an issue on the external interface, matching your internal subnets, but your inside-facing interface should be okay. I.e. rather than using an ingress policy on your external-facing interface, you use an egress policy on your internal-facing interface. That policy would be where you would police your 5 and 10 Mbps per subnet (VLANs 2 and 3).

Again, be aware that policing downstream isn't as effective as really desired (NB: it will ensure your VLANs only obtain their respective allowed bandwidths, but it won't guarantee the ISP link won't congest, because the congestion is "before" the policers).

Joseph

Do you have some example config of how to do it?

Posting

(Sorry for delay getting back to you.)

Pseudo-config

! Extended ACLs take wildcard masks (0.0.0.255), not subnet masks
ip access-list extended vlan2
 permit ip any 10.1.1.0 0.0.0.255
ip access-list extended vlan3
 permit ip any 10.1.2.0 0.0.0.255
!
class-map vlan2
 match access-group name vlan2
class-map vlan3
 match access-group name vlan3
!
! Inside a policy-map the keyword is "class"; police cir is in bits per second
! (default actions: conform transmit, exceed drop)
policy-map egress-sample
 class vlan2
  police cir 5000000
 class vlan3
  police cir 10000000

Apply the policy map on the Ethernet interface facing the ASA:

! GigabitEthernet0/1 is the ASA-facing interface in the router config posted above
interface GigabitEthernet0/1
 service-policy output egress-sample
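As an added example (not from the thread or from Cisco), a small Python checker that walks the ACL -> class-map -> policy-map -> service-policy chain of an MQC policing config and reports the slips that crept into the pseudo-config as it was first posted: a subnet mask where an extended ACL takes a wildcard mask, "class-map" instead of "class" inside the policy-map, and a policy-map name that differs from the one applied with service-policy. The sample config is a constructed copy of the vlan2 half of that pseudo-config, and lint_mqc is a hypothetical helper name.

```python
import re
from ipaddress import IPv4Address

# Constructed sample: the vlan2 half of the thread's pseudo-config, written the
# way it was first posted (subnet mask in the ACL, "class-map" inside the
# policy-map, "egress_sample" defined but "egress-sample" applied).
SAMPLE_CONFIG = """\
ip access-list extended vlan2
 permit ip any 10.1.1.0 255.255.255.0
class-map vlan2
 match access-group name vlan2
policy-map egress_sample
 class-map vlan2
  police cir 5000000
interface GigabitEthernet0/1
 service-policy output egress-sample
"""

def lint_mqc(config: str) -> list[str]:
    """One finding per broken link in the ACL -> class-map -> policy-map -> service-policy chain."""
    defs = {"acl": set(), "class": set(), "policy": set()}
    refs, findings = [], []          # references are resolved after the whole config is read
    kind, name = "other", ""         # type and name of the current top-level stanza
    for line in filter(str.split, config.splitlines()):   # skip blank lines
        tok = line.split()
        if not line[0].isspace():    # start of a new top-level stanza
            if tok[:3] == ["ip", "access-list", "extended"]:
                kind, name = "acl", tok[3]
            elif tok[0] in ("class-map", "policy-map"):
                kind, name = tok[0][:-4], tok[-1]
            else:
                kind, name = "other", " ".join(tok)
            if kind in defs:
                defs[kind].add(name)
        elif kind == "acl" and tok[0] == "permit" and re.fullmatch(r"[\d.]+", tok[-1]):
            # extended ACLs take wildcard masks (0.0.0.255); a set high bit means a subnet mask was used
            if int(IPv4Address(tok[-1])) & 0x80000000:
                findings.append(f"ACL {name}: {tok[-1]} is a subnet mask, expected a wildcard mask")
        elif kind == "class" and tok[:3] == ["match", "access-group", "name"]:
            refs.append(("acl", tok[3], f"class-map {name}"))
        elif kind == "policy" and tok[0] in ("class", "class-map"):
            if tok[0] == "class-map":
                findings.append(f"policy-map {name}: use 'class {tok[1]}', not 'class-map', inside a policy-map")
            refs.append(("class", tok[1], f"policy-map {name}"))
        elif tok[0] == "service-policy" and len(tok) == 3:
            refs.append(("policy", tok[2], name))
    for rkind, target, where in refs:
        if target not in defs[rkind]:
            findings.append(f"{where}: references undefined {rkind} '{target}'")
    return findings
```

Running lint_mqc over SAMPLE_CONFIG yields three findings; with the wildcard mask, the "class" keyword and a consistent policy name it yields none.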
