09-16-2008 05:21 AM - edited 03-06-2019 01:24 AM
I am trying to determine the best place to limit traffic. I have a host on a 6509 that replicates data to another host on the other end of a site-to-site VPN:
HOST>ASA5520>20mb Internet---10mb Internet>ASA5520>HOST
I would like to limit the rate to 8mb during business hours.
Where is the best place to apply the policy?
Thanks
09-16-2008 05:37 AM
Because policing drops packets, resulting in retransmissions, it is recommended for use on higher-speed interfaces.
So it will be better if you apply the policy on the 20 Mbps connection.
HTH... rate if helpful...
09-16-2008 06:04 AM
I would say you need to make the limit as close to the source as possible, so if it is on the 20 M side then make it on that ASA on the outside interface in the outbound direction.
Also, for a specific time you can do the trick with a time-based ACL that matches the traffic to be policed.
And the following link will help you a lot with ASA config:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008084de0c.shtml
Good luck
If helpful, rate
09-16-2008 06:08 AM
As close to the sending host as possible. For instance a policer on the 6509. Ideally one with a time-based ACL, if supported.
09-16-2008 06:13 AM
Hi Joseph, that's exactly what I meant by the word "source" :)
As he said replication, the sending side will be the source of the replication!
09-16-2008 06:48 AM
Thanks for all the replies.
It looks like the best place for the policy is on the 6509 where the host is connected. Should I do a rate-limit or shaping? From what I understand, traffic shaping results in fewer dropped packets?
09-16-2008 07:27 AM
Shaping usually results in fewer dropped packets because of its default buffering. Policing can provide about the same drop rate, but the default burst sizes often need to be adjusted. However, shaping also offers the advantage that the bandwidth hog's packets are "metered" into the other traffic, whereas policing will allow bursts through.
I.e., if available, I would prefer shaping. Unsure how extensive a 6500's shaping features are. Also, generally you can only shape outbound, but you can often police either inbound or outbound.
PS:
If your devices support it, it's possible to both police early to control the sender's transmission rate via policing and later manage possible congestion with a shaper or other queuing.
PPS:
For another approach, if instead of 8 Mbps, 10 Mbps was acceptable, you might also configure Ethernet at 10 Mbps on the source's Ethernet port. (Might even be doable with timed scripts.)
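As an added, constructed example (not posted by anyone in this thread), here is how the suggestions above combine on IOS: an inbound policer on the 6509 port facing the replicating host, scoped to business hours with a time-range ACL, with the burst raised from the platform default as the reply above recommends. Host addresses, interface name, hours and the burst value are assumptions.

```cisco
! Constructed example: time-limited policer on the 6509 host-facing port.
! Host addresses, interface, hours and burst are assumptions, not from the thread.

! Catalyst 6500: QoS must be enabled globally or the policer never takes effect.
mls qos

! 1. Business-hours window (Monday to Friday, 08:00-17:00, device local time).
time-range BUSINESS_HOURS
 periodic weekdays 8:00 to 17:00

! 2. Match only the replication flow, and only inside that window.
!    192.0.2.10 = local replicating host, 198.51.100.10 = remote host (constructed).
ip access-list extended REPLICATION_BUSINESS_HOURS
 permit ip host 192.0.2.10 host 198.51.100.10 time-range BUSINESS_HOURS

! 3. Classify on that ACL.
class-map match-all REPLICATION
 match access-group name REPLICATION_BUSINESS_HOURS

! 4. Police to 8 Mbps. The normal burst (bytes) is set to about 1.5 s of
!    traffic at the policed rate (8,000,000 / 8 * 1.5), a common starting
!    point for TCP flows; the platform default burst is usually too small
!    and should be tuned against a monitored baseline.
policy-map LIMIT_REPLICATION
 class REPLICATION
  police 8000000 1500000 conform-action transmit exceed-action drop

! 5. Apply inbound on the port the replicating host plugs into, which is
!    the point closest to the sender.
interface GigabitEthernet1/1
 service-policy input LIMIT_REPLICATION
```

Whether the supervisor accepts a time-range inside a QoS ACL is platform-specific, so confirm the policer is counting with `show policy-map interface GigabitEthernet1/1` during the window. If the time-range is rejected, an EEM applet on a cron timer that applies and removes the service-policy is the usual fallback (an assumption, not something the thread configures).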
09-16-2008 07:12 AM
Marwan, yup, I understood what you meant, but from your second post, I presume you didn't realize I didn't see your post until after I had posted mine. I had considered, after seeing yours, adding a postscript acknowledgment of your post to my post, but figured the close post times, 4 minutes, showed what likely happened (i.e. I'm a slow typist).
Another reason I didn't amend my post, I thought there was some value in my suggesting doing the policing on the 6509, rather than later downstream such as your suggestion of policing on the ASA's outside interface.
Of course, it's likely bandwidth is less an issue until you get closer to the WAN bottleneck, but in principle, I'm sure you'll agree that perhaps an (inbound) policer on the 6509 would be even closer to the source, as described in the OP.