Unable to traffic police small file copies

Hes · ‎01-25-2016

Hello there!
I am trying to limit bandwidth use using a traffic policing on a ASA firewall.
Simply using the ASDM under Configuration > Firewall > Service Policy Rules I match for source and destination IP addresses (uses ACL), enable policing under Rule Actions > QoS and set the input and output policing to:
Commited Rate: 45000000 (which is roughly 45 Mbps)
Conform Action: transmit
Exceed Action: drop
Burst Size: 22500 (recommended size by ASDM, unable to set lower value)

The source and destination addresses are in different subnets in different offices connected via 100Mbps metro-ethernet.
When I copy a 100 Megabyte file from source to destination address the bandwidth limit works perfectly, it copies roughly at 45 Mbps.
When I now copy a 8 Megabyte file from source to destination address the bandwidth limit doesn't work, it copies it at 90 Mbps which is pretty close to the entire available bandwidth.

So I think I am not fully understanding how traffic policing works. Is it due to the burst size that small files can be copied at higher bandwidths or am I hitting some sort of bug?
How can I set up the ASA so it will also limit the bandwidth of these smaller files are there other options available?

Philip D'Ath · ‎01-25-2016

I'm going to guess you are using the Windows dialogue to measure the throughput? If so, that is your issue. :-)

My bet is it is working fine. Very small transfers might start faster, but only for a very short period of time. I would be looking at the measurement technique more.

If in doubt, copy the file and use a stop watch and calculate the average rate over the whole 8MB transfer yourself.