6

This question is in two parts:

Shape

How can I limit the bandwidth on an ASA5510 to less than 10Mbps?

Currently I have:

policy-map shape_policy
class class-default
 shape average 9000000 36096
!
service-policy shape_policy interface outside

But when I look at the traffic on the outside interface it seems it sometimes busts the 10Mbps.

Police

Also, is it possible to limit the bandwidth taken by each user on the ASA? I've tried something like that (although it is not running at the moment):

police input 3000000 51200 conform-action transmit exceed-action drop
police output 3000000 51200 conform-action transmit exceed-action drop

Is it the way to go or is there a better way?

Thanks!

// Addendum:

I should add I'm using version 8.0(4) of the firmware as it can help provide proper configurations for the latest ASAs.

// Status:

I've opened up a bounty. I got two interesting answers although not definite. One seems to be outdated in terms of supported commands, the other one does not answer the second part of the question and leaves me unsatisfied. Cisco experts needed!

HopelessN00b
lpfavreau

2 Answers

4

This:

  shape average 9000000 36096

actually gives your ASA license to burst the bandwidth you've allocated, if there's been a suitably quiet period. If you want a guarantee that you never exceed a given bandwidth, using policing is a better option (on the other hand, with policing, any packets that exceed the bandwidth will be dropped instead of delayed).

Vatine
  • I thought that using policing would restrict the speed per connection and not for the whole interface? Do you know how I would go to restrict per connection then to avoid having one user taking the whole allocated bandwidth for everyone? – lpfavreau Jun 08 '09 at 11:30
  • The (simple, but not entirely correct) difference between shaping and policing is that shaping delays packets, policing drops them. If you have WFQ enabled (look for "fair-queue" or "no fair-queue" in the interface config), it should preferentially drop packets from more active streams. Unfortunately, there isn't a good way of doing "per-stream" limiting without quite deep packet inspection and state-keeping. – Vatine Jun 11 '09 at 10:48
  • Thanks for the reply. I'm wondering though: it gives the ASA license to burst of how much? I'm not sure I understand the goal of shape in this case. – lpfavreau Jun 14 '09 at 16:22
  • Off-hand, I don't know how much license it gives the ASA to burst. The goal of a shaper (as opposed to a policer) is to roughly enforce a speed limit, by delaying packets as necessary, in a relatively graceful manner. Very helpful when you have UDP streams you need to cater for. Policing is more useful with TCP streams or when you want instant feedback on UDP streams. If I remember correctly, you should be able to tune to what extent a shaper can borrow unused bandwidth from the past and over-subscribe future bandwidth usage (but on average it won't do more than you've specified as target). – Vatine Jun 15 '09 at 09:45
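The burst behaviour the question observes on the outside interface and the shaping-versus-policing distinction in Vatine's answer can be made concrete with a small token-bucket model. The following Python is an added example, not code from the question, the answer, or Cisco: the 9000000 / 36096 figures are the question's own, while the 1500-byte packet size, the arrival patterns, and the assumption that the `shape average` burst keyword maps to a bucket depth in bits are constructed here (the model's queue is also unbounded, which a real shaper's is not).

```python
# Added example: a single-rate token-bucket model of "shape average <rate> <bc>"
# versus "police ... <rate> <burst>". Not ASA code. Units are bits and seconds;
# the mapping of the ASA keywords onto these units is an assumption.

RATE_BPS = 9_000_000   # the 9 Mbps target from the question
BC_BITS = 36_096       # the burst value from the question, taken as bits
PKT_BITS = 12_000      # one 1500-byte packet


class TokenBucket:
    """Tokens accrue at `rate` bits/s up to a depth of `bc` bits."""

    def __init__(self, rate, bc):
        self.rate, self.bc = rate, bc
        self.tokens = bc      # an idle period leaves the bucket full
        self.last = 0.0       # time of the previous refill

    def refill(self, now):
        self.tokens = min(self.bc, self.tokens + self.rate * (now - self.last))
        self.last = now


def police(packets, rate=RATE_BPS, bc=BC_BITS):
    """Policer: forward a packet only if it fits in the bucket right now.
    Excess is dropped, never queued. Returns (sent, dropped) as (time, bits)."""
    bucket, sent, dropped = TokenBucket(rate, bc), [], []
    for t, bits in packets:
        bucket.refill(t)
        if bucket.tokens >= bits:
            bucket.tokens -= bits
            sent.append((t, bits))
        else:
            dropped.append((t, bits))
    return sent, dropped


def shape(packets, rate=RATE_BPS, bc=BC_BITS):
    """Shaper: never drop; hold each packet until the token shortfall has
    accrued, keeping arrival order. Returns the departure schedule (time, bits)."""
    bucket, sent, next_free = TokenBucket(rate, bc), [], 0.0
    for t, bits in packets:
        when = max(t, next_free)
        bucket.refill(when)
        if bucket.tokens < bits:
            when += (bits - bucket.tokens) / rate   # wait for the shortfall
            bucket.tokens, bucket.last = bits, when
        bucket.tokens -= bits
        next_free = when
        sent.append((when, bits))
    return sent


def bits_in_window(sent, start, width):
    return sum(bits for t, bits in sent if start <= t < start + width)


def respects_rate(sent, rate, bc, width):
    """Token-bucket guarantee: no window of `width` s carries more than
    rate*width + bc bits. Windows starting at a departure suffice to check it."""
    return all(bits_in_window(sent, t, width) <= rate * width + bc + 1e-6
               for t, _ in sent)


# Constructed traffic, not captured data.
BURST = [(0.0, PKT_BITS)] * 20                          # 20 packets at once after idle
STEADY = [(k * 0.001, PKT_BITS) for k in range(100)]    # 12 Mbps offered for 100 ms


def burst_result():
    p_sent, p_drop = police(BURST)
    s_sent = shape(BURST)
    return {
        "policer_sent": len(p_sent),
        "policer_dropped": len(p_drop),
        "shaper_sent": len(s_sent),
        "shaper_last_departure_s": s_sent[-1][0],
        # a counter sampled over 1 ms sees the bc-sized burst, far above 9 Mbps
        "shaper_mbps_over_1ms": bits_in_window(s_sent, 0.0, 0.001) / 0.001 / 1e6,
    }


def steady_result():
    p_sent, p_drop = police(STEADY)
    s_sent = shape(STEADY)
    return {
        "policer_dropped": len(p_drop),
        "shaper_sent": len(s_sent),
        "shaper_last_departure_s": s_sent[-1][0],   # last arrival was at 0.099 s
    }


if __name__ == "__main__":
    print(burst_result())
    print(steady_result())
```

In the burst case a full bucket lets three full-size packets leave back to back, so a rate sampled over 1 ms reads 36 Mbps even though no window of any length carries more than rate × T + bc bits; that is the "license to burst" after a quiet period, and why a short-interval graph can show spikes above the configured rate. The policer forwards those same three packets and drops the remaining 17 outright. Under a steady 12 Mbps offered load the policer settles into dropping one packet in four, while the shaper forwards everything but the backlog grows and the last packet leaves about 30 ms after it arrived.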
1

Unfortunately, I don't have an ASA to check/test with but I use the below command on one of my routers to limit the bandwidth to 6Mb. Perhaps something similar will help with your shape question.

interface Serial1/0
  rate-limit input 6000000 112500 225000 conform-action set-prec-continue 0 exceed-action drop
  rate-limit output 6000000 112500 225000 conform-action transmit exceed-action drop
Peter
  • Thanks for the answer Peter. I think I saw a similar configuration on the older PIX/ASA, but now seems rate-limit only takes 1 parameter: messages_per_second for the modular policy framework. See command reference: http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/qr.html#wp1761549. – lpfavreau Jun 04 '09 at 00:12