On 17 Nov, 01:27, Noah <n...@noah.org> wrote:
> Is it possible to throttle a given internal IP address to some maximum
> bandwidth? I have a 3 Mbit/s link and I want to make sure that our
> database replication system doesn't try to take more than 2 Mbit/s.
> Unfortunately the replication goes over SSH, so I can't easily separate
> it from developers' SSH terminal sessions. I want them to have low
> latency terminals, but I want bulk traffic also going over SSH to have
> a lower priority. I can mark the database replication SSH traffic based
> on the IP of the database. I toyed around with using trickle, but I
> would rather just have the firewall handle this detail.
>
> Sometimes developers will do a bulk copy of data with SCP. If possible
> I would like to make sure that any one IP address on our network cannot
> slow everyone else down. ... of course, you can't look into an SSH
> stream and easily categorize the content; although, it seems to me that
> SSH streams that have not been using much bandwidth should be rewarded
> with a higher priority. Maybe this type of QoS is too sophisticated for
> the ASA.
>
> I've been going over the QoS documentation and I understand how I can
> assign priority to certain categories of traffic, but I'm not sure how
> to get from there to solving my problem. The information might be here
> in the docs, but I'm missing the terminology. Correct me if I'm just
> using the wrong terms to ask what I want or if I'm looking at this in
> the wrong way.
>
> Any pointers or examples?
>
> --
> Noah
Hi Noah,
I am going to cheat a little here and refer to a QoS example in an ASA
book I have from Cisco Press.
It reads:
class-map mail-pop
match access-list Mail-ACL-Out
class-map web
match access-list web-out
class-map voip-sig
match dscp af31
class-map voip-rtp
match dscp ef
policy-map voip-mail-qos-policy
!POP mail restricted to 56kbps
class mail-pop
police 56000 10500
!VoIP signalling is prioritised
class voip-sig
priority
!VoIP data is prioritised
class voip-rtp
priority
!Web mail is rate limited to 56kbps
class web
police 56000 10500
service-policy voip-mail-qos-policy interface outside
So in summary, define your class maps and classify on ACL if you want
to trap certain traffic. I included voice above so you could see an
alternative way to prioritise other than policing. There is also
traffic shaping and other QoS tools available no doubt.
In your scenario:
I can't quite determine from reading your post how you want the
traffic splitting. I think you are saying that database replication
uses SSH, as do developers' terminals. In addition, developers also use
SCP.
This being the case you would have class-maps for
class-map developer-ssh
match access-list developer-ssh-acl
class-map data-replication-ssh
match access-list data-replication-acl
class-map developer-rcp
match access-list developer-rcp-acl
If this is the case, data replication will go back to a storage host /
server, won't it? That being the case, use an extended ACL to classify
the source & destination host, and additionally the port number if the ASA
will let you.
Darren
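The following is an added worked configuration for Noah's scenario, not something Darren or the Cisco Press book posted: it classifies the replication SSH flow by source and destination host plus port 22, polices it to 2 Mbit/s on the outside interface, and gives the remaining SSH traffic strict priority. All addresses and object names are assumptions constructed for the example; check the exact police and priority syntax against your ASA release.

```cisco
! Constructed addresses (assumptions, not from the thread):
!   10.1.1.10     = database server (replication source, inside)
!   203.0.113.20  = replication target on the far side of the 3 Mbit/s link
!   10.1.0.0/16   = internal developer network
!
! 1. Classify. The ASA cannot look inside SSH, but replication is SSH
!    between two known hosts, so an extended ACL on source + destination
!    + port 22 isolates it from every other SSH session.
access-list replication-ssh-acl extended permit tcp host 10.1.1.10 host 203.0.113.20 eq 22
! Everything else on port 22 from the internal network: developer terminals,
! but also developer SCP, which the ASA cannot tell apart from a terminal.
access-list developer-ssh-acl extended permit tcp 10.1.0.0 255.255.0.0 any eq 22

class-map replication-ssh
 match access-list replication-ssh-acl
class-map developer-ssh
 match access-list developer-ssh-acl

! 2. Act. Police replication leaving the outside interface to 2 Mbit/s
!    (conform-rate in bit/s, conform-burst in bytes); give the other SSH
!    flows the low-latency priority queue. A class can be policed or
!    prioritised, not both.
policy-map ssh-qos-policy
 class replication-ssh
  police output 2000000 37500
 class developer-ssh
  priority

! 3. Apply. The priority queue has to be enabled on the interface,
!    otherwise "priority" has no effect.
priority-queue outside
service-policy ssh-qos-policy interface outside
```

Because a bulk SCP from a developer host lands in the same priority class as an interactive terminal, the "reward the quiet SSH streams" idea from the original post is not expressible here; the practical split is by host, so known bulk-copy sources get their own policed class instead.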