Lots of ASA 5505 throttle questions

Discussion in 'Cisco' started by Noah, Nov 17, 2007.

  1. Noah

    Noah Guest

    Is it possible to throttle a given internal IP address to some maximum
    bandwidth? I have a 3 Mbit/s link and I want to make sure that our
    database replication system doesn't try to take more than 2 Mbit/s.
    Unfortunately the replication goes over SSH, so I can't easily separate
    it from developers' SSH terminal sessions. I want them to have low
    latency terminals, but I want bulk traffic also going over SSH to have
    a lower priority. I can mark the database replication SSH traffic based
    on the IP of the database. I toyed around with using trickle, but I
    would rather just have the firewall handle this detail.

    Sometimes developers will do a bulk copy of data with SCP. If possible
    I would like to make sure that any one IP address on our network cannot
    slow everyone else down. ... of course, you can't look into an SSH
    stream and easily categorize the content; although, it seems to me that
    SSH streams that have not been using much bandwidth should be rewarded
    with a higher priority. Maybe this type of QOS is too sophisticated for
    the ASA.

    I've been going over the QOS documentation and I understand how I can
    assign priority to certain categories of traffic, but I'm not sure how
    to get from there to solving my problem. The information might be here
    in the docs, but I'm missing the terminology. Correct me if I'm just
    using the wrong terms to ask what I want or if I'm looking at this in
    the wrong way.

    Any pointers or examples?

    --
    Noah
    Noah, Nov 17, 2007
    #1

  2. Darren Green

    Darren Green Guest

    On 17 Nov, 01:27, Noah <> wrote:
    > Is it possible to throttle a given internal IP address to some maximum
    > bandwidth? I have a 3 Mbit/s link and I want to make sure that our
    > database replication system doesn't try to take more than 2 Mbit/s.
    > Unfortunately the replication goes over SSH, so I can't easily separate
    > it from developers' SSH terminal sessions. I want them to have low
    > latency terminals, but I want bulk traffic also going over SSH to have
    > a lower priority. I can mark the database replication SSH traffic based
    > on the IP of the database. I toyed around with using trickle, but I
    > would rather just have the firewall handle this detail.
    >
    > Sometimes developers will do a bulk copy of data with SCP. If possible
    > I would like to make sure that any one IP address on our network cannot
    > slow everyone else down. ... of course, you can't look into an SSH
    > stream and easily categorize the content; although, it seems to me that
    > SSH streams that have not been using much bandwidth should be rewarded
    > with a higher priority. Maybe this type of QOS is too sophisticated for
    > the ASA.
    >
    > I've been going over the QOS documentation and I understand how I can
    > assign priority to certain categories of traffic, but I'm not sure how
    > to get from there to solving my problem. The information might be here
    > in the docs, but I'm missing the terminology. Correct me if I'm just
    > using the wrong terms to ask what I want or if I'm looking at this in
    > the wrong way.
    >
    > Any pointers or examples?
    >
    > --
    > Noah


    Hi Noah,

    I am going to cheat a little here and refer to a QoS example in an ASA
    book I have from Cisco Press.

    It reads:

    class-map mail-pop
     match access-list Mail-ACL-Out
    class-map web
     match access-list web-out
    class-map voip-sig
     match dscp af31
    class-map voip-rtp
     match dscp ef

    policy-map voip-mail-qos-policy
    ! POP mail restricted to 56 kbps
     class mail-pop
      police 56000 10500
    ! VoIP signalling is prioritised
     class voip-sig
      priority
    ! VoIP data is prioritised
     class voip-rtp
      priority
    ! Web mail is rate limited to 56 kbps
     class web
      police 56000 10500

    service-policy voip-mail-qos-policy interface outside

    So in summary, define your class maps and classify on ACL if you want
    to trap certain traffic. I included voice above so you could see an
    alternative way to prioritise other than policing. There is also
    traffic shaping and other QoS tools available no doubt.

    In your scenario:

    I can't quite determine from reading your post how you want the
    traffic splitting. I think you are saying that database replication
    uses SSH, as do developers' terminals. In addition, developers also use
    SCP.

    This being the case, you would have class-maps for

    class-map developer-ssh
     match access-list developer-ssh-acl

    class-map data-replication-ssh
     match access-list data-replication-acl

    class-map developer-rcp
     match access-list developer-rcp-acl

    If this is the case, data replication will go back to a storage host /
    server, won't it? That being the case, use an extended ACL to classify
    the source & destination host + additionally port number if the ASA
    will let you.


    Darren
    Darren Green, Nov 17, 2007
    #2
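The following is an added example, not part of either post above and not taken from the Cisco Press book Darren quotes. It applies Darren's class-map / policy-map approach to Noah's stated scenario: police SSH from the replication host to 2 Mbit/s, and give the remaining developer SSH traffic the priority queue. The addresses (192.0.2.10 for the database host, 192.0.2.0/24 for the developer LAN), the ACL, class-map and policy-map names, and the burst size are all constructed for illustration; substitute your own.

```cisco
! Constructed addresses: 192.0.2.10 = replication database host,
! 192.0.2.0/24 = developer LAN (RFC 5737 documentation range).
access-list DB-REPL-SSH extended permit tcp host 192.0.2.10 any eq 22
access-list DEV-SSH     extended permit tcp 192.0.2.0 255.255.255.0 any eq 22

class-map db-replication-ssh
 match access-list DB-REPL-SSH
class-map developer-ssh
 match access-list DEV-SSH

policy-map ssh-qos-policy
 ! Bulk replication: cap at 2 Mbit/s outbound, 250000-byte burst (assumed value).
 ! A class cannot carry both police and priority, so this class only polices.
 class db-replication-ssh
  police output 2000000 250000
 ! Interactive developer sessions go to the strict-priority queue.
 class developer-ssh
  priority

! The priority queue must be enabled on the interface for "priority" to act.
priority-queue outside
service-policy ssh-qos-policy interface outside
```

Two caveats worth knowing before relying on this. First, a packet is matched to only one class per QoS feature in a policy-map, first match wins, so the narrower db-replication-ssh class must come before developer-ssh: if 192.0.2.10 also falls inside the developer LAN, reversing the order would put replication in the priority queue instead of the policer. Second, ASA policing is an aggregate per class, not per host, so this does not by itself give Noah the "no single IP can slow everyone else down" property for SCP; limiting each developer individually would need one class (and ACL) per source host. The `police output` form with a direction keyword is the ASA 7.2-and-later syntax; the book example Darren quotes uses the older form without a direction, so check the syntax against the software version on the 5505.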
