    Is it possible to throttle a given internal IP address to
    some maximum bandwidth? I have a 3 Mbit/s link and I want to make sure
    that our database replication system doesn't try to take more than 2.
    Unfortunately the replication goes over SSH, so I can't easily
    it from developers' SSH terminal sessions. I want them to have
    low-latency terminals, but I want bulk traffic also going over SSH to
    have a lower priority. I can mark the database replication SSH traffic
    based on the IP of the database. I toyed around with using trickle, but
    I would rather just have the firewall handle this detail.

    Sometimes developers will do a bulk copy of data with SCP.
    If possible I would like to make sure that any one IP address on
    our network cannot slow everyone else down. ... Of course, you can't
    look into an SSH stream and easily categorize the content, although
    it seems to me that SSH streams that have not been using much bandwidth
    should be rewarded with a higher priority. Maybe this type of QoS is
    too sophisticated for the ASA.

    I've been going over the QoS documentation and I understand how
    I can assign priority to certain categories of traffic, but I'm not
    sure how to get from there to solving my problem.
    The information might be here in the docs, but I'm missing the
    Correct me if I'm just using the wrong terms to ask what I want or if
    I'm looking at this in the wrong way.

    Any pointers or examples?
    Noah, Nov 17, 2007
    Hi Noah,

    I am going to cheat a little here and refer to a QoS example in an ASA
    book I have from Cisco Press.

    It reads:

    class-map mail-pop
     match access-list Mail-ACL-Out
    class-map web
     match access-list web-out
    class-map voip-sig
     match dscp af31
    class-map voip-rtp
     match dscp ef

    policy-map voip-mail-qos-policy
     ! POP mail restricted to 56 kbps (conform rate in bps, burst in bytes;
     ! ASA 7.2 and later require the input/output direction keyword)
     class mail-pop
      police output 56000 10500
     ! VoIP signalling goes to the strict-priority (LLQ) queue
     class voip-sig
      priority
     ! VoIP media goes to the strict-priority (LLQ) queue
     class voip-rtp
      priority
     ! Web mail is rate limited to 56 kbps
     class web
      police output 56000 10500

    ! "priority" only takes effect once the priority queue exists on the interface
    priority-queue outside
    service-policy voip-mail-qos-policy interface outside

    So in summary, define your class maps and classify on an ACL if you want
    to trap certain traffic. I included voice above so you could see an
    alternative way to prioritise other than policing. There are also
    traffic shaping and other QoS tools available, no doubt.

    In your scenario:

    I can't quite determine from reading your post how you want the
    traffic split. I think you are saying that database replication
    uses SSH, as do developers' terminals. In addition, developers also use

    This being the case you would have class-maps for

    ! class-map names are illustrative; each one matches its ACL
    class-map developer-ssh
     match access-list developer-ssh-acl
    class-map data-replication
     match access-list data-replication-acl
    class-map developer-rcp
     match access-list developer-rcp-acl

    If this is the case, data replication will go back to a storage host /
    server, won't it? That being the case, use an extended ACL to classify
    the source and destination host and, additionally, the port number if the
    ASA will let you.

    Darren Green, Nov 17, 2007
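    The answer's pattern applied to Noah's scenario, as an added example that is not part of either post or of the Cisco Press book: replication SSH is policed to 2 Mbit/s of the 3 Mbit/s link, and developers' interactive SSH is sent to the priority queue. The host addresses (10.1.1.20, 192.0.2.50, 10.1.2.0/24), the interface name "outside", the ACL and class names, and the 37500-byte burst are assumptions; the 2 Mbit/s cap reflects the figure in the question.

```cisco
! Added example (ASA 7.2-style syntax); not from the original thread.
! Addresses, names and the burst size below are assumed values.

! Classification is by endpoints and port only: the ASA cannot see inside
! the SSH stream, so the replication host's IP is what identifies bulk traffic.
access-list DB-REPL-ACL extended permit tcp host 10.1.1.20 host 192.0.2.50 eq ssh
access-list DEV-SSH-ACL extended permit tcp 10.1.2.0 255.255.255.0 any eq ssh

class-map db-replication
 match access-list DB-REPL-ACL
class-map developer-ssh
 match access-list DEV-SSH-ACL

policy-map ssh-qos-policy
 ! Replication policed to 2 Mbit/s (rate in bps, burst in bytes). Excess
 ! packets are dropped, not queued; TCP backs off and stays under the cap.
 class db-replication
  police output 2000000 37500
 ! Interactive SSH goes into the strict-priority (LLQ) queue.
 class developer-ssh
  priority

! The priority queue must exist on the interface or "priority" does nothing.
priority-queue outside
service-policy ssh-qos-policy interface outside
```

    Two caveats a practitioner would check before relying on this. First, "police output" on the outside interface only limits the direction leaving that interface; if the replication data itself flows inbound, police that direction too ("police input") or the cap never applies to the bulk stream. Second, an ASA policer is an aggregate per class, not per source address, and the priority queue carries everything the class matches, including a developer's SCP bulk copy. The per-IP fairness the question asks for is therefore not available this way; the nearest approximation is to classify the known bulk destinations (replication targets, file servers) into policed classes by ACL and leave only the remaining SSH in the priority class.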
