Monday 22 February 2016

Setting up QoS with the ASA 5510

The ASA offers two methods of controlling traffic: policing it and shaping it. In this post I will describe each method and provide some real-world configuration examples.

Traffic Policing: This lets you set a throughput limit (in bits/second); anything above that limit is dropped. It also lets you set a maximum burst size.

For example, we may wish to limit HTTP traffic to a public-facing web server so that one server cannot saturate all of the bandwidth. To cap www traffic at 5 Mbps we apply the following MPF (Modular Policy Framework) configuration:

access-list WEBSITE-LIMIT extended permit tcp any host 66.77.88.99 eq www

class-map WEBSITE-TRAFFIC
match access-list WEBSITE-LIMIT
exit

policy-map WEBTRAFFIC-POLICY
class WEBSITE-TRAFFIC
police output 5000000 conform-action transmit exceed-action drop
exit
exit

service-policy WEBTRAFFIC-POLICY interface outside

Traffic Shaping: This also restricts throughput, but rather than dropping excess packets the ASA buffers them and sends them later, when the configured rate allows. On the ASA, shaping can only be configured under class-default in an interface policy, so it applies to all traffic leaving that interface rather than to an access-list-defined class. For example, to shape traffic leaving the outside interface (such as DMZ to outside) to 2 Mbps:

policy-map qos_outside_policy
class class-default
shape average 2000000
exit
exit

service-policy qos_outside_policy interface outside
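To make the difference between the two mechanisms concrete, here is an added token-bucket model of policing versus shaping using the rates from both examples above (5,000,000 bps policed, 2,000,000 bps shaped). It is illustration code written for this post, not ASA code; the sample packet burst, the 7500-byte policer burst and the queue limit are constructed values.

```python
# Added illustration (not ASA code): token-bucket model of policing vs shaping.
# Times are integer microseconds so the arithmetic stays exact.
from collections import deque

US_PER_S = 1_000_000


def police(packets, rate_bps, burst_bytes):
    """Single-rate policer (police ... exceed-action drop).
    packets: list of (arrival_us, size_bytes). Tokens (bytes) refill at rate_bps
    and are capped at burst_bytes (the policer's conform-burst). A packet that
    finds enough tokens is transmitted; anything else is dropped on the spot."""
    tokens, last = float(burst_bytes), 0
    sent, dropped = [], []
    for t, size in packets:
        tokens = min(burst_bytes, tokens + (t - last) * rate_bps / (8 * US_PER_S))
        last = t
        if size <= tokens:
            tokens -= size
            sent.append((t, size))
        else:
            dropped.append((t, size))
    return sent, dropped


def shape(packets, rate_bps, queue_limit):
    """Shaper (shape average): excess packets wait in a queue and leave at the
    configured rate. A newcomer is dropped only when queue_limit packets are
    still unsent, i.e. when the buffer is full. Returns (sent, dropped) with
    sent entries as (arrival_us, departure_us, size)."""
    in_flight = deque()  # departure times of packets not yet fully sent
    next_free, sent, dropped = 0, [], []
    for t, size in packets:
        while in_flight and in_flight[0] <= t:
            in_flight.popleft()
        if len(in_flight) >= queue_limit:
            dropped.append((t, size))
            continue
        start = max(t, next_free)
        next_free = start + size * 8 * US_PER_S // rate_bps  # serialisation time
        in_flight.append(next_free)
        sent.append((t, next_free, size))
    return sent, dropped


# Constructed sample: 20 full-size packets arriving every 1 ms (12 Mbps offered).
BURST = [(1000 * i, 1500) for i in range(20)]

if __name__ == "__main__":
    s, d = police(BURST, 5_000_000, 7500)
    print(f"police 5 Mbps: {len(s)} sent, {len(d)} dropped")
    s, d = shape(BURST, 2_000_000, 64)
    print(f"shape 2 Mbps: {len(s)} sent, {len(d)} dropped, "
          f"worst delay {max(dep - arr for arr, dep, _ in s)} us")
```

Run as-is the policer drops 8 of the 20 packets outright, while the shaper with a deep buffer delivers all 20 at the cost of up to 101 ms of queueing delay; shrinking the queue limit shows the shaper dropping too once its buffer fills.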
