12-30-2017 12:58 PM - edited 02-21-2020 07:03 AM
Hi,
Our customer has a 50/50 internet connection, but they reach only 50 down / 12 up.
The ISP told me that we need to configure bandwidth throttling on the outside interface to 48/48 to prevent this from happening.
I added the following in the ASA5506 config (for testing purposes, I want to limit the internet connection to 5mbit):
class-map outside-class
 match any
!
!
policy-map outside-policy
 class outside-class
  police input 50331500 9437184
  police output 50331500 9437184
!
service-policy outside-policy interface outside
However, this is not working! speedtest.net still shows me 48 down / 13 up instead of 5/5.
Please help me out, why isn't this working?
The command "show service-policy" shows the following:
Result of the command: "show service-policy"
Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: dns preset_dns_map, packet 703652, lock fail 0, drop 141, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 sctp-drop-override 0
Inspect: ftp, packet 55, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 sctp-drop-override 0
Inspect: h323 h225 _default_h323_map, packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 sctp-drop-override 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: h323 ras _default_h323_map, packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 sctp-drop-override 0
Inspect: rsh, packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 sctp-drop-override 0
Inspect: rtsp, packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 sctp-drop-override 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: esmtp _default_esmtp_map, packet 82287, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 sctp-drop-override 0
Inspect: sqlnet, packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 sctp-drop-override 0
Inspect: skinny , packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 sctp-drop-override 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: sunrpc, packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 sctp-drop-override 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: xdmcp, packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 sctp-drop-override 0
Inspect: netbios, packet 18, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 sctp-drop-override 0
Inspect: tftp, packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 sctp-drop-override 0
Inspect: ip-options _default_ip_options_map, packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 sctp-drop-override 0
Class-map: class-default
Default Queueing Packet recieved 0, sent 0, attack 0
Interface outside:
Service-policy: outside-policy
Class-map: outside-class
Input police Interface outside:
cir 50331500 bps, bc 9437184 bytes
conformed 74017 packets, 98017630 bytes; actions: transmit
exceeded 0 packets, 0 bytes; actions: drop
conformed 11632 bps, exceed 0 bps
Output police Interface outside:
cir 50331500 bps, bc 9437184 bytes
conformed 60403 packets, 7772432 bytes; actions: transmit
exceeded 0 packets, 0 bytes; actions: drop
conformed 6896 bps, exceed 0 bps
01-01-2018 02:10 AM
Why can't you hard-set a bandwidth of 48mbps on the outside interface?
01-01-2018 03:24 PM
Hi Dennis,
Is that possible too? Please tell me how to do that in the ASA config.
Greets, Marco
01-01-2018 06:51 AM
If you want to test 5 Mbps cap, then your values are incorrect.
You have:
police input 50331500 9437184
police output 50331500 9437184
...which is an input and output rate of ~50 Mbps (with a conform burst size of 9.4 MB). Try the following instead:
police input 5000000 exceed-action drop
police output 5000000 exceed-action drop
References:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/I-R/cmdref2/p2.html
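To confirm which rate a policer is actually enforcing, the police stanzas of "show service-policy" can be parsed and compared with the intended cap. This is an added example, not part of the original thread or of any Cisco tooling; the function names `parse_policers` and `check_cap` and the 5% tolerance are assumptions made for illustration.

```python
import re

# Constructed sample: the two police stanzas copied from the output in the question.
SAMPLE = """\
Input police Interface outside:
cir 50331500 bps, bc 9437184 bytes
conformed 74017 packets, 98017630 bytes; actions: transmit
exceeded 0 packets, 0 bytes; actions: drop
conformed 11632 bps, exceed 0 bps
Output police Interface outside:
cir 50331500 bps, bc 9437184 bytes
conformed 60403 packets, 7772432 bytes; actions: transmit
exceeded 0 packets, 0 bytes; actions: drop
conformed 6896 bps, exceed 0 bps
"""

HEAD = re.compile(r"^\s*(Input|Output) police Interface ([^\s:]+):", re.M)
CIR = re.compile(r"cir (\d+) bps")
EXCEEDED = re.compile(r"exceeded (\d+) packets")

def parse_policers(text):
    """Return one dict per police stanza in 'show service-policy' output."""
    heads = list(HEAD.finditer(text))
    policers = []
    for i, head in enumerate(heads):
        # A stanza runs from its header to the next header (or end of text).
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        body = text[head.end():end]
        cir, exceeded = CIR.search(body), EXCEEDED.search(body)
        if cir is None:
            continue  # truncated stanza: skip it rather than guess a rate
        policers.append({
            "interface": head.group(2),
            "direction": head.group(1).lower(),
            "cir_bps": int(cir.group(1)),
            "exceeded_packets": int(exceeded.group(1)) if exceeded else None,
        })
    return policers

def check_cap(policers, intended_bps, tolerance=0.05):
    """List policers whose CIR is more than `tolerance` away from the intended rate."""
    return [
        f'{p["interface"]} {p["direction"]}: cir {p["cir_bps"] / 1e6:.1f} Mbps, '
        f'intended {intended_bps / 1e6:.1f} Mbps, exceeded {p["exceeded_packets"]} packets'
        for p in policers
        if abs(p["cir_bps"] - intended_bps) > tolerance * intended_bps
    ]

if __name__ == "__main__":
    print("\n".join(check_cap(parse_policers(SAMPLE), 5_000_000)))
```

Run against the output from the question with an intended cap of 5 Mbps, both directions are reported at 50.3 Mbps with zero exceeded packets, which matches the speed test result.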