Cisco :: 5510 Bandwidth Management / Policy Not Working

Jul 27, 2011

We have a Service Policy rule setup on our 5510 for SMTP traffic.
 
Problem is, this week someone sent a larger email 20+mb to dozens of recipients and the outside interface was hitting 10mb, which is not what I would have expected with this rule in place, so I'm questioning the configuration. We know it was email because I disabled the server that receives our outbound mail to apply a signature and the traffic dropped immediately.


Cisco Firewall :: ASA 5510 - Bandwidth Management And Content Security

Sep 13, 2012

I have some clarifications regarding the ASA firewall: can it support bandwidth management and content security at the same time? We are looking for the below features in the ASA5510.

- IP/Policy based bandwidth management.
- Control the bandwidth and allocate the bandwidth to specified users or servers.
- Content Security.

If not, which device do I need to set for Internet Bandwidth Management and content security?


Cisco Routers :: RVS4000 Bandwidth Management Not Working

Oct 12, 2011

I have a RVS4000 hardware v2 with firmware 2.0.2.7. I have a DSL modem in bridge mode and have the router set to PPPoE. Everything works fine except I want to use QOS which doesn't work fine. I have some vonage boxes set up on a switch set to port 1 trust mode is set to port and level 4 for highest priority. Port 2 I have on another switch set to priority 3. I tried turning bandwidth management on which doesn't seem to work at all so I don't even know if the QOS is even working. I set the max down stream and upstream provided after running a number of speed tests and setting it a little lower than my worst speed results. Once I did that I set up a rule for all traffic for rate control and set them just below the min and max I put in for isp bandwidth. I set the ip range from 192.168.1.100-190 this will cover anything that dhcp hands out and I also have a few statics set up on 192.168.1.180 and 181. However after enabling it I ran some speed tests and I still get full speed and the rules seem to be getting ignored.


Cisco Firewall :: ASA 5510 / Management Interface Stopped Working After Upgrade?

Jun 24, 2012

After I have upgraded our ASA 5510 to 8.4.2 I have problem with the management interface. Our former firmware 8.2.3 had no problem using the management interface as a DMZ zone, but after we upgraded to 8.4.2 we can't make it work. The interface and the protocol is up, when I type: show interface. But when I ping the interface from a computer connected to the interface, nothing happens.
Even the logging shows nothing.


Cisco WAN :: ASR1001 / Use Bandwidth Of VAI In QoS Parent Policy?

Jan 3, 2013

I've done a similar solution before where I put bandwidth inherit on the Dialer interface of the CPE and it inherited the ATM interface speed (the upload sync rate) and prevented the CPE from maxing out and hitting hardware queuing in the DSLAM.  I can't seem to find a way to do this downstream from our ASR1K to the customer though.
 
Platform is ASR1001 with IOS 3.7.2 or 15.2(4)S
 
Problem description: We have many xDSL users (ADSL2+ and VDSL2). They all sync at different speeds depending on how far they are from the DSLAM.
 
Example:
 
Customer A might be connected at 40000kbps/10000kbps (VDSL2)
Customer B might be connected at 5000kbps/600kbps (ADSL)
 
When they connect and the PPPoE session comes up, the bandwidth on the Virtual Access Interface is equal to the customer's downstream sync rate, so Customer A's virtual access interface, Virtual-Access 2.13 will say 40000kbps, and Customer B's virtual access interface Virtual-Access 2.39 will say 5000kbps. Using RADIUS, we apply a sub-qos-policy-out to the PPPoE session. I want to shape the customer to 80% of their sync rate so that we do not hit interface congestion in the DSL network which makes VoIP perform poorly. I cannot use an absolute value for the shape, because the sync rate varies for each customer. The problem I have is at present the policy-map is using the interface bandwidth of Gi0/0/1 (1Gbit) instead of the bandwidth of the Virtual Access Interface. Therefore the customer is being limited to 800Mbit which means the QoS policy will never take effect.
  
RADIUS Config Below:
 
cisco-avpair += ip:sub-qos-policy-out=QOS-POLICY-OUT-PARENT-DSL
 Class Maps
 class-map match-any QOS-CLASS-VOIP-RTP-DSL
match protocol rtp audio
match access-group name QOS-VOIP-RTP
class-map match-any QOS-CLASS-VIDEO-RTP-DSL

[code].....


Cisco :: WLC 4404 Bandwidth Management?

Jan 19, 2011

I have a WLC 4404 installed and we would like to manage the bandwidth per SSID.
Today we have configured many SSID because our campus has a lot of wireless users and any SSID has only one class C subnet (/24).
 
We would like to configure each SSID with more subnets. Is this possible?

Additionally we need to restrict the bandwidth per SSID. Is this possible? We have some SSID for less important users and we would like to assign the bandwidth per SSID.


Cisco WAN :: Bandwidth Management On 1841?

Nov 5, 2012

I am trying to restrict bandwidth for a particular LAN IP address on my network using policy maps but it does not seem to be working. My LAN IP address is 192.168.20.199, which I am trying to limit the bandwidth on.
  
Cisco_1841#sh policy-map interface fa0/0
FastEthernet0/0
Service-policy input: Bandwidth_Allocation_In
Class-map: BWTest_In (match-all)
0 packets, 0 bytes
5 minute offered rate 0

[Code].....


Cisco WAN :: Bandwidth Management On 2811 Router

Aug 29, 2012

I am trying to use GNS to simulate this, but a bit difficult to achieve this. May I know can the Cisco Router handle below requirement? Example Cisco 2811
 
 1) Bandwidth management based on IP Address or Subnet? For example; allocate 1Mbps (CIR) and 10Mbps (BIR) to 172.16.1.10
 
2) Can the Cisco Router control the inbound and outbound bandwidth?
 
3) Can you share the sample config?


Cisco Wireless :: Bandwidth Management Using 5508?

Aug 16, 2012

I setup a WLC5508 with 2 SSIDs, one for guest traffic and another for internal users.  They are in separate subnets and are routed out to the internet via 2 different isps, with the guest network going over a bonded t1 and the internal users going out the primary internet connection for the company.  While this works as desired and we've verified that while on the guest network we're going out the right isp, we've encountered an issue with saturation of the bonded t1 pipe by guests.  We'd like to find a way to limit a guest to a capped down/up stream if possible, with downstream being the most important.  The infrastructure includes 3560 switches and AIR-CAP3502I-A-K9 access points. 


Cisco Firewall :: Bandwidth Management On ASA 5505?

Sep 30, 2012

I have a 20 mbps internet link and I have an ASA 5505. I have to divide this bandwidth 10-10 mbps each for Voice and Data, so that both can work properly, because when I am using it for both on the same interface, I am getting Voice disturbance.


Cisco Firewall :: Bandwidth Management ASA 5505

Jul 24, 2012

I have 16MB internet speed. I want to give the inside interface in my ASA only 2MB to use. How can I assign it?
 
ASA Version 8.2(5)
!
hostname ConcordeASA
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface

[Code].....


Cisco Routers :: Bandwidth Management In WRVS4400N?

Aug 13, 2010

setting up Rate Control in Bandwidth Management. It doesn't seem to work at all. I knew from some other Posts that I need to have IPS on and I do. Is there something else I need to do?
 
My users are connected wirelessly to the router through three different SSIDs  and I have 3 VLANS. I need to set some limitations on two of the LANS.


Cisco :: 2960 Bandwidth Management For Wireless Clients

Dec 20, 2011

We are looking at putting in a solution at a hotel for Free Guest WiFi. The solution would cover 4 floors and about 120 rooms and some open areas. In short the hardware would look as follows:

-2500 controller
-1142LAP
-2960 PoE switch
-878 Adsl router for internet connectivity (20Mbps/1Mbps internet ADSL feed)
 
One of the concerns raised by the client is that they would like to make sure that no single user could eat up too much bandwidth creating problems for the rest of the users . Can the above KIT or something similar achieve this objective? As far as I can think of we would require a Proxy server .


Cisco WAN :: 3845 - Traffic Shaping For Bandwidth Management

Jun 1, 2011

I am trying to get rid of an old traffic management appliance and would like to replace it by a simple Cisco 3845.
 
The configuration is really simple:
 
Customers -- Router 3845 -- Internet
 
I want to be able to provide bundles to customer such 64kps guaranteed/ 2mbps MIR (retail) and 2mbps guaranteed no MIR (business).

I need also to specify to the router the total internet bandwidth available (example: 20mbps symmetrical).
 
This configuration will work ? Should I worry about any performance issue if I start to have a lot of customers ?
 
ip access-list extended Cust1
permit ip any sub_Cust1
permit ip subCust1 any


Cisco Switching/Routing :: 3945E - Bandwidth Percentage For Nested Policy Maps

Jul 15, 2012

I'm trying to wrap my head around bandwidth guarantee for nested maps. I tried adding a new class to two of my policy-maps today, and got this error:

3945E-1(config-pmap-c)#bandwidth 3000
Insufficient bandwidth 3000 kbps for the bandwidth guarantee
 
I'm not sure how it knows that with the nested maps and how it's computed. I have a 100mb WAN connection going to 19 branches. I have a class-map that identifies traffic to the individual branch and within that class, a policy-map is applied to prioritize voice over video etc.
 
Here's the QoS setup:
 
class-map Branch1-Policy
match access-group branch-1-acl
*
*

[code]....

I was adding the Video-Conf class to both Traffic-6calls and Traffic-10calls when I got the above error. How would that percentage be calculated? I know by default I can only reserve up to 75% of interface bandwidth. The platform is 3945E running 15.1(3)


Cisco Switching/Routing :: Sf300 - Vlan Bandwidth Management?

Oct 20, 2012

I have a small network with Polycom phones connected to the sf300 switch and have the PCs daisy chained via the second switch port on each phone. I have the PC traffic running on the default vlan 1 and the voice traffic running on the voice vlan 100. Can I do bandwidth management on a vlan/port basis or is that not necessary? I want to ensure that the voice traffic is never impacted by the PC traffic on the same cable.


Cisco Firewall :: ASA 5525 - Bandwidth Management (Rate Limit) Using QoS Policies

May 22, 2013

We have an ASA 5525 running version 8.6(1)2 and a 10 MG pipe. I have execs that want to limit bandwidth on users for stuff like youtube, stream media, and downloads. I found the article on ‘Bandwidth Management(Rate Limit) Using QoS Policies’ so it appears our firewall can do what we want. I’m not a cisco person. My knowledge is limited when it comes to configuration – that’s why we have SmartNet.

Can bandwidth be limited on end users and/or can they limit the ‘bandwidth rate limit’ to just youtube, streaming media, and downloads? If so, what should the limit be? And I assume this would be for ‘incoming’ traffic only? We’re running into some bandwidth hogs – usually youtube and/or streaming media. We have a Barracuda web filter which we’ve used to block and monitor activity but I simply do not have time to babysit this all day. I should also mention we do have critical data running up and down the pipe, such as credit card processing, DB replication between in house DB and hosted website, TPCx and EDI, FTP, and such that we don’t want restricted.


Cisco AAA/Identity/Nac :: ASA 5520 / Dynamic Access Policy VPN And Management Access

Jun 8, 2011

ASA 5520 to get it to authenticate VPN users against an Active Directory environment plus allow management access as well. I created a Dynamic Access Policy on the ASA stating that if you are a member of the Active Directory group "Managment" then continue. I changed the DefaultAccessPolicy to "Terminate". So with that, VPN users cannot connect because they are not a member of that group, but the access to manage the ASA is allowed because of that policy. Is there a way through using Dynamic Access Policies that I can allow management access (SSH, ASDM, etc) by matching to a group membership and will allow normal users to VPN in successfully but not allow them access to managing the ASA?


Cisco VPN :: ASA 5510 - Group Policy In IPSEC Remote?

Nov 20, 2012

I have configured ASA 5510 with IPsec Remote VPN, with local database users (users are created in ASA).
 
Internal network has 4 VLANS. Need solution for below.
 
There are 25 users created in ASA, where only 5 to 6 users want to grant access to particular IP and subnets and the rest of the users can access the entire LAN.

Is it possible to configure Group policy in ASA for IPsec Remote VPN?


Cisco Firewall :: Asa 5510 Error - Cannot Add Policy To Rule Engine

Mar 5, 2013

I am trying to add 89,462+ access list rules to an ASA 5510 running 8.2(5). I have added all the rules to an object group and when I try to apply the access list to an interface it gives me the following error:
 
ERROR: Cannot add policy to rule engine ERROR: Unable to assign access-list wan-out to interface wan
 
I have not tried not using an object group and just putting the rules in the access list. I want to be able to add to these rules if needed easily.
 
I think it's clear that i have exceeded the rule limit for the ASA. So my question is, what is the rule limit for an ASA 5510 and which ASA could I purchase that would handle this amount of rules?


Cisco Application :: ACE 4710 Policy Is Not Working

Jun 16, 2011

I have ACE 4710 in context mode. I am doing internet browsing (Port 80) redirection to two proxy servers (Transparent Proxy) as well as I am using this ACE box for multiple other servers load balancing.
 
I have multiple policies applied on my LAN interface (VLAN 300) where all the users and servers are connected.
 
Now I am facing a problem with one application (PLATTS) which is an oil company related application. This application is working fine while directly connected with Internet (external internet connection) or by giving explicit proxy in the user browser.

But in transparent proxy this application is not working and my company policy only allows the transparent proxy, not explicit proxy.

Now if on my interface vlan 300 I remove the service-policy input PM_MAIN_BCPROXY my application will start working but I can't redirect the port 80 traffic to my proxy servers, which is also my requirement.
  
interface vlan 300
description ACE-INSIDE CONTEXT RACK1
ip address 192.168.0.65 255.255.255.224

[Code]....

This application use multiple destinations for connectivity and I have even tried by passing the destination IP addresses by making bypass policy but still no luck.
 
I want this application to work as well as redirection of port 80. I even tried re-ordering the policy sequence but no luck. this application to work as well as redirection of port 80 for Internet.


Cisco Firewall :: ASA 5510 - Management Interface

Feb 13, 2012

I am having issues with the ASA 5510 management interface. I can't communicate with this interface. It is showing DOWN/DOWN even if I type NO SHUT several times.
 
My existing config is as follows 
our-asa-01# sh run
Saved
ASA Version 7.2(5)
hostname our-asa-01
names
dns-guard
interface Ethernet0/0
[code]....


Cisco VPN :: User Password Management On ASA 5510?

Oct 4, 2010

Can any VPN user change their user account password through tunnel which configured on local database of ASA 5510?


Cisco Firewall :: Negative Counters In ASA 5510 (show Service-policy)

Feb 7, 2012

In my Cisco ASA 5510 in release 8.2, I have a strange behavior in the output of the "show service-policy" command. The issue is that I created a class-map to limit traffic in one of the ASA interfaces and I applied it in a service policy. This is the configuration:
 
access-list ACL-Limitada extended permit ip host srv-proxy any
access-list ACL-Limitada extended permit ip any host srv-proxy
access-list ACL-Limitada extended permit tcp 192.168.10.0 255.255.255.0 any eq ftp-data
access-list ACL-Limitada extended permit tcp 192.168.10.0 255.255.255.0 any eq ftp
access-list ACL-Limitada extended permit tcp any 192.168.10.0 255.255.255.0 eq ftp-data
access-list ACL-Limitada extended permit tcp any 192.168.10.0 255.255.255.0 eq ftp

[code]...


Cisco AAA/Identity/Nac :: ACS 5.2 Command Set Policy Not Working On Console?

Nov 27, 2012

I configure my Cisco ACS5.2 using Command set policy and providing Shell access 15. I allow user only “show *” command. It works fine with Telnet. User Group cannot execute any command apart from “Show *”. But when I connect the device using Console, user group has full permission on the devices. I believe Command set policy is not working on Console. Is it normal behavior or do I need to update some changes in ACS or Network devices?
 
My network device configuration is as below :
 
tacacs-server host 10.x.x.x key test123
tacacs-server host 10.y.y.y key test123
tacacs-server timeout 1
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+

[code].....


Cisco Switching/Routing :: Policy Map On 3550 Not Working?

Sep 27, 2012

We have a metro Ethernet service, basically our WAN connection, that we use to connect 4 sites. This MOE service has a CIR of 200 Mbps, connected to a port on a 3550-12T running Version 12.1(22)EA5 at 1000 Mbps. We are exceeding our CIR at times during the day for short bursts which is causing the MOE switch to drop packets, which I suspect I am seeing manifest itself in some choppy VoIP conversations and dropped ICMP packets from our network monitoring software. I implemented policy maps to apply an outbound service policy to the interface connected to the MOE service, but I am not seeing any matches to the access lists or the service policy. I’m not sure if I am missing something or perhaps the IOS is not capable?
 
Below is the config for the service policy and some command output. Notice that there are hits on a standard access list that is used for other purposes, but the extended access lists used for the class maps have no matches.
 
!
class-map match-all REALTIME
match access-group name REALTIME

[Code].....


Cisco :: Configuration Management In LMS 4.1 Is Not Working?

Jan 9, 2013

I need to archive the configuration for the devices but it states that SSH fails to authenticate although I have checked the credentials many times.


Cisco Firewall :: ASA 5510 / Blocking / Shunning Hosts With Service Policy Rules?

Dec 20, 2012

I have an ASA 5510 deployed and we are getting a tonne of port scanning traffic (who isn't these days) and ping traffic. The threat scanning thresholds seem a bit too high and I was wondering if there is a way to use a Service Policy Rule to perform a Shun/Block of the hosts rather than the firewall simply blocking the request via the ACL and sending a reply.

In other words, if I do nothing, I know the ACL is protecting the resources but it is still replying to the client connection. I want the end result to be the same as a "Shun" where the connection is dropped and no reply is sent. How to employ Service Policy Rules to thwart Port Scanning and/or IP Spoofing?


Cisco Routers :: WRVS4400N Internet Access Policy Not Working

Jun 23, 2012

I am trying to create an IAP for a single computer based on its MAC address. I want to block certain keywords and websites 24/7. When I setup the IAP as number 1, I add the MAC address of the computer in question. I then Select Allow and choose Everyday and 24 Hours. I type in the forbidden domains and click add after each one. I type in the keywords and click add after each one. After I click on Save, all of my computers on the network lose internet access.
 
I have WRVS4400N VPN Version 2, firmware version 2.0.2.1


Cisco Firewall :: Verification Of Management Interface Usage On 5510

May 24, 2012

I seem to get conflicting information on using the Management port as a regular routed interface on the ASA5510. The management interface can be used for the traffic that passes through the firewall as well. The Security Plus License for the ASA 5510 is required in order to use the management0/0 port as a regular interface. With a base license on the 5510, the management0/0 port cannot be used as a regular interface.
 
I believe that I saw another post that mentioned it was part of the standard IOS if you had a later version.


Cisco Switching/Routing :: Cat 2960 - Map / Service-Policy Input Is Not Working

Nov 10, 2011

I have some trouble with that policy-map on my 2960 or 3560 switches with LAN base 12.2(53)SE2. I want to use that feature to catch video traffic from webcams in laptops  which can't send dscp values out of the box. This is my test config to check if the function is working: catch every traffic from my workstation for testing, access-list 101 permit ip any any, class-map match-all CL_TEST

1. I can't see any counters with the command "sh policy-map interface  FastEthernet 0/1". Cisco tells that this command is not possible. But how I can see if the policy is working correct?
2. When I did the configuration I can't see any packets with dscp af41 on the outgoing interface on the switch with "sh mls qos int gi0/1 statistic" as I expected. After reloading the switch I see the packets with af41. Okay for that moment. But after that I changed something in the policy-map. Only "set ip dscp ef" for a second test.

Generating some traffic I see only packets with af41 as before I changed the policy-map. No traffic with ef on the outgoing interface.


Cisco Switching/Routing :: Traffic Policy Is Not Working On Catalyst 3750?

Jan 28, 2013

Unable to limit traffic on catalyst 3750 gigabit ports it has fiber modules,
 
I want to limit traffic 2mb per port
 
I have tried srr-queue and policer but it is not working and there is no ratelimit command under any interface. Applying policy to output is not supported of the interface.
 
policy-map rate-limit
class class-default
police 2000000 8000 exceed-action drop
int gi1/0/3
service-policy input rate-limit 
 
still when I start download it goes to 10 mbps


Cisco Switching/Routing :: Service Policy Input Not Working 6509 VSS

Jan 6, 2013

interface Vlan24
description Internal Wireless Internet
ip address 10.x.0.1 255.255.254.0

[Code]....

So, I am trying to limit the bandwidth used by this vlan. The service-policy output statement works, the service-policy input statement does not. My test is to get on that vlan and go to speedtest.net. My download speeds are about 3.5Mb/s, my upload speeds are about 20Mb/s.
 
it has something to do with this:
 
sh mls qos ip
QoS Summary [IPv4]:  (* - shared aggregates, Mod - switch module Sid - Switch Id)
Int  Sid Mod Dir  Class-map DSCP  Agg  Trust Fl   AgForward-By   AgPoliced-By

[Code].....








Copyrights 2005-15 www.BigResource.com, All rights reserved