Lots of ASA 5505 throttle questions

Is it possible to throttle a given internal IP address to some maximum bandwidth? I have a 3 Mbit/s link and I want to make sure that our database replication system doesn't try to take more than 2 Mbit/s. Unfortunately the replication goes over SSH, so I can't easily separate it from developers' SSH terminal sessions. I want them to have low latency terminals, but I want bulk traffic also going over SSH to have a lower priority. I can mark the database replication SSH traffic based on the IP of the database. I toyed around with using trickle, but I would rather just have the firewall handle this detail.

Sometimes developers will do a bulk copy of data with SCP. If possible I would like to make sure that any one IP address on our network cannot slow everyone else down. Of course, you can't look into an SSH stream and easily categorize the content; although, it seems to me that SSH streams that have not been using much bandwidth should be rewarded with a higher priority. Maybe this type of QoS is too sophisticated for the ASA.

I've been going over the QoS documentation and I understand how I can assign priority to certain categories of traffic, but I'm not sure how to get from there to solving my problem. The information might be here in the docs, but I'm missing the terminology. Correct me if I'm just using the wrong terms to ask what I want or if I'm looking at this in the wrong way.

Any pointers or examples?

-- Noah


Hi Noah,

I am going to cheat a little here and refer to a QoS example in an ASA book I have from Cisco Press.

It reads:

    class-map mail-pop
     match access-list Mail-ACL-Out
    class-map web
     match access-list web-out
    class-map voip-sig
     match dscp af31
    class-map voip-rtp
     match dscp ef

    policy-map voip-mail-qos-policy
     ! POP mail restricted to 56 kbps (rate in bit/s, burst in bytes;
     ! newer ASA releases require a direction: police output ...)
     class mail-pop
      police 56000 10500
     ! VoIP signalling is prioritised
     class voip-sig
      priority
     ! VoIP data is prioritised
     class voip-rtp
      priority
     ! Web mail is rate limited to 56 kbps
     class web
      police 56000 10500

    service-policy voip-mail-qos-policy interface outside

So in summary, define your class maps and classify on ACL if you want to trap certain traffic. I included voice above so you could see an alternative way to prioritise other than policing. There is also traffic shaping and other QoS tools available no doubt.

In your scenario:

I can't quite determine from reading your post how you want the traffic splitting. I think you are saying that database replication uses SSH, as do developers' terminals. In addition, developers also use SCP.

This being the case you would have class-maps for

    class-map developer-ssh
     match access-list developer-ssh-acl

    class-map data-replication-ssh
     match access-list data-replication-acl

    class-map developer-rcp
     match access-list developer-rcp-acl

If this is the case, data replication will go back to a storage host / server, won't it? That being the case, use an extended ACL to classify the source & destination host, plus additionally the port number if the ASA will let you.

Darren

Darren Green
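The pattern Darren describes, carried through for Noah's scenario as an added example. This is not configuration from the thread or from the Cisco Press book; it assumes ASA 7.2 or later syntax, an inside network of 192.0.2.0/24, a database host at 192.0.2.10 and an Internet-facing interface named outside, all of which are placeholders.

```text
! Added example, not from the thread or the book. Placeholder addresses:
! inside network 192.0.2.0/24, replication database host 192.0.2.10.

! Replication SSH is identified by the database host's address, not by content.
access-list REPL-SSH-ACL extended permit tcp host 192.0.2.10 any eq 22

! Developer terminals: every other SSH session leaving the inside network.
! The deny line keeps the replication host out of the priority class.
access-list DEV-SSH-ACL extended deny tcp host 192.0.2.10 any eq 22
access-list DEV-SSH-ACL extended permit tcp 192.0.2.0 255.255.255.0 any eq 22

class-map REPL-SSH
 match access-list REPL-SSH-ACL
class-map DEV-SSH
 match access-list DEV-SSH-ACL

! Classes are matched in order, so REPL-SSH is listed first; the database
! host is policed even though a broader SSH class also exists.
policy-map QOS-OUTSIDE
 class REPL-SSH
  ! Cap replication at 2 Mbit/s outbound (rate in bit/s, burst in bytes);
  ! traffic over the conform rate is dropped, leaving 1 Mbit/s of the link.
  police output 2000000 62500 conform-action transmit exceed-action drop
 class DEV-SSH
  ! Strict-priority queue for interactive terminals (low latency).
  priority

! "priority" has no effect until the priority queue exists on the interface.
priority-queue outside

service-policy QOS-OUTSIDE interface outside
```

Two things to keep in mind when adapting this. ASA policing is applied to the aggregate of everything a class matches, not per source host, so "no single IP can slow everyone else down" needs a separate class (and ACL) per host you want capped; the ASA has no mechanism to rank SSH streams by how much bandwidth they have recently used. Second, developer SCP transfers also use port 22, so with the classes above they land in the priority queue alongside the terminals; if that turns out to hurt latency, move the known bulk-copy sources into their own policed class. `show service-policy interface outside` shows per-class conform and exceed counters, and `show priority-queue statistics outside` shows drops in the priority queue, which is where to look first when checking whether the policy is doing what you expect.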
