Thursday 26 June 2014

Traffic Shaping

Traffic shaping on the security appliance lets the device limit the rate of traffic. Traffic above the “speed limit” is buffered and sent later rather than dropped. On a 7.x security appliance, shaping must be applied to all outgoing traffic on a physical interface; it cannot be configured for only certain types of traffic. The shaped traffic includes traffic passing through the device as well as traffic sourced by the device itself.
To configure traffic shaping, use the class-default class and apply the shape command in Policy Map Class Configuration mode. The class-default class is created automatically by the system; it is a simple match-any class map that matches all traffic. Here is a sample configuration:
pixfirewall(config)# policy-map PM-SHAPER
pixfirewall(config-pmap)# class class-default
pixfirewall(config-pmap-c)# shape average 2000000 16000
pixfirewall(config-pmap-c)# service-policy PM-SHAPER interface outside
Verification is simple. Run the following to confirm your configuration:
pixfirewall(config)# show run policy-map
!
policy-map PM-SHAPER
 class class-default
  shape average 2000000 16000
!
Another excellent command that confirms the effectiveness of the policy is:
pixfirewall(config)# show service-policy shape
Interface outside:
  Service-policy: PM-SHAPER
    Class-map: class-default
      shape (average) cir 2000000, bc 16000, be 16000
      Queueing
        queue limit 64 packets
        (queue depth/total drops/no-buffer drops) 0/0/0
        (pkts output/bytes output) 0/0

Traffic Policing

With a policing configuration, traffic that exceeds the “speed limit” on the interface is dropped rather than buffered. Unlike shaping on the appliance, policing can be applied to a specific class of traffic that you select. Let’s examine a policing configuration that limits the amount of web traffic permitted on an interface.
pixfirewall(config)# access-list AL-WEB-TRAFFIC permit tcp host 192.168.1.110 eq www any
pixfirewall(config-if)# class-map CM-POLICE-WEB
pixfirewall(config-cmap)# match access-list AL-WEB-TRAFFIC
pixfirewall(config-cmap)# policy-map PM-POLICE-WEB
pixfirewall(config-pmap)# class CM-POLICE-WEB
pixfirewall(config-pmap-c)# police input 1000000 conform-action transmit exceed-action drop
pixfirewall(config-pmap-c)# service-policy PM-POLICE-WEB interface outside
Notice that we can verify with commands similar to those used for shaping:
pixfirewall(config)# show run policy-map
!
policy-map PM-POLICE-WEB
 class CM-POLICE-WEB
  police input 1000000
!
pixfirewall(config)# show service-policy police
Interface outside:
  Service-policy: PM-POLICE-WEB
    Class-map: CM-POLICE-WEB
      Input police Interface outside:
        cir 1000000 bps, bc 31250 bytes
        conformed 0 packets, 0 bytes; actions:  transmit
        exceeded 0 packets, 0 bytes; actions:  drop
        conformed 0 bps, exceed 0 bps
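To make the shaping-versus-policing difference concrete, here is an added Python model of the two token buckets (not code from the original post or from Cisco) driven with the page's parameters: a 2 Mbps shaper with a 16000 burst and a 64-packet queue, and a 1 Mbps policer whose default bc is 31250 bytes. The burst units are modelled in bytes and the packet stream is constructed; both are assumptions of the model, not device behaviour.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    t: float   # arrival time in seconds (packets must be given in arrival order)
    size: int  # bytes

def police(packets, cir_bps, bc_bytes):
    """Single-rate policer: a packet conforms if the bucket holds enough tokens,
    otherwise it is dropped on the spot. Returns (conformed, exceeded)."""
    rate = cir_bps / 8.0                        # bucket refills in bytes per second
    tokens, last, conformed, exceeded = float(bc_bytes), 0.0, 0, 0
    for p in packets:
        tokens = min(bc_bytes, tokens + (p.t - last) * rate)   # refill, capped at bc
        last = p.t
        if p.size <= tokens:
            tokens -= p.size
            conformed += 1
        else:
            exceeded += 1                       # police: exceed-action drop
    return conformed, exceeded

def shape(packets, cir_bps, bc_bytes, queue_limit=64):
    """Shaper: excess packets wait in a FIFO until tokens accrue and are dropped only
    when the queue is full (queue limit 64 packets, as in the page's show output).
    Returns (sent, dropped, max_delay_seconds)."""
    rate = cir_bps / 8.0
    tokens, last, prev_dep, dropped, max_delay = float(bc_bytes), 0.0, 0.0, 0, 0.0
    departures = []                             # departure time of every packet sent
    for p in packets:
        if p.size > bc_bytes:
            raise ValueError("packet larger than the burst size can never be sent")
        if sum(1 for d in departures if d > p.t) >= queue_limit:
            dropped += 1                        # queue full: no-buffer drop
            continue
        dep = max(p.t, prev_dep)                # FIFO: never overtake the previous packet
        tokens = min(bc_bytes, tokens + (dep - last) * rate)
        if tokens < p.size:                     # wait until the bucket has refilled enough
            dep += (p.size - tokens) / rate
            tokens = float(p.size)
        tokens -= p.size
        last = prev_dep = dep
        departures.append(dep)
        max_delay = max(max_delay, dep - p.t)
    return len(departures), dropped, max_delay

def burst(n, size=1500, t=0.0):
    """Constructed input: n packets of `size` bytes all arriving at time t."""
    return [Packet(t, size) for _ in range(n)]
```

The same 40-packet burst is half dropped by the policer but fully delivered by the shaper at the cost of up to 176 ms of queueing delay, which is exactly the trade-off the two sections describe.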

Tuesday 24 June 2014

Bandwidth Limiting using Cisco ASA

Configuration example for limiting bandwidth on a Cisco ASA.

Devices used
1. Cisco ASA 5510 Version 8.2(5)
2. Cisco 3560 switch
3. Laptop

Connection

The Internet leased line (16 Mbps) is connected to port E0/1 of the ASA, and E0/0 is connected to port 24 of the switch.

The total bandwidth is divided between two departments:

1. Sales - 10Mbps (172.17.46.0/24)
2. HR - 6Mbps (172.17.47.0/24)

ASA Configuration
-------------------------

interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 172.17.1.1 255.255.255.0
!
interface Ethernet0/1
 shutdown
 nameif outside
 security-level 0
 ip address 8.1.5.8 255.255.255.248
!

access-list vlan46 extended permit ip 172.17.46.0 255.255.255.0 any
access-list vlan46 extended permit ip any 172.17.46.0 255.255.255.0
access-list vlan47 extended permit ip 172.17.47.0 255.255.255.0 any
access-list vlan47 extended permit ip any 172.17.47.0 255.255.255.0


global (outside) 1 interface
nat (inside) 1 172.17.1.0 255.255.255.0
nat (inside) 1 172.17.46.0 255.255.255.0
nat (inside) 1 172.17.47.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 78.100.54.185 1
route inside 172.17.46.0 255.255.255.0 172.17.1.1 1
route inside 172.17.47.0 255.255.255.0 172.17.1.1 1


class-map hr
 match access-list vlan47
class-map sales
 match access-list vlan46


policy-map bw
 class hr
  police output 6000000
  police input 6000000
 class sales
  police output 10000000
  police input 10000000
!
service-policy bw interface inside


3560 Switch
------------------



vlan 46
 name Sales
!
vlan 47
 name HR


interface GigabitEthernet0/1
 switchport access vlan 46
 switchport mode access
!
interface GigabitEthernet0/2
 switchport access vlan 47
 switchport mode access


interface GigabitEthernet0/24
 description connected to CiscoASA5510
!


interface Vlan1
 ip address 172.17.1.2 255.255.255.0
!
interface Vlan46
 ip address 172.17.46.1 255.255.255.0
!
interface Vlan47
 ip address 172.17.47.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 172.17.1.1
!



Testing

ASA

#show service-policy police

You can connect a laptop to ports 1 and 2 of the switch for testing. All the other ports are in VLAN 1, so on them you get the full speed.

I am testing by connecting the laptop and trying to access the speedtest.net site; then we can see the difference.
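Both the policing section's sample output and the `show service-policy police` check in this testing step give you per-class conformed/exceeded counters. Here is an added Python parser for that output format (not from the original posts), which flags policers whose exceeded bytes are a meaningful share of the traffic seen. The sample output is constructed in the page's format, with made-up counters; the bc values are the ASA defaults of cir/32 that the page's output shows.

```python
import re

# Constructed sample in the format of the page's `show service-policy police`
# output; the interface, policy and class names come from the post, the counters do not.
SAMPLE = """\
Interface inside:
  Service-policy: bw
    Class-map: hr
      Input police Interface inside:
        cir 6000000 bps, bc 187500 bytes
        conformed 12000 packets, 9000000 bytes; actions:  transmit
        exceeded 4000 packets, 3000000 bytes; actions:  drop
        conformed 5900000 bps, exceed 2100000 bps
    Class-map: sales
      Input police Interface inside:
        cir 10000000 bps, bc 312500 bytes
        conformed 100 packets, 80000 bytes; actions:  transmit
        exceeded 0 packets, 0 bytes; actions:  drop
"""

HDR = re.compile(r"^\s*(Interface|Service-policy|Class-map):?\s+(\S+?):?$")
POL = re.compile(r"^\s*(Input|Output) police")
CIR = re.compile(r"cir (\d+) bps, bc (\d+) bytes")
CNT = re.compile(r"^\s*(conformed|exceeded) (\d+) packets, (\d+) bytes")

def parse_police(text):
    """Return one dict per policer: interface, policy, class, direction, rate and counters."""
    ctx, records, cur = {}, [], None
    for line in text.splitlines():
        if m := HDR.match(line):                  # context headers: interface, policy, class
            ctx[m.group(1)] = m.group(2)
        elif m := POL.match(line):                # start of one policer's counter block
            cur = {"interface": ctx.get("Interface"), "policy": ctx.get("Service-policy"), "class": ctx.get("Class-map"), "direction": m.group(1).lower()}
            records.append(cur)
        elif cur is not None and (m := CIR.search(line)):
            cur["cir_bps"], cur["bc_bytes"] = int(m.group(1)), int(m.group(2))
        elif cur is not None and (m := CNT.match(line)):   # the trailing "... bps" line has no "packets" and is skipped
            cur[m.group(1) + "_packets"] = int(m.group(2))
            cur[m.group(1) + "_bytes"] = int(m.group(3))
    return records

def dropping_policers(records, min_drop_ratio=0.05):
    """Policers whose exceeded bytes are at least min_drop_ratio of all bytes seen."""
    hits = []
    for r in records:
        total = r.get("conformed_bytes", 0) + r.get("exceeded_bytes", 0)
        ratio = r.get("exceeded_bytes", 0) / total if total else 0.0
        if ratio >= min_drop_ratio:
            hits.append((r["class"], r["direction"], round(ratio, 3)))
    return hits
```

Run it periodically against the command output and a class that keeps showing up tells you which department is saturating its policer, which is the observation the speedtest check makes by hand.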

Saturday 21 June 2014

Bandwidth Sharing in Cisco Routers

The following example polices the inside interface to 30 Mbps. It also uses a fair-queue mechanism so that all subnets are queued equally, yet any one of them can use the entire purchased rate in the absence of competing traffic.

access-list 101 permit ip any a.a.a.a w.w.w.w   ## Subnet A
access-list 102 permit ip any b.b.b.b w.w.w.w   ## Subnet B
access-list 103 permit ip any c.c.c.c w.w.w.w   ## Subnet C

class-map subnet-a
 match access-group 101
class-map subnet-b
 match access-group 102
class-map subnet-c
 match access-group 103

policy-map subnets
 class subnet-a
  bandwidth percent 33
 class subnet-b
  bandwidth percent 33
 class subnet-c
  bandwidth percent 33
exit

policy-map physical
 class class-default
  police 30000000 conform-action transmit exceed-action drop
  service-policy subnets
exit

int fa0/1
 service-policy output physical
exit