ASA 5510 MQC: rate-limiting each IP individually, a whole network segment, and a set of IPs

Source: Internet
Author: User


First, limit the rate of each IP individually. The configuration is as follows:

access-list rate_limit_1 extended permit ip any host 192.168.1.2    //(limit 192.168.1.2 download)
access-list rate_limit_1 extended permit ip host 192.168.1.2 any    //(limit 192.168.1.2 upload)
access-list rate_limit_2 extended permit ip any host 192.168.1.3    //(limit 192.168.1.3 download)
access-list rate_limit_2 extended permit ip host 192.168.1.3 any    //(limit 192.168.1.3 upload)


class-map rate_limit_1
 match access-list rate_limit_1

class-map rate_limit_2
 match access-list rate_limit_2


policy-map rate_limit
 class rate_limit_1
  police input 819000 4368000        //(limit 192.168.1.2 upload speed to about 99 KB/s)
  police output 819000 4368000       //(limit 192.168.1.2 download speed to about 99 KB/s)
 class rate_limit_2
  police input 819000 4368000        //(limit 192.168.1.3 upload speed to about 99 KB/s)
  police output 819000 4368000       //(limit 192.168.1.3 download speed to about 99 KB/s)

service-policy rate_limit interface inside    //(applied to the intranet interface)
Note: because the limit is applied per IP, each IP gets its own ACL with two entries, one matching its uploads and one matching its downloads. If every IP were written into a single ACL, the 99 KB/s limit would be shared by all of those IPs together, so be sure to use a separate ACL (and class) for each IP.
In `police input 819000 4368000`, the first value (819000) is the conform rate in bits per second and the second (4368000) is the burst size in bytes. For outbound traffic the burst can be sized with the rule of thumb maximum rate / 8 * 1.5; other values also work.
For example: `police output 40000000 5625000` limits outbound traffic to below 40 Mbit/s with a burst of 45 Mbit (5625000 bytes). Watch the units.

Note 1: this method of limiting traffic cannot be applied on the outside interface for specific addresses, because PAT is performed on the outside interface and the addresses seen after NAT translation no longer match the original source and destination, so the ACL finds no match. I tried an `any` to `any` ACL on outside and that does limit traffic; an ACL that specifies particular source or destination addresses will not take effect there.
Note 2: about the rate unit.
The unit used by `police` is bps, that is, bits per second, which is a rate unit; to convert it to a storage unit (bytes) divide by 8.

Second, limit the total uplink and downlink rate of a network segment.
To limit the 172.16.18.0/24 network segment as a whole, for example:

!
access-list pol extended permit ip any 172.16.18.0 255.255.255.0
access-list pol extended permit ip 172.16.18.0 255.255.255.0 any
!
class-map pol
 match access-list pol
!
policy-map pol
 class pol
  police input 3276500 600000
  police output 26214000 5000000
!
service-policy pol interface inside
!
Third, the method using an object-group.
Whether this ends up limiting the total upstream/downstream rate of a set of IPs, or limiting the uplink/downlink rate of each IP separately, has not actually been tested. This way of writing it looks convenient, so it is kept here for now.
Rather than editing the ACL each time, it is better to create an object-group and reference that object-group in the ACL; later, to rate-limit another IP, simply add it to the object-group.

object-group network rate_limit
 network-object host *.*.*.*
access-list rate_limit extended permit ip object-group rate_limit any
access-list rate_limit extended permit ip any object-group rate_limit

class-map map1
 match access-list rate_limit
policy-map map2
 class map1
  police output 200000 43750
  police input 800000 250000
service-policy map2 interface outside
Q: In
object-group network rate_limit
 network-object host *.*.*.*
if the host entry is replaced with range x.x.x.2 x.x.x.90, does each IP get a separate speed limit?
Adding them one at a time is still too much work.
A:
I have not tried it, but it should work; using an object-group is really just a way of writing several ACL entries, as long as the IP can be matched.

Running `show access-list` shows the ACL entries that are actually in effect. In practice, using an object-group greatly simplifies the configuration workload.
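The three methods above differ mainly in how many policers they create: one per host for the first method, one shared policer for the segment and object-group methods. The following generator is an added example written for this page, not the article's own configuration or a Cisco tool. It produces the access-list, class-map, policy-map and service-policy lines for each method from a host list or a subnet, converts a KB/s budget into the bits-per-second value that `police` expects, sizes the burst with the article's rate / 8 * 1.5 rule, and counts the resulting policers so the per-host versus shared distinction raised in the note and in the question above is visible. Host addresses and ACL names are the article's; the function names, the constructed inputs in `__main__`, and the `police` value ranges used for the sanity check are assumptions of this example (check the command reference for your release).

```python
"""Generate Cisco ASA MQC rate-limit configuration from a host list or a subnet.

Added example (not from the article): the three generators mirror the article's
three methods. Host addresses, ACL names and the rate/8*1.5 burst rule come
from the article; the police value ranges below and all function names are
assumptions of this example.
"""
from ipaddress import IPv4Address, IPv4Network

# Assumed limits of the ASA `police` command: conform rate in bits per second,
# burst size in bytes. Confirm against the command reference for your release.
CONFORM_MIN_BPS, CONFORM_MAX_BPS = 8_000, 2_000_000_000
BURST_MIN_BYTES, BURST_MAX_BYTES = 1_000, 512_000_000


def kbytes_per_sec_to_bps(kbytes: float) -> int:
    """`police` takes bits per second; people think in KB/s, so multiply by 1024*8.
    99 KB/s -> 811008 bps, close to the article's 819000."""
    return int(kbytes * 1024 * 8)


def burst_bytes(conform_bps: int, factor: float = 1.5) -> int:
    """Burst size in bytes using the article's rule of thumb: rate / 8 * 1.5."""
    return int(conform_bps / 8 * factor)


def police_line(direction: str, conform_bps: int, burst: int) -> str:
    """Render one `police input|output <bps> <bytes>` line after a range check, so a
    value typed in bytes or KB by mistake is rejected before it is pasted into the box."""
    if direction not in ("input", "output"):
        raise ValueError(f"direction must be input or output, got {direction!r}")
    if not CONFORM_MIN_BPS <= conform_bps <= CONFORM_MAX_BPS:
        raise ValueError(f"conform rate {conform_bps} bps is outside the police range")
    if not BURST_MIN_BYTES <= burst <= BURST_MAX_BYTES:
        raise ValueError(f"burst {burst} bytes is outside the police range")
    return f"  police {direction} {conform_bps} {burst}"


def _police_pair(up_bps: int, down_bps: int) -> list:
    # On the inside interface, input = traffic arriving from inside hosts (upload),
    # output = traffic leaving toward inside hosts (download).
    return [police_line("input", up_bps, burst_bytes(up_bps)),
            police_line("output", down_bps, burst_bytes(down_bps))]


def per_host_policy(hosts, up_bps, down_bps, interface="inside", name="rate_limit"):
    """Method 1: one ACL and one class per host, so every host gets its own policer."""
    acl, classes, policy = [], [], [f"policy-map {name}"]
    for i, h in enumerate(hosts, 1):
        ip = IPv4Address(h)  # validate early; a mistyped address would silently match nothing
        cname = f"{name}_{i}"
        acl.append(f"access-list {cname} extended permit ip any host {ip}")  # download
        acl.append(f"access-list {cname} extended permit ip host {ip} any")  # upload
        classes += [f"class-map {cname}", f" match access-list {cname}"]
        policy += [f" class {cname}"] + _police_pair(up_bps, down_bps)
    return "\n".join(acl + classes + policy + [f"service-policy {name} interface {interface}"])


def aggregate_policy(network, up_bps, down_bps, interface="inside", name="pol"):
    """Method 2: one ACL for a whole segment; the policer applies to the sum of all hosts."""
    net = IPv4Network(network)
    addr, mask = net.network_address, net.netmask
    return "\n".join([
        f"access-list {name} extended permit ip any {addr} {mask}",
        f"access-list {name} extended permit ip {addr} {mask} any",
        f"class-map {name}", f" match access-list {name}",
        f"policy-map {name}", f" class {name}", *_police_pair(up_bps, down_bps),
        f"service-policy {name} interface {interface}",
    ])


def object_group_policy(hosts, up_bps, down_bps, interface="inside", name="rate_limit"):
    """Method 3: hosts kept in an object-group referenced by one ACL. Easy to maintain,
    but it is still a single class with a single policer, so the budget is shared by
    every host in the group (the same situation the article's note describes for a
    single ACL holding every IP), not applied per host."""
    group = [f"object-group network {name}"] + \
            [f" network-object host {IPv4Address(h)}" for h in hosts]
    return "\n".join(group + [
        f"access-list {name} extended permit ip object-group {name} any",
        f"access-list {name} extended permit ip any object-group {name}",
        f"class-map {name}", f" match access-list {name}",
        f"policy-map {name}", f" class {name}", *_police_pair(up_bps, down_bps),
        f"service-policy {name} interface {interface}",
    ])


def policer_count(config: str) -> int:
    """Number of policers in a generated config: per-host gives 2 per host, the other
    methods give 2 in total, which is how to tell a shared limit from a per-host one."""
    return sum(1 for line in config.splitlines() if line.strip().startswith("police "))


if __name__ == "__main__":
    rate = kbytes_per_sec_to_bps(99)                      # constructed input
    print(per_host_policy(["192.168.1.2", "192.168.1.3"], rate, rate))
    print(aggregate_policy("172.16.18.0/24", 3276500, 26214000))
    print(object_group_policy(["192.168.1.2", "192.168.1.3"], 800000, 200000))
```

The generated text is meant to be reviewed and pasted into configuration mode; if a per-IP limit is what is wanted, `policer_count` of the object-group output makes it obvious that the convenience comes at the cost of a shared budget.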
