At work we have free wifi for our customers as a nicety and so they can download our smartphone app if needed. Initially I set it up with no bandwidth limits with the idea of keeping an eye on it and locking it down if there was abuse. Over the past few weeks my MRTG graphs showed several spikes where the free wifi hit 10mbps. That is a big chunk of our internet connection so I decided it was time to limit the bandwidth. Since I'm not a Cisco expert it took some Googling to find the best way to do this. I found a couple of resources that helped me put together what I needed. The free wifi network is on a separate VLAN with its own IP subnet.
Here is the interface definition for the VLAN:
interface Vlan92
 nameif freewifi
 security-level 50
 ip address 192.168.92.1 255.255.255.0
Here is the syntax I used to limit the freewifi VLAN to 2mbps. The limit is applied to the subnet used by the freewifi VLAN.
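! Match traffic from and to the freewifi subnet
access-list ip-qos extended permit ip 192.168.92.0 255.255.255.0 any
access-list ip-qos extended permit ip any 192.168.92.0 255.255.255.0
class-map qos
 description qos policy
 match access-list ip-qos
! Police both directions: first value is the rate in bps, second is the burst in bytes
policy-map qos
 class qos
  police output 2000000 2000000
  police input 2000000 2000000
! Attach the policy to the freewifi interface
service-policy qos interface freewifi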
Testing
My initial thought for testing the bandwidth limits was to connect to the freewifi VLAN and simply use one of the internet speed testing web sites. The speed test web sites worked fine for download speeds but the upload tests kept reporting that they were getting the full bandwidth of the connection. It seemed like the upload limit wasn't being enforced. I tried all of the popular speed testing sites and got the same result. Downloads were limited to 2mbps and uploads were running at the full speed of the connection. Hmmm...
I reviewed my settings on the ASA and everything seemed like it was correct. I decided to do a different type of test to see if I would get a different result. I created a 10MB file and then tested uploading and downloading it to and from a server out on the internet using scp. This test gave me the results I was expecting. Both upload and download of this test file took about 35 seconds which is in line for a 2mbps connection. I then tested transferring the same file on the inside VLAN which has no bandwidth limits and the scp transfer time was 4 seconds. I'm not sure what was going on with the speed test sites but the upload speeds were not reporting accurately for me.
Monitoring status
You can watch the bandwidth limits in action using the 'show service-policy police' command. If the limit is exceeded the output will show the number of packets and bytes that have exceeded the bandwidth limit.
This is the command output before sending any traffic:
asa5505# show service-policy police
Interface freewifi:
  Service-policy: qos
    Class-map: qos
      Output police Interface freewifi:
        cir 2000000 bps, bc 2000000 bytes
        conformed 1306 packets, 907993 bytes; actions: transmit
        exceeded 0 packets, 0 bytes; actions: drop
        conformed 0 bps, exceed 0 bps
      Input police Interface freewifi:
        cir 2000000 bps, bc 2000000 bytes
        conformed 1072 packets, 192021 bytes; actions: transmit
        exceeded 0 packets, 0 bytes; actions: drop
        conformed 0 bps, exceed 0 bps
This is the output after transmitting several test files:
asa5505# show service-policy police
Interface freewifi:
  Service-policy: qos
    Class-map: qos
      Output police Interface freewifi:
        cir 2000000 bps, bc 2000000 bytes
        conformed 149813 packets, 127878453 bytes; actions: transmit
        exceeded 10273 packets, 14716462 bytes; actions: drop
        conformed 3384 bps, exceed 360 bps
      Input police Interface freewifi:
        cir 2000000 bps, bc 2000000 bytes
        conformed 157493 packets, 123699017 bytes; actions: transmit
        exceeded 15083 packets, 21214456 bytes; actions: drop
        conformed 4928 bps, exceed 760 bps
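Added example (not part of the original post): a Python parser for the 'show service-policy police' output above that reports what share of bytes the policer dropped in each direction and subtracts two snapshots to isolate one interval. It assumes the counters are cumulative between snapshots; the function names are illustrative.

```python
import re
# Sample input: the "after" output shown on this page.
SAMPLE = """\
Interface freewifi:
Service-policy: qos
Class-map: qos
Output police Interface freewifi:
cir 2000000 bps, bc 2000000 bytes
conformed 149813 packets, 127878453 bytes; actions: transmit
exceeded 10273 packets, 14716462 bytes; actions: drop
conformed 3384 bps, exceed 360 bps
Input police Interface freewifi:
cir 2000000 bps, bc 2000000 bytes
conformed 157493 packets, 123699017 bytes; actions: transmit
exceeded 15083 packets, 21214456 bytes; actions: drop
conformed 4928 bps, exceed 760 bps
"""

SECTION = re.compile(r"^\s*(Input|Output) police Interface (\S+?):\s*$")
COUNTER = re.compile(r"^\s*(conformed|exceeded) (\d+) packets, (\d+) bytes")

def parse_police(text):
    """Return {(interface, direction): {"conformed_bytes": n, ...}}."""
    stats, key = {}, None
    for line in text.splitlines():
        m = SECTION.match(line)
        if m:
            key = (m.group(2), m.group(1).lower())
            stats[key] = {}
            continue
        m = COUNTER.match(line)  # the "... bps" rate lines do not match
        if m and key:
            stats[key][m.group(1) + "_packets"] = int(m.group(2))
            stats[key][m.group(1) + "_bytes"] = int(m.group(3))
    return stats

def drop_ratio(counters):
    """Fraction of offered bytes the policer dropped (0.0 if no traffic)."""
    total = counters["conformed_bytes"] + counters["exceeded_bytes"]
    return counters["exceeded_bytes"] / total if total else 0.0

def delta(before, after):
    """Assumes cumulative counters: subtract snapshots to get one interval."""
    return {k: {f: after[k][f] - before.get(k, {}).get(f, 0) for f in after[k]}
            for k in after}

if __name__ == "__main__":
    for (iface, direction), c in parse_police(SAMPLE).items():
        print(f"{iface} {direction}: {drop_ratio(c):.1%} of bytes dropped")
```

Run on a schedule, a sustained high drop ratio on the freewifi interface is a simple signal that someone on the guest network is pushing against the limit.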
Resources