Model of ASA for response rate limit

Hi, I'm new, just registered.
I need to know what kind of Cisco ASA I should buy for my company. I need to use response rate limiting to limit DNS requests on my DNS server.
If you can help me, I'll be very grateful.

Recent versions of ISC BIND can rate-limit their responses themselves; Cisco ASA software can police packet flow rates but it's not their primary function.  If the only thing you want is rate-limiting, I wouldn't bother with the ASA.   If you need actual firewall, NAT, or IPS functionality, the ASA becomes useful.
To size an ASA, you'd need to know what kind of traffic rates you need to support, and what kind of inspections you plan to do.  Cisco has some published packet and throughput data at e.g.  
   http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/qa_c67-700608.html
In my own experience, simple firewall configurations and test traffic will at least meet and often exceed Cisco's guidance.
Personally, I'm using ASA 5525-x devices to support ~350 users on gigabit fiber uplinks averaging about 6kps, mixed sizes with good results.  With the older 5520's I was dropping packets during peak traffic surges to full line rates.
-- Jim Leinweber, WI State Lab of Hygiene

Similar Messages

  • SGE2000 QoS: Ingress Rate Limit BUG ?

    I bought a new SGE2000 unit. First I changed the firmware to the newest one (3.0.0.18), so I do not know what firmware was installed before.
    The problem is that it is not possible to change Ingress Rate Limit to a value lower than 3500...
    Hardware Version: 00.00.01
    Software Version: 3.0.0.18
    Boot Version: 2.0.0.03
    Manual says:
    Ingress Rate Limit — Defines the amount of bandwidth assigned to the interface.
    For FE ports, the rate is 62 - 100,000 Kbps.
    For GE ports, the rate is 62 - 1,000,000 Kbps
    ====
    The default value for the Ingress Rate Limit field is 3500; when I change it to e.g. 512, the combobox opens with this warning:
    "Entered value in highlighted field must be an Integer. Range 3500...1000000"
    The "Committed Information Rate (CIR)" field allows a value down to 64, so it is OK.
    Should I downgrade firmware to v3.0.0.17 ?
    Any help appreciated.

    My apologies for the lack of reply here.  I checked with the PM for the product and they asked me if there is a case open with the Small Business Support Center (SBSC) on this issue.  Have you had a case open on this yet?  If not, can I ask you to log a case and then respond back to this posting with the case number please?  It seems this is a bug, so the product team will need to process the fix for this via the standard problem identification/case reporting process.
    Thanks in advance!

  • Rate-limit for some MAC on aironet 1231

    Hello!
    I need to set a rate-limit for some MAC addresses on an Aironet 1231 access point. Is it possible?
    If not, what IOS or devices can do it?
    Thanks.

    No, there is no option for rate-limit in Aironet, but in the controller, rate-limiting is applicable to all traffic destined to the CPU from either direction (wireless or wired). Cisco recommends that you always run the controller with the default config advanced rate enable command in effect in order to rate-limit traffic to the controller and protect against denial-of-service (DoS) attacks. You can use the config advanced rate disable command to stop rate-limiting of Internet Control Message Protocol (ICMP) echo responses for testing purposes.

  • ASA rate limit certain websites

    Hello,
    Is there a way with the ASA to rate limit certain websites?  Match using regex but rate limit only those matches?
    For example if I wanted to rate limit youtube, could I match youtube in a regex statement and then inspect http and only rate limit youtube and not the rest of the http traffic?
    When I set the rate limit it always seems to rate-limit whatever I am inspecting, e.g. HTTP in general.
    Or should I look at doing this on my router instead?
    Thanks,
    Dan.

    Dan,
    OK - I forwarded that particular example as the way I look at it, it tells me:-
    1) How to configure RegEx
    2) How to configure a specific URL to perform an action (it just happens in this example it's a block action)
    3) Assign it to a class map
    Once you have it in a class map, you are almost there - in theory (I have not tried this) but since you will have a class map, you should be able to assign it to a QoS policy map, rate limiting the amount of traffic?
    See the below example of a QoS Rate Limit
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008084de0c.shtml
    Andrew.

  • Service-Policy Or Bandwidth Rate Limit for IP

    Hi Netpros,
    Is it possible to configure the Service Policy (for Bandwidth) or Bandwidth Rate Limit for a single IP? For example: if we want to configure the Service Policy (for Bandwidth) or Bandwidth Rate Limit of 2Mb for only IP "10.10.10.3" on the network, i.e. the host or device which is configured with this IP can access up to 2Mb only.
    Actual network: We need to configure this for wireless customers. We have created one VLAN 2 (IP: 10.10.10.1/29 at our end router), 10.10.10.2 on the basestation wireless device (VLAN 2 allowed on this wireless device), and this wireless device is working as point-to-multipoint wireless, i.e. 2 or more than 2 wireless customers or last mile will connect to this basestation wireless.  Wireless customer-1 is 10.10.10.3 (2Mb bandwidth) and wireless customer-2 is 10.10.10.4 (512Kb).
    Hence we need to limit the bandwidth for these 2 wireless customers having different bandwidths. How do we achieve and control bandwidth at our end router for them? Please suggest.
    Thanks

    This topic is probably better suited in another Infrastructure forum, but I suppose it depends on which features are supported by your Cisco hardware and software. This doc discusses a variety of options:
    http://www.cisco.com/en/US/docs/ios/12_2/qos/configuration/guide/qcfpolsh.html
    For example, with the older CAR (committed access rate) approach:
    interface FastEthernet5/0
         ! rates are in bits per second: 2 Mb for 10.10.10.3 (ACL 101), 512 Kb for 10.10.10.4 (ACL 102)
         rate-limit input access-group 101 2000000 [normal burst size] [excess burst size] conform-action transmit exceed-action drop
         rate-limit input access-group 102 512000 [normal burst size] [excess burst size] conform-action transmit exceed-action drop
    ! extended ACLs need a destination as well as a source
    access-list 101 permit ip 10.10.10.3 0.0.0.0 any
    access-list 102 permit ip 10.10.10.4 0.0.0.0 any
    You can observe CAR in action with "show interfaces fa5/0 rate-limit" for example.

  • Rate Limit for Envelope Senders for sender?

    I need to setup a temporary Rate Limit exception for delivery failures.  The rate limit error that I'm getting is:
    System is rate limiting Envelope Sender <> due to high volume of messages
    What entry can I put in the Address List exception list that will allow e-mails with null senders to be excluded?  $null?
    Jason

    Feature Request?

  • Bandwidth Management(Rate Limit) Using QoS Policies

    Hello,
    I need some advice. We have an ASA 5525 running version 8.6(1)2 and a 10 MG pipe. I have execs that want to limit bandwidth on users for stuff like youtube, streaming media, and downloads. I found the article on ‘Bandwidth Management(Rate Limit) Using QoS Policies’ so it appears our firewall can do what we want. I’m not a Cisco person. My knowledge is limited when it comes to configuration – that’s why we have SmartNet :). The advice I need is what to ask for, so to speak, when I put a case in. Can bandwidth be limited on end users and/or can they limit the ‘bandwidth rate limit’ to just youtube, streaming media, and downloads? If so, what should the limit be? And I assume this would be for ‘incoming’ traffic only? We’re running into some bandwidth hogs – usually youtube and/or streaming media. We have a Barracuda web filter which we’ve used to block and monitor activity but I simply do not have time to babysit this all day. I should also mention we do have critical data running up and down the pipe, such as credit card processing, DB replication between in house DB and hosted website, TPCx and EDI, FTP, and such that we don’t want restricted.
    Need input please,
    Thanks,
    D

    Hello,
    That's a question that you as the network admin of that organization could answer.
    How much traffic for business purposes must travel via HTTP/HTTPS?
    How much bandwidth are you willing to provide to these 2 protocols?
    Those are the kinds of questions you need to answer before setting the number.
    Regards
    Julio

  • Wireless rate limit

    Hi,
    My network infrastructure is as simple as the following:
    LAN(edge switches 3560).......>Aggregator switch(3750)........>Firewall(ASA 5510)........>Router.......>Internet
    I define 3 wireless VLANs with 3 SSIDs on the Aggregator switch(3750):
    1. one SSID for company employees.
    2. one SSID for wireless IP phones.
    3. one SSID for company guest which access only internet.
    And the wireless APs connected to the LAN(edge switches) direct with trunks.
    My question is how to apply a rate limit for SSID for company guest to access internet with B.W. of 128kbps only.
    I tried policy map to be applied on the aggregator switch(3750) on the VLAN interface, but, it is not working.
    So, any suggested help, please.

    Hi Ahmed:
    With autonomous APs, rate limiting isn't possible.  All the autonomous APs support is QoS and that's pretty iffy.  At the core of the issue, you're dealing with radio waves and which ones arrive at the radio first, and who was prevented from talking because someone else was talking.  Dealing with these QoS and traffic shaping/policing issues are really tough with wireless because the transmission medium itself is unreliable.
    The "Configuring QoS" chapter of the autonomous AP configuration guide
      http://tools.cisco.com/squish/5aCf1
    will show you how you can map priority tagging to an SSID so that in that path from radio receiver to outbound on the fastethernet interface toward the rest of the network, you can control which SSID's packets get up into the network first, but the reverse path is a different story.  Because the wireless medium is half-duplex acknowledged, you can have a high priority packet out there on the radio interface trying to be beamed out to the client, and if the client isn't sending their ACK or what have you, it's going to sit and retry until its 63 retries are done before it gets out of the way to let the next high priority packet have a turn at getting transmitted out.
    Once the traffic gets past the edge switch, the fact that it was at one time wireless is irrelevant.  You should look at it as a general "rate limiting one VLAN's traffic over another" and check with the routing protocols or traffic shaping folks.
    Sincerely,
    Rollin Kibbe
    Network Management Systems Team

  • 3750X rate-limit (QoS)

    Hello,
    I'm trying to configure a rate-limit in a 3750X but I'm not seeing any result... 
    These are my configurations:
    RF#show run 
    Building configuration...
    Current configuration : 23410 bytes
    ! Last configuration change at 08:53:35 UTC Sun Mar 14 1993
    version 15.0
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname RF
    boot-start-marker
    boot-end-marker
    no aaa new-model
    switch 1 provision ws-c3750x-48p
    system mtu routing 1500
    ip routing
    ip domain-name erf.carco.com.mx
    rep admin vlan 100
    mls qos
    spanning-tree mode pvst
    spanning-tree extend system-id
    vlan internal allocation policy ascending
    vlan 2
    vlan 4 
    vlan 6
    vlan 8
    vlan 10
    vlan 20
    vlan 21   
    vlan 22
    vlan 23
    vlan 25 
    vlan 26
    vlan 30
    vlan 50
    vlan 53
    vlan 70
    vlan 81
    vlan 91
    vlan 92
    vlan 93
    vlan 95
    vlan 96
    vlan 99
    vlan 100
    vlan 102
    vlan 110
    vlan 122
    vlan 129
    vlan 200
    vlan 213
    vlan 227
    vlan 333
    vlan 357
    vlan 417
    vlan 444
    vlan 500
    vlan 502
    vlan 555
    vlan 700
    vlan 712
    vlan 910
    vlan 911
    vlan 951
    vlan 1105
    vlan 1508
    vlan 1830
    vlan 1870
    vlan 1890
    vlan 1891
    vlan 1892
    class-map match-any test
      match access-group 100
    policy-map test
     class test
      police 150000000 512000 exceed-action drop
    interface Loopback0
     ip address 10.20.40.106 255.255.255.0
    interface Port-channel22
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 100
     switchport mode trunk
     bandwidth 10000000
     rep segment 10
    interface Port-channel24
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 100
     switchport mode trunk
     bandwidth 10000000
     rep segment 10
    interface FastEthernet0
     no ip address
     no ip route-cache
     shutdown
    interface GigabitEthernet1/0/1
    interface GigabitEthernet1/0/2
    interface GigabitEthernet1/0/3
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 100
     switchport trunk allowed vlan 2,10,50,53,60,70,91-93,95,96,99,100,110,213,227
     switchport trunk allowed vlan add 500,700,910,911,951,1830,1870,1890-1892
     switchport mode trunk
     no logging event link-status
     shutdown
     speed 1000
     duplex full
    interface GigabitEthernet1/0/4
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 100
     switchport trunk allowed vlan 2,8,10,20,50,53,70,91-93,95,96,99,100,110,213
     switchport trunk allowed vlan add 227,500,700,910,911,951,1830,1870,1890-1892
     switchport mode trunk
     shutdown
     speed 1000
     duplex full
    interface GigabitEthernet1/0/5
    interface GigabitEthernet1/0/6
    interface GigabitEthernet1/0/7
    interface GigabitEthernet1/0/8
    interface GigabitEthernet1/0/9
    interface GigabitEthernet1/0/10
     switchport access vlan 91
     switchport mode access
     logging event link-status
    interface GigabitEthernet1/0/11
    interface GigabitEthernet1/0/12
    interface GigabitEthernet1/0/13
    interface GigabitEthernet1/0/14
    interface GigabitEthernet1/0/15
     switchport access vlan 91
     switchport mode access
     logging event link-status
    interface GigabitEthernet1/0/16
    interface GigabitEthernet1/0/17
    interface GigabitEthernet1/0/18
    interface GigabitEthernet1/0/19
    interface GigabitEthernet1/0/20
     switchport access vlan 91
     switchport mode access
     logging event link-status
    interface GigabitEthernet1/0/21
    interface GigabitEthernet1/0/22
    interface GigabitEthernet1/0/23
    interface GigabitEthernet1/0/24
    interface GigabitEthernet1/0/25
     switchport access vlan 910
     switchport mode access
    interface GigabitEthernet1/0/26
    interface GigabitEthernet1/0/27
    interface GigabitEthernet1/0/28
    interface GigabitEthernet1/0/29
    interface GigabitEthernet1/0/30
    interface GigabitEthernet1/0/31
    interface GigabitEthernet1/0/32
    interface GigabitEthernet1/0/33
    interface GigabitEthernet1/0/34
    interface GigabitEthernet1/0/35
    interface GigabitEthernet1/0/36
    interface GigabitEthernet1/0/37
     no switchport
     bandwidth 150000
     ip address 10.20.103.13 255.255.255.252
     rate-limit output access-group 100 24000000 3000000 3000000 conform-action transmit exceed-action drop
     logging event link-status
    interface GigabitEthernet1/0/38
    interface GigabitEthernet1/0/39
    interface GigabitEthernet1/0/40
    interface GigabitEthernet1/0/41
    interface GigabitEthernet1/0/42
    interface GigabitEthernet1/0/43
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 100
     switchport mode trunk
     bandwidth 10000000
     channel-group 24 mode on
    interface GigabitEthernet1/0/44
    interface GigabitEthernet1/0/45
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 100
     switchport trunk allowed vlan 2,10,50,53,60,70,91-93,95,96,99,100,110,213,227
     switchport trunk allowed vlan add 500,700,910,911,951,1830,1870,1890-1892
     switchport mode trunk
     shutdown
    interface GigabitEthernet1/0/46
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 100
     switchport trunk allowed vlan 2,10,50,53,60,70,91-93,95,96,99,100,110,213,227
     switchport trunk allowed vlan add 500,700,910,911,951,1830,1870,1890-1892
     switchport mode trunk
     shutdown
    interface GigabitEthernet1/0/47
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 100
     switchport mode trunk
     bandwidth 10000000
     channel-group 22 mode on
    interface GigabitEthernet1/0/48
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 6
     switchport trunk allowed vlan 2,7,10,20,50,53,70,91-93,95,96,99,100,110,213
     switchport trunk allowed vlan add 227,700,910,911,951,1830,1870,1890-1892
     switchport mode trunk
     logging event link-status
     shutdown
    interface GigabitEthernet1/1/1
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 100
     switchport trunk allowed vlan 2,8,10,20,50,53,60,70,91-93,95,96,99,110,213,227
     switchport trunk allowed vlan add 500,700,910,911,951,1830,1870,1890-1892
     switchport mode trunk
     shutdown
    interface GigabitEthernet1/1/2
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 100
     switchport trunk allowed vlan 2,8,10,20,50,53,60,70,91-93,95,96,99,110,213,227
     switchport trunk allowed vlan add 500,700,910,911,951,1830,1870,1890-1892
     switchport mode trunk
     shutdown
    interface GigabitEthernet1/1/3
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 6
     switchport trunk allowed vlan 2,6,8,10,20,50,53,70,91-93,95,96,99,100,110,213
     switchport trunk allowed vlan add 227,700,910,911,951,1830,1870,1890-1892
     logging event link-status
     shutdown
    interface GigabitEthernet1/1/4
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 6
     switchport trunk allowed vlan 2,6,8,10,20,50,53,70,91-93,95,96,99,100,110,213
     switchport trunk allowed vlan add 227,700,910,911,951,1830,1870,1890-1892
     switchport mode trunk
     logging event link-status
     shutdown
    interface TenGigabitEthernet1/1/1
    interface TenGigabitEthernet1/1/2
    interface Vlan1
     no ip address
     shutdown
    interface Vlan6
     description ***LANERF**
     ip address 10.20.6.106 255.255.255.0
     no ip redirects
    interface Vlan23
     description < TRANSITO MUR >
     no ip address
     no ip redirects
    interface Vlan100
     description < VLAN MAN >
     ip address 10.20.100.106 255.255.255.0
     no ip redirects
     ip ospf authentication message-digest
     ip ospf message-digest-key 1 md5 7 032368342B2F0F
     ip ospf dead-interval minimal hello-multiplier 4
    router ospf 1
     router-id 10.20.40.106
     auto-cost reference-bandwidth 100000
     area 0.0.0.0 authentication message-digest
     area 1.80.1.1 authentication message-digest
     redistribute connected subnets
     redistribute static subnets
     passive-interface default
     no passive-interface Vlan23
     no passive-interface Vlan100
     no passive-interface GigabitEthernet1/0/37
     network 10.20.6.0 0.0.0.0 area 0.0.0.0
     network 10.20.40.106 0.0.0.0 area 0.0.0.0
     network 10.20.91.6 0.0.0.0 area 0.0.0.0
     network 10.20.100.106 0.0.0.0 area 0.0.0.0
     default-information originate
    ip http server
    ip http secure-server
    access-list 100 permit ip 10.50.80.0 0.0.0.255 10.80.80.0 0.0.0.255
    access-list 100 permit ip 10.80.80.0 0.0.0.255 10.50.80.0 0.0.0.255
    snmp-server community ASComRO RO
    line con 0
    line vty 0 4
     login
    line vty 5 15
     login
    event manager applet track_qos_down authorization bypass
     event syslog pattern "TRACKING-5-STATE: 15 ip sla 15 reachability Up->Down"
     action 1 cli command "enable"
     action 2 cli command "configure terminal"
     action 3 cli command "interface giga1/0/37"
     action 4 cli command "rate-limit output access-group 100 400000000 50000000 50000000 conform-action transmit exceed-action drop"
     action 5 cli command "end"
    event manager applet track_qos_up authorization bypass
     event syslog pattern "TRACKING-5-STATE: 15 ip sla 15 reachability Down->Up"
     action 1 cli command "enable"
     action 2 cli command "configure terminal"
     action 3 cli command "interface giga1/0/37"
     action 4 cli command "no rate-limit output access-group 100 400000000 50000000 50000000 conform-action transmit exceed-action drop"
     action 5 cli command "end"
    end
    ERF#     
    ERF#show mls qos 
    QoS is enabled 
    QoS ip packet dscp rewrite is enabled 
    ERF#show mls qos inter gigabitEthernet 1/0/37 
    GigabitEthernet1/0/37 
    trust state: not trusted 
    trust mode: not trusted 
    trust enabled flag: ena 
    COS override: dis 
    default COS: 0 
    DSCP Mutation Map: Default DSCP Mutation Map 
    Trust device: none 
    qos mode: port-based 
    When I apply the command I'm seeing a gauge using a 3rd party but I'm not seeing that the traffic will be truncated @ 50Mbps.
    Any thoughts??? 

    Hi
    The bandwidth command allocates the particular amount of bandwidth you mention or configure there.
    Basically you have the liberty to configure up to 75% of the available interface bandwidth to different classes.
    It is most widely used with the CBWFQ technique.
    So while configuring it, it is better to watch out for the exact bandwidth value keyed in on the interface to have your allocation work properly.
    Policing is basically used for limiting the traffic or to control the bursts by dropping them or marking them with different IP precedence or DSCP values.
    It is very similar to the rate-limit command applied at the interface level, which again uses a token bucket system, either single or dual, based on the configuration parameters.
    For more info on the above-mentioned CLIs, check these links:
    http://www.cisco.com/en/US/tech/tk543/tk545/tsd_technology_support_protocol_home.html
    http://www.cisco.com/en/US/tech/tk543/tk544/tsd_technology_support_protocol_home.html
    Regards

  • ICMP unreacheble, rate-limit

    Hi !
    I'm currently working on a network hardening project.
    Based on Cisco security best practice, I see it's recommended to rate-limit generation of ICMP unreachable messages to prevent DoS attacks (according to document: http://www.cisco.com/application/pdf/en/us/guest/netsol/ns171/c649/ccmigration_09186a0080825564.pdf page 74).
    On a Catalyst 6509 running IOS 12.2(17r)SX5, I see two possible ways to rate-limit ICMP messages if mls QoS is running.
    1- mls rate-limit unicast ip ICMP unreachable acl-drop 100 10 (enabled by default, according to document: http://www.cisco.com/application/pdf/en/us/guest/netsol/ns171/c649/ccmigration_09186a0080825564.pdf page 74)
    mls rate-limit unicast ip ICMP unreachable no-route 100 10
    2- ip ICMP rate-limit unreachable <millisecond> (500 ms is the default, which permits 2 packets per second; also enabled by default according to: http://www.cisco.com/warp/public/707/cisco-sn-20030125-worm.shtml, ACL for IOS section)
    Which one of those commands has precedence over the other?
    Which one is better than the other?
    With the mls rate-limit option, we can check the default parameters with the "show mls rate-limit" command. Does an equivalent exist for "ip ICMP rate-limit unreachable"?
    We also have Catalyst 3550 switches, on which we have to rate-limit generation of ICMP unreachable messages for the same reason as on the 6509. I understand the "ip ICMP rate-limit unreachable" command is my only option; under "mls" the only options I have are QoS or aclmerge. Under those parameters I have no way to rate-limit ICMP message generation.
    I have checked the running-configuration and did not find any reference to the ICMP rate-limit command. I hope this is active as explained in document http://www.cisco.com/warp/public/707/cisco-sn-20030125-worm.shtml, ACL for IOS section (Version 12.2(44)SE3), but I would like to know if any show command exists to confirm this.
    thanks a lot !

    Hello Marcus,
    On the ASA as you are already aware we only have the choice of modifying the ICMP unreachable rate,
    With the IOS the rate-limit for ICMP unreachable replies  will be rate limited to one every 500ms
    use:
    show ip icmp rate-limit
    Besides that I have not seen any other information that you could customize.
    Regards

  • Rate-limit

    Hi, I have someone who is worried about denial-of-service attacks. They have 11 vm's that share a connection and want to set it up so that there is a maximum amount of traffic allowed to hit each vm, so if there is a DDoS attack it will only affect that one VM instead of all the VM's on the same connection. What is the best way to go about this from the ASA? This is behind a 5515 with asa code version 8.6. Is there a way to rate-limit by ip address?  Thanks!

    The feature is called traffic policing. Basically, what you should do is this:
    1. Define traffic to each server by using corresponding ACLs
    2. Define class map for each server
    3. Define policy map or use global policy to apply policing.
    Example:
    server 1 has ip 10.0.0.1 and provides http access from the outside
    server 2 has ip 10.0.0.2 and provides https access from the outside
    1.
    access-list SERVER_1_TRAFFIC permit tcp any host 10.0.0.1 eq 80
    access-list SERVER_2_TRAFFIC permit tcp any host 10.0.0.2 eq 443
    2.
    class-map SERVER1
      match access-list SERVER_1_TRAFFIC
    class-map SERVER2
      match access-list SERVER_2_TRAFFIC
    3.
    policy-map global_policy
      class SERVER1
        ! police input <conform-rate in bits per second> <conform-burst in bytes>
        police input 100000 10000
        police output .....
      class SERVER2
        police input 200000 10000
        police output .....
    Here's the guide:
    http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/conns_qos.html#wp1065257
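
An added example (not part of the original posts and not Cisco code): a Python simulation of single-rate token-bucket policing using the two `police input` rate and burst values from the answer above, run over constructed traffic, comparing one bucket per class with one bucket shared by both servers. The packet sizes, packet rates and the shared-bucket values (300000 bps, 20000 bytes) are assumptions, and the model shows the token-bucket idea rather than the ASA's exact implementation.

```python
from dataclasses import dataclass


@dataclass
class TokenBucket:
    """Single-rate policer: tokens are bytes, refilled at rate_bps / 8 per second."""
    rate_bps: int      # conform rate, bits per second
    burst_bytes: int   # conform burst, bytes (bucket depth)

    def __post_init__(self):
        self.tokens = float(self.burst_bytes)  # bucket starts full
        self.last_us = 0                       # time of the previous packet

    def conforms(self, now_us: int, size: int) -> bool:
        # Refill for the elapsed time, never beyond the bucket depth.
        refill = (now_us - self.last_us) * self.rate_bps / 8_000_000
        self.tokens = min(float(self.burst_bytes), self.tokens + refill)
        self.last_us = now_us
        if size <= self.tokens:
            self.tokens -= size
            return True    # conform-action transmit
        return False       # exceed-action drop


# Mirrors the two ACL / class-map pairs from the post: (dst ip, dst port) -> class.
CLASSES = {("10.0.0.1", 80): "SERVER1", ("10.0.0.2", 443): "SERVER2"}
# (rate in bps, burst in bytes) per class, as in the post's policy-map.
PER_CLASS = {"SERVER1": (100_000, 10_000), "SERVER2": (200_000, 10_000)}


def constructed_traffic(seconds=10):
    """Constructed sample: a 4 Mbps flood at SERVER1, 80 kbps of normal load at SERVER2."""
    flood = [(i * 1_000, "10.0.0.1", 80, 500) for i in range(seconds * 1000)]   # 1000 pps
    normal = [(i * 50_000, "10.0.0.2", 443, 500) for i in range(seconds * 20)]  # 20 pps
    return sorted(flood + normal)  # (time in microseconds, dst ip, dst port, bytes)


def run(packets, shared=None):
    """Police packets per class, or through one shared bucket if `shared` is given."""
    if shared is not None:
        one = TokenBucket(*shared)
        buckets = {name: one for name in PER_CLASS}
    else:
        buckets = {name: TokenBucket(*params) for name, params in PER_CLASS.items()}
    stats = {name: {"conform": 0, "exceed": 0} for name in PER_CLASS}
    for t_us, dst, port, size in packets:
        name = CLASSES.get((dst, port))
        if name is None:
            continue  # traffic that matches no class is not policed
        verdict = "conform" if buckets[name].conforms(t_us, size) else "exceed"
        stats[name][verdict] += 1
    return stats


if __name__ == "__main__":
    traffic = constructed_traffic()
    print("per-class buckets:", run(traffic))
    print("one shared bucket:", run(traffic, shared=(300_000, 20_000)))
```

With per-class buckets the flood only exhausts SERVER1's tokens and SERVER2's traffic passes untouched; with a single shared bucket the flood drains the tokens and SERVER2 loses almost all of its packets.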

  • Dynamic ARP inspection rate limit issues with Windows Vista Systems

    Good Day to everybody.
    I implemented the DHCP Snooping and Dynamic ARP Inspection features to mitigate ARP spoofing attacks at one of our customer locations, where we have a mix of Windows Vista and XP systems. By default the DAI feature rate-limits ARP packets on untrusted ports to 15 packets per second. With this value I was facing some issues accessing file shares, where the port would go into error-disabled state because ARP broadcasts from the system were crossing the 15 PPS limit of DAI. For this reason, I increased the DAI limit to 64, and after that we have not faced this problem from Windows XP systems, but Windows Vista systems are still giving problems. Also this problem is very random in nature, and not all the Windows Vista systems face the same issue even though they are accessing the same file share and are configured with the same DAI rate limit.
    That's why I am not able to figure out baseline values for DAI rate limits. I have already searched Microsoft documentation for limiting this ARP broadcast from Windows Vista systems, but no luck.
    Is there any way to find out the correct settings for this DAI packet rate limiting in a Windows Vista environment?

    Hello bensyseng,
    check out this thread.
    As topmahof said already it could correlate with a wrong Intel driver.

  • Can I use the Galaxy in Germany if it's "unlocked" with a local SIM (for local rates)?

    Can I use this phone in Germany with a *local* SIM card for local rates if I get Verizon to unlock it or do I have to wait for the ever-elusive upgrade for this to be possible?
    I have been with Verizon since 2006, my original HTC Incredible has been eligible for an upgrade since April, and I was planning to stay with Verizon since I'm overall happy with the service. However, this uncertainty about being able to use the phone globally (and specifically in Germany) with local SIM cards has me considering other carriers for the first time, who have not crippled their phones in this way. In particular AT&T I guess. I don't understand why Verizon would choose to limit their phone like this.
    I would like to stay with Verizon, but I'm not going to wait indefinitely for a required update -- unless someone authoritative can tell me that I am able to use this phone with a local SIM card with local rates in German right now. That would make me very happy   .. otherwise, I guess it's time to check out the Galaxy on the other carriers.
    ps: I have searched the web, and this forum for related posting w/o the answer for this specific question about unlock helping with Germany.

    Hmm .. thanks for the info, I was afraid of that .. I've really been wanting to upgrade my phone for a few months now ... and the S III seems like the best phone right now, but not without that feature. I would rather stick with Verizon though but I am looking at the other carriers because of this.
    Also just found out that FM radio isn't available on the North American versions of the phone .. too bad, my DInc has it, and it helps limit data usage (and presumably uses less power than streaming, plus not all stations stream). It's not a required feature for me, but it was a nice option to have..

  • Time Out Error while waiting for response from DB Procedure

    Hi Gurus,
    We are encountering a problem in our production environment. The system is implemented using AIA foundation pack 2.5 on SOA suite 10.1.3.4.
    We have a BPEL process A which calls an ESB Service which in turn calls BPEL Process B. In process B, we have a DB procedure call which waits for a response from a DB procedure. The procedure doesn't reply on time and Process B remains in waiting state to get the response from the DB procedure, while Process A errors out showing "Timed Out Error".
    This issue is intermittent and we have already increased transaction-time outs in transaction-manager.xml to 7200 and ejb-orion-jar.xml to 3600.
    When we encountered this problem, we found out that there were too many connections open, and when we bounced the server, everything was restored to normal, but as it is a production env. we can't do it over and over again.
    We have 2 nodes each having max connections as 100 and min. as 0.
    Is there a limit to max no. of connections or can we do something in DB side to ensure that it doesn't happen again ?
    Please suggest.
    Thanks,
    Vikas Manchanda

    Hi Anuj,
    I don't think it is a problem with connections reaching the max number because this issue is coming on a very intermittent basis. We don't have any other processes using the same connection pool and this issue is coming even when there is no load on the server. This is a recent trace from the production environment. Also I don't have anything called "abandoned-connection-pool" in my data-sources.xml.
    <2011-07-07 13:09:16,101> <ERROR> <default.collaxa.cube> <BaseCubeSessionBean::logError> Error while invoking bean "delivery": Waiting for response has timed out. The conversation id is null. Please check the process instance for detail.
    com.oracle.bpel.client.delivery.ReceiveTimeOutException: Waiting for response has timed out. The conversation id is null. Please check the process instance for detail.
    at com.collaxa.cube.ejb.impl.DeliveryBean.request(DeliveryBean.java:109)
    at sun.reflect.GeneratedMethodAccessor113.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:592)
    at com.evermind.server.ejb.interceptor.joinpoint.EJBJoinPointImpl.invoke(EJBJoinPointImpl.java:35)
    at com.evermind.server.ejb.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:119)
    at com.evermind.server.ejb.interceptor.system.DMSInterceptor.invoke(DMSInterceptor.java:52)
    at com.evermind.server.ejb.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:119)
    at com.evermind.server.ejb.interceptor.system.JAASInterceptor$1.run(JAASInterceptor.java:31)
    at com.evermind.server.ThreadState.runAs(ThreadState.java:693)
    at com.evermind.server.ejb.interceptor.system.JAASInterceptor.invoke(JAASInterceptor.java:34)
    at com.evermind.server.ejb.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:119)
    at com.evermind.server.ejb.interceptor.system.TxRequiredInterceptor.invoke(TxRequiredInterceptor.java:50)
    at com.evermind.server.ejb.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:119)
    at com.evermind.server.ejb.interceptor.system.DMSInterceptor.invoke(DMSInterceptor.java:52)
    at com.evermind.server.ejb.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:119)
    at com.evermind.server.ejb.InvocationContextPool.invoke(InvocationContextPool.java:55)
    at com.evermind.server.ejb.StatelessSessionEJBObject.OC4J_invokeMethod(StatelessSessionEJBObject.java:87)
    at DeliveryBean_RemoteProxy_4bin6i8.request(Unknown Source)
    at com.collaxa.cube.ws.soap.oc4j.SOAPRequestProvider.processNormalOperation(SOAPRequestProvider.java:451)
    at com.collaxa.cube.ws.soap.oc4j.SOAPRequestProvider.processBPELMessage(SOAPRequestProvider.java:274)
    at com.collaxa.cube.ws.soap.oc4j.SOAPRequestProvider.processMessage(SOAPRequestProvider.java:120)
    at oracle.j2ee.ws.server.provider.ProviderProcessor.doEndpointProcessing(ProviderProcessor.java:956)
    at oracle.j2ee.ws.server.WebServiceProcessor.invokeEndpointImplementation(WebServiceProcessor.java:349)
    at oracle.j2ee.ws.server.provider.ProviderProcessor.doRequestProcessing(ProviderProcessor.java:466)
    at oracle.j2ee.ws.server.WebServiceProcessor.processRequest(WebServiceProcessor.java:114)
    at oracle.j2ee.ws.server.WebServiceProcessor.doService(WebServiceProcessor.java:96)
    at oracle.j2ee.ws.server.WebServiceServlet.doPost(WebServiceServlet.java:194)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:763)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:856)
    at com.evermind.server.http.ResourceFilterChain.doFilter(ResourceFilterChain.java:64)
    at oracle.security.jazn.oc4j.JAZNFilter$1.run(JAZNFilter.java:400)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:517)
    at oracle.security.jazn.oc4j.JAZNFilter.doFilter(JAZNFilter.java:414)
    at com.evermind.server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java:623)
    at com.evermind.server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java:370)
    at com.evermind.server.http.HttpRequestHandler.doProcessRequest(HttpRequestHandler.java:871)
    at com.evermind.server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:453)
    at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:313)
    at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:199)
    at oracle.oc4j.network.ServerSocketReadHandler$SafeRunnable.run(ServerSocketReadHandler.java:260)
    at com.evermind.util.ReleasableResourcePooledExecutor$MyWorker.run(ReleasableResourcePooledExecutor.java:303)
    at java.lang.Thread.run(Thread.java:595)
    Caused by: com.oracle.bpel.client.delivery.ReceiveTimeOutException: Waiting for response has timed out. The conversation id is null. Please check the process instance for detail.
    at com.collaxa.cube.engine.delivery.DeliveryHandler.initialRequestAnyType(DeliveryHandler.java:576)
    at com.collaxa.cube.engine.delivery.DeliveryHandler.initialRequest(DeliveryHandler.java:465)
    at com.collaxa.cube.engine.delivery.DeliveryHandler.request(DeliveryHandler.java:134)
    at com.collaxa.cube.ejb.impl.DeliveryBean.request(DeliveryBean.java)
    Please suggest.
    Thanks,
    Vikas Manchanda

  • Bandwidth Rate-Limit -w- WWR-Queue

    How would one convert a layer-2 port's "switchport rate-limit" bandwidth statement, on a 6509 -w- WS-X6748-SFP ports, to a routed/layer-3 "wrr-queue" bandwidth statement policy? Basically trying to hard-core the port's speed to 20MB.  Current/tested layer-2 port bandwidth setting:
    rate-limit input 20000000 5000 5000 conform-action transmit exceed-action drop
    rate-limit output 20000000 5000 5000 conform-action transmit exceed-action drop
    Got lost in how to use/configure all WRR's four queues... just need to limit the port's bandwidth to 20MB.  Any suggestions would be appreciated.
    Thanks, Kevin

    1) Enabled QoS globally...
    2960(config)#mls qos
    2) Configure an ACL to define the matched traffic...
    2960(config)#access-list 111 permit ip any any
    3) Configure a class map for the matched traffic...
    2960(config)#class-map traffic
    2960(config-cmap)#match access-group 111
    4) Configure a policy-map to define action...
    2960(config)#policy-map Control
    2960(config-pmap)#class traffic
    2960(config-pmap-c)#police 10000000 8000 exceed-action drop
    5) Attached the policy-map to the interface.
    a) Example
    -In this case, I'll attach the policy map to port_1....
    2960(config)#int fa0/1
    2960(config-if)#service-policy input Control
    >>>>>> This will rate-limit traffic coming from the PC
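As an added illustration (not part of the thread, and not Cisco's implementation), the sketch below models the `rate-limit` and `police` lines quoted above as a plain single-rate token bucket and shows that the burst value, not only the rate, decides how much traffic is dropped. The 1500-byte packets, the gigabit sender and the 15 Mb/s offered load are constructed assumptions.

```python
# Added illustration: single-rate token-bucket policer (a simplified model,
# not Cisco's implementation). Time is in integer microseconds.
LINE_RATE_BPS = 1_000_000_000   # assumed gigabit sender
PKT_BYTES = 1500                # assumed packet size

def police(rate_bps, burst_bytes, packets):
    """packets: time-ordered (arrival_us, size_bytes).
    Returns (conformed_bytes, dropped_bytes)."""
    cap = burst_bytes * 8          # bucket depth in bits
    tokens, last = cap, 0          # bucket starts full
    ok = dropped = 0
    for t, size in packets:
        # Refill for the elapsed time, never above the configured burst.
        tokens = min(cap, tokens + (t - last) * rate_bps // 1_000_000)
        last = t
        if size * 8 <= tokens:     # conform-action transmit
            tokens -= size * 8
            ok += size
        else:                      # exceed-action drop
            dropped += size
    return ok, dropped

def steady(avg_bps, duration_us=1_000_000):
    """Evenly spaced packets at avg_bps."""
    gap = PKT_BYTES * 8 * 1_000_000 // avg_bps
    return [(t, PKT_BYTES) for t in range(0, duration_us, gap)]

def bursty(avg_bps, per_burst=10, duration_us=1_000_000):
    """Same average rate, sent as back-to-back bursts at line rate."""
    wire = PKT_BYTES * 8 * 1_000_000 // LINE_RATE_BPS   # us per packet
    period = per_burst * PKT_BYTES * 8 * 1_000_000 // avg_bps
    return [(start + i * wire, PKT_BYTES)
            for start in range(0, duration_us, period)
            for i in range(per_burst)]

def report():
    """Constructed 15 Mb/s load against the two settings quoted in the thread."""
    return {
        "20M/5000 steady": police(20_000_000, 5000, steady(15_000_000)),
        "20M/5000 bursty": police(20_000_000, 5000, bursty(15_000_000)),
        "10M/8000 bursty": police(10_000_000, 8000, bursty(15_000_000)),
    }

if __name__ == "__main__":
    for name, (ok, dropped) in report().items():
        print(f"{name}: passed {ok * 8 / 1e6:.1f} Mb, dropped {dropped * 8 / 1e6:.1f} Mb in 1 s")
```

In this model the same 15 Mb/s load passes untouched when evenly paced, but loses most of its packets when it arrives in line-rate bursts, because a 5000-byte bucket holds only three 1500-byte packets.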
