
Bandwidth Throttling / Policing on Cisco ASA

If you are looking to control the amount of bandwidth for a particular host using a Cisco ASA Security Appliance, you’ve come to the right place.  When I was first asked to look into this capability on the ASA, I knew that I could perform some sort of Quality of Service (QOS).  In fact, all of the documentation that I came across, either on Cisco’s website or from third-party integrators, had detailed information on controlling quality for VoIP, traffic shaping, and how to do those things across a VPN tunnel.  While the information on these great features of the ASA is helpful, articles on limiting bandwidth to a particular IP address were more difficult to track down.  In fact, it took a TAC case and several hours of reading papers on the above services until I was able to figure out how to police bandwidth using my ASA.  In the example below I am throttling bandwidth to 1Mb for the host 1.1.1.1:

For the sake of simplicity, I will show you how to limit inbound and outbound bandwidth for one host.  To do this for multiple hosts, you simply replicate the steps, changing the access-list names, class-maps, and policy-maps as needed.

The first step is to create the access list that defines the “interesting traffic”, that is, the IP address you want to control.

access-list throttle_me extended permit ip host 1.1.1.1 any
access-list throttle_me extended permit ip any host 1.1.1.1

The second step is to define the class-map.

class-map throttle-me
match access-list throttle_me

Now you need to define your policy-map and call the class-map.

policy-map throttle-policy
class throttle-me
police output 1000000 2000
police input 1000000 2000

The final step is to apply the new service-policy to the PHYSICAL interface where the traffic will flow.  You CANNOT apply this to a sub-interface.

service-policy throttle-policy interface outside

In summary, this configuration was applied to the outside interface of my ASA.  This is the “choke point” for traffic and can be considered the edge of my network.  As stated above, you must apply the policy to a physical interface on your ASA.  The IP address 1.1.1.1 represents a public address that is statically mapped to a private address behind a sub-interface on my ASA.  The method above combines a little bit of each QOS function from the ASA to get what I want it to do.
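The post mentions replicating the steps for multiple hosts but does not show it. The following is an added example, not configuration from the original post: two hosts policed at different rates. Because the ASA accepts only one service-policy per interface, each host gets its own ACL and class, and both classes are placed in the one policy-map that is applied to the outside interface. The IP addresses and names are constructed placeholders.

```cisco
! Added example (not from the original post): police two hosts at different rates.
! Only one service-policy can be applied per interface, so both hosts are
! separate classes inside ONE policy-map.
! 192.0.2.10 / 192.0.2.20 are constructed placeholders for the static NAT
! public addresses of the two internal hosts.
access-list throttle_host_a extended permit ip host 192.0.2.10 any
access-list throttle_host_a extended permit ip any host 192.0.2.10
access-list throttle_host_b extended permit ip host 192.0.2.20 any
access-list throttle_host_b extended permit ip any host 192.0.2.20
!
class-map throttle-host-a
 match access-list throttle_host_a
class-map throttle-host-b
 match access-list throttle_host_b
!
! police <input|output> <rate in bits/sec> <burst in bytes>
! Conforming traffic is transmitted, excess traffic is dropped (the defaults,
! written out here so the behaviour is explicit in the running config).
policy-map throttle-policy
 class throttle-host-a
  police output 1000000 2000 conform-action transmit exceed-action drop
  police input 1000000 2000 conform-action transmit exceed-action drop
 class throttle-host-b
  police output 512000 4000 conform-action transmit exceed-action drop
  police input 512000 4000 conform-action transmit exceed-action drop
!
! Apply once, to the physical interface at the choke point.
service-policy throttle-policy interface outside
!
! Check that each class is actually matching and counting conformed/exceeded
! packets after generating some traffic to each host:
! show service-policy interface outside police
```

If the exceeded counters for a class stay at zero under load, the traffic is not hitting that class; check that the ACL addresses are the post-NAT (public) addresses as seen on the outside interface.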

  1. August 18th, 2009 at 15:13 | #1

    Great article David, I’m sure this will be very useful to anyone trying to limit the bandwidth to a particular host behind their Cisco Firewall. This would be very useful to anyone doing virtual machines and other hosting solutions for people, like an ISP. Thanks for sharing this information!

  2. August 18th, 2009 at 21:40 | #2

    Hi,
    its nice to read a useful article for beginner like me.
    Some of points from this article are very helpful for me as I haven’t
    considered them yet.
    I would like to say thank you for sharing this cool article.
    Bookmarked and sharing for friends.
    - Suresh

  3. August 19th, 2009 at 20:12 | #3

    @ Oscar. Thanks for stopping by ;) . You might run into this in the future.

  4. August 19th, 2009 at 20:13 | #4

    @Suresh. Thanks for stopping by. Hopefully this information will come in handy to you one day.

  5. August 20th, 2009 at 15:14 | #5

    Great article and discovery on the ASA, the Cisco TAC guys didn’t even know about this. And thanks for saving me so much work on the oracle VM side!

  6. August 20th, 2009 at 22:22 | #6

    @Steve R – Thanks. Anytime I can save someone from performing mindless tasks…that’s a good thing!!

  7. Jay
    September 2nd, 2009 at 13:03 | #7

    Can I throttle the traffic for my inside subnet inbound/outbound using this config?

    My biggest issue is big downloads being pulled and taking up the 3mb circuit. if I apply a policing policy to the outside interface will it help?

    Thanks

  8. September 2nd, 2009 at 14:39 | #8

    @ Jay. Yes, it is possible to use Policing for that. However if the hosts you want to limit use the same NAT address outbound and you apply the policy to that public address, it will throttle all traffic for hosts that are NATted to it.

    Not really a big deal, if you have the IP addresses available, you can always assign one public to the outside interface and another that you use for NAT to the hosts on the inside.

  9. Jay
    September 2nd, 2009 at 14:55 | #9

    Thanks Dave. To follow your example, I modified it to apply to the entire inside subnet (1.1.1.0/24). So, if I wanted to allow the users on the inside subnet to use up to 2mb of a 3mb circuit in both directions, the config would look like this?:

    access-list throttle_me extended permit ip 1.1.1.0 255.255.255.0 any
    access-list throttle_me extended permit ip any 1.1.1.0 255.255.255.0

    The second step is to define the class-map.

    class-map throttle-me
    match access-list throttle_me

    Now you need to define your policy-map and call the class-map.

    policy-map throttle-policy
    class throttle-me
    police output 2000000 2000
    police input 2000000 2000

    The final step is to apply the new service-policy to the PHYSICAL interface where the traffic will flow. You CANNOT apply this to a sub-interface.

    service-policy throttle-policy interface outside

    Now, if anyone from the inside tries to upload or download a big file, they will be limited to 2mb of bandwidth in either direction? I read on another board that policing does not handle inbound traffic.
    I hope you are right =)
    Thanks!

  10. September 2nd, 2009 at 15:35 | #10

    The inbound is handled as long as the internal hosts have a static mapping with a public address. Looking at my example you will see 2 ACL entries. The 1.1.1.1 represents the public address associated with the internal host (via static).

    Also, you may want to bump the burst value up some more from 2000 to 4000.
    It would look like:
    police output 2000000 4000
    police input 2000000 4000

    If you replace the 1.1.1.1 with the public address that represents your internal host (or the NAT address), this will throttle the traffic as you want.

  11. Jay
    September 3rd, 2009 at 08:53 | #11

    My internal hosts PAT with the IP of the outside interface. So everyone on the 192.168.100.0 subnet accesses the internet behind the same 209.x.x.x address. So if I config using the 209.x.x.x, will it police the inbound/outbound for all traffic that uses this address?

    Also I am using a PIX running 7.2(4), will it still work on the PIX?

    Again, thanks for the info! I feel like I am finally getting somewhere with this!

  12. September 3rd, 2009 at 11:07 | #12

    That is correct. If you want more control, you would want to assign a static mapping to the systems you think are the offenders and just police their public address.

    Another option would be to use QOS and limit by traffic type. But that’s another article. :)

  13. mohi
    September 9th, 2009 at 02:10 | #13

    Bro,

    Really, thanks. I was searching for this for the past week; finally I got it from you. Really, thanks.

    I have a few questions regarding this matter:

    We have a 5520 ASA and a 6mb leased line. What I want to do is limit the outgoing email bandwidth for the admin network only. The problem is that when staff send emails with any big attachment, the network gets delayed for a while, so I think I can avoid the latency if I limit the outgoing SMTP traffic from the admin network, or from the source, the email server (the email server is hosted internally).

    Say, limit the bandwidth to 512kb for outgoing SMTP traffic from the inside network. Is that possible to do with the ASA? Can you please guide me if it is possible? That would be really, really appreciated.
    My customer is nagging me about this….

    Really thanks,
    Mohi

  14. mohi
    September 9th, 2009 at 02:46 | #14

    Additionally, I would like to add a note that I just need to limit the outgoing traffic only, not any incoming traffic…

    Please let me know if you want any more info regarding this matter.

    cheers,

  15. September 9th, 2009 at 08:10 | #15

    @mohi. Thank you for stopping by. The easy answer is yes, the ASA has the ability to limit SMTP traffic to a single host (outbound only). However, Policing would not be the best method for that. In order to accomplish what you want with respect to SMTP and that single host, you would want to use QOS. I have received several questions about this and have another post planned for the future which addresses this specific need. In the meantime, here is a document from Cisco on the subject.

    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008084de0c.shtml

  16. mohi
    September 9th, 2009 at 09:19 | #16

    Great, really thanks.

    I’m not too expert in Cisco security, but I have done this in Fortinet and it’s very easy to do. I have already gone through the above link, which I understood to cover some other, more difficult way :(

    I would really appreciate it if you could please give me a brief idea of your way (configuration); that would be more helpful. My ideal goal is just to limit the BW for SMTP traffic from the email server, so that when the internal staff send emails out through this email server, the ASA will restrict the BW consumed. I’ve been facing this problem for the last four days and I hope you can help me overcome this.

    cheers,

  17. September 9th, 2009 at 20:28 | #17

    Mohi, I will try and finish up the article on QOS since this is what will solve your problem. Stay tuned.

  18. Paul
    October 7th, 2009 at 10:37 | #18

    Hi David, your article is very helpful and I have a similar problem with my ASA, but in my case I want to throttle a VPN tunnel on a 2 Mb line. I want to limit the traffic of the VPN clients and thus avoid saturating the LAN. I think that limiting the bandwidth of the tunnel will work well. What changes do I have to make to your configuration? Thank you for your attention.

  19. KC
    October 13th, 2009 at 17:05 | #19

    Thanks for the interesting article!

    So, if you want to allow each IP in a certain subnet a maximum of 1024Kbps, you’d have to list all the IP addresses? So far I see limiting the total for the subnet, limiting the total for an IP, but what about limiting the maximum for any given IP in a subnet?

  20. October 13th, 2009 at 17:21 | #20

    @KC. In my example I am using the outside interface as the location where my policy is applied (since I want to restrict bandwidth in both directions). In the case where you want to restrict it to one IP within a given subnet, you will need to have a static mapping for that single IP so that it can be identified as traffic to/from it moves through the outside interface.

    However, if you want to police the traffic without chewing up precious public addresses, you can apply the policy to the internal interface (must be a physical interface, no sub-interfaces here). Keep in mind that return traffic to that host FROM the Internet might be larger than your policing limit, since the policy is not applied to the outside interface.

    Hope this helps. Good luck with your setup.

  21. tf
    October 19th, 2009 at 13:23 | #21

    Thank you for a great example:
    Although I found I had to change:
    service-policy throttle-me interface outside
    to:
    service-policy throttle-policy interface outside
    for it to work, but the point is it works!! :)
    *****************
    Do you know if it is possible to do the reverse, i.e. an IP has super priority or guaranteed minimum bandwidth?
    Example scenario:

    Network camera uploading all the time hogs bandwidth which is good as I want it to use max available upload bandwidth (400K).

    However when PC needs to upload then the network camera is not important.
    If it is possible to give the PC a guaranteed minimum bandwidth or super priority then both could exist happy.
    i.e The network camera in full mode when bandwidth is available and the PC getting all / majority of bandwidth when it needs it.
    Or am I dreaming :)

  22. October 19th, 2009 at 14:03 | #22

    @ tf. Thanks for stopping by. You are correct regarding applying the policy instead of the ACL. Made the change. Good catch, virtual pint coming your way. :)

    As far as the second part of your comment: no, you are not dreaming. You are asking for more of a QOS solution than policing. I understand you want to prefer the traffic from your PC. However it may be easier (if you know the port/protocol) to assign a priority to the camera traffic and a higher priority to all other traffic (your PC). This would ensure the PC gets in/out first. Another option might be to prioritize switch ports behind the firewall (assuming both devices are plugged into the same switch). I am also assuming a little here in that most SOHO switches do not have this capability.

    There are several options with QOS, you may want to search Cisco for some in depth reading. http://tinyurl.com/yjgeqsg When I get a bit more free time I’ll add an example for this sort of requirement as it can be very useful.

    Thanks again for stopping by. If you do implement one of the QOS features, let me know. I’d be happy to publish your findings.

  23. Brad
    November 23rd, 2009 at 23:33 | #23

    Hi David -

    This is a good article and a good start. However, it’s important to point out that what most people are looking for here is an inbound or ingress rate limiting policy.

    Unless you have strict control over both sides of the link (i.e. the ISP) you can never truly achieve the desired goal of rate-limiting certain users or types of traffic.

    Aside from the details of trying to control which users or type of traffic is being rate-limited the single largest problem is that the upstream device may be capable of sending data at a rate faster than you would like. Your best case scenario in the configuration listed is to simply drop the packets if they exceed the bandwidth or burst rate specified. These are dropped upon ingress and it does not actually prevent that bandwidth from being utilized.

    For TCP or other flow-based traffic types, the behavior will have some impact due to the nature of the TCP stream requiring an ACK and window-size management. If the ACKs are dropped the window sizes will eventually decrease and the rate will slow down, but TCP will also try to increase the rate again.

    To achieve this goal, a device that truly manipulates the TCP headers would be desirable as the implementation of ingress-policing on the ASA is more of an interim solution.

    For strict UDP or non-session oriented types of traffic these policies will have no effect on ingress traffic bandwidth other than to slow down traffic that has already reached the ASA (in other words, a moot point). This can be demonstrated in a lab setup in which you simply have to ping-flood the ASA to cause a DoS.

  24. Marcos
    January 17th, 2010 at 19:18 | #24

    Hi David,

    Great post. This is a clear example of Throttling on an ASA.

    However, is it possible to set limits on the amount of data that can flow from one host to another? I know you can limit the number of connections on an ACL, but can I say, for example:

    Let an internal host download (so all traffic from insideip to any) 1 gigabyte, then drop the traffic?

    cheers.

  25. Hari
    March 18th, 2010 at 21:19 | #25

    Hi, I am not a networking guy but work in IT business app side. We have vpn network to remote site over a business dsl. We need to enable remote user to be able to download training content over the vpn network over business dsl. Is there a way to implement bandwidth throttling? I was told bandwidth throttling over vpn is not possible.

  26. March 19th, 2010 at 09:58 | #26

    @ Hari. Thank you for stopping by. It is possible to limit bandwidth resources across a VPN tunnel. Instead of putting all that information here, I have the following link which directs you to a good explanation with an example of how to accomplish that. http://bit.ly/Bandwidth_Throttle_VPN

    Hope that helps you out.

  27. July 9th, 2010 at 15:13 | #27

    @Marcos Yes, it would be possible to restrict between hosts using ACLs. If the hosts are in different VLANs or live behind different interfaces of the ASA then following my example would do the trick. You would need to substitute the outside interface for the interface name that one of the hosts sits behind. DMZ1 for example.
