Bandwidth Throttling / Policing on Cisco ASA

If you are looking to control the amount of bandwidth for a particular host using a Cisco ASA Security Appliance, you’ve come to the right place.  When I was first asked to look into this capability on the ASA I knew that I could perform some sort of Quality of Service (QOS).  In fact, all of the documentation that I came across, either on Cisco’s website or from third-party integrators, has detailed information on controlling quality for VoIP, traffic shaping, and how to do those things across a VPN tunnel.  While the information on these great features of the ASA is helpful, finding articles on limiting bandwidth to a particular IP address was more difficult to track down.  In fact, it took a TAC case and several hours of reading papers on the above services until I was able to figure out how to police bandwidth using my ASA.  In the example below I am throttling bandwidth to 1Mb for the host

For the sake of simplicity, I will show you how to limit inbound and outbound bandwidth for one host.  In order to do this for multiple hosts you simply replicate the steps making a few changes to access-list names, class-maps, and policy-maps.

The first step is to create the access list that defines “interesting traffic”, that is, the IP you want to control.

access-list throttle_me extended permit ip host any
access-list throttle_me extended permit ip any host

The second step is to define the class-map.

class-map throttle-me
 match access-list throttle_me

Now you need to define your policy-map and call the class-map.

policy-map throttle-policy
 class throttle-me
  police output 1000000 2000
  police input 1000000 2000

The final step is to apply the new service-policy to the PHYSICAL interface where the traffic will flow.  You CANNOT apply this to a sub-interface.

service-policy throttle-policy interface outside

In summary, this configuration was applied to the outside interface of my ASA.  This is the “choke point” for traffic and can be considered the edge of my network.  As stated above, you must apply the policy to a physical interface on your ASA.  The IP address represents a public address that is statically mapped to a private address behind a sub-interface on my ASA.  The method above combines a little bit of each QOS function from the ASA to get what I want it to do.
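
What the two police lines above do to traffic, as an added example that is not part of the original post: a simplified single-rate token-bucket model in Python, using the ASA's units for the police command (rate in bits per second, burst in bytes). The traffic patterns and the 16000-byte burst are constructed for illustration, and the ASA's internal policer may differ in detail.

```python
"""Simplified single-rate token-bucket model of `police <rate> <burst>`."""


class Policer:
    def __init__(self, rate_bps, burst_bytes):
        self.fill = rate_bps / 8.0        # refill speed in bytes per second
        self.depth = burst_bytes          # bucket depth in bytes
        self.tokens = float(burst_bytes)  # bucket starts full
        self.last = 0.0

    def conforms(self, t, size):
        """True if a `size`-byte packet arriving at time `t` (seconds) conforms."""
        self.tokens = min(self.depth, self.tokens + (t - self.last) * self.fill)
        self.last = t
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False                      # exceeds: dropped (default exceed-action)


def run(rate_bps, burst_bytes, arrivals):
    """Feed (time_s, size_bytes) arrivals through a policer.

    Returns (bytes_passed, packets_dropped)."""
    policer, passed, dropped = Policer(rate_bps, burst_bytes), 0, 0
    for t, size in arrivals:
        if policer.conforms(t, size):
            passed += size
        else:
            dropped += 1
    return passed, dropped


def paced(pps, size):
    """Constructed traffic: one second of evenly spaced packets."""
    return [(i / pps, size) for i in range(pps)]


def bursty(bursts_per_s, burst_len, size):
    """Constructed traffic: one second of back-to-back bursts (idealised: the
    packets in a burst share one timestamp)."""
    return [(b / bursts_per_s, size)
            for b in range(bursts_per_s) for _ in range(burst_len)]


if __name__ == "__main__":
    RATE, BURST = 1_000_000, 2000         # values from the post's police lines
    # Both patterns offer 80 x 1500 bytes in one second (960 kbit/s, under the rate).
    print("paced,  burst 2000: ", run(RATE, BURST, paced(80, 1500)))
    print("bursty, burst 2000: ", run(RATE, BURST, bursty(8, 10, 1500)))
    print("bursty, burst 16000:", run(RATE, 16000, bursty(8, 10, 1500)))
```

With the same offered load, the 2000-byte bucket passes only the first packet of each burst while evenly paced traffic passes untouched; a larger burst value absorbs the bursts.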


91 thoughts on “Bandwidth Throttling / Policing on Cisco ASA”

  3. Hello,
    I set this up as defined however only outbound traffic is throttled, not inbound.
    Any ideas what it could be?

  4. Thanks for your info and blog. I am a newbie to this Cisco world and I enjoy your writing as I learn. Just a clarification question: can I rate limit on a per-user basis? For instance, if I’m running a Cisco ASA 5510 allowing 10 IPsec VPN connections, can I limit each of those to say 5mbps each?

    Appreciate your time and answer

  7. Great stuff here.
    Please, I have a site-to-site VPN and I want to dedicate 4mb out of the total bandwidth of 10mb to the VPN on ASA 5510.
    Please, how do I do it? Is it the same command?


  10. Have you tried the QoS configuration above? I have the same config running on ASA 8.4 but it doesn’t seem to work as expected. I prefer to use shaping instead of policing on ASA.

  13. I find this throttling information of high significance. I will proceed to give this a try
    in the client’s environment and feed back to you guys.
    The only difference with my client’s request is that they want to BW limit a specific IP range. Hope this info helps.
