Bandwidth Throttling / Policing on Cisco ASA

If you are looking to control the amount of bandwidth for a particular host using a Cisco ASA Security Appliance, you’ve come to the right place.  When I was first asked to look into this capability on the ASA I knew that I could perform some sort of Quality of Service (QOS).  In fact, all of the documentation that I came across either on Cisco’s website or from third party integrators has detailed information on controlling quality for VoIP, traffic shaping, and how to do those things across a VPN tunnel.  While the information on these great features of the ASA is helpful, finding articles on limiting bandwidth to a particular IP address was more difficult to track down.  In fact, it took a TAC case and several hours of reading papers on the above services until I was able to figure out how to police bandwidth using my ASA.  In the example below I am throttling bandwidth to 1Mb for the host 1.1.1.1:

For the sake of simplicity, I will show you how to limit inbound and outbound bandwidth for one host.  In order to do this for multiple hosts you simply replicate the steps making a few changes to access-list names, class-maps, and policy-maps.

The first step is to create the access list that defines “interesting traffic” or what IP you want to control.

access-list throttle_me extended permit ip host 1.1.1.1 any
access-list throttle_me extended permit ip any host 1.1.1.1

The second step is to define the class-map.

class-map throttle-me
 match access-list throttle_me

Now you need to define your policy-map and call the class-map.

policy-map throttle-policy
 class throttle-me
  police output 1000000 2000
  police input 1000000 2000

The final step is to apply the new service-policy to the PHYSICAL interface where the traffic will flow.  You CANNOT apply this to a sub-interface.

service-policy throttle-policy interface outside

In summary, this configuration was applied to the outside interface of my ASA.  This is the “choke point” for traffic and can be considered the edge of my network.  As stated above, you must apply the policy to a physical interface on your ASA.  The IP address 1.1.1.1 represents a public address that is statically mapped to a private address behind a sub-interface on my ASA.  The method above combines a little bit of each QOS function from the ASA to get what I want it to do.
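
To see what the two numbers in "police output 1000000 2000" (conform-rate in bits per second, conform-burst in bytes) do to traffic, here is an added example that is not part of the original post and is not Cisco code: a generic single-rate token-bucket policer model run over constructed traffic. The bucket starting full, the back-to-back burst pattern and the 6000-byte comparison burst are assumptions of the model.

```python
# Added example: generic token-bucket policer model, not the ASA's own code.
RATE_BPS = 1_000_000   # conform-rate from "police output 1000000 2000" (bits/s)
BURST_BYTES = 2000     # conform-burst from the same command (bytes)
SCALE = 1_000_000      # timestamps are integer microseconds (keeps math exact)

def police(packets, rate_bps=RATE_BPS, burst_bytes=BURST_BYTES):
    """packets: list of (arrival_time_us, size_bytes) sorted by time.
    Returns (passed_bytes, dropped_bytes)."""
    cap = burst_bytes * 8 * SCALE        # bucket depth, in micro-bits
    tokens, last = cap, 0                # assumption: bucket starts full
    passed = dropped = 0
    for t_us, size in packets:
        # Refill at the conform-rate, never beyond the burst size.
        tokens = min(cap, tokens + (t_us - last) * rate_bps)
        last = t_us
        need = size * 8 * SCALE
        if need <= tokens:
            tokens -= need
            passed += size
        else:
            dropped += size              # a policer drops; a shaper would queue
    return passed, dropped

def steady(rate_bps, size=1500, duration_us=SCALE):
    """Constructed traffic: evenly spaced packets at rate_bps for one second."""
    gap = size * 8 * SCALE // rate_bps
    return [(t, size) for t in range(0, duration_us, gap)]

def bursty(per_burst, interval_us, size=1500, duration_us=SCALE):
    """Constructed traffic: per_burst back-to-back packets every interval_us."""
    return [(t, size) for t in range(0, duration_us, interval_us)
            for _ in range(per_burst)]

if __name__ == "__main__":
    cases = [
        ("steady 5 Mbps, burst 2000", steady(5_000_000), BURST_BYTES),
        # 4 x 1500 B every 100 ms averages 480 kbps, below the 1 Mbps rate
        ("bursty 480 kbps, burst 2000", bursty(4, 100_000), BURST_BYTES),
        ("bursty 480 kbps, burst 6000", bursty(4, 100_000), 6000),
    ]
    for name, pkts, burst in cases:
        ok, drop = police(pkts, burst_bytes=burst)
        print(f"{name}: passed {ok * 8} bits, dropped {drop * 8} bits")
```

In this model the steady 5 Mbps stream is cut to roughly 1 Mbps, while the bursty stream loses three packets out of every four with a 2000-byte burst even though its average rate is under the limit, because only one 1500-byte packet fits in the bucket at a time.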

71 thoughts on “Bandwidth Throttling / Policing on Cisco ASA”

  1. Hi there to every body, it’s my first pay a quick visit of this blog; this blog carries amazing and truly good stuff for visitors.

  2. Hello! Would you mind if I share your blog with my
    myspace group? There’s a lot of people that I think would really enjoy your content. Please let me know. Thanks

  3. Hello,
    I set this up as defined however only outbound traffic is throttled, not inbound.
    Any ideas what it could be?
    Thanks

  4. Thanks for your info and blog. I am a newbie to this Cisco world and I enjoy your writing as I learn. Just a clarification question: can I rate limit on a per-user basis? For instance, if I’m running a Cisco ASA 5510 allowing 10 IPsec VPN connections, can I limit each of those to, say, 5mbps each?

    Appreciate your time and answer

  6. Great blog right here! Also your site quite a bit up fast!
    What host are you using? Can I am getting your associate link
    on your host? I desire my site loaded up as fast as yours
    lol

  7. Great Stuff here.
    Please, I have a site-to-site VPN and I want to dedicate 4mb out of the total bandwidth of 10mb to the VPN on ASA 5510.
    Please, how do I do it? Is it the same command?

    Thanks

  8. Very good blog you have here but I was wondering if
    you knew of any forums that cover the same
    topics discussed here? I’d really love to be a part of
    community where I can get responses from other knowledgeable
    individuals that share the same interest. If you have any recommendations, please let me know.
    Bless you!

  9. It is the best time to make some plans for the future and it’s time to be happy.
    I’ve read this post and if I could I desire to suggest you few interesting
    things or tips. Perhaps you could write next articles referring to this article.
    I wish to read even more things about it!

  10. Have you tried the QoS configuration above? I have the same config running on ASA 8.4 but it doesn’t seem to work as expected. I prefer to use shaping instead of policing on ASA.

  13. I find this throttling information of high significance. I will proceed to give this a try
    on the client’s environment and feed back to you guys.
    The only difference with my client’s request is that they want to BW limit a specific IP range. Hope this info helps.

  14. Thank you, I’ve recently been looking for info about this subject for ages
    and yours is the greatest I’ve found out so far.
    However, what concerning the bottom line? Are you sure about the supply?
