Bandwidth Throttling / Policing on Cisco ASA

If you are looking to control the amount of bandwidth for a particular host using a Cisco ASA Security Appliance, you’ve come to the right place.  When I was first asked to look into this capability on the ASA I knew that I could perform some sort of Quality of Service (QoS).  In fact, all of the documentation that I came across, either on Cisco’s website or from third-party integrators, had detailed information on controlling quality for VoIP, traffic shaping, and how to do those things across a VPN tunnel.  While the information on these great features of the ASA is helpful, articles on limiting bandwidth to a particular IP address were more difficult to track down.  In fact, it took a TAC case and several hours of reading papers on the above services until I was able to figure out how to police bandwidth using my ASA.  In the example below I am throttling bandwidth to 1Mb for the host 1.1.1.1.

For the sake of simplicity, I will show you how to limit inbound and outbound bandwidth for one host.  In order to do this for multiple hosts you simply replicate the steps making a few changes to access-list names, class-maps, and policy-maps.

The first step is to create the access list that defines the “interesting traffic”, i.e. the IP address you want to control.  Two entries are needed so that traffic in both directions (from the host and to the host) is matched.

access-list throttle_me extended permit ip host 1.1.1.1 any
access-list throttle_me extended permit ip any host 1.1.1.1

The second step is to define the class-map.

class-map throttle-me
match access-list throttle_me

Now you need to define your policy-map and call the class-map.

policy-map throttle-policy
class throttle-me
police output 1000000 2000
police input 1000000 2000

The final step is to apply the new service-policy to the PHYSICAL interface where the traffic will flow.  You CANNOT apply this to a sub-interface.

service-policy throttle-policy interface outside

In summary, this configuration was applied to the outside interface of my ASA.  This is the “choke point” for traffic and can be considered the edge of my network.  As stated above, you must apply the policy to a physical interface on your ASA.  The IP address 1.1.1.1 represents a public address that is statically mapped to a private address behind a sub-interface on my ASA.  The method above combines a little bit of each QOS function from the ASA to get what I want it to do.
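The steps above have to be replicated for every host you want to police. The following script, added here and not part of the original post, renders the same four steps for a list of hosts (one ACL and class-map per host, all classes inside a single policy-map, since an interface takes only one policy) and range-checks the `police` arguments first. The 1.1.1.2 address in the sample run is a constructed placeholder; the `HostLimit` label and the `render_policy` helper are this example's own.

```python
"""Generate Cisco ASA policing config for one or more hosts (added example)."""
from dataclasses import dataclass

# Argument ranges accepted by the ASA `police` command:
# conform-rate in bits per second, conform-burst in bytes.
RATE_MIN, RATE_MAX = 8_000, 2_000_000_000
BURST_MIN, BURST_MAX = 1_000, 512_000_000


@dataclass(frozen=True)
class HostLimit:
    name: str      # short label used in object names, e.g. "host1"
    address: str   # public (static NAT) address as seen on the outside interface
    rate_bps: int  # conform-rate in bits per second (1 Mbps = 1000000)
    burst_bytes: int = 2000  # conform-burst: bytes allowed momentarily above the rate


def validate(limit: HostLimit) -> None:
    """Reject values the ASA CLI itself would refuse, plus unsafe object names."""
    if not RATE_MIN <= limit.rate_bps <= RATE_MAX:
        raise ValueError(f"{limit.name}: rate {limit.rate_bps} outside {RATE_MIN}-{RATE_MAX} bps")
    if not BURST_MIN <= limit.burst_bytes <= BURST_MAX:
        raise ValueError(f"{limit.name}: burst {limit.burst_bytes} outside {BURST_MIN}-{BURST_MAX} bytes")
    if not limit.name.replace("_", "").replace("-", "").isalnum():
        raise ValueError(f"unsafe object name: {limit.name!r}")


def render_policy(limits, policy_name="throttle-policy", interface="outside") -> str:
    """Return the CLI snippet: ACLs, class-maps, one policy-map, service-policy."""
    if not limits:
        raise ValueError("no hosts given")
    names = [h.name for h in limits]
    if len(set(names)) != len(names):
        raise ValueError("host labels must be unique (ACL/class-map names would collide)")
    for h in limits:
        validate(h)
    lines = []
    # Step 1: one ACL per host with entries in both directions.
    for h in limits:
        lines.append(f"access-list throttle_{h.name} extended permit ip host {h.address} any")
        lines.append(f"access-list throttle_{h.name} extended permit ip any host {h.address}")
    # Step 2: one class-map per ACL.
    for h in limits:
        lines.append(f"class-map throttle-{h.name}")
        lines.append(f" match access-list throttle_{h.name}")
    # Step 3: a single policy-map holding every class with its own police values.
    lines.append(f"policy-map {policy_name}")
    for h in limits:
        lines.append(f" class throttle-{h.name}")
        lines.append(f"  police output {h.rate_bps} {h.burst_bytes}")
        lines.append(f"  police input {h.rate_bps} {h.burst_bytes}")
    # Step 4: bind the policy to the physical interface (global config mode).
    lines.append(f"service-policy {policy_name} interface {interface}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample: the post's 1 Mbps host plus a second host at 2 Mbps.
    print(render_policy([
        HostLimit("host1", "1.1.1.1", 1_000_000),
        HostLimit("host2", "1.1.1.2", 2_000_000, 4000),  # placeholder address
    ]))
```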


51 thoughts on “Bandwidth Throttling / Policing on Cisco ASA”

  1. Great article David, I’m sure this will be very useful to anyone trying to limit the bandwidth to a particular host behind their Cisco Firewall. This would be very useful to anyone doing virtual machines and other hosting solutions for people, like an ISP. Thanks for sharing this information!

  2. Hi,
    it's nice to read a useful article for a beginner like me.
    Some of points from this article are very helpful for me as I haven’t
    considered them yet.
    I would like to say thank you for sharing this cool article.
    Bookmarked and sharing for friends.
    - Suresh

  3. Great article and discovery on the ASA, the Cisco TAC guys didn’t even know about this. And thanks for saving me so much work on the oracle VM side!

  4. Can I throttle the traffic for my inside subnet inbound/outbound using this config?

    My biggest issue is big downloads being pulled and taking up the 3mb circuit. if I apply a policing policy to the outside interface will it help?

    Thanks

  5. @ Jay. Yes, it is possible to use Policing for that. However if the hosts you want to limit use the same NAT address outbound and you apply the policy to that public address, it will throttle all traffic for hosts that are NATted to it.

    Not really a big deal, if you have the IP addresses available, you can always assign one public to the outside interface and another that you use for NAT to the hosts on the inside.

  6. Thanks Dave, to follow your example. I modified it to represent applying to the entire inside subnet (1.1.1.0/24). So, if I wanted to allow the users on the inside subnet to use up to 2mb of a 3mb circuit in both directions, the config would look like this?:

    access-list throttle_me extended permit ip 1.1.1.0 255.255.255.0 any
    access-list throttle_me extended permit ip any 1.1.1.0 255.255.255.0

    The second step is to define the class-map.

    class-map throttle-me
    match access-list throttle_me

    Now you need to define your policy-map and call the class-map.

    policy-map throttle-policy
    class throttle-me
    police output 2000000 2000
    police input 2000000 2000

    The final step is to apply the new service-policy to the PHYSICAL interface where the traffic will flow. You CANNOT apply this to a sub-interface.

    service-policy throttle-policy interface outside

    Now, if anyone from the inside tries to upload or download a big file, they will be limited to 2mb of bandwidth in either direction? I read on another board that policing does not handle inbound traffic.
    I hope you are right =)
    Thanks!

  7. The inbound is handled as long as the internal hosts have a static mapping with a public address. Looking at my example you will see 2 ACL entries. The 1.1.1.1 represents the public address associated with the internal host (via static).

    Also, you may want to bump the burst value up some more from 2000 to 4000.
    It would look like:
    police output 2000000 4000
    police input 2000000 4000

    If you replace the 1.1.1.1 with the public address that represents your internal host (or the NAT address), this will throttle the traffic as you want.

  8. My internal hosts PAT with the IP of the outside interface. So everyone on the 192.168.100.0 subnet accesses the internet behind the same 209.x.x.x address. So if I config using the 209.x.x.x will it police the inbound/outbound for all traffic that uses this address?

    Also I am using a PIX running 7.2(4), will it still work on the PIX?

    Again, thanks for the info! I feel like I am finally getting somewhere with this!

  9. That is correct. If you want more control, you would want to either assign a static mapping to the systems you think are the offenders and just police their public address.

    Another option would be to use QOS and limit by traffic type. But that’s another article. :)

  10. Bro,

    really thanks, I was searching for this for the past week, finally I got it from you..really thanks,

    I have a few questions regarding this matter;

    we have a 5520 ASA and have a 6mb leased line. What I want to do is limit the outgoing email bandwidth for the admin network only. The problem is when staff send emails with any big attachment the network gets delayed for a while, so I think I can avoid the latency if I limit the outgoing SMTP traffic from the admin network or from the source as the email server (the email server is hosted internally).

    say to limit the bandwidth to 512kb for outgoing SMTP traffic from the inside network..is that possible to do with the ASA? Can you please guide me if it is possible.. that would be really really appreciated..
    my customer is nagging me about this….

    Really thanks,
    Mohi

  11. Additionally I would like to add a note that I just need to limit the outgoing traffic only, not any incoming traffic…

    please let me know if you want to know any more info regarding this matter.

    cheers,

  12. @mohi. Thank you for stopping by. The easy answer is yes, the ASA has the ability to limit SMTP traffic to a single host (outbound only). However, Policing would not be the best method for that. In order to accomplish what you want with respect to SMTP and that single host, you would want to use QOS. I have received several questions about this and have another post planned for the future which addresses this specific need. In the meantime, here is a document from Cisco on the subject.

    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008084de0c.shtml

  13. Great, really thanks.

    I’m not too expert in Cisco security. But I have done this in Fortinet and it's very easy to do. I have already gone through the above link which I understood covers some other, more difficult way :(

    I would really appreciate it if you could please give me a brief idea in your way (configuration) and that would be more helpful. My ideal goal is just to limit the BW for SMTP traffic from the email server, and that way when the internal staff send emails out through this email server, the ASA will restrict the BW consumed. I’m facing this problem for the last four days and I hope you can help me to overcome this.

    cheers,

  14. Hi David, your article is very helpful and I have a similar problem with my ASA, but in my case I want to throttle a VPN tunnel on a 2 Mb line. I want to limit the traffic of the VPN clients and then avoid saturating the LAN. I think that limiting the bandwidth of the tunnel will work well. What changes do I have to make to your configuration? Thank you for your attention.

  15. Thanks for the interesting article!

    So, if you want to allow each IP in a certain subnet a maximum of 1024Kbps, you’d have to list all the IP addresses? So far I see limiting the total for the subnet, limiting the total for an IP, but what about limiting the maximum for any given IP in a subnet?

  16. @ KC.. In my example I am using the outside interface as the location where my policy is applied (since I want to restrict bandwidth in both directions). In the case where you want to restrict it to one IP within a given subnet, you will need to have a static mapping for that single IP so that it can be identified as traffic to/from it moves through the outside interface.

    However, if you want to police the traffic without chewing up precious public addresses, you can apply the policy to the internal interface (must be a physical interface, no sub-interfaces here). Keep in mind that return traffic to that host FROM the Internet might be larger than your policing limit since the policy is not applied to the outside interface.

    Hope this helps. Good luck with your setup.

  17. Thank you for a great example:
    Although I found I had to change:
    service-policy throttle-me interface outside
    to:
    service-policy throttle-policy interface outside
    for it to work, but the point is it works!! :)
    *****************
    Do you know if it is possible to do the reverse i.e an ip has super priority or guaranteed minimum bandwidth?
    Example scenario:

    Network camera uploading all the time hogs bandwidth which is good as I want it to use max available upload bandwidth (400K).

    However when PC needs to upload then the network camera is not important.
    If it is possible to give the PC a guaranteed minimum bandwidth or super priority then both could exist happy.
    i.e The network camera in full mode when bandwidth is available and the PC getting all / majority of bandwidth when it needs it.
    Or am I dreaming :)

  18. @ tf. Thanks for stopping by. You are correct regarding applying the policy instead of the ACL. Made the change. Good catch, virtual pint coming your way. :)

    As far as the second part of your comment..no, you are not dreaming. You are asking for more of a QOS solution than policing. I understand you want to prefer the traffic from your PC. However it may be easier (if you know the port/protocol) to assign a priority to the camera traffic and a higher priority to all other traffic (your PC). This would ensure the PC gets in/out first. Another option might be to prioritize switch ports behind the firewall (assuming both devices are plugged into the same switch). I am also assuming a little here in that most SOHO switches do not have this capability.

    There are several options with QOS, you may want to search Cisco for some in depth reading. http://tinyurl.com/yjgeqsg When I get a bit more free time I’ll add an example for this sort of requirement as it can be very useful.

    Thanks again for stopping by. If you do implement one of the QOS features, let me know. I’d be happy to publish your findings.

  19. Hi David -

    This is a good article and a good start. However, it’s important to point out that what most people are looking for here is an inbound or ingress rate limiting policy.

    Unless you have strict control over both sides of the link (i.e. the ISP) you can never truly achieve the desired goal of rate-limiting certain users or types of traffic.

    Aside from the details of trying to control which users or type of traffic is being rate-limited the single largest problem is that the upstream device may be capable of sending data at a rate faster than you would like. Your best case scenario in the configuration listed is to simply drop the packets if they exceed the bandwidth or burst rate specified. These are dropped upon ingress and it does not actually prevent that bandwidth from being utilized.

    For TCP or other flow-based traffic types behavior will have some impact due to the nature of the TCP stream requiring an ACK and window-size management. If the ACKs are dropped the window sizes will eventually decrease and the rate will slow down, but TCP will also try to increase the rate again.

    To achieve this goal, a device that truly manipulates the TCP headers would be desirable as the implementation of ingress-policing on the ASA is more of an interim solution.

    For strict UDP or non-session oriented types of traffic these policies will have no effect on ingress traffic bandwidth other than to slow down traffic that has already reached the ASA (in other words, a moot point). This can be demonstrated in a lab setup in which you simply have to ping-flood the ASA to cause a DoS.

  20. Hi David,

    Great post. This is a clear example of Throttling on an ASA.

    However, is it possible to set limits on the amount of data that can flow from one host to another? I know you can limit the number of connections on an ACL, but can I say for example:

    Let the internal host download (so all traffic from insideip to any) 1 gigabyte, then drop the traffic?

    cheers.

  21. Hi, I am not a networking guy but work in IT business app side. We have vpn network to remote site over a business dsl. We need to enable remote user to be able to download training content over the vpn network over business dsl. Is there a way to implement bandwidth throttling? I was told bandwidth throttling over vpn is not possible.

  22. @ Hari. Thank you for stopping by. It is possible to limit bandwidth resources across a VPN tunnel. Instead of putting all that information here, I have the following link which directs you to a good explanation with an example of how to accomplish that. http://bit.ly/Bandwidth_Throttle_VPN

    Hope that helps you out.

  23. @Marcos Yes, it would be possible to restrict between hosts using ACLs. If the hosts are in different VLANs or live behind different interfaces of the ASA then following my example would do the trick. You would need to substitute the outside interface for the interface name that one of the hosts sits behind. DMZ1 for example.

  24. Curious, I have multiple vpn connections and want to throttle inbound traffic, Any thought for that?

  25. @Curt – first off thanks for stopping by. As far as policing bandwidth across VPN tunnels, the same concept applies. If you can identify the destination that hosts on the remote side of the tunnel are talking with, then you can apply a policy-map to limit the bandwidth across those tunnels. Cisco has some decent documentation on this aspect of QOS. Have a look at this and see if it meets your requirements. http://bit.ly/atNHEY

  26. Hi David,

    First of all thanks for sharing this very informative article, I am new with Cisco ASA. I have a question for you. I have a 10MB Internet connection in my office. I have 2 Cisco ASA 5510s, one is in my office and another one in my data center which has much bigger bandwidth. I have a VPN connection between our office and the data center. I want to give much higher priority to the VPN traffic because if one of my office users downloads a huge file from the internet it affects the application connecting to my data center via the VPN. What is the best way to accomplish this??

    Thanks

  27. Hi!

    I see something above like my problem but not the same.

    1 PC (outside, or through the internet) communicates with 1 other (inside network, behind the ASA)
    but all the other participants of the inside network use all of the bandwidth of the internet connection.
    My goal is to guarantee a minimum bandwidth, or all of the remaining bandwidth, to the PCs if the other participants of the network don't use the internet.

    Which qos method can enable this for me? or can i reach this?

    Thanks!

  28. Brad:
    Hi David -
    This is a good article and a good start. However, it’s important to point out that what most people are looking for here is an inbound or ingress rate limiting policy.
    Unless you have strict control over both sides of the link (i.e. the ISP) you can never truly achieve the desired goal of rate-limiting certain users or types of traffic.
    Aside from the details of trying to control which users or type of traffic is being rate-limited the single largest problem is that the upstream device may be capable of sending data at a rate faster than you would like. Your best case scenario in the configuration listed is to simply drop the packets if they exceed the bandwidth or burst rate specified. These are dropped upon ingress and it does not actually prevent that bandwidth from being utilized.
    For TCP or other flow-based traffic types behavior will have some impact due to the nature of the TCP stream requiring an ACK and window-size management. If the ACKs are dropped the window sizes will eventually decrease and the rate will slow down, but TCP will also try to increase the rate again.
    To achieve this goal, a device that truly manipulates the TCP headers would be desirable as the implementation of ingress-policing on the ASA is more of an interim solution.
    For strict UDP or non-session oriented types of traffic these policies will have no effect on ingress traffic bandwidth other than to slow down traffic that has already reached the ASA (in other words, a moot point). This can be demonstrated in a lab setup in which you simply have to ping-flood the ASA to cause a DoS.

    You are 100% correct and this point seems to be missed by most people in this thread.

  29. I have a subnet on wireless for guests and I want to limit their traffic to the internet (that is the only traffic they can do), I’d like to use my ASA to do this.

    Do I have to create a NAT from this subnet to an outside IP and apply this config to the outside IP?
    If I use the existing IP I go out with, all the network would be affected, correct!?

  30. I have an ASA 5510 series at work, and have two networks connected to it, 192.168.2.0 and 192.168.1.0. I want to assign a particular amount of bandwidth to each network using the local network address, not the public IP. How can I do it?

  31. Hi, I enjoyed reading this article. Though I haven’t used this feature, I might come across it some day. Hopefully, I’ll be using it. Thanks for sharing this info.

    -Vinay

  32. Awesome! Thanks for doing this. Been looking for something like this that is simple and easy to use and understand.

    You hit one out of the park sir!!!

  33. Hi, first of all thanks for this useful thing, this works great for me. One thing I would like to ask: if I applied this to one of my VLAN subnets limited to 2 mbps, what if one person starts a download, it goes up to 2mbps and the rest of the workstations within the subnet get slowed down. How do I do it when applied to a network instead of an IP?

  34. Hi David,

    Great Work dude. Hats off to the information that you provide in this website. I request you to please brief upon the following as I tried on many websites to refer but could not get the information:-

    police output 1000000 2000
    police input 1000000 2000

    What is this 2000???
    Is there any method through the GUI that I can use to create this rule to limit a host to 1 Mbps through the ASA???

  35. Hi ,

    I have a scenario wherein I have a Nortel Passport switch installed as the core switch (Nortel 8006), and 95% of the other L2 switches are also Nortel, like Nortel 425-24T, Nortel 450-24T, Nortel 420-24T, Nortel 350-24T, and Nortel 2526T. A few Cisco switches are installed at L2. Now after a long fight with the management, I succeeded in getting 15 new L2 Cisco 2960 switches, and a Cisco 4500 as the core switch. Now my question is how to go about the configuration part? Should I first go ahead and replace the core switch first and then the L2 switches, or vice versa? Please assist me by providing information on configuration and critical things to be covered while performing the upgrade of the network. I have been planning to do this for 3 months but did not get valuable resources to study. Along with the information, if you provide me the downtime that will be required, it will be great. God bless people like you!! Hoping for a quick reply from your side.

  36. Do you happen to know if you can limit requests per second / minute, and/or throttle in any other way with the 5500 series?

  37. Hello, would you mind letting me know which web host you’re utilizing? I’ve loaded your blog in 3 completely different browsers and
    I must say this blog loads a lot quicker than most. Can you suggest a good web hosting
    provider at an honest price? Thank you, I appreciate it!

  38. Hi there mates, it's a wonderful paragraph concerning education and entirely
    defined, keep it up all the time.

  39. My question is given below. If you know any expert on the ASA then please help me to sort out this problem as soon as possible.
    I have 4 mbps internet bandwidth over the outside interface of an ASA5540 (software ver 8.4(2)). It is not directly on the physical interface, it is on a sub-interface of outside. We have 10.29.xx.xx internal subnets. And internal subnets are dynamically PATed to the outside sub-interface public IP. My question is, can I apply QoS (rate limit) for a range of subnets, like 10.29.1.0 255.255.255.0 has a 1.5 mbps limit and 10.29.2.0 has a 2.5 mbps limit of internet bandwidth? Is it possible to apply QoS on a sub-interface? Another thing: if I want to control only inbound traffic (from internet to internal subnet) then can I use an access list like source any IP and my internal subnet as destination, and apply QoS on the inside interface of the ASA for outbound traffic? The inside interface also has a sub-interface.
    please help

    thanks

  41. Dear Sir,

    I am new to the Cisco ASA, and now I want to control bandwidth through an ASA 5510. I am confused about police input and police output. In what scenario do we use police input and police output, and on what interface, inside/outside?

  42. @Mithlesh Kumar, just add more classes.. IOS has a limit of 255 class-maps + the default class.. not sure about the limitations of the ASA but you should be able to add quite a few, I’m sure.

    Example config:
    !
    access-list throttle_1mb extended permit ip host 1.1.1.1 any
    access-list throttle_1mb extended permit ip any host 1.1.1.1
    !
    ! the second class needs its own host (1.1.1.2 is a placeholder address);
    ! an ACL repeating 1.1.1.1 would never be reached after the first class matches
    access-list throttle_2mb extended permit ip host 1.1.1.2 any
    access-list throttle_2mb extended permit ip any host 1.1.1.2
    !
    class-map throttle-1mb
    match access-list throttle_1mb
    !
    class-map throttle-2mb
    match access-list throttle_2mb
    !
    policy-map throttle-policy
    class throttle-1mb
    police output 1000000 2000
    police input 1000000 2000
    !
    class throttle-2mb
    police output 2000000 4000
    police input 2000000 4000
    !
    ! entered in global configuration mode, not under the interface
    service-policy throttle-policy interface outside
    !

  43. Very nice post. I just stumbled upon your weblog and wanted to say that I’ve truly loved surfing around your blog posts. In any case I will be subscribing in your rss feed and I hope you write again soon!
