Networks Training

You are here: Home / Cisco ASA General / Traffic Rate and Bandwidth Limiting on Cisco ASA Firewall

Traffic Rate and Bandwidth Limiting on Cisco ASA Firewall

Written By

With the new modular policy framework (MPF) introduced in ASA versions 7.x and 8.x, the firewall administrator is now able to apply policing and rate limiting to traffic passing through the ASA appliance.

I got a few questions from people how this functionality works and decided to throw in a quick example below which you can easily modify accordingly to match your needs.

Scenario 1:

We want to rate limit a local internal host when accessing a specific external public server. The local host is 192.168.1.10 and the external public server is 100.100.100.1. We need to limit the traffic to 100kbps and burst size 8000.

Configuration Snippet:

ASA(config)#access-list rate-limit-acl extended permit ip host 192.168.1.10 host 100.100.100.1

ASA(config)#class-map rate-limit
ASA(config-cmap)#match access-list rate-limit-acl

ASA(config)#policy-map limit-policy
ASA(config-pmap)#class rate-limit
ASA(config-pmap-c)#police output 100000 8000

ASA(config)#service-policy limit-policy interface outside

Scenario 2:

We need to apply a rate bandwidth limit to an internal LAN computer so that it will use a maximum of 5Mbps from our Internet line.

MORE READING:  Cisco ASA Firewall Fundamentals ebook : Rapidshare and Torrent Free Download

Assume the internal LAN host is 192.168.1.1

Configuration Snippet:

ASA(config)#access-list rate-limit-host extended permit ip host 192.168.1.1 any
ASA(config)#access-list rate-limit-host extended permit ip any host 192.168.1.1

ASA(config)#class-map rate-limit
ASA(config-cmap)#match access-list rate-limit-host

ASA(config)#policy-map limit-policy
ASA(config-pmap)#class rate-limit
ASA(config-pmap-c)#police output 5000000 8000
ASA(config-pmap-c)#police input 5000000 8000

ASA(config)#service-policy limit-policy interface inside

Related Posts

Filed Under: Cisco ASA General

Download Free Cisco Commands Cheat Sheets

Enter your Email below to Download our Free Cisco Commands Cheat Sheets for Routers, Switches and ASA Firewalls.

We use Elastic Email as our marketing automation service. By submitting this form, you agree that the information you provide will be transferred to Elastic Email for processing in accordance with their Terms of Use and Privacy Policy. Also, you allow me to send you informational and marketing emails from time-to-time.

About Harris Andrea

Harris Andrea is an Engineer with more than two decades of professional experience in the fields of TCP/IP Networks, Information Security and I.T. Over the years he has acquired several professional certifications such as CCNA, CCNP, CEH, ECSA etc.

He is a self-published author of two books ("Cisco ASA Firewall Fundamentals" and "Cisco VPN Configuration Guide") which are available at Amazon and on this website as well.

Comments

  1. Kris says

    I have applied a same configs, and when i do the sh service-pol int out
    i dont see any hits,

    SA-5540# sh service-pol int out

    Interface outside:
    Service-policy: XXX-policy
    Class-map: XXX-map
    Output police Interface outside:
    cir 1000000 bps, bc 10000 bytes
    conformed 0 packets, 0 bytes; actions: drop
    exceeded 0 packets, 0 bytes; actions: drop
    conformed 0 bps, exceed 0 bps

  2. BlogAdmin says

    Hello Kris,

    Maybe the flow of traffic in your scenario is different. Try to use the following:
    ASA(config-pmap-c)#police input 100000 8000

  3. Gary says

    I want to limit to internet access,so I did
    #access-list rate-limit-acl extended permit ip host 192.168.1.10 host any
    but it shown :
    ERROR: % Invalid Hostname
    would you explain how can I did?
    Thanks

  4. BlogAdmin says

    Gary,

    The correct command is:

    access-list rate-limit-acl extended permit ip host 192.168.1.10 any

    Harris

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

About Networks Training

We Provide Technical Tutorials and Configuration Examples about TCP/IP Networks with focus on Cisco Products and Technologies. This blog entails my own thoughts and ideas, which may not represent the thoughts of Cisco Systems Inc. This blog is NOT affiliated or endorsed by Cisco Systems Inc. All product names, logos and artwork are copyrights/trademarks of their respective owners.

Amazon Disclosure

As an Amazon Associate I earn from qualifying purchases.
Amazon and the Amazon logo are trademarks of Amazon.com, Inc. or its affiliates.

BLOGROLL

Tech21Century
Firewall.cx