Bandwidth Throttling / Policing on Cisco ASA

If you are looking to control the amount of bandwidth available to a particular host using a Cisco ASA security appliance, you have come to the right place.  When I was first asked to look into this capability on the ASA I knew it could perform some sort of Quality of Service (QoS).  In fact, all of the documentation I came across, on Cisco’s website and from third-party integrators, covers controlling quality for VoIP, traffic shaping, and how to do those things across a VPN tunnel.  While that information on the ASA's QoS features is helpful, articles on limiting the bandwidth of a single IP address were much harder to track down.  It took a TAC case and several hours of reading about the services above before I worked out how to police bandwidth on my ASA.  In the example below I am policing traffic to and from the host 1.1.1.1 to 1 Mbps (the police rate is given in bits per second):

For the sake of simplicity, I will show how to limit inbound and outbound bandwidth for a single host.  To do this for multiple hosts, replicate the steps with a separate access list and class-map per host, and add each class-map as another class in the same policy-map (the ASA accepts only one service-policy per interface).

The first step is to create the access list that defines the “interesting traffic”, that is, the IP address you want to control.  Both entries are needed, since the policy limits traffic in both directions:

access-list throttle_me extended permit ip host 1.1.1.1 any
access-list throttle_me extended permit ip any host 1.1.1.1

The second step is to define a class-map that matches the access list:

class-map throttle-me
match access-list throttle_me

Now define the policy-map, reference the class-map, and police the class in both directions.  The first number is the rate in bits per second (1,000,000 bps = 1 Mbps); the second is the burst size in bytes.  Traffic above the rate is dropped by default:

policy-map throttle-policy
class throttle-me
police output 1000000 2000
police input 1000000 2000

The final step is to apply the new service-policy to the physical interface where the traffic flows.  You cannot apply this to a sub-interface.

service-policy throttle-policy interface outside
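Putting the steps together for more than one host, the following is an added example and not configuration from the original post.  It polices two hosts at different rates from a single policy-map, because the ASA allows only one service-policy per interface; the addresses, names and rates are made up for illustration, and the conform/exceed actions are written out even though transmit/drop are the defaults.  One caveat for newer software: from ASA 8.3 onward, access lists match real (pre-NAT) addresses, so on those releases the ACL would name the private address of the host rather than its public static mapping.

```cisco
! Added example (not from the original post): police two hosts on the
! outside interface with one policy-map. Addresses, names and rates are
! made up for illustration.
!
! Host A: 1.1.1.1, limited to 1 Mbps in each direction
access-list throttle_host_a extended permit ip host 1.1.1.1 any
access-list throttle_host_a extended permit ip any host 1.1.1.1
!
! Host B: 1.1.1.2, limited to 512 kbps in each direction
access-list throttle_host_b extended permit ip host 1.1.1.2 any
access-list throttle_host_b extended permit ip any host 1.1.1.2
!
! One class-map per host
class-map throttle-host-a
 match access-list throttle_host_a
class-map throttle-host-b
 match access-list throttle_host_b
!
! One policy-map, one class per host. conform-rate is in bits per second,
! conform-burst in bytes; conform-action transmit / exceed-action drop are
! the defaults and are written out here for clarity.
policy-map throttle-policy
 class throttle-host-a
  police input 1000000 2000 conform-action transmit exceed-action drop
  police output 1000000 2000 conform-action transmit exceed-action drop
 class throttle-host-b
  police input 512000 2000 conform-action transmit exceed-action drop
  police output 512000 2000 conform-action transmit exceed-action drop
!
! Only one service-policy can be attached per interface, so both hosts
! are classes of the same policy-map.
service-policy throttle-policy interface outside
!
! Verification: per-class conformed and exceeded packet/byte counters.
! If the exceeded counters never move while the host is saturating its
! link, the ACL is not matching (check the real vs. mapped address).
show service-policy interface outside police
```

The `show service-policy ... police` output is the check to run after applying the policy: the conformed counters should climb as soon as the host sends traffic, and the exceeded counters should start climbing once the host pushes past the configured rate.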

In summary, this configuration was applied to the outside interface of my ASA.  This is the “choke point” for traffic and can be considered the edge of my network.  As stated above, you must apply the policy to a physical interface on your ASA.  The IP address 1.1.1.1 represents a public address that is statically mapped to a private address behind a sub-interface on my ASA.  The method above combines a little of each of the ASA's QoS building blocks (access list, class-map, policy-map and service-policy) to get the result I wanted.

I use this on a WSUS server, and it works great.

7 thoughts on “Bandwidth Throttling / Policing on Cisco ASA”

  1. Hi – I can’t apply this to the physical because the physical has "no nameif" applied… not sure if I can change it as I’m not sure what impact this will have, nor am I sure what security level this should be, but assume "0". Concerns are that I have quite a lot of subinterfaces coming off this physical one so I’m a bit nervous just to add nameif outside to the physical… any ideas? Cheers

  2. Applying a nameif if there isn’t one already there shouldn’t have any impact. How are you referencing your outside interface at the moment?

  3. Hi Sidd, in this example the maximum rate for traffic is 1 mb/s and the maximum burst size is 2000 bytes per second. Hope that helps. Cheers, Joe

  4. I have a few more questions. Is there any specific reason for specifying the maximum burst size? Is that not an optional field? How does it work if we don’t specify it, and what is the default value? I believe, according to the statement below, that all fields except conform-rate are optional; please correct me if I am wrong.
     police {output | input} conform-rate [conform-burst] [conform-action [drop | transmit] [exceed-action [drop | transmit]]]
