Bandwidth Throttling / Policing on Cisco ASA
If you are looking to control the amount of bandwidth for a particular host using a Cisco ASA Security Appliance, you’ve come to the right place. When I was first asked to look into this capability on the ASA, I knew that I could perform some sort of Quality of Service (QOS). In fact, all of the documentation that I came across, either on Cisco’s website or from third-party integrators, had detailed information on controlling quality for VoIP, traffic shaping, and how to do those things across a VPN tunnel. While the information on these great features of the ASA is helpful, articles on limiting bandwidth to a particular IP address were more difficult to track down. In fact, it took a TAC case and several hours of reading papers on the above services before I was able to figure out how to police bandwidth using my ASA. In the example below I am throttling bandwidth to 1Mb for the host 188.8.131.52:
For the sake of simplicity, I will show you how to limit inbound and outbound bandwidth for one host. In order to do this for multiple hosts you simply replicate the steps making a few changes to access-list names, class-maps, and policy-maps.
The first step is to create the access list that defines the “interesting traffic”, that is, which IP address you want to control. Both directions are matched: traffic sourced from the host and traffic destined to it.
access-list throttle_me extended permit ip host 184.108.40.206 any
access-list throttle_me extended permit ip any host 220.127.116.11
The second step is to define the class-map that references the access list. The original post does not show the class-map name, so throttle_class below is an assumed name; use whatever name you like, as long as the policy-map refers to the same one.
class-map throttle_class
 match access-list throttle_me
Now you need to define your policy-map, call the class-map inside it, and police in both directions. The first number is the conform rate in bits per second (1000000 = 1 Mb/s), the second is the burst size in bytes. (The class name throttle_class is assumed; the post does not show it.)
policy-map throttle-policy
 class throttle_class
  police output 1000000 2000
  police input 1000000 2000
The final step is to apply the new service-policy to the PHYSICAL interface where the traffic will flow. You CANNOT apply this to a sub-interface. Keep in mind that the ASA accepts only one service-policy per interface: if the interface already has one, add the class to that existing policy-map instead of creating a second one. Afterwards, show service-policy interface outside lets you verify that the policy is attached and that the conform and exceed counters are moving.
service-policy throttle-policy interface outside
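The post says that for multiple hosts you replicate the steps with different access-list, class-map and policy-map names. Because an ASA interface takes only one service-policy, the clean way to do that is one access list and one class per host, all gathered under a single policy-map. The following Python helper is an added example (not code from the original post) that emits exactly that configuration for a list of hosts and refuses rates or burst sizes outside the ranges the ASA police command accepts. The naming pattern throttle_<ip>, the policy-map name throttle-policy and the sample addresses 192.0.2.x are assumptions and constructed values.

```python
"""Generate Cisco ASA per-host policing configuration (added example).

Assumptions (not from the original post):
  - access-list and class-map names follow the pattern throttle_<ip with dots as underscores>
  - the policy-map is called throttle-policy and is applied to the outside interface
  - sample hosts 192.0.2.10 / 192.0.2.11 are constructed documentation addresses
"""
from ipaddress import IPv4Address

# Limits enforced by the ASA "police" command: conform rate in bits per second,
# burst size in bytes.
MIN_RATE_BPS, MAX_RATE_BPS = 8_000, 2_000_000_000
MIN_BURST_BYTES, MAX_BURST_BYTES = 1_000, 512_000_000


def police_config(hosts, policy_name="throttle-policy", interface="outside", burst=2000):
    """Return the ASA configuration lines that police each host in `hosts`.

    hosts: iterable of (ipv4_address, conform_rate_bps) pairs.
    All hosts become separate classes under ONE policy-map, because the ASA
    accepts only a single service-policy per interface.
    """
    if not MIN_BURST_BYTES <= burst <= MAX_BURST_BYTES:
        raise ValueError(f"burst {burst} outside {MIN_BURST_BYTES}-{MAX_BURST_BYTES} bytes")

    acl_lines, class_lines = [], []
    policy_lines = [f"policy-map {policy_name}"]
    seen = set()
    for ip, rate in hosts:
        host = str(IPv4Address(ip))  # raises on a malformed or IPv6 address
        if host in seen:
            raise ValueError(f"{host} listed twice; a host belongs to exactly one class")
        seen.add(host)
        if not MIN_RATE_BPS <= rate <= MAX_RATE_BPS:
            raise ValueError(f"{host}: rate {rate} outside {MIN_RATE_BPS}-{MAX_RATE_BPS} bps")

        tag = "throttle_" + host.replace(".", "_")
        # Step 1: interesting traffic, both directions, as in the post.
        acl_lines += [
            f"access-list {tag} extended permit ip host {host} any",
            f"access-list {tag} extended permit ip any host {host}",
        ]
        # Step 2: one class-map per host.
        class_lines += [f"class-map {tag}", f" match access-list {tag}"]
        # Step 3: police both directions inside the shared policy-map.
        policy_lines += [
            f" class {tag}",
            f"  police output {rate} {burst}",
            f"  police input {rate} {burst}",
        ]

    # Step 4: attach the single policy to the physical interface.
    return acl_lines + class_lines + policy_lines + [
        f"service-policy {policy_name} interface {interface}"
    ]


if __name__ == "__main__":
    # Constructed sample: 1 Mb/s for the first host, 512 kb/s for the second.
    sample = [("192.0.2.10", 1_000_000), ("192.0.2.11", 512_000)]
    print("\n".join(police_config(sample)))
```

Paste the printed output into configuration mode on the ASA; the order (access lists, class-maps, policy-map, service-policy) matters because each object must exist before it is referenced.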
In summary, this configuration was applied to the outside interface of my ASA. This is the “choke point” for traffic and can be considered the edge of my network. As stated above, you must apply the policy to a physical interface on your ASA. The IP address 18.104.22.168 represents a public address that is statically mapped to a private address behind a sub-interface on my ASA, which is why the policy matches on the public address at the outside interface rather than on the private one. The method above combines a little bit of each QOS function from the ASA to get what I want it to do.
Using this on a WSUS server works great.