Cisco ASA Bandwidth Control

Posted on 2014-02-11
Medium Priority
Last Modified: 2014-02-12

At my current job we are having issues with making the most out of limited bandwidth. We were trying Untangle, but this is out of our price range.

So in the absence of something like Untangle, I was thinking that we make the most out of our ASA, which is paid for already.

I have a CCNA, which I just got recently, but I don't have that much actual experience, and ASAs are not really within the scope of that cert anyway.

Based on some googlefoo, I know there are traffic policing and shaping policies that can be configured on this device. The former can be applied to inside and outside interfaces, dropping packets if they exceed a set rate; the latter is only applicable to the outside interface and depends on RAM for buffering (which I am worried will be overloaded).

This ASA has a lot of pre-existing configurations and provides not only internet access, but VPN access.

I would love to be able to create some kind of rule, policing or shaping, to throttle internal users' connections to the internet (i.e. not affecting LAN access) to only 300 kbit/s of bandwidth each, regardless of what protocol they are using. The idea being that no one user can saturate the entire connection... which they currently can if the source has more bandwidth than we do.

I am looking for a simple command and explanation to do this, or an explanation as to why this is not possible and maybe the next best alternative command. Also, just to confirm, which interface would such a rule be applied to? Internal? I don't want this to throttle internal LAN communications, just communications to the internet.

Thanks for your help and feedback.
Question by:CnicNV
LVL 26

Expert Comment

ID: 39854085
Firstly, you won't be able to do this on a per-user basis.
With that said, you need to first create an extended access list that will:

1. First, deny traffic sourced from your internal subnets to the VPN far-end subnets
2. Second, permit traffic sourced from your internal subnets to the internet

Then you create a class map to match the access list you created.
Then create a policy map to enforce policing at the limit you want to restrict the traffic to.

Example config (the VPN far-end subnet and mask are not given in the thread, so they appear as placeholders; the ACL lines were missing their subnet masks and destination, and the policy-map name did not match the service-policy line):

! Exclude LAN-to-VPN traffic from policing, then match LAN-to-internet traffic
access-list internet_outbound extended deny ip 192.168.1.0 255.255.255.0 <VPN_FAR_END_SUBNET> <VPN_FAR_END_MASK>
access-list internet_outbound extended permit ip 192.168.1.0 255.255.255.0 any

class-map internet_limit
  match access-list internet_outbound

policy-map throttle_internet
  class internet_limit
    ! download limit to 512k (traffic leaving the inside interface toward the LAN)
    police output 512000 96000 conform-action transmit exceed-action drop
    ! upload limit to 256k (traffic entering the inside interface from the LAN)
    police input 256000 96000 conform-action transmit exceed-action drop

service-policy throttle_internet interface inside


Author Comment

ID: 39854250
Hi Soulja,

What is the purpose of the two ACLs? I am guessing to not throttle VPN traffic and to throttle regular LAN-to-WAN traffic?

I figured it would not be able to do this on a per-user basis, as it would need some sort of sophisticated method of using LDAP to correlate with network traffic origin.

So my next question would be, how is this traffic policing command handling traffic? I.e., just to confirm that the connection limit would not be based on the interface globally (i.e. all aggregate traffic through the inside interface limited to d512k/u256k) and that instead it would be, as I am hoping, based on each new connection traversing that interface? I.e., if someone establishes an FTP session, it is limited to d512k/u256k, and then they start streaming a WebEx conference and this is a new stream of d512k/u256k, totaling d1024k/u512k. This is ideal, as I don't want to limit the entire interface to only d512k/u256k.

LVL 26

Expert Comment

ID: 39854281
The ACL is to match the source and destination traffic that will be policed. The reason I deny in the first line is because that is the traffic between the VPN subnets.

Basically, all traffic sourcing from the internal subnet headed to the internet would be policed; if it goes over 512k download or 256k upload, the packets will be dropped. This can be one session or multiple sessions. One session could take up the entire 512k, but the point is for the WAN connection to not be saturated by the web traffic.

Author Comment

ID: 39854339
Ok, I think I understand what you're describing.

Let me use an example.  

Let's say my internet connection is actually 10 Mbit/s up and down, and I have 100 users. If I apply that policing command you indicated above, will it limit the entire interface's actual bandwidth to 512k download and 256k upload for all traffic combined of those 100 users? If so, that would be worse, in that it would make a 10 Mbit connection 512 kbit.

But I am guessing that what you are saying to me is that the limit is a per-connection limit (one IP to another IP) and that no one connection could use more than this limit individually? That combined together, the full internet bandwidth on the interface is still 10 Mbit/s, and that no one connection is allowed to use all of it?

Thanks for your patience, just trying to make sure 100% that I understand you :-)
LVL 26

Accepted Solution

Soulja earned 2000 total points
ID: 39854359
You can set the policing limit to whatever you want. I just used 512k for an example.

My example would limit the traffic to 512k for only traffic to the internet. This is not a per-session limit but a total limit. The policer will monitor web traffic as a whole. If it starts to exceed 512k, the packets that exceed will be dropped. Being that the default queuing is FIFO, this would be various sources coming from the LAN side to the internet.
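
A token-bucket model of the `police` command from the accepted answer, added here as an illustration (it is not ASA code and not part of the original thread). It shows why one class-map policer bounds the aggregate of every matching flow, and compares that with the per-connection limit the asker hoped for; the host addresses, packet size and offered rates are constructed values.

```python
# Token-bucket model of the ASA "police <rate> <burst>" action discussed in
# this thread. Added illustration, not ASA code: one bucket shared by all
# traffic matching the class-map caps the aggregate, not each connection.

class Policer:
    """police <rate_bps> <burst_bytes> conform-action transmit exceed-action drop"""
    def __init__(self, rate_bps, burst_bytes):
        self.rate_bps = rate_bps
        self.burst = burst_bytes
        self.tokens = float(burst_bytes)   # bucket starts full (the burst)
        self.last_t = 0.0

    def offer(self, t, size):
        # Refill at rate/8 bytes per second, never above the burst size.
        self.tokens = min(self.burst, self.tokens + (t - self.last_t) * self.rate_bps / 8)
        self.last_t = t
        if size <= self.tokens:
            self.tokens -= size
            return True      # conform-action transmit
        return False         # exceed-action drop

def simulate(flows, rate_bps, burst_bytes, duration, per_flow=False):
    """flows: {host: offered_bps} (constructed). Returns transmitted bytes per host.
    per_flow=False is the ASA behaviour (one bucket for the whole class);
    per_flow=True is the hypothetical per-connection limit, for comparison."""
    size = 1500                                   # constructed packet size
    shared = Policer(rate_bps, burst_bytes)
    buckets = {h: (Policer(rate_bps, burst_bytes) if per_flow else shared) for h in flows}
    events = []
    for i, (host, bps) in enumerate(flows.items()):
        interval = size * 8 / bps                 # seconds between this host's packets
        t = i * 0.0001                            # small offset so hosts are not in lockstep
        while t < duration:
            events.append((t, host))
            t += interval
    events.sort()                                 # FIFO by arrival time
    sent = {h: 0 for h in flows}
    for t, host in events:
        if buckets[host].offer(t, size):
            sent[host] += size
    return sent

if __name__ == "__main__":
    # Two LAN hosts each offering 5 Mbit/s against the thread's 512000 bps / 96000-byte policer.
    flows = {"192.168.1.11": 5_000_000, "192.168.1.12": 5_000_000}
    shared = simulate(flows, 512000, 96000, 2.0)
    per_conn = simulate(flows, 512000, 96000, 2.0, per_flow=True)
    print("one policer for the class (ASA):", shared, "total", sum(shared.values()))
    print("hypothetical per-connection:     ", per_conn, "total", sum(per_conn.values()))
```

Over two seconds the shared policer passes at most burst + 2 s of rate (96000 + 128000 = 224000 bytes) no matter how many hosts send, while the per-connection variant passes that much for each host.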

Author Closing Comment

ID: 39854411
Ahh ok, that's what I was worried about. I was hoping it could do it based on each new connection created, to prevent individual connections from using up the entire available bandwidth.

I guess policing is really used for reining in burstable connections, in keeping with the CIR for things like frame relay connections, and not really for end-user bandwidth control.

Thanks for taking the time to clear that up for me.
