Cisco ASA Bandwidth Control

Posted on 2014-02-11
Medium Priority
Last Modified: 2014-02-12

At my current job we are having issues with making the most out of limited bandwidth.  We were trying Untangle, but this is out of our price range.  

So in the absence of something like untangle, I was thinking that we make the most out of our ASA, which is paid for already.  

I have a CCNA, which I just got recently, but don't have that much actual experience, and ASAs are not really within the scope of that cert anyways.

Based on some googlefoo, I know there are traffic policing and shaping policies that can be configured on this device. The former can be applied to inside and outside, dropping packets if they exceed whatever; the latter is only applicable to the outside interface and depends on RAM for buffering (which I am worried will be overloaded).

This ASA has a lot of pre-existing configurations and provides not only internet access, but VPN access.

I would love to be able to create some kind of rule, policing or shaping, to throttle internal users' connections to the internet (i.e. not affecting LAN access) to only 300 kbits a second of bandwidth each, regardless of what protocol they are using. I.e. the idea being that no one user can saturate the entire connection... which they currently can if the source has more bandwidth than us.

I am looking for a simple command and explanation to do this or an explanation as to why this is not possible and maybe the next best alternative command.  Also, just to confirm which interface would such a rule be applied to?  Internal?  I don't want this to throttle internal LAN communications, just communications to the internet.

Thanks for your help and feedback.
Question by: CnicNV

Expert Comment

ID: 39854085
Firstly, you won't be able to do this on a per user basis.
With that said, you need to first create an extended access list that will:

1. First, deny traffic sourced from your internal subnets to the VPN far-end subnets
2. Second, permit traffic sourced from your internal subnets to the internet

Then you create a class map to match the access list you created.
Then create a policy map to enforce policing at the limit you want to restrict the traffic to.

Example config:

! Deny LAN-to-VPN traffic first so it is excluded from policing.
! The /24 mask is assumed; <VPN_FAR_END_SUBNET> <MASK> is a placeholder for your VPN far-end network.
access-list internet_outbound extended deny ip 192.168.1.0 255.255.255.0 <VPN_FAR_END_SUBNET> <MASK>
! Everything else sourced from the LAN (i.e. internet-bound) is matched and policed.
access-list internet_outbound extended permit ip 192.168.1.0 255.255.255.0 any

class-map internet_limit
 match access-list internet_outbound

policy-map throttle_internet
 class internet_limit
  ! output on the inside interface = traffic toward the LAN = download limit to 512k
  police output 512000 96000 conform-action transmit exceed-action drop
  ! input on the inside interface = traffic from the LAN = upload limit to 256k
  police input 256000 96000 conform-action transmit exceed-action drop

service-policy throttle_internet interface inside


Author Comment

ID: 39854250
Hi Soulja,

What is the purpose of the two ACLs?  I am guessing to not throttle VPN traffic and throttle regular LAN to WAN traffic?

I figured it would not be able to do this on a per user basis as it would need some sort of sophisticated method of using LDAP to correlate with network traffic origin.

So my next question would be, how is this traffic policing command handling traffic? I.e., just to confirm that the connection limit would not be based on the interface globally (i.e. all aggregate traffic through the inside interface limited to d512k/u256k) and that instead it would be, as I am hoping, based on each new connection traversing that interface? I.e., if someone establishes an FTP session, it is limited to d512k/u256k, and then they start streaming a WebEx conference and this is a new stream of d512k/u256k, totaling d1024k/u512k. This is ideal, as I don't want to limit the entire interface to only d512k/u256k.

Expert Comment

ID: 39854281
The ACL is to match the source and destination traffic that will be policed. The reason I deny the first line is because that is the traffic between the VPN subnets.

Basically, all traffic sourcing from the internal subnet headed to the internet would be policed; if it goes over 512k download or 256k upload, the packets will be dropped. This can be one session or multiple sessions. One session could take up the entire 512k, but the point is for the WAN connection to not be saturated by the web traffic.

Author Comment

ID: 39854339
Ok, I think I understand what you're describing.

Let me use an example.  

Let's say my internet connection is actually 10mbits up and down, and I have 100 users. If I apply that policing command you indicated above, will it limit the entire interface's actual bandwidth to 512k download and 256k upload for all traffic combined of those 100 users? If so, that would be worse, in that it would make a 10mbit connection 512kbit.

But I am guessing that what you are saying to me, is that the limit is a per connection limit (one ip to another ip) and that no one connection could use more than this limit individually?  That combined together, the full internet bandwidth on the interface is still 10mbits, and that no one connection is allowed to use all of it?

Thanks for your patience, just trying to make sure 100% that I understand you :-)

Accepted Solution

Soulja earned 2000 total points
ID: 39854359
You can set the policing limit to whatever you want. I just used 512k for an example.

My example would limit the traffic to 512k for only traffic to the internet. This is not a per-session limit but a total limit. The policer will monitor web traffic as a whole. If it starts to exceed 512k, the packets that exceed will be dropped. Being that the default queuing is FIFO, this would be various sources coming from the LAN side to the internet.
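
The behaviour Soulja describes, modelled as an added example that is not part of this thread or of any Cisco code: a token bucket with the conform-rate and burst from the example config above, shared by every flow the class-map matches (aggregate policing, as the accepted answer states), beside a hypothetical per-flow bucket for contrast. The traffic mix is constructed; the flow names and the 2 Mbit/s FTP and 200 kbit/s WebEx rates are assumptions.

```python
# Token-bucket model of the ASA 'police' command discussed above.
# Added example, not from the thread or Cisco. One bucket is shared by the whole
# class-map (aggregate, what the ASA does); per_flow mode is a hypothetical contrast.
from collections import defaultdict

RATE_BPS = 512_000     # conform-rate in bits/s, from the thread's example
BURST_BYTES = 96_000   # burst-size in bytes, from the thread's example


class TokenBucket:
    def __init__(self, rate_bps, burst_bytes):
        self.rate_bytes = rate_bps / 8     # refill, bytes per second
        self.burst = burst_bytes           # cap on accumulated tokens
        self.tokens = float(burst_bytes)   # a fresh policer starts with a full bucket
        self.last = 0.0

    def offer(self, t, size):
        """True = conform-action transmit, False = exceed-action drop."""
        self.tokens = min(self.burst, self.tokens + (t - self.last) * self.rate_bytes)
        self.last = t
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False


def simulate(packets, per_flow=False):
    """packets: iterable of (time_s, flow_id, bytes). Returns bytes transmitted per flow."""
    shared = TokenBucket(RATE_BPS, BURST_BYTES)
    own = defaultdict(lambda: TokenBucket(RATE_BPS, BURST_BYTES))
    sent = defaultdict(int)
    for t, flow, size in sorted(packets):
        bucket = own[flow] if per_flow else shared
        if bucket.offer(t, size):
            sent[flow] += size
    return dict(sent)


def constructed_traffic(seconds=10):
    """Constructed sample: a greedy FTP download (~2 Mbit/s) plus a 200 kbit/s WebEx stream."""
    pkts = []
    for ms in range(seconds * 1000):
        if ms % 6 == 0:    # 1500 B every 6 ms  = 2 Mbit/s
            pkts.append((ms / 1000, "ftp", 1500))
        if ms % 40 == 0:   # 1000 B every 40 ms = 200 kbit/s
            pkts.append((ms / 1000, "webex", 1000))
    return pkts
```

Run `simulate(constructed_traffic())` against `simulate(constructed_traffic(), per_flow=True)`: with the shared bucket the combined throughput stays near 512 kbit/s and the WebEx stream loses packets whenever the FTP transfer has drained the bucket, while a per-flow bucket would pass every WebEx packet.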

Author Closing Comment

ID: 39854411
ahh ok, that's what I was worried about.  I was hoping it could do it based on each new connection created to prevent individual connections from using up the entire available bandwidth.  

I guess policing is really used for reining in burstable connections in keeping with the CIR for things like frame relay connections and not really for end user bandwidth control.

Thanks for taking the time to clear that up for me.
