
Cisco ASA Bandwidth Control


At my current job we are having issues with making the most out of limited bandwidth.  We were trying Untangle, but this is out of our price range.  

So in the absence of something like untangle, I was thinking that we make the most out of our ASA, which is paid for already.  

I have a CCNA, which I just got recently, but don't have that much actual experience and ASA's are not really within the scope of that cert anyways.  

Based on some googlefoo, I know there are traffic policing and shaping policies that can be configured on this device.  The former can be applied to inside and outside, dropping packets if they exceed whatever; the latter is only applicable to the outside interface and dependent on RAM for buffering (which I am worried will be overloaded).

This ASA has a lot of pre-existing configurations and provides not only internet access, but VPN access.

I would love to be able to create some kind of rule, policing or shaping, to throttle internal users' connections to the internet (i.e. not affecting LAN access) to only 300 kbits a second of bandwidth each, regardless of what protocol they are using.  The idea being that no one user can saturate the entire connection...which they currently can if the source has more bandwidth than us.

I am looking for a simple command and explanation to do this or an explanation as to why this is not possible and maybe the next best alternative command.  Also, just to confirm which interface would such a rule be applied to?  Internal?  I don't want this to throttle internal LAN communications, just communications to the internet.

Thanks for your help and feedback.
1 Solution
Firstly, you won't be able to do this on a per user basis.
With that said, you need to first create an extended access list that will

1. first deny traffic sourced from your internal subnets to the vpn far end subnets
2. Second permit traffic sourced from your internal subnets to the internet

Then you create a class map to match the access list you created.
Then create a policy map to enforce policing at the limit you want to restrict the traffic to.

Example config:

! 192.168.1.0/24 is assumed to be the internal subnet; replace VPN_FAR_END_SUBNET
! and VPN_FAR_END_MASK with your VPN far-end network and mask (placeholders)
access-list internet_outbound extended deny ip 192.168.1.0 255.255.255.0 VPN_FAR_END_SUBNET VPN_FAR_END_MASK
access-list internet_outbound extended permit ip 192.168.1.0 255.255.255.0 any

class-map internet_limit
 match access-list internet_outbound

policy-map throttle_internet
 class internet_limit
  ! output on the inside interface = traffic towards the LAN (download limit to 512k)
  police output 512000 96000 conform-action transmit exceed-action drop
  ! input on the inside interface = traffic from the LAN (upload limit to 256k)
  police input 256000 96000 conform-action transmit exceed-action drop

service-policy throttle_internet interface inside

CnicNV (Author) commented:
Hi Soulja,

What is the purpose of the two ACLs?  I am guessing to not throttle VPN traffic and throttle regular LAN to WAN traffic?

I figured it would not be able to do this on a per user basis as it would need some sort of sophisticated method of using LDAP to correlate with network traffic origin.

So my next question would be, how is this traffic policing command handling traffic?  I.e., just to confirm that the connection limit would not be based on the interface globally, i.e. all aggregate traffic through the inside interface would be limited to d512k/u256k, and that instead it would be, as I am hoping, based on each new connection traversing that interface?  I.e., if someone establishes an FTP session, it is limited to d512k/u256k, and then they start streaming a webex conference and this is a new stream of d512k/u256k, totaling d1024k/u512k.  This is ideal, as I don't want to limit the entire interface to only d512k/u256k.

The ACL is to match the source and destination traffic that will be policed. The reason I deny the first line is because that is the traffic between the vpn subnets.

Basically all traffic sourcing from the internal subnet headed to the internet would be policed; if it goes over 512k download or 256k upload the packets will be dropped.  This can be one session or multiple sessions. One session could take up the entire 512k, but the point is for the wan connection to not be saturated by the web traffic.
CnicNV (Author) commented:
Ok, I think I understand what you're describing.

Let me use an example.  

Let's say my internet connection is actually 10mbits up and down, and I have 100 users.  If I apply that policing command you indicated above, will it limit the entire interface's actual bandwidth to 512k download and 256k upload for all traffic combined of those 100 users?  If so, that would be worse, in that it would make a 10mbit connection 512kbit.

But I am guessing that what you are saying to me, is that the limit is a per connection limit (one ip to another ip) and that no one connection could use more than this limit individually?  That combined together, the full internet bandwidth on the interface is still 10mbits, and that no one connection is allowed to use all of it?

Thanks for your patience, just trying to make sure 100% that I understand you :-)
You can set the policing limit to whatever you want. I just used 512k for an example.

My example would limit the traffic to 512k for only traffic to the internet. This is not a per session limit but a total limit. The policer will monitor web traffic as a whole. If it starts to exceed 512k, the packets that exceed will be dropped. Being that the default queuing is FIFO, this would be various sources coming from the lan side to the internet.
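To make the aggregate-versus-per-connection distinction concrete, here is an added Python model of a single-rate token-bucket policer using the 512000 bit/s rate and 96000-byte burst from the config above. It is an added example, not code from the thread or from Cisco; the two flows it polices (host-a:ftp, host-b:webex) are constructed, and the per_flow=True mode is a hypothetical per-connection limit included only for contrast, since the answer states the ASA policer does not work that way.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    t: float     # arrival time in seconds
    flow: str    # constructed connection label
    size: int    # bytes

class TokenBucketPolicer:
    """Single-rate policer: the bucket refills at rate_bps up to burst_bytes,
    and a packet passes only if the bucket holds at least its size in bytes."""
    def __init__(self, rate_bps, burst_bytes):
        self.rate = rate_bps / 8.0         # refill in bytes per second
        self.burst = burst_bytes
        self.tokens = float(burst_bytes)   # bucket starts full
        self.last = 0.0

    def police(self, pkt):
        self.tokens = min(self.burst, self.tokens + (pkt.t - self.last) * self.rate)
        self.last = pkt.t
        if pkt.size <= self.tokens:
            self.tokens -= pkt.size
            return "transmit"              # conform-action transmit
        return "drop"                      # exceed-action drop

def run(packets, rate_bps=512000, burst_bytes=96000, per_flow=False):
    """Return ({flow: {"transmit": n, "drop": n}}, bytes passed).
    per_flow=False is the ASA behaviour described above: one bucket for all
    traffic matching the class. per_flow=True is a hypothetical per-connection
    limit, included only to show how much it differs."""
    buckets, stats, passed = {}, {}, 0
    for p in sorted(packets, key=lambda x: x.t):
        key = p.flow if per_flow else "all"
        pol = buckets.setdefault(key, TokenBucketPolicer(rate_bps, burst_bytes))
        verdict = pol.police(p)
        stats.setdefault(p.flow, {"transmit": 0, "drop": 0})[verdict] += 1
        passed += p.size if verdict == "transmit" else 0
    return stats, passed

def constructed_traffic():
    """Constructed input: host-a pulls 1500-byte packets at 1 Mbit/s for 4 s;
    host-b starts a second 1 Mbit/s stream at t=2 s. Each exceeds 512 kbit/s alone."""
    gap = 1500 * 8 / 1_000_000   # 0.012 s between packets = 1 Mbit/s
    pkts = []
    for i in range(int(4 / gap)):
        t = i * gap
        pkts.append(Packet(t, "host-a:ftp", 1500))
        if t >= 2.0:
            pkts.append(Packet(t + gap / 2, "host-b:webex", 1500))
    return pkts
```

With the shared bucket, host-a alone already drains the burst after about 1.5 s, and once host-b starts both flows see drops while the total passed stays at roughly burst + rate × elapsed time; the per-flow variant passes far more, which is the behaviour the ASA policer does not provide.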
CnicNV (Author) commented:
ahh ok, that's what I was worried about.  I was hoping it could do it based on each new connection created to prevent individual connections from using up the entire available bandwidth.  

I guess policing is really used for reining in burstable connections in keeping with the CIR for things like frame relay connections and not really for end user bandwidth control.

Thanks for taking the time to clear that up for me.
