Internet Traffic

Unanswered Question
Jul 8th, 2008

Please advise!!!

Here is the network diagram:

T3--> Router A ---> ASA firewall ---> Router B ---> Switch

We want to create one subnet for customer-only internet access, but we would like to limit the outbound/inbound traffic to 512K. We don't have any third-party programs to manage it. Is there any way we can configure the Cisco equipment so that we only allow 512K bandwidth for customers?

Giuseppe Larosa Tue, 07/08/2008 - 12:04

Hello Ken,

The answer is yes, for the outbound direction only.

Once your customers have an IP subnet, you can use modular QoS to provide this.

You can use a shaper that will delay packets if they exceed the BW limit.

You could also use a policer, but in this case exceeding packets are usually dropped, so this is much more aggressive.

Take into account that usually more bandwidth is used in the downstream inbound direction, which is under the control of your internet ISP.

So an outgoing limit of 128 kbps could help in reducing BW used in inbound.

A good starting point is the following link

for class based shaping

let's suppose this customer subnet is

access-list 133 permit any

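! classify packets permitted by ACL 133
class-map customer-traffic
 match access-group 133

! shape the class to 128000 bps with a 16000-bit committed burst
policy-map shape_customer_outbound
 class customer-traffic
  shape average 128000 16000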

let's suppose that gi0/0 is the outgoing interface of the internal router connecting to ASA

int gi0/0


shape_customer_outbound out

of course you may need to tune this !

hope to help


Giuseppe Larosa Tue, 07/08/2008 - 12:08


I made two typing mistakes:

access-list 133 permit ip any

int gi0/0
 service-policy output shape_customer_outbound

hope to help
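
An added illustration, not part of the original thread and not Cisco's implementation: a simplified token-bucket model in Python that runs the same burst through a policer and a shaper using the values from "shape average 128000 16000". The packet burst is constructed sample data, and the model assumes continuous token refill and ignores excess burst (Be).

```python
"""Shaper vs. policer on one burst: simplified continuous token bucket, no Be."""

CIR_BPS = 128_000  # committed rate in bits/s, from "shape average 128000 16000"
BC_BITS = 16_000   # committed burst in bits, so Tc = Bc / CIR = 0.125 s

# Constructed sample traffic: ten 1000-byte packets, one every 10 ms (800 kbps offered).
BURST = [(i / 100, 8_000) for i in range(10)]  # (arrival time in s, size in bits)


def police(packets, cir=CIR_BPS, bc=BC_BITS):
    """Policer: packets that find too few tokens are dropped. Returns (sent, dropped)."""
    tokens, last = float(bc), 0.0
    sent, dropped = [], []
    for arrival, bits in packets:
        tokens = min(bc, tokens + (arrival - last) * cir)  # refill since last packet
        last = arrival
        if bits <= tokens:
            tokens -= bits
            sent.append((arrival, bits))
        else:
            dropped.append((arrival, bits))
    return sent, dropped


def shape(packets, cir=CIR_BPS, bc=BC_BITS):
    """Shaper: packets wait in a FIFO for tokens. Returns [(arrival, departure, bits)]."""
    tokens, clock = float(bc), 0.0  # clock = time of the previous departure
    out = []
    for arrival, bits in packets:
        start = max(arrival, clock)  # cannot overtake the packet ahead
        tokens = min(bc, tokens + (start - clock) * cir)
        if bits > tokens:  # hold the packet until enough tokens accrue
            start += (bits - tokens) / cir
            tokens = 0.0
        else:
            tokens -= bits
        clock = start
        out.append((arrival, start, bits))
    return out


if __name__ == "__main__":
    sent, dropped = police(BURST)
    shaped = shape(BURST)
    print(f"policer: {len(sent)} sent, {len(dropped)} dropped")
    worst = max(dep - arr for arr, dep, _ in shaped)
    print(f"shaper: {len(shaped)} sent, 0 dropped, worst delay {worst:.3f} s")
```

With this burst the policer forwards 3 packets and drops 7, while the shaper forwards all 10 but the last one leaves at 0.5 s, about 0.41 s after it arrived.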


kzhen Tue, 07/08/2008 - 12:22

Hi Giuseppe,

Thank you so much for your help! Is there any way we can set a policy in the ASA to manage the inbound traffic, like configuring the ASA interface that is connected to Router B?



kzhen Tue, 07/08/2008 - 12:32

Hi Giuseppe,

Whoops, here is our real network diagram:

T3--> Router A ---> ASA firewall ---> Router B ---> the cloud ISP ---> Router C---> Switch

The new subnet will be created in Router C. I believe all the configuration you provided will be applied in Router C. Can I configure Router B to manage inbound traffic even though Router B and C need to join the AT&T cloud?



Giuseppe Larosa Wed, 07/09/2008 - 08:27


What really counts is how much bandwidth is used on the T3 WAN link by the customer subnet users.

Unfortunately, only the ISP can control the amount of BW used in the downstream direction. So policing or shaping on the ASA can be done but does not avoid the BW usage on T3.

You can apply the policy map on the RouterB interface to the ASA; IP addresses don't change at every router hop (if you don't do NAT and before NAT).

Instead, if you want to save BW on the cloud between Router B and Router C, I agree that you should apply the shaper on RouterC. You can also try to do something on the RouterB to RouterC interface, too.

You have an ISP (AT&T) providing you a service to connect Router B and Router C.

These QoS features don't disturb your routing configuration to/from the ISP cloud.

List your requirements and then you can make the best choice.

What do you want to control: T3 BW usage and/or RB to RC BW usage? This is the question.

hope to help


