Rate Limiting/Policing

Unanswered Question
Sep 16th, 2008

I am trying to determine the best place to limit traffic. I have a host on a 6509 that replicates data to another host on the other end of a site-to-site VPN:

HOST>ASA5520>20mb Internet---10mb Internet>ASA5520>HOST

I would like to limit the rate to 8 Mbps during business hours.

Where is the best place to apply the policy?


satish_zanjurne Tue, 09/16/2008 - 05:37

Because policing drops packets, resulting in retransmissions, it is recommended for use on higher-speed interfaces.

So it will be better if you apply the policy on the 20 Mbps connection.

HTH... rate if helpful...

Marwan ALshawi Tue, 09/16/2008 - 06:04

I would say you need to make the limit as close to the source as possible, so if it is on the 20 M side then make it on that ASA, on the outside interface, in the outbound direction.

Also, for a specific time, you can do the trick with a time-based ACL that matches the traffic to be policed.

And the following link will help you a lot with ASA config:


good luck

If helpful, rate.

Joseph W. Doherty Tue, 09/16/2008 - 06:08

As close to the sending host as possible. For instance, a policer on the 6509. Ideally one with a time-based ACL, if supported.

Marwan ALshawi Tue, 09/16/2008 - 06:13

Hi Joseph, that's exactly what I meant by the word "source" :)

As he said replication, the sending host will be the source of the replication!

gizbri Tue, 09/16/2008 - 06:48

Thanks for all the replies.

It looks like the best place for the policy is on the 6509 where the host is connected. Should I do a rate-limit or shaping? From what I understand, traffic shaping results in fewer dropped packets?

Joseph W. Doherty Tue, 09/16/2008 - 07:27

Shaping usually results in fewer dropped packets because of its default buffering. Policing can provide about the same drop rate, but the default burst sizes often need to be adjusted. However, shaping also offers the advantage that the bandwidth hog's packets are "metered" into the other traffic, whereas policing will allow bursts through.

I.e., if available, I would prefer shaping. Unsure how extensive a 6500's shaping features are. Also, generally you can only shape outbound, but you can often police either inbound or outbound.


If your devices support it, it's possible to both police early to control the sender's transmission rate via policing and later manage possible congestion with a shaper or other queuing.


For another approach, if instead of 8 Mbps, 10 Mbps was acceptable, you might also configure Ethernet at 10 Mbps on the source's Ethernet port. (Might even be doable with timed scripts.)
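
The configuration below is an added example, not something posted in the thread, putting the advice above together: an inbound policer on the 6509 port facing the sending host, matched by a time-based ACL so it only takes effect during business hours, with the normal burst sized for the rate rather than left at the platform default. Host addresses, the port, the business-hours window and the burst value are all assumptions; time-range support on hardware policers varies by platform and software, which is the "if supported" caveat from the replies, so verify on the actual 6500 before relying on it.

```cisco
! Catalyst 6500 IOS, added example (not from the original thread)
! Enable QoS processing on the PFC; without this the policer is not programmed
mls qos
!
! Business hours window (assumed: weekdays 08:00-18:00, switch local time)
time-range BUSINESS-HOURS
 periodic weekdays 8:00 to 18:00
!
! Match only the replication flow, sender to remote host (addresses are placeholders)
ip access-list extended REPLICATION-BUSINESS
 permit ip host 10.1.1.10 host 10.2.2.10 time-range BUSINESS-HOURS
!
class-map match-all REPLICATION
 match access-group name REPLICATION-BUSINESS
!
! 8 Mbps; normal burst set to roughly 1.5 s worth of the rate (1,500,000 bytes)
! so TCP is metered down gradually instead of being hammered by a tiny default burst
policy-map LIMIT-REPLICATION
 class REPLICATION
  police 8000000 1500000 conform-action transmit exceed-action drop
!
! Apply inbound on the host-facing port: the point closest to the source
interface GigabitEthernet1/1
 description Replication host
 service-policy input LIMIT-REPLICATION
```

Outside the time range the ACE does not match, so replication runs unpoliced. If shaping is preferred, as the reply above suggests, the same class and ACL can be reused in an outbound policy with `shape average 8000000` in place of the `police` line, but that has to be applied in the outbound direction on a platform whose interface supports shaping. Check with `show policy-map interface` that the class is actually catching traffic and that exceed drops look reasonable before trusting the burst value.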

Joseph W. Doherty Tue, 09/16/2008 - 07:12

Marwan, yup, I understood what you meant, but from your second post, I presume you didn't realize I didn't see your post until after I had posted mine. I had considered, after seeing yours, adding a postscript acknowledgment of your post to my post, but figured the close post times, 4 minutes, showed what likely happened (i.e., I'm a slow typist).

Another reason I didn't amend my post: I thought there was some value in my suggesting doing the policing on the 6509, rather than later downstream, such as your suggestion of policing on the ASA's outside interface.

Of course, it's likely bandwidth is less an issue until you get closer to the WAN bottleneck, but in principle, I'm sure you'll agree that perhaps an (inbound) policer on the 6509 would be even closer to the source, as described in the OP.
