ASA, apply rate limit to a specific subnet.

andrea.meconi
Level 2

Hello all.

I need to apply a rate limit on an ASA firewall when a specific subnet connects to the Internet.

Thanks for the help.

Andrea


Jon Marshall
Hall of Fame

Andrea

Assuming 192.168.5.0/24 is the subnet -

access-list rate_subnet permit ip 192.168.5.0 255.255.255.0 any
class-map rate_subnet
 match access-list rate_subnet
policy-map rate_qos
 class rate_subnet
  police output <conform-rate-bps>
service-policy rate_qos interface outside

See this link for full details -

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008084de0c.shtml

Jon

Hi Jon and many many thanks for your help.

I have another question.

I understand that 192.x.x.x is the pre-NAT subnet. Because the service policy is applied only in the output direction, I do not understand how the ACL can match inbound (traffic from the Internet)!

Regards.

Andrea.

Andrea

From the doc I sent -

"Note: Policing is applied only in the output direction"

So you cannot police inbound on the ASA.

Jon

Be patient Jon...

So I'm not able to apply a rate limit to a file transfer from Internet!?

Andrea

"Be patient Jon"

Sorry Andrea, didn't mean to come across as impatient :-).

You can rate-limit the outgoing traffic but not the incoming traffic from the Internet. Actually, strictly speaking, you could rate-limit the incoming traffic from the Internet with a service policy outbound on your inside interface, but this isn't helpful as the traffic will already have come across your Internet link and used up bandwidth.

If you want to rate-limit inbound you would need to talk to your ISP.

Jon
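Added example, not part of the original posts or of Cisco's documentation: the two output-direction policies discussed in the thread written out side by side, one on the outside interface for uploads and one on the inside interface for downloads. Assumptions: the interface names outside and inside, the 2000000 bps rate and the *_up / *_down object names are constructed for illustration; 192.168.5.0/24 is the subnet used in the thread.

```cisco
! Constructed example. Rate value and *_up / *_down names are assumptions.

! Upload: traffic sourced from the subnet, policed as it leaves
! the outside interface (the case from the first reply).
access-list rate_subnet_up extended permit ip 192.168.5.0 255.255.255.0 any
class-map rate_subnet_up
 match access-list rate_subnet_up
policy-map rate_qos_outside
 class rate_subnet_up
  ! conform rate in bits per second; burst and actions left at defaults
  police output 2000000
service-policy rate_qos_outside interface outside

! Download: traffic destined to the subnet, policed as it leaves
! the inside interface. Excess packets are dropped only after they
! have already crossed the Internet link, so this caps what the
! subnet receives but does not free bandwidth on that link.
access-list rate_subnet_down extended permit ip any 192.168.5.0 255.255.255.0
class-map rate_subnet_down
 match access-list rate_subnet_down
policy-map rate_qos_inside
 class rate_subnet_down
  police output 2000000
service-policy rate_qos_inside interface inside
```

After applying, `show service-policy police` lists the conformed and exceeded counters for each class, which shows whether the ACLs are matching the intended flows.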
