Setup Bandwidth Limit on V-Lans

Unanswered Question
Jun 8th, 2009

Hi, I am wondering how to set up the bandwidth limit on the following V-LANs. We have a 2 MBPS 1:1 leased line and the download speed comes to a max of 180 to 200 KB.

1) NOC (

2) DEV (

3) QA (

4) Tech(

Now, the Internet is on, and when users download anything from any of the V-LANs it consumes a lot of bandwidth, which could result in the network getting choked, and it affects business production activities. Now I want to set up a limited bandwidth for each entire V-LAN, like assigning only up to 30kb downloading for the QA V-LAN and the same for the others except the NOC V-LAN. Can anyone suggest whether it is possible? I know it can be done by QoS, but I am not very proficient in QoS commands, so I would request the experts to please explain briefly with commands, if possible.



Pravin Phadte Wed, 06/10/2009 - 02:31

I would suggest QoS or rate-limit; that would be the easy way to get this done.

If this is a router or switch. If it is an ASA, you will have to do QoS.

BrinksArgentina Thu, 06/11/2009 - 04:50

With this config, QA VLAN will get only 30KB, but the usage of WAN link may be bigger, because you can only limit traffic when egress from ASA.

access-list traffic_QA extended permit ip any

class-map traffic_QA
 match access-list traffic_QA

policy-map limit_QA_out
 class traffic_QA
  police output 30000 60000

service-policy limit_QA_out interface VL_QA


Please rate all the helpful comments.

ray_stone Thu, 06/11/2009 - 23:13

Hi, Thank you for your responses.

"but the usage of WAN link may be bigger, because you can only limit traffic when egress from ASA"

I didn't understand the meaning of the above sentence. Can you pls explain it briefly?


BrinksArgentina Fri, 06/12/2009 - 06:18

QoS for inbound traffic

OK, I reviewed everything, did some testing, and finally found how this must be done.

Yes, you CAN throttle down inbound traffic.

The only consideration is that you must specify the outside address, so you must create a different pool for each VLAN.

global (outside) 1
global (outside) 2

nat (NOC) 1
nat (QA) 2

access-list traffic_wwwNOC extended permit ip any host
access-list traffic_wwwQA extended permit ip any host

class-map class_wwwNOC
 match access-list traffic_wwwNOC

class-map class_wwwQA
 match access-list traffic_wwwQA

policy-map limit_outside
 class class_wwwNOC
  police input 1500000 60000

 class class_wwwQA
  police input 300000 30000

service-policy limit_outside interface outside


Please rate all the helpful comments.

ray_stone Fri, 06/12/2009 - 23:32

Hi, If I am using below commands in my configuration:

global (outside) 1 interface outside

global (outside) 2 interface outside

What commands need to be changed?

Pls explain.

BrinksArgentina Sat, 06/13/2009 - 14:06

You need a public address for each VLAN with a different policy shaping.

For instance, if your outside ip address is, you can use:

global (outside) 1 interface outside
global (outside) 2

access-list traffic_wwwNOC extended permit ip any host
access-list traffic_wwwQA extended permit ip any host

For the global pool, you can use an address currently used for PAT. For example, if you have something like this:

static (inside,outside) tcp 80 80 netmask

... this is not a problem.

Which is the netmask of your public address?

Please note that I made a mistake in the ACL of the previous post. Each ACL must point to the corresponding public address of the global pool.


Please rate all the helpful comments.

ray_stone Thu, 08/06/2009 - 05:04


We have 2mbps link and 4 vlans are placed on ASA FW.

1) NOC

2) QA

3) Tech

4) DEV

Now I want to set the download speed to 30 kb for the entire V-LAN. I want to allow 150 KB bandwidth for the QA V-LAN for STS DC Tunnel. I want to allow 150 KB bandwidth for the Techsol V-LAN for the host which is placed Sterling STS Tunnel.

Pls. explain the commands. Thanks

BrinksArgentina Fri, 08/07/2009 - 04:13

How many public IP addresses do you have?

You need a /28 at least. One public IP for each global nat pool.


BrinksArgentina Sun, 08/09/2009 - 16:13

Have you tested the previously posted commands?

(replace 200.1.1.x with your public address)

global (outside) 1
global (outside) 2

nat (NOC) 1
nat (QA) 2

access-list traffic_wwwNOC extended permit ip any host
access-list traffic_wwwQA extended permit ip any host

!identify traffic:
class-map class_wwwNOC
 match access-list traffic_wwwNOC

class-map class_wwwQA
 match access-list traffic_wwwQA

!apply different shaping to each class of traffic:
policy-map limit_outside
 class class_wwwNOC
  police input 1500000 60000

 class class_wwwQA
  police input 300000 30000

!enable service-policy on the interface:
service-policy limit_outside interface outside
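Added example, not part of any post in this thread and not Cisco code: a simplified single-rate token-bucket model of what a line such as `police input 300000 30000` does to a download that fills the 2 Mbps link. The function names and the constant 1500-byte packet stream are assumptions made for the illustration; the model shows how much traffic still arrives on the outside interface compared with what is forwarded to the VLAN.

```python
# Simplified token-bucket policer (assumed model, not the ASA implementation).
# As in the ASA `police` command, the rate is in bits/s and the burst in bytes.

def police(packets, rate_bps, burst_bytes):
    """packets: list of (arrival_time_s, size_bytes), sorted by time.
    Returns (conformed_bytes, dropped_bytes)."""
    tokens = float(burst_bytes)          # bucket starts full
    last = 0.0
    conformed = dropped = 0
    for t, size in packets:
        # Refill at rate_bps/8 bytes per second, capped at the burst size.
        tokens = min(burst_bytes, tokens + (t - last) * rate_bps / 8)
        last = t
        if size <= tokens:
            tokens -= size               # conform: forward the packet
            conformed += size
        else:
            dropped += size              # exceed: drop the packet
    return conformed, dropped


def constant_stream(link_bps, seconds, size=1500):
    """Constructed sample input: back-to-back packets filling the link."""
    interval = size * 8 / link_bps
    return [(i * interval, size) for i in range(int(seconds / interval))]


def summarize(link_bps=2_000_000, rate_bps=300_000, burst=30_000, seconds=10):
    ok, drop = police(constant_stream(link_bps, seconds), rate_bps, burst)
    return {
        # Traffic that crossed the WAN link and reached the outside interface.
        "offered_kbps": (ok + drop) * 8 / seconds / 1000,
        # Traffic the policer let through to the VLAN.
        "delivered_kbps": ok * 8 / seconds / 1000,
        "dropped_pct": round(100 * drop / (ok + drop), 1),
    }


if __name__ == "__main__":
    print(summarize())
```

In this model the policed class receives roughly the configured rate, while the dropped packets had already used the WAN link before they reached the policer.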

