Solved: Bandwidth Throttling on ASA question

marcosgeorgopoulos · ‎06-10-2010

Hi All,

I have a question regarding Throttling Bandwidth on an ASA 5510.

Lets say for simplicities sake I Have two physical interfaces connected.

OUTSIDE - Connects to my ISP.

Inside - with 2 subinterfaces connected.
192.168.1.1/24 VLAN 5
10.10.1.1/24 VLAN 10

Now what I want to do is restrict the bandwidth to and from the 192.168.1.1/24 network to 2mb/s

and

limit the bandwidth to and from the 10.10.1.1/24 network to 1mb/s.

NOTE: The two internal networks cannot talk to each other.

Now I understand I can do something like this say for the 192.168.1.0/24 network.

access-list 2mbs_throttle extended permit ip host 1.1.1.1 any
access-list 2mbs_throttle extended permit ip any host 1.1.1.1
access-list 2mbs_throttle extended permit ip host 1.1.1.2 any
access-list 2mbs_throttle extended permit ip any host 1.1.1.2

where 1.1.1.1 is the 192.168.1.0's PAT'd address AND 1.1.1.2 is an internal servers NAT'ed (via a STATIC) public address.

class-map cm_2mb_throttle
match access-list 2mbs_throttle

policy-map restrict-bandwidth-policy
class cm_2mb_throttle
police output 2000000 2000
police input 2000000 2000

service-policy restrict-bandwidth-policy interface outside

Does this look correct?

Is this restricting the total size of the servers NAT'ed behind 1.1.1.1 and 1.1.1.2 to 2mb/s with a small burst?

Also is there a better way of doing this? Could I somehow apply this policy to the VLANs?

Any help is very much appreciated.

Cheers.

Panos Kampanakis · ‎06-11-2010

No no, if the links are full duplex you have 2Mbps in each dirrection at the same time, so it is 2Mbps bidirectional.

That is what I meant.

I hope it makes sense.

PK

View solution in original post

francisco_1 · ‎06-10-2010

Marcos,

See this http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008084de0c.shtml

marcosgeorgopoulos · ‎06-10-2010

Thanks I've seen that document.

I was asking if someone could help with my specific questions.

Panos Kampanakis · ‎06-10-2010

Geia sou Marco,


Does this look correct?

Yes.

Is this restricting the total size of the 
servers NAT'ed behind 1.1.1.1 and 1.1.1.2 to 2mb/s with a small burst?

Note that you are giving 2Mbps up and down to the servers.

Also is 
there a better way of doing this? Could I somehow apply this policy to 
the VLANs?

Probably not. You can be more explicit on how much you want servers to upload and download but that is it.

I am not sure what you mean by "apply to the VLANs. You can apply it to traffic matches in the class-map. So you can do it for traffic matching vlan subnets.

I hope it helps.

PK

marcosgeorgopoulos · ‎06-10-2010

Hi PK,

Many thanks for yout informative reply.

I have just one further question based on your response

"Note that you are giving 2Mbps up and down to the servers."

Does this mean if I had a 10meg pipe that theoretically that subnet could use up to 4mbs? ie. 2mbs up + 2mb down?

Can you suggest a way that I could limit the total to 2mbs?

I don't want the subnet to be able to exceed 2mbs in total, but don't wont to restrict them to 1mbs up and 1mbs down

cheers.

Panos Kampanakis · ‎06-11-2010

No no, if the links are full duplex you have 2Mbps in each dirrection at the same time, so it is 2Mbps bidirectional.

That is what I meant.

I hope it makes sense.

PK