Traffic Rate Limiting on Cisco ASA 5510?

Unanswered Question
Sep 7th, 2010

We have internet bandwidth 4/4 Mbps on outside interface. To inside  interface are coming few internal network. How to limit internet  bandwith usage for let's say 10.1.103.0/24 network to use 100/100 kbps.  We tried as shown below but without luck. If we create subinterfaces for  each vlan, we can apply policy on interfaces and that's working, but  now we must do that ont few internal networks coming to ASA on inside  interface.

Are we apply traffic shaping (limit the flow of traffic) or traffic policing (traffic that exceeds the speed limit on the interface is dropped) and what about burst

size? What is policing output and input? Why isn't this working?

name 10.1.103.0 WirelessPrivate description WirelesusersPrivate

access-list rate-limit-wireless extended permit ip WirelessPrivate 255.255.255.0 interface outside

class-map rate-limit
  match access-list rate-limit-wireless

policy-map limit-policy
  class rate-limit
   police output 100000 8000
   police input 100000 8000

service-policy limit-policy interface outside

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Average Rating: 5 (3 ratings)
sachinga.hcl Tue, 09/07/2010 - 09:17

Hi Dejan,

This configuration will not work as the rate limiting is not bidirectional and the other thing it should be configured on your inside interface but in your case you have rate limiting configured it on your outside  interface. If you want this to enable on your all the interface then apply service policy onto global . So that this way the policy map will be applied to all the interfaces.

To activate the policy map on one or more interfaces, enter the following command:

hostname(config)# service-policy policymap_name {global | interface interface_name}


Where global applies the policy map to all interfaces, and interface applies the policy to one interface. Only one global policy is allowed. Interface service policies take precedence over the global service policy for a given feature.

For example, if you have a global policy with inspections, and an interface policy with TCP normalization, then both inspections and TCP normalization are applied to the interface. However, if you have a global policy with inspections, and an interface policy with inspections, then only the interface policy inspections are applied to that interface.

With the new modular policy framework (MPF) introduced in ASA versions 7.x and 8.x, the firewall administrator is now able to apply policing and rate limiting to traffic passing through the ASA appliance. I got a few questions from people how this functionality works and decided to throw in a quick example below which you can easily modify accordingly to match your needs.

Scenario:

We want to rate limit a local internal host when accessing a specific external public server. The local host is 192.168.1.10 and the external public server is 100.100.100.1. We need to limit the traffic to 100kbps and burst size 8000.

Configuration Snippet:

ASA(config)#access-list rate-limit-acl extended permit ip host 192.168.1.10 host 100.100.100.1

ASA(config)#class-map rate-limit
ASA(config-cmap)#match access-list rate-limit-acl

ASA(config)#policy-map limit-policy
ASA(config-pmap)#class rate-limit
ASA(config-pmap-c)#police output 100000 8000

ASA(config)#service-policy limit-policy interface outside

For detail in this regard Kindly go through the following referencce page for all the configuration related information for Bandwidth Management(Rate Limit) Using QoS Policies

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008084de0c.shtml#rate

For configuring the rate limits through ASDM kindly go through the following link:

http://flylib.com/books.php?ln=en&n=2&p=464&c=186&p1=1&c1=1&c2=231&view=1

On Cisco ASA 8.x find th following:

http://www1.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_qos.html

http://www1.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_qos.html#wp1075478

HTH

Sachin Garg

Message was edited by: sachinga.hcl

Message was edited by: sachinga.hcl

DejanMilicevic Wed, 09/08/2010 - 12:45

ASA config is below and bandwith limit is 512/512 kbit/s. With any  combination using policy on outside/inside interface and input/output  (single or both) it doesn't work? Any suggestions?

ASA Version 8.2(2)
!
hostname  ASAfirewall
enable password jbzGGb3hW4EV5FGM encrypted
passwd  2KFQnbNIdI.2KYOU encrypted
names
name 10.1.101.0 LAN description  VlanPC
name 10.1.100.0 Switches description Switches
name  10.1.103.0 WirelessPrivate description WirelesusersPrivate
dns-guard
!
interface  Ethernet0/0
no nameif
no security-level
no ip address
!
interface  Ethernet0/0.1
vlan 51
nameif outside
security-level 0
ip address 94.247.XXX.XXX 255.255.255.252
!
interface Ethernet0/1
no nameif
no security-level
no ip address
!
interface  Ethernet0/1.1
vlan 110
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.252
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface  Ethernet0/3
shutdown
no nameif
no security-level
no ip  address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
banner exec * WARNING *
banner exec IF YOU  ARE NOT AUTHORISED TO ACCESS THIS SYSTEM EXIT IMMEDIATELY!
boot  system disk0:/asa822-k8.bin
ftp mode passive
clock timezone CEST 1
clock  summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns  domain-lookup outside
dns domain-lookup inside
dns domain-lookup  management
same-security-traffic permit inter-interface
same-security-traffic  permit intra-interface
object-group network Lan
description VLAN  PC
object-group network NETWORK_OBJ_192.168.100.0_25
object-group  network PCtoNetGroup
object-group network Net
access-list 101  extended permit icmp any any echo
access-list 101 extended permit  icmp any any unreachable
access-list 101 extended permit icmp any  any time-exceeded
access-list 101 extended permit icmp any any  source-quench
access-list 101 extended permit icmp any any
access-list  clinical_splitTunnelAcl standard permit LAN 255.255.255.0
access-list  NetAccess extended permit ip host 10.1.101.5 any
access-list  NetAccess extended permit ip host 10.1.101.30 any
access-list  NetAccess extended permit ip WirelessPrivate 255.255.255.0 any
access-list  NetAccess extended deny ip any any
access-list  VPNclinical_splitTunnelAcl standard permit LAN 255.255.255.0
access-list  VPNclinical_splitTunnelAcl standard permit Switches 255.255.255.0
access-list  VPNclinical_splitTunnelAcl_1 standard permit LAN 255.255.255.0
access-list  VPNclinical_splitTunnelAcl_2 standard permit LAN 255.255.255.0
access-list  VPNclinical_splitTunnelAcl_5 standard permit LAN 255.255.255.0
access-list  VPNclinical_splitTunnelAcl_3 standard permit LAN 255.255.255.0
access-list  VPNclinical_splitTunnelAcl_4 standard permit LAN 255.255.255.0
access-list  inside_nat0_outbound extended permit ip LAN 255.255.255.0 192.168.100.0  255.255.255.128
access-list inside_nat0_outbound extended permit ip  Switches 255.255.255.0 192.168.100.0 255.255.255.128
access-list  inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.252  192.168.100.0 255.255.255.128
access-list rate-limit-wireless  extended permit ip WirelessPrivate 255.255.255.0 interface outside
pager  lines 24
logging enable
logging asdm informational
mtu outside  1500
mtu inside 1500
mtu management 1500
ip local pool VPNpool  192.168.100.1-192.168.100.100 mask 255.255.255.0
icmp unreachable  rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any  inside
asdm image disk0:/asdm-631.bin
no asdm history enable
arp  timeout 14400
global (outside) 1 interface
nat (inside) 0  access-list inside_nat0_outbound
nat (inside) 1 LAN 255.255.255.0
nat  (inside) 1 WirelessPrivate 255.255.255.0
access-group 101 in  interface outside
access-group NetAccess in interface inside
route  outside 0.0.0.0 0.0.0.0 94.247.XXX.XXX 1
route inside Switches  255.255.255.0 10.1.1.2 1
route inside LAN 255.255.255.0 10.1.1.2 1
route  inside WirelessPrivate 255.255.255.0 10.1.1.2 1
timeout xlate  3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp  0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00  mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite  0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00  uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record  DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 outside
http  LAN 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
no  snmp-server location
no snmp-server contact
snmp-server enable  traps snmp authentication linkup linkdown coldstart
crypto ipsec  transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec  transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec  transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec  transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec  transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec  transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec  transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec  transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec  transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec  transform-set RA-TS esp-3des esp-sha-hmac
crypto ipsec transform-set  ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec  security-association lifetime seconds 28800
crypto ipsec  security-association lifetime kilobytes 4608000
crypto dynamic-map  DYN_MAP 10 set transform-set RA-TS
crypto dynamic-map  SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map  SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA  ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA  ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto  map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto  map outside_map interface outside
crypto isakmp identity hostname
crypto  isakmp enable outside
crypto isakmp policy 10
authentication  pre-share
encryption 3des
hash sha
group 2
lifetime  86400
telnet 0.0.0.0 0.0.0.0 outside
telnet LAN 255.255.255.0  inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd  address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection  basic-threat
threat-detection statistics host
threat-detection  statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
group-policy DfltGrpPolicy attributes
vpn-idle-timeout none
group-policy VPNclinical internal
group-policy  VPNclinical attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value  VPNclinical_splitTunnelAcl
group-policy VPNclients internal
group-policy  VPNclients attributes
vpn-tunnel-protocol webvpn
webvpn
url-list none
username xxxx password DyDq4NEbqGjfIfWL encrypted  privilege 15
username yyyy password GQ6EDJEzerx065iq encrypted  privilege 15
username zzzz password KCW0Chtpty2A/5kt encrypted
username  wwww password APYksyyt89fKLVDC encrypted privilege 15
tunnel-group  VPNclinical type remote-access
tunnel-group VPNclinical  general-attributes
address-pool VPNpool
default-group-policy  VPNclinical
tunnel-group VPNclinical ipsec-attributes
pre-shared-key *****
tunnel-group VPNclients type remote-access
tunnel-group  VPNclients general-attributes
default-group-policy VPNclients
!
class-map  rate-limit
match access-list rate-limit-wireless
class-map  inspection_default
match default-inspection-traffic
!
!
policy-map  global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect  rtsp
inspect esmtp
inspect sqlnet
inspect skinny 
inspect sunrpc
inspect xdmcp
inspect sip 
inspect  netbios
inspect tftp
inspect icmp
inspect ip-options
policy-map  limit-policy
class rate-limit
police input 512000 96000
police output 512000 96000
!
service-policy global_policy global
service-policy  limit-policy interface inside
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/odd  ... DCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group  diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:06dee49ed404601c3f296eeb8c691bb2
:  end
asdm image disk0:/asdm-631.bin
asdm location LAN  255.255.255.0 inside
asdm location Switches 255.255.255.0 inside
asdm  location WirelessPrivate 255.255.255.0 inside
no asdm history enable

golly_wog Wed, 09/08/2010 - 15:06

WHat if you do a show policy-map interface inside?


You ACL - are you sure that this is correct?? I think it should be the following

access-list rate-limit-wireless  extended permit ip WirelessPrivate 255.255.255.0 any

If you only have 4mb on your internet facing connection, I would apply the following outbound on the outside (assuming that the rate-limit-wireless  ACL is correct)

class-map wireless
match access-list rate-limit-wireless
!
policy-map wireless
class wireless
police 512000

!
policy-map qos
class class-default 
   shape average 4000000
      service-policy wireless
!
service-policy qos interface outside

Actions

Login or Register to take actions

This Discussion

Posted September 7, 2010 at 6:24 AM
Stats:
Replies:4 Avg. Rating:5
Views:28753 Votes:0
Shares:0
Tags: No tags.

Discussions Leaderboard

Rank Username Points
1 7,861
2 6,140
3 3,170
4 1,473
5 1,446