Traffic Rate Limiting on Cisco ASA 5510?

DejanMilicevic · ‎09-07-2010

We have internet bandwidth 4/4 Mbps on outside interface. To inside interface are coming few internal network. How to limit internet bandwith usage for let's say 10.1.103.0/24 network to use 100/100 kbps. We tried as shown below but without luck. If we create subinterfaces for each vlan, we can apply policy on interfaces and that's working, but now we must do that ont few internal networks coming to ASA on inside interface.

Are we apply traffic shaping (limit the flow of traffic) or traffic policing (traffic that exceeds the speed limit on the interface is dropped) and what about burst

size? What is policing output and input? Why isn't this working?

name 10.1.103.0 WirelessPrivate description WirelesusersPrivate

access-list rate-limit-wireless extended permit ip WirelessPrivate 255.255.255.0 interface outside

class-map rate-limit
match access-list rate-limit-wireless

policy-map limit-policy
class rate-limit
police output 100000 8000
police input 100000 8000

service-policy limit-policy interface outside

mirober2 · ‎09-07-2010

Hi Dejan,

Take a look at this link--it describes the differences between the various QoS options and provides config examples for each scenario:

https://supportforums.cisco.com/docs/DOC-1230

Hope that helps.

-Mike

Ahmad-Maan · ‎10-20-2015

I have 4 public addresses with 8 Mbps now. i want to distribute 2Mbps on each public ip address in asa5515.

sachinga.hcl · ‎09-07-2010

Hi Dejan,

This configuration will not work as the rate limiting is not bidirectional and the other thing it should be configured on your inside interface but in your case you have rate limiting configured it on your outside interface. If you want this to enable on your all the interface then apply service policy onto global . So that this way the policy map will be applied to all the interfaces.

To activate the policy map on one or more interfaces, enter the following command:

hostname(config)# service-policy policymap_name {global | interface interface_name}

Where global applies the policy map to all interfaces, and interface applies the policy to one interface. Only one global policy is allowed. Interface service policies take precedence over the global service policy for a given feature.

For example, if you have a global policy with inspections, and an interface policy with TCP normalization, then both inspections and TCP normalization are applied to the interface. However, if you have a global policy with inspections, and an interface policy with inspections, then only the interface policy inspections are applied to that interface.

With the new modular policy framework (MPF) introduced in ASA versions 7.x and 8.x, the firewall administrator is now able to apply policing and rate limiting to traffic passing through the ASA appliance. I got a few questions from people how this functionality works and decided to throw in a quick example below which you can easily modify accordingly to match your needs.

Scenario:

We want to rate limit a local internal host when accessing a specific external public server. The local host is 192.168.1.10 and the external public server is 100.100.100.1. We need to limit the traffic to 100kbps and burst size 8000.

Configuration Snippet:

ASA(config)#access-list rate-limit-acl extended permit ip host 192.168.1.10 host 100.100.100.1

ASA(config)#class-map rate-limit
ASA(config-cmap)#match access-list rate-limit-acl

ASA(config)#policy-map limit-policy
ASA(config-pmap)#class rate-limit
ASA(config-pmap-c)#police output 100000 8000

ASA(config)#service-policy limit-policy interface outside

For detail in this regard Kindly go through the following referencce page for all the configuration related information for Bandwidth Management(Rate Limit) Using QoS Policies

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008084de0c.shtml#rate

For configuring the rate limits through ASDM kindly go through the following link:

http://flylib.com/books.php?ln=en&n=2&p=464&c=186&p1=1&c1=1&c2=231&view=1

On Cisco ASA 8.x find th following:

http://www1.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_qos.html

http://www1.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_qos.html#wp1075478

HTH

Sachin Garg

Message was edited by: sachinga.hcl

DejanMilicevic · ‎09-08-2010

ASA config is below and bandwith limit is 512/512 kbit/s. With any combination using policy on outside/inside interface and input/output (single or both) it doesn't work? Any suggestions?

ASA Version 8.2(2)
!
hostname ASAfirewall
enable password jbzGGb3hW4EV5FGM encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.1.101.0 LAN description VlanPC
name 10.1.100.0 Switches description Switches
name 10.1.103.0 WirelessPrivate description WirelesusersPrivate
dns-guard
!
interface Ethernet0/0
no nameif
no security-level
no ip address
!
interface Ethernet0/0.1
vlan 51
nameif outside
security-level 0
ip address 94.247.XXX.XXX 255.255.255.252
!
interface Ethernet0/1
no nameif
no security-level
no ip address
!
interface Ethernet0/1.1
vlan 110
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.252
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
banner exec * WARNING *
banner exec IF YOU ARE NOT AUTHORISED TO ACCESS THIS SYSTEM EXIT IMMEDIATELY!
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup outside
dns domain-lookup inside
dns domain-lookup management
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network Lan
description VLAN PC
object-group network NETWORK_OBJ_192.168.100.0_25
object-group network PCtoNetGroup
object-group network Net
access-list 101 extended permit icmp any any echo
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit icmp any any time-exceeded
access-list 101 extended permit icmp any any source-quench
access-list 101 extended permit icmp any any
access-list clinical_splitTunnelAcl standard permit LAN 255.255.255.0
access-list NetAccess extended permit ip host 10.1.101.5 any
access-list NetAccess extended permit ip host 10.1.101.30 any
access-list NetAccess extended permit ip WirelessPrivate 255.255.255.0 any
access-list NetAccess extended deny ip any any
access-list VPNclinical_splitTunnelAcl standard permit LAN 255.255.255.0
access-list VPNclinical_splitTunnelAcl standard permit Switches 255.255.255.0
access-list VPNclinical_splitTunnelAcl_1 standard permit LAN 255.255.255.0
access-list VPNclinical_splitTunnelAcl_2 standard permit LAN 255.255.255.0
access-list VPNclinical_splitTunnelAcl_5 standard permit LAN 255.255.255.0
access-list VPNclinical_splitTunnelAcl_3 standard permit LAN 255.255.255.0
access-list VPNclinical_splitTunnelAcl_4 standard permit LAN 255.255.255.0
access-list inside_nat0_outbound extended permit ip LAN 255.255.255.0 192.168.100.0 255.255.255.128
access-list inside_nat0_outbound extended permit ip Switches 255.255.255.0 192.168.100.0 255.255.255.128
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.252 192.168.100.0 255.255.255.128
access-list rate-limit-wireless extended permit ip WirelessPrivate 255.255.255.0 interface outside
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool VPNpool 192.168.100.1-192.168.100.100 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 LAN 255.255.255.0
nat (inside) 1 WirelessPrivate 255.255.255.0
access-group 101 in interface outside
access-group NetAccess in interface inside
route outside 0.0.0.0 0.0.0.0 94.247.XXX.XXX 1
route inside Switches 255.255.255.0 10.1.1.2 1
route inside LAN 255.255.255.0 10.1.1.2 1
route inside WirelessPrivate 255.255.255.0 10.1.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 outside
http LAN 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set RA-TS esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DYN_MAP 10 set transform-set RA-TS
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 outside
telnet LAN 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
group-policy DfltGrpPolicy attributes
vpn-idle-timeout none
group-policy VPNclinical internal
group-policy VPNclinical attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPNclinical_splitTunnelAcl
group-policy VPNclients internal
group-policy VPNclients attributes
vpn-tunnel-protocol webvpn
webvpn
url-list none
username xxxx password DyDq4NEbqGjfIfWL encrypted privilege 15
username yyyy password GQ6EDJEzerx065iq encrypted privilege 15
username zzzz password KCW0Chtpty2A/5kt encrypted
username wwww password APYksyyt89fKLVDC encrypted privilege 15
tunnel-group VPNclinical type remote-access
tunnel-group VPNclinical general-attributes
address-pool VPNpool
default-group-policy VPNclinical
tunnel-group VPNclinical ipsec-attributes
pre-shared-key *****
tunnel-group VPNclients type remote-access
tunnel-group VPNclients general-attributes
default-group-policy VPNclients
!
class-map rate-limit
match access-list rate-limit-wireless
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
inspect ip-options
policy-map limit-policy
class rate-limit
police input 512000 96000
police output 512000 96000
!
service-policy global_policy global
service-policy limit-policy interface inside
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/odd ... DCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:06dee49ed404601c3f296eeb8c691bb2
: end
asdm image disk0:/asdm-631.bin
asdm location LAN 255.255.255.0 inside
asdm location Switches 255.255.255.0 inside
asdm location WirelessPrivate 255.255.255.0 inside
no asdm history enable

golly_wog · ‎09-08-2010

WHat if you do a show policy-map interface inside?

You ACL - are you sure that this is correct?? I think it should be the following

access-list rate-limit-wireless extended permit ip WirelessPrivate 255.255.255.0 any

If you only have 4mb on your internet facing connection, I would apply the following outbound on the outside (assuming that the rate-limit-wireless ACL is correct)

class-map wireless
match access-list rate-limit-wireless
!
policy-map wireless
class wireless
police 512000

!
policy-map qos
class class-default
shape average 4000000
service-policy wireless
!
service-policy qos interface outside