New Member

ASA, apply rate limit to a specific subnet.

Hello all.

I need to apply a rate limit, on an ASA firewall, when a specific subnet connects to the Internet.

Thanks for help.

Andrea

1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Blue

Re: ASA, apply rate limit to a specific subnet.

"Be patient Jon"

Sorry Andrea, didn't mean to come across as impatient :-).

You can rate-limit the outgoing traffic but not the incoming traffic from the Internet. Actually, strictly speaking, you could rate-limit the incoming traffic from the Internet with a service policy outbound on your inside interface, but this isn't helpful as the traffic will already have come across your Internet link and used up bandwidth.

If you want to rate-limit inbound you would need to talk to your ISP.

Jon

5 REPLIES
Hall of Fame Super Blue

Re: ASA, apply rate limit to a specific subnet.

Andrea

Assuming 192.168.5.0/24 is the subnet -

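! Match traffic sourced from the subnet
access-list rate_subnet permit ip 192.168.5.0 255.255.255.0 any
!
class-map rate_subnet
 match access-list rate_subnet
!
! <rate-bps> is a placeholder: the conform rate in bits per second
policy-map rate_qos
 class rate_subnet
  police output <rate-bps>
!
service-policy rate_qos interface outside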

see this link for full details -

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008084de0c.shtml

Jon

New Member

Re: ASA, apply rate limit to a specific subnet.

Hi Jon and many many thanks for your help.

I have another question.

I understand that 192.x.x.x is the pre-NAT subnet. Because the service policy is applied only in the output direction, I do not understand how the ACL can match inbound (traffic from the Internet)!

Regards.

Andrea.

Hall of Fame Super Blue

Re: ASA, apply rate limit to a specific subnet.

Andrea

From the doc I sent -

"Note: Policing is applied only in the output direction"

So you cannot police inbound on the ASA.

Jon

New Member

Re: ASA, apply rate limit to a specific subnet.

Be patient Jon...

So I'm not able to apply a rate limit to a file transfer from Internet!?

Andrea
