Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Traffic Rate Limiting on Cisco ASA 5510?

We have internet bandwidth 4/4 Mbps on outside interface. To inside  interface are coming few internal network. How to limit internet  bandwith usage for let's say network to use 100/100 kbps.  We tried as shown below but without luck. If we create subinterfaces for  each vlan, we can apply policy on interfaces and that's working, but  now we must do that ont few internal networks coming to ASA on inside  interface.

Are we apply traffic shaping (limit the flow of traffic) or traffic policing (traffic that exceeds the speed limit on the interface is dropped) and what about burst

size? What is policing output and input? Why isn't this working?

name WirelessPrivate description WirelesusersPrivate

access-list rate-limit-wireless extended permit ip WirelessPrivate interface outside

class-map rate-limit
  match access-list rate-limit-wireless

policy-map limit-policy
  class rate-limit
   police output 100000 8000
   police input 100000 8000

service-policy limit-policy interface outside


Re: Traffic Rate Limiting on Cisco ASA 5510?

Hi Dejan,

Take a look at this link--it describes the differences between the various QoS options and provides config examples for each scenario:

Hope that helps.


New Member

I have 4 public addresses

I have 4 public addresses with 8 Mbps now. i want to distribute 2Mbps on each public ip address in asa5515.


Re: Traffic Rate Limiting on Cisco ASA 5510?

Hi Dejan,

This configuration will not work as the rate limiting is not bidirectional and the other thing it should be configured on your inside interface but in your case you have rate limiting configured it on your outside  interface. If you want this to enable on your all the interface then apply service policy onto global . So that this way the policy map will be applied to all the interfaces.

To activate the policy map on one or more interfaces, enter the following command:

hostname(config)# service-policy policymap_name {global | interface interface_name}

Where global applies the policy map to all interfaces, and interface applies the policy to one interface. Only one global policy is allowed. Interface service policies take precedence over the global service policy for a given feature.

For example, if you have a global policy with inspections, and an interface policy with TCP normalization, then both inspections and TCP normalization are applied to the interface. However, if you have a global policy with inspections, and an interface policy with inspections, then only the interface policy inspections are applied to that interface.

With the new modular policy framework (MPF) introduced in ASA versions 7.x and 8.x, the firewall administrator is now able to apply policing and rate limiting to traffic passing through the ASA appliance. I got a few questions from people how this functionality works and decided to throw in a quick example below which you can easily modify accordingly to match your needs.


We want to rate limit a local internal host when accessing a specific external public server. The local host is and the external public server is We need to limit the traffic to 100kbps and burst size 8000.

Configuration Snippet:

ASA(config)#access-list rate-limit-acl extended permit ip host host

ASA(config)#class-map rate-limit
ASA(config-cmap)#match access-list rate-limit-acl

ASA(config)#policy-map limit-policy
ASA(config-pmap)#class rate-limit
ASA(config-pmap-c)#police output 100000 8000

ASA(config)#service-policy limit-policy interface outside

For detail in this regard Kindly go through the following referencce page for all the configuration related information for Bandwidth Management(Rate Limit) Using QoS Policies

For configuring the rate limits through ASDM kindly go through the following link:

On Cisco ASA 8.x find th following:


Sachin Garg

Message was edited by: sachinga.hcl

Message was edited by: sachinga.hcl

New Member

Re: Traffic Rate Limiting on Cisco ASA 5510?

ASA config is below and bandwith limit is 512/512 kbit/s. With any  combination using policy on outside/inside interface and input/output  (single or both) it doesn't work? Any suggestions?

ASA Version 8.2(2)
hostname  ASAfirewall
enable password jbzGGb3hW4EV5FGM encrypted
passwd  2KFQnbNIdI.2KYOU encrypted
name LAN description  VlanPC
name Switches description Switches
name WirelessPrivate description WirelesusersPrivate
interface  Ethernet0/0
no nameif
no security-level
no ip address
interface  Ethernet0/0.1
vlan 51
nameif outside
security-level 0
ip address 94.247.XXX.XXX
interface Ethernet0/1
no nameif
no security-level
no ip address
interface  Ethernet0/1.1
vlan 110
nameif inside
security-level 100
ip address
interface Ethernet0/2
no nameif
no security-level
no ip address
interface  Ethernet0/3
no nameif
no security-level
no ip  address
interface Management0/0
nameif management
security-level 100
ip address
banner exec * WARNING *
boot  system disk0:/asa822-k8.bin
ftp mode passive
clock timezone CEST 1
clock  summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns  domain-lookup outside
dns domain-lookup inside
dns domain-lookup  management
same-security-traffic permit inter-interface
same-security-traffic  permit intra-interface
object-group network Lan
description VLAN  PC
object-group network NETWORK_OBJ_192.168.100.0_25
object-group  network PCtoNetGroup
object-group network Net
access-list 101  extended permit icmp any any echo
access-list 101 extended permit  icmp any any unreachable
access-list 101 extended permit icmp any  any time-exceeded
access-list 101 extended permit icmp any any  source-quench
access-list 101 extended permit icmp any any
access-list  clinical_splitTunnelAcl standard permit LAN
access-list  NetAccess extended permit ip host any
access-list  NetAccess extended permit ip host any
access-list  NetAccess extended permit ip WirelessPrivate any
access-list  NetAccess extended deny ip any any
access-list  VPNclinical_splitTunnelAcl standard permit LAN
access-list  VPNclinical_splitTunnelAcl standard permit Switches
access-list  VPNclinical_splitTunnelAcl_1 standard permit LAN
access-list  VPNclinical_splitTunnelAcl_2 standard permit LAN
access-list  VPNclinical_splitTunnelAcl_5 standard permit LAN
access-list  VPNclinical_splitTunnelAcl_3 standard permit LAN
access-list  VPNclinical_splitTunnelAcl_4 standard permit LAN
access-list  inside_nat0_outbound extended permit ip LAN
access-list inside_nat0_outbound extended permit ip  Switches
access-list  inside_nat0_outbound extended permit ip
access-list rate-limit-wireless  extended permit ip WirelessPrivate interface outside
pager  lines 24
logging enable
logging asdm informational
mtu outside  1500
mtu inside 1500
mtu management 1500
ip local pool VPNpool mask
icmp unreachable  rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any  inside
asdm image disk0:/asdm-631.bin
no asdm history enable
arp  timeout 14400
global (outside) 1 interface
nat (inside) 0  access-list inside_nat0_outbound
nat (inside) 1 LAN
nat  (inside) 1 WirelessPrivate
access-group 101 in  interface outside
access-group NetAccess in interface inside
route  outside 94.247.XXX.XXX 1
route inside Switches 1
route inside LAN 1
route  inside WirelessPrivate 1
timeout xlate  3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp  0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00  mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite  0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00  uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record  DfltAccessPolicy
http server enable
http outside
http  LAN inside
http management
no  snmp-server location
no snmp-server contact
snmp-server enable  traps snmp authentication linkup linkdown coldstart
crypto ipsec  transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec  transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec  transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec  transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec  transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec  transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec  transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec  transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec  transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec  transform-set RA-TS esp-3des esp-sha-hmac
crypto ipsec transform-set  ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec  security-association lifetime seconds 28800
crypto ipsec  security-association lifetime kilobytes 4608000
crypto dynamic-map  DYN_MAP 10 set transform-set RA-TS
crypto dynamic-map  SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map  SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA  ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA  ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto  map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto  map outside_map interface outside
crypto isakmp identity hostname
crypto  isakmp enable outside
crypto isakmp policy 10
authentication  pre-share
encryption 3des
hash sha
group 2
lifetime  86400
telnet outside
telnet LAN  inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd  address management
dhcpd enable management
threat-detection  basic-threat
threat-detection statistics host
threat-detection  statistics access-list
no threat-detection statistics tcp-intercept
enable outside
group-policy DfltGrpPolicy attributes
vpn-idle-timeout none
group-policy VPNclinical internal
group-policy  VPNclinical attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value  VPNclinical_splitTunnelAcl
group-policy VPNclients internal
group-policy  VPNclients attributes
vpn-tunnel-protocol webvpn
url-list none
username xxxx password DyDq4NEbqGjfIfWL encrypted  privilege 15
username yyyy password GQ6EDJEzerx065iq encrypted  privilege 15
username zzzz password KCW0Chtpty2A/5kt encrypted
username  wwww password APYksyyt89fKLVDC encrypted privilege 15
tunnel-group  VPNclinical type remote-access
tunnel-group VPNclinical  general-attributes
address-pool VPNpool
default-group-policy  VPNclinical
tunnel-group VPNclinical ipsec-attributes
pre-shared-key *****
tunnel-group VPNclients type remote-access
tunnel-group  VPNclients general-attributes
default-group-policy VPNclients
class-map  rate-limit
match access-list rate-limit-wireless
class-map  inspection_default
match default-inspection-traffic
policy-map  global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect  rtsp
inspect esmtp
inspect sqlnet
inspect skinny 
inspect sunrpc
inspect xdmcp
inspect sip 
inspect  netbios
inspect tftp
inspect icmp
inspect ip-options
policy-map  limit-policy
class rate-limit
police input 512000 96000
police output 512000 96000
service-policy global_policy global
service-policy  limit-policy interface inside
prompt hostname context
profile CiscoTAC-1
no active
destination address http  ... DCEService
destination address email
destination transport-method http
subscribe-to-alert-group  diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
:  end
asdm image disk0:/asdm-631.bin
asdm location LAN inside
asdm location Switches inside
asdm  location WirelessPrivate inside
no asdm history enable

New Member

Re: Traffic Rate Limiting on Cisco ASA 5510?

WHat if you do a show policy-map interface inside?

You ACL - are you sure that this is correct?? I think it should be the following

access-list rate-limit-wireless  extended permit ip WirelessPrivate any

If you only have 4mb on your internet facing connection, I would apply the following outbound on the outside (assuming that the rate-limit-wireless  ACL is correct)

class-map wireless
match access-list rate-limit-wireless
policy-map wireless
class wireless
police 512000

policy-map qos
class class-default 
   shape average 4000000
      service-policy wireless
service-policy qos interface outside