Cisco Support Community
New Member

Rate Limiting/Policing

I am trying to determine the best place to limit traffic. I have a host on a 6509 that replicates data to another host on the other end of a site-to-site VPN:

HOST>ASA5520>20mb Internet---10mb Internet>ASA5520>HOST

I would like to limit the rate to 8mb during business hours.

Where is the best place to apply the policy?



Re: Rate Limiting/Policing

Because policing drops packets, resulting in retransmissions, it is recommended for use on higher-speed interfaces.

So it will be better if you apply the policy on the 20Mbps connection.

HTH...rate if helpful...

Re: Rate Limiting/Policing

I would say you need to make the limit as close to the source as possible, so if it is on the 20 M side then make it on that ASA, on the outside interface in the outbound direction.

Also, for a specific time you can do the trick with a time-based ACL that matches the traffic to be policed.

And the following link will help you a lot with ASA config:

good luck

if helpful Rate

Super Bronze

Re: Rate Limiting/Policing

As close to the sending host as possible. For instance, a policer on the 6509. Ideally one with a time-based ACL, if supported.

Re: Rate Limiting/Policing

Hi Joseph, that's exactly what I meant by the source word :)

As he said replication, then the sending will be the source of replication!

New Member

Re: Rate Limiting/Policing

Thanks for all the replies.

It looks like the best place for the policy is on the 6509 where the host is connected. Should I do a rate-limit or shaping? From what I understand, a traffic shape results in fewer dropped packets?

Super Bronze

Re: Rate Limiting/Policing

Shaping usually results in less dropped packets because of its default buffering. Policing can provide about the same drop rate, but the default burst sizes often need to be adjusted. However, shaping also offers the advantage that the bandwidth hog's packets are "metered" into the other traffic, where policing will allow bursts through.

I.e. If available, I would prefer shaping. Unsure how extensive a 6500's shaping features are. Also, generally you can only shape outbound, but you can often police either inbound or outbound.


If your devices support it, it's possible to both police early to control the sender's transmission rate via policing and later manage possible congestion with a shaper or other queuing.


For another approach, if instead of 8 Mbps, 10 Mbps was acceptable, you might also configure Ethernet at 10 Mbps on the source's Ethernet port. (Might even be doable with timed scripts.)
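
The policing versus shaping difference described in the post above, as an added example that is not part of the original thread: a small simulation of a token-bucket policer and a buffering shaper, both set to 8 Mbps. The sender pattern (20 packets of 1500 bytes at 100 Mbps every 50 ms), the two burst sizes and the queue length are constructed assumptions, not values from any device.

```python
from collections import deque

PKT_BITS = 1500 * 8   # one 1500-byte packet (constructed sample size)
RATE = 8              # 8 Mbps expressed as bits per microsecond

def arrivals(bursts=10, per_burst=20, period_us=50_000, gap_us=120):
    """Constructed sender: 20 back-to-back packets at 100 Mbps every 50 ms."""
    return [b * period_us + i * gap_us
            for b in range(bursts) for i in range(per_burst)]

def police(times, burst_bits):
    """Token-bucket policer: forward if tokens cover the packet, else drop."""
    tokens, last, sent = burst_bits, 0, []
    for t in times:
        tokens = min(burst_bits, tokens + RATE * (t - last))
        last = t
        if tokens >= PKT_BITS:
            tokens -= PKT_BITS
            sent.append(t)            # forwarded at once, no added delay
    return sent

def shape(times, queue_limit):
    """Shaper: buffer packets, release no faster than RATE, drop if queue full."""
    queue, sent, next_free = deque(), [], 0
    for t in times:
        while queue and queue[0] <= t:    # packets that have already departed
            queue.popleft()
        if len(queue) >= queue_limit:
            continue                      # tail drop
        depart = max(t, next_free)
        next_free = depart + PKT_BITS // RATE
        queue.append(depart)
        sent.append(depart)
    return sent

def summary(times, sent):
    """Drop count and the tightest spacing between forwarded packets."""
    gaps = [b - a for a, b in zip(sent, sent[1:])]
    return {"dropped": len(times) - len(sent), "min_gap_us": min(gaps)}

if __name__ == "__main__":
    t = arrivals()
    print("policer, 3000-byte burst :", summary(t, police(t, 24_000)))
    print("policer, 30000-byte burst:", summary(t, police(t, 240_000)))
    print("shaper, 20-packet queue  :", summary(t, shape(t, 20)))
```

A minimum gap of 120 µs means packets still leave back to back at the sender's 100 Mbps line rate, while 1500 µs is the spacing of 1500-byte packets at 8 Mbps.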

Super Bronze

Re: Rate Limiting/Policing

Marwan, yup, I understood what you meant, but from your second post, I presume you didn't realize I didn't see your post until after I had posted mine. I had considered, after seeing yours, adding a postscript acknowledgment of your post to my post, but figured the close post times, 4 minutes, showed what likely happened (i.e. I'm a slow typist).

Another reason I didn't amend my post, I thought there was some value in my suggesting doing the policing on the 6509, rather than later downstream such as your suggestion of policing on the ASA's outside interface.

Of course, it's likely bandwidth is less an issue until you get closer to the WAN bottleneck, but in principle, I'm sure you'll agree that perhaps an (inbound) policer on the 6509 would be even closer to the source, as described in the OP.
