05-23-2013 09:26 AM - edited 03-11-2019 06:48 PM
Hello,
I need some advice. We have an ASA 5525 running version 8.6(1)2 and a 10 MG pipe. I have execs that want to limit bandwidth on users for stuff like YouTube, streaming media, and downloads. I found the article on ‘Bandwidth Management (Rate Limit) Using QoS Policies’ so it appears our firewall can do what we want. I’m not a Cisco person. My knowledge is limited when it comes to configuration – that’s why we have SmartNet :). The advice I need is what to ask for, so to speak, when I put a case in. Can bandwidth be limited on end users and/or can they limit the ‘bandwidth rate limit’ to just YouTube, streaming media, and downloads? If so, what should the limit be? And I’m assuming this would be for ‘incoming’ traffic only? We’re running into some bandwidth hogs – usually YouTube and/or streaming media. We have a Barracuda web filter which we’ve used to block and monitor activity but I simply do not have time to babysit this all day. I should also mention we do have critical data running up and down the pipe, such as credit card processing, DB replication between in-house DB and hosted website, TPCx and EDI, FTP, and such that we don’t want restricted.
Need input please,
Thanks,
D
05-23-2013 09:48 AM
Hello Delouah,
You can certainly limit the amount of bandwidth you provide to certain traffic across the ASA.
The thing is that you will only be able to match certain parameters (no one can match the HTTP header host value or the header URI value)
So you could do it to all the HTTP/HTTPS traffic or based on the source IP addresses restrict the traffic.
Do you follow me?
05-23-2013 09:53 AM
I follow. So could we do rate limit on HTTP/HTTPS on a range of IPs?
05-23-2013 10:02 AM
Hello Delouah,
Yes you could, with no issues at all
What you now must do is determine how much bandwidth you want to provide to this traffic.
Then determine whether you will use traffic shaping or policing and afterwards you will be ready to open the case.
Regards
02-14-2017 01:03 AM
Hi Julio,
Does the rate in traffic policing mean the total rate combined or a single connection? For example, I have the following commands configured on my ASA. Does it mean every single connection gets a maximum of 3000000 or the total traffic rate is 3000000? Is there any way to limit the rate per connection or IP? Thanks.
access-list rate-limit extended permit ip any any
class-map rate-limit
 match access-list rate-limit
policy-map rate-limit
 class rate-limit
  police output 3000000
  police input 3000000
service-policy rate-limit interface outside
05-23-2013 10:01 AM
Another question, jcarvaja... what would be the best rate to limit it to? 3 MB? 5 MB?
05-23-2013 10:05 AM
Hello,
That's a question that you as the network admin of that organization could answer.
How much traffic for business purposes must travel via HTTP/HTTPS?
How much bandwidth are you willing to provide to these 2 protocols?
Those are the kind of answers you need to answer before setting the number
Regards
Remember to rate all of the helpful posts, Just click the 5 stars at the left of each post
Julio
05-23-2013 10:50 AM
So it looks like policing is going to be the fit for us. It's the inbound traffic that pegs out and it looks like shaping is for outbound only. And I'm thinking 3 MG will work.
Thanks much for the info Julio!
05-23-2013 10:51 AM
Hey man my pleasure,
Just remember to rate all of the helpful posts and mark the question as answered, as important as a thanks