Cisco ASA Bandwidth limiting issue
02-25-2014 01:14 AM - edited 03-11-2019 08:49 PM
Hi All,
We have 8 Mbps of bandwidth from one of our ISPs, terminated on a router (gi 0/0). From that router, port (gi 0/1) is connected to my Lan1 and another port (gi 0/0) is connected to the Cisco ASA (Lan2).
Management has decided to give a 2 Mbps (upload and download) limit to our Lan2 network, out of that 8 Mbps ILL. To achieve this, I did the following configuration on the Cisco ASA.
access-list rate-limit-acl extended permit ip any host x.x.x.63
access-list rate-limit-acl extended permit ip any host a.b.c.112
access-list rate-limit-acl extended permit ip host x.x.x.63 any
access-list rate-limit-acl extended permit ip host a.b.c.112 any
class-map rate-limit
 match access-list rate-limit-acl
policy-map limit-policy
 class rate-limit
  police output 2000000 4000
  police input 2000000 4000
service-policy limit-policy interface outside
I don't understand what went wrong and where. It's not working; the specified hosts in the ACL are enjoying the full bandwidth (8 Mbps). I have even tried applying the service-policy to the inside interface, but no luck.
Request all the experts for advice.
Regards,
Ashraf

02-25-2014 10:50 AM
Hello, Ashraf.
I guess you have applied the policy on the outside interface; however, the ACL is configured with private IP addresses.
PS: try to apply the policy on the inside interface and provide show service-policy limit-policy
02-25-2014 09:28 PM
Hello MikhailovskyVV,
Thanks for the reply.
1. The ACL corresponds to the traffic flowing from inside (private IP) to outside (public IP) and vice versa.
In the ACL, "any" corresponds to inside hosts, and "x.x.x.63" and "a.b.c.112" are public IPs.
2. Following is the output of show service-policy limit-policy, after I applied the service-policy to the inside interface.
ciscoasa# sh service-policy
Interface inside:
  Service-policy: limit-policy
    Class-map: rate-limit
      Output police Interface inside:
        cir 2000000 bps, bc 4000 bytes
        conformed 4 packets, 260 bytes; actions: transmit
        exceeded 0 packets, 0 bytes; actions: drop
        conformed 0 bps, exceed 0 bps
      Input police Interface inside:
        cir 2000000 bps, bc 4000 bytes
        conformed 0 packets, 0 bytes; actions: transmit
        exceeded 0 packets, 0 bytes; actions: drop
        conformed 0 bps, exceed 0 bps
3. Do we need to create two separate policy-maps, one per interface, with a police input or police output statement?
Regards,
Ashraf
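One way to read the counters in the output above, as an added example that is not part of the original thread: it parses the police blocks of `show service-policy` and lists policers that have evaluated almost no packets, meaning the traffic under test is not hitting that class on that interface. The function names and the `min_packets` threshold are assumptions; the sample text is constructed from the counters quoted in the post.

```python
import re

# Constructed sample: the counters quoted in the post, indented as the ASA prints them.
SAMPLE = """\
Interface inside:
  Service-policy: limit-policy
    Class-map: rate-limit
      Output police Interface inside:
        cir 2000000 bps, bc 4000 bytes
        conformed 4 packets, 260 bytes; actions: transmit
        exceeded 0 packets, 0 bytes; actions: drop
        conformed 0 bps, exceed 0 bps
      Input police Interface inside:
        cir 2000000 bps, bc 4000 bytes
        conformed 0 packets, 0 bytes; actions: transmit
        exceeded 0 packets, 0 bytes; actions: drop
        conformed 0 bps, exceed 0 bps
"""

HEAD = re.compile(r"^(Input|Output) police Interface (\S+):$")
CIR = re.compile(r"^cir (\d+) bps, bc (\d+) bytes$")
COUNT = re.compile(r"^(conformed|exceeded) (\d+) packets, (\d+) bytes; actions:\s*(\w+)$")

def parse_policers(text):
    """Return one dict per policer block, with class name, direction and counters."""
    policers, class_map, cur = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Class-map:"):
            class_map = line.split(":", 1)[1].strip()
        elif m := HEAD.match(line):
            cur = {"class": class_map, "direction": m[1].lower(), "interface": m[2]}
            policers.append(cur)
        elif cur is not None and (m := CIR.match(line)):
            cur["cir_bps"], cur["bc_bytes"] = int(m[1]), int(m[2])
        elif cur is not None and (m := COUNT.match(line)):
            # The per-second rate line ("conformed 0 bps, ...") does not match and is skipped.
            cur[m[1] + "_packets"], cur[m[1] + "_bytes"] = int(m[2]), int(m[3])
    return policers

def idle_policers(policers, min_packets=100):
    """Policers that have evaluated fewer than min_packets (hypothetical threshold)."""
    return [p for p in policers
            if p.get("conformed_packets", 0) + p.get("exceeded_packets", 0) < min_packets]

if __name__ == "__main__":
    for p in idle_policers(parse_policers(SAMPLE)):
        seen = p["conformed_packets"] + p["exceeded_packets"]
        print(f"{p['class']} {p['direction']} on {p['interface']}: only {seen} packets matched")
```

Run it against output captured while a limited host is transferring data; a policer that stays in the idle list during the transfer is not classifying that flow.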
02-26-2014 09:12 PM
Can somebody please provide some input?
Regards,
Ashraf
