
Cisco ASA Limit Bandwidth Per Subnet For Multiple Subnets

jdgriffiths
Level 1

Hi

I have an ASA which is managing internet access from multiple VLANs configured on a 3560 switch. I want to be able to limit the 100MB internet connection on the ASA on a per subnet (VLAN) basis for the multiple subnets configured on the switch.....

so for example

VLAN10 - 10.0.10.0 - limit to 5MB

VLAN20 - 10.0.20.0 - limit to 10MB

VLAN30 - 10.0.30.0 - limit to 3MB

and so on

Is this possible.......if so, configuration example would be greatly appreciated

Thanks

James

1 Accepted Solution


Julio Carvajal
VIP Alumni

Hello James,

It can be done... So you will need to create an MPF rule for each of those subnets

Example for vlan 10

access-list vlan10_rate_limit permit ip 10.0.10.0 255.255.255.0 any
class-map rate_vlan_10
 match access-list vlan10_rate_limit
policy-map global_policy
 class rate_vlan_10
  police input 5000000 conform-action transmit exceed-action drop

(You could set a burst rate if you want)

Any other question..Sure.. Just remember to rate all of my answers

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC


Thank you for your quick and comprehensive reply! Couple of questions......I assume this needs to be applied to the outside interface? Can multiple MPF rules be applied to the interface to allow all VLANs to be limited as needed?

Hello James,

It's one service policy per interface (you can have a global one, applied to all of the interfaces).

Now one policy can have different class-maps where you can assign different actions, so the answer is yes.

Any other question..Sure.. Just remember to rate all of my answers

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Excellent - so to apply to the outside interface, the commands would be ......

service-policy global_policy global
service-policy global_policy interface outside

using your "global_policy" example from above - Is this correct?

James

Hello James,

That is correct

service-policy global_policy global

Will apply the policy-map global_policy to all the interfaces


service-policy global_policy interface outside

Will apply the global_policy to just the interface outside

This will not be a good design as you are using the same 2 policies in different service-policies; the best option would be to apply it globally or just on the outside interface

Now an important fact if by any chance you have 2 different policies and one is global and the other one is applied to an interface, you might ask:

What will the ASA use?

The ASA will focus on the more specific one (the interface policy)

Any other question..Sure.. Just remember to rate all of my answers

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thank you so much

Hello James,

My pleasure to help

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
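
Extending the VLAN 10 answer to all three subnets from the question, as an added example that is not part of the original thread or any Cisco tooling: a Python generator that emits one ACL and class-map per VLAN, every class under a single policy-map, and exactly one service-policy line (global or one interface, as the thread advises). The /24 prefixes, the rate bounds and the name `build_police_config` are assumptions made for this example.

```python
import ipaddress

# Constructed sample input from the question: VLAN -> (subnet, limit in Mbit/s).
# The /24 prefix matches the 255.255.255.0 mask used in the VLAN 10 answer.
VLAN_LIMITS = {10: ("10.0.10.0/24", 5), 20: ("10.0.20.0/24", 10), 30: ("10.0.30.0/24", 3)}

# Assumption: bounds of the ASA police conform-rate, in bits per second.
MIN_BPS, MAX_BPS = 8_000, 2_000_000_000


def build_police_config(limits, policy="global_policy", interface=None):
    """Return ASA config lines policing each subnet to its own rate.

    One ACL and one class-map per VLAN, all classes under one policy-map,
    and a single service-policy attachment (global, or one named interface).
    """
    acls, class_maps, classes, seen = [], [], [], []
    for vlan, (cidr, mbps) in sorted(limits.items()):
        net = ipaddress.IPv4Network(cidr)  # strict: raises if host bits are set
        for other in seen:
            if net.overlaps(other):
                raise ValueError(f"{net} overlaps {other}; per-VLAN limit is ambiguous")
        seen.append(net)
        bps = int(mbps * 1_000_000)  # 5 -> 5000000, as in the VLAN 10 answer
        if not MIN_BPS <= bps <= MAX_BPS:
            raise ValueError(f"VLAN {vlan}: {bps} bps is outside the police range")
        acl, cmap = f"vlan{vlan}_rate_limit", f"rate_vlan_{vlan}"
        acls.append(f"access-list {acl} permit ip {net.network_address} {net.netmask} any")
        class_maps += [f"class-map {cmap}", f" match access-list {acl}"]
        classes += [f" class {cmap}",
                    f"  police input {bps} conform-action transmit exceed-action drop"]
    # Attach the policy once: globally, or to one interface, never both.
    attach = (f"service-policy {policy} interface {interface}" if interface
              else f"service-policy {policy} global")
    return acls + class_maps + [f"policy-map {policy}"] + classes + [attach]


if __name__ == "__main__":
    print("\n".join(build_police_config(VLAN_LIMITS)))
```

Pass `interface="outside"` to emit the interface attachment from the thread instead of the global one.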