09-17-2012 02:04 PM - edited 03-11-2019 04:55 PM
Hi
I have an ASA which is managing internet access from multiple VLANs configured on a 3560 switch. I want to be able to limit the 100MB internet connection on the ASA on a per subnet (VLAN) basis for the multiple subnets configured on the switch.
so for example
VLAN10 - 10.0.10.0 - limit to 5MB
VLAN20 - 10.0.20.0 - limit to 10MB
VLAN30 - 10.0.30.0 - limit to 3MB
and so on
Is this possible? If so, a configuration example would be greatly appreciated.
Thanks
James
09-17-2012 03:11 PM
Hello James,
It can be done. You will need to create an MPF rule for each of those subnets.
Example for VLAN 10:
access-list vlan10_rate_limit permit ip 10.0.10.0 255.255.255.0 any
class-map rate_vlan_10
 match access-list vlan10_rate_limit
policy-map global_policy
 class rate_vlan_10
  police input 5000000 conform-action transmit exceed-action drop
(You could set a burst rate if you want.)
Any other question..Sure.. Just remember to rate all of my answers
Julio
09-18-2012 01:13 AM
Thank you for your quick and comprehensive reply! A couple of questions: I assume this needs to be applied to the outside interface? Can multiple MPF rules be applied to the interface to allow all VLANs to be limited as needed?
09-18-2012 09:11 AM
Hello James,
It's one service policy per interface (you can also have a global one, applied to all of the interfaces).
Now, one policy can have different class-maps where you can assign different actions, so the answer is yes.
Any other question..Sure.. Just remember to rate all of my answers
Julio
09-18-2012 01:19 PM
Excellent - so to apply to the outside interface, the commands would be:
service-policy global_policy global
service-policy global_policy interface outside
using your "global_policy" example from above - Is this correct?
James
09-18-2012 01:32 PM
Hello James,
That is correct
service-policy global_policy global
Will apply the policy-map global_policy to all the interfaces
service-policy global_policy interface outside
Will apply the global_policy to just the interface outside
This will not be a good design, as you are using the same 2 policies in different service-policies. The best option would be to apply it globally or just on the outside interface.
Now an important fact: if by any chance you have 2 different policies and one is global and the other one is applied to an interface, you might ask:
What will the ASA use?
The ASA will focus on the more specific one (the interface policy)
Any other question..Sure.. Just remember to rate all of my answers
Regards,
Julio
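Added example, not part of the thread and not Cisco's own code: a Python sketch that generates the configuration discussed above for all three VLANs in the question, with one class per subnet inside a single policy-map and exactly one service-policy line. The /24 masks for VLAN20 and VLAN30, the rate bounds, and the function name `build_police_config` are assumptions.

```python
import ipaddress

# Constructed input: the three VLANs from the question as (id, subnet, Mbit/s).
# The /24 masks for VLAN20 and VLAN30 are assumed; the thread shows one for VLAN10 only.
VLAN_LIMITS = [("10", "10.0.10.0/24", 5), ("20", "10.0.20.0/24", 10), ("30", "10.0.30.0/24", 3)]

# Assumption: accepted range for the police conform-rate, in bits per second.
MIN_BPS, MAX_BPS = 8000, 2_000_000_000


def build_police_config(vlans, policy="global_policy", interface=None):
    """Return ASA CLI lines: one ACL and class-map per VLAN, all in one policy-map."""
    acls, class_maps, policy_lines, seen = [], [], [f"policy-map {policy}"], []
    for vlan_id, cidr, mbps in vlans:
        net = ipaddress.ip_network(cidr)  # strict by default: rejects host bits in the subnet
        for other in seen:
            if net.overlaps(other):
                # A flow is policed by the first class it matches, so overlap hides a limit.
                raise ValueError(f"{net} overlaps {other}")
        seen.append(net)
        bps = int(mbps * 1_000_000)  # same unit as the thread: 5 -> 5000000
        if not MIN_BPS <= bps <= MAX_BPS:
            raise ValueError(f"rate {bps} bps out of range for VLAN {vlan_id}")
        acl, cmap = f"vlan{vlan_id}_rate_limit", f"rate_vlan_{vlan_id}"
        acls.append(f"access-list {acl} permit ip {net.network_address} {net.netmask} any")
        class_maps += [f"class-map {cmap}", f" match access-list {acl}"]
        policy_lines += [f" class {cmap}",
                         f"  police input {bps} conform-action transmit exceed-action drop"]
    # Emit exactly one service-policy: global, or one named interface, never both.
    if interface:
        apply_line = f"service-policy {policy} interface {interface}"
    else:
        apply_line = f"service-policy {policy} global"
    return acls + class_maps + policy_lines + [apply_line]


if __name__ == "__main__":
    print("\n".join(build_police_config(VLAN_LIMITS, interface="outside")))
```

Review the generated lines before pasting them into the ASA; the script only builds text and does not connect to any device.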
09-18-2012 01:35 PM
Thank you so much
09-18-2012 01:40 PM
Hello James,
My pleasure to help
Julio