cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3334
Views
5
Helpful
4
Replies

Cisco Asa traffic shaping for single IP

andresitotubia
Level 1
Level 1

Hi,

I would like to know if there is a way to apply in the Cisco asa 5510 traffic shaping not for a interface but a single IP address.

For example i would like to limit the bandwith for the IP address of my FTP server.

Can someone help me ?.

Thanks !

4 Replies 4

Kureli Sankar
Cisco Employee
Cisco Employee

Julio Carvajal
VIP Alumni
VIP Alumni

Hello Andres,

Lets say the ip addres of the host is 192.168.10.1 and we want to limit the bandwith when he goes to the internet

So first you need to match the traffic

access-list test permit tcp host 192.168.10.1 any eq 80

access-list test permit tcp host 192.168.10.1 any eq 443

Now lets create the map-class

map-class BD

match access-list test

Now lets create the Policy-map

Policy-map BD_LIMIT

class BD

shape average 86000 (Bits per second)

Finally Apply it to an interface

Service-policy BD_LIMIT interface outside

I hope this example show you how this needs to be configured, Any doubt let me know

Regards,

Julio
Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

Thank you for your quick response. I was not able to finish this cause when im traying to apply the shape average under the class BD i get this error:

ERROR: 'shape' can only be configured for class "class-default"

I think that if i apply this to the class-defaul its not going to match with the access list

Any idea ?

Thanks again

On Julio's sample you need to be a little careful. The sample talks about RFC 1918 address space and the policy-map is applied on the outside interface. If the ASA is internet facing this address will not be matched at all being non-routable private address space.

You are correct shaping can only be applied to class-default:

shaping sample:

class-map VOICE

match dscp ef

policy-map CHILD-POLICY

class VOICE

  priority

policy-map PARENT-POLICY

class class-default

  shape average 256000 2560

  service-policy CHILD-POLICY

service-policy PARTENT-POLICY interface outside

If you need to rate limit traffic to the webserver follow this

policy/priority sample:

access-list www-traffic permit tcp any ho x.x.x.x eq 80

class-map HTTP-TRAFFIC

match access-l www-traffic

class-map VOICE

match dscp ef

policy-map police-priority

class VOICE

  pirority

class HTTP-TRAFFIC

police output 200000

service-policy police-priority interface outside

-KS

Review Cisco Networking for a $25 gift card