12-20-2010 04:22 PM - edited 03-11-2019 12:25 PM
Hi experts,
How do I cap the download rate to 500kbps for each IP? I have tried the following config, but it limits the total download to 500kbps for the entire subnet... In this lab scenario the inside network is 192.168.201.0/24. The outside is the Internet.
!
access-list ACL_RateLimit extended permit ip any 192.168.201.0 255.255.255.0
access-list ACL_RateLimit extended permit ip 192.168.201.0 255.255.255.0 any
!
class-map CMAP_RateLimit
 match access-list ACL_RateLimit
!
policy-map PMAP_RateLimit
 class CMAP_RateLimit
  police input 500000
!
service-policy PMAP_RateLimit interface outside
!
How should I configure the ACL to match individual IPs instead of the entire subnet?
I'm also wondering if there is a way to send an SNMP trap or syslog message if some IP was downloading at a high rate. Can the ASA do it?
Thanks!
12-21-2010 10:34 AM
I still can't figure it out... Does anybody know?
Happy holidays guys.
12-21-2010 03:18 PM
You can't limit on a per host basis. Only if you match them in different ACLs can you police their traffic.
There is the "set connection per-host-max" but that limits the maximum simultaneous connections per host only.
I hope it answers your question, even though it doesn't provide a solution on the ASA.
PK
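Added example, not part of the reply above and not Cisco tooling: a Python script for the "different ACLs" approach, emitting one ACL, one class-map and one policer per inside host with the same commands used in the original post. The ACL_RL_*/CMAP_RL_* object names and the sample host list are hypothetical, and the ACLs match real inside addresses as the original config does.

```python
import ipaddress

INSIDE_NET = ipaddress.ip_network("192.168.201.0/24")  # inside subnet from the question
RATE_BPS = 500000                                      # police rate from the question


def per_host_policing(hosts, policy="PMAP_RateLimit", iface="outside",
                      rate_bps=RATE_BPS, inside=INSIDE_NET):
    """Return ASA config lines that police each host in its own class.

    Object names (ACL_RL_*, CMAP_RL_*) are hypothetical; the commands are
    the ones used in the original post, repeated once per host.
    """
    # De-duplicate and sort so the output is stable across runs.
    addrs = sorted({ipaddress.ip_address(h) for h in hosts})
    for addr in addrs:
        if addr not in inside:
            raise ValueError(f"{addr} is not in {inside}")

    acl_lines, cmap_lines, pmap_lines = [], [], [f"policy-map {policy}"]
    for addr in addrs:
        tag = str(addr).replace(".", "_")
        acl, cmap = f"ACL_RL_{tag}", f"CMAP_RL_{tag}"
        # Download direction only: traffic destined to this one host.
        acl_lines.append(f"access-list {acl} extended permit ip any host {addr}")
        cmap_lines += [f"class-map {cmap}", f" match access-list {acl}"]
        # Each class carries its own policer, so the rate applies per host.
        pmap_lines += [f" class {cmap}", f"  police input {rate_bps}"]

    return (acl_lines + cmap_lines + pmap_lines
            + [f"service-policy {policy} interface {iface}"])


if __name__ == "__main__":
    # Constructed sample: two lab hosts.
    print("\n".join(per_host_policing(["192.168.201.10", "192.168.201.11"])))
```

The output grows by one ACL, one class-map and one policer per host, so it suits a short list of known hosts rather than a whole subnet.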
12-22-2010 10:51 AM
It's a little bit sad to know that Cisco doesn't have this feature... I think it should be quite a common feature that many customers need... Many other firewalls can do it with a single click...
But that set per-client-connection is a good feature to have. One last question: do you have a recommended value that I should use which will be enough for normal web browsing use?
Thanks,
12-22-2010 11:25 AM
It really depends on the app. But generally speaking, most people use something close to 50.
PK