How to limit download rate per IP on 5510ASA 8.3 IOS

Difan Zhao
Level 5

Hi experts,

How do I cap the download rate to 500kbps for each IP? I have tried the following config but it limits the total download to 500kbps for the entire subnet... In this lab scenario the inside network is 192.168.201.0/24. The outside is the Internet.

!
access-list ACL_RateLimit extended permit ip any 192.168.201.0 255.255.255.0
access-list ACL_RateLimit extended permit ip 192.168.201.0 255.255.255.0 any
!
class-map CMAP_RateLimit
 match access-list ACL_RateLimit
!
policy-map PMAP_RateLimit
 class CMAP_RateLimit
  police input 500000
!
service-policy PMAP_RateLimit interface outside
!

How should I configure the ACL to match individual IP instead of the entire subnet?

I'm also wondering if there is a way to send a snmptrap or syslog message if some IP was downloading at a high rate. Can the ASA do it?

Thanks!

4 Replies

Difan Zhao
Level 5

I still can't figure it out... Does anybody know?

Happy holidays guys.

Panos Kampanakis
Cisco Employee

You can't limit on a per host basis. Only if you match them in different ACLs can you police their traffic.

There is the "set connection per-host-max" but that limits the maximum simultaneous connections per host only.

I hope it answers your question, even though it doesn't provide a solution on the ASA.

PK
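
One way to apply the "different ACLs" approach from the reply above is to generate one ACL, class-map and police action per host. This is an added example, not code from any poster or from Cisco; the `ACL_RL_`/`CMAP_RL_` names, the sample host addresses and the 63-class cap are assumptions to check against your ASA release.

```python
import ipaddress

RATE_BPS = 500000    # same police rate as the config in the question
MAX_CLASSES = 63     # assumption: class-maps allowed in one policy-map; verify for your release


def per_host_policy(hosts, rate_bps=RATE_BPS, policy="PMAP_RateLimit",
                    interface="outside", max_classes=MAX_CLASSES):
    """Return ASA config lines that police each host in its own class."""
    # De-duplicate and sort so the generated config is stable between runs.
    addrs = sorted({ipaddress.IPv4Address(h) for h in hosts})
    if not addrs:
        raise ValueError("no hosts given")
    if len(addrs) > max_classes:
        raise ValueError(f"{len(addrs)} hosts exceed the assumed limit of "
                         f"{max_classes} classes in one policy-map")
    acl_lines, cmap_lines, pmap_lines = [], [], [f"policy-map {policy}"]
    for addr in addrs:
        tag = str(addr).replace(".", "_")    # hypothetical naming scheme
        acl, cmap = f"ACL_RL_{tag}", f"CMAP_RL_{tag}"
        # Download direction only: traffic from anywhere to this one host.
        acl_lines.append(f"access-list {acl} extended permit ip any host {addr}")
        cmap_lines += [f"class-map {cmap}", f" match access-list {acl}"]
        pmap_lines += [f" class {cmap}", f"  police input {rate_bps}"]
    return (acl_lines + ["!"] + cmap_lines + ["!"] + pmap_lines + ["!"]
            + [f"service-policy {policy} interface {interface}"])


if __name__ == "__main__":
    # Constructed sample: two lab hosts from the 192.168.201.0/24 inside network.
    print("\n".join(per_host_policy(["192.168.201.10", "192.168.201.11"])))
```

Passing every address of the /24 raises an error instead of emitting a policy-map larger than the assumed class limit, which is why this approach only suits a short list of hosts.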

It's a little bit sad to know that Cisco doesn't have this feature... I think it should be quite a common feature that many customers need... Many other firewalls can do it with a single click...

But that set per-client-connection is a good feature to have. One last question, do you have a recommended value that I should use which will be enough for normal web browsing use?

Thanks,

It really depends on the app. But generally speaking, most people use something close to 50.

PK
