4137 Views, 10 Helpful, 8 Replies

Traffic Rate Limiting on Cisco ASA 5545

Amna Omar (Level 1)

Hello,

We have a dedicated, synchronous 75 Mbps internet link on the outside of an ASA 5545 firewall running version 9.8(2). I want to control this rate, as a lot of people on the inside are heavily consuming the bandwidth.

I want to customize 60 Mbps for the inside.

How can I do it?

8 Replies

Bogdan Nita (VIP Alumni)

A simple example would be:

access-list inside-traffic-acl permit ip <inside-net> any
access-list inside-traffic-acl permit ip any <inside-net>
!
class-map inside-traffic-cmap
 match access-list inside-traffic-acl
!
policy-map inside-traffic-pmap
 class inside-traffic-cmap
  police output 60000000 conform-action transmit exceed-action drop
  police input 60000000 conform-action transmit exceed-action drop
!
service-policy inside-traffic-pmap interface inside
!
priority-queue inside

For more details check out:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa99/configuration/firewall/asa-99-firewall-config/conns-qos.html#ID-2133-00000004

HTH

Bogdan

Thanks Bogdan Nita

Please:

1. What about the configuration below, and what is the burst size and how is it calculated?

2. How can I be sure the commands are successful?

3. How can I be sure the 15 Mbps will be exploited by users outside the network?

**********************

ASA(config)#access-list rate-limit-acl extended permit ip host 192.168.1.10 host 100.100.100.1
ASA(config)#class-map rate-limit
ASA(config-cmap)#match access-list rate-limit-acl
ASA(config)#policy-map limit-policy
ASA(config-pmap)#class rate-limit
ASA(config-pmap-c)#police output 100000 8000
ASA(config)#service-policy limit-policy interface outside


Hi @Amna Omar,

1. If you leave the conform-burst value empty, the ASA will calculate the value for you. The burst value (bc) can be viewed with show service-policy police.
2. With show service-policy police you should be able to see packets hitting the policy and, if the CIR is exceeded, dropped packets.
3. Traffic that is not being policed should be able to use the remaining bandwidth.
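To make the two numbers in "police output 100000 8000" concrete, here is a small token-bucket model of a single-rate policer. It is added to this thread as an illustration and is not Cisco's code; it does not talk to an ASA. The CIR refills the bucket, bc (the burst) caps it, and each packet is transmitted or dropped depending on whether the bucket can pay for it, which is the conform-action transmit / exceed-action drop pair used above. The 250 ms sizing in burst_for_window is an assumption about how a policer default is commonly chosen, not a statement of the ASA's internal formula, and the packet stream is constructed for the example.

```python
"""Token-bucket model of the `police` command (CIR + conform-burst).

Added illustration for this thread; not Cisco code and not an ASA feature.
It models the single-rate, two-colour policer that
`police input|output <cir> [<bc>]` configures, so the meaning of the two
numbers can be seen on constructed traffic before a policy goes live.
"""
from typing import Iterable, Iterator, Tuple

Packet = Tuple[int, int]  # (arrival time in ms, size in bytes), constructed


def burst_for_window(cir_bps: int, window_ms: int = 250) -> int:
    """Burst in bytes = window_ms worth of traffic at the CIR.

    Assumption, stated as such: when conform-burst is omitted the ASA chooses
    bc itself; 250 ms of CIR (cir / 32 bytes) is a common policer default,
    but read bc back from `show service-policy police` rather than trusting
    this function.
    """
    return cir_bps * window_ms // 8000


def police(cir_bps: int, bc_bytes: int, packets: Iterable[Packet]) -> dict:
    """Run packets through a token bucket: the CIR refills it, bc caps it.

    A packet conforms (transmit) when the bucket holds at least its size,
    otherwise it exceeds (drop). Returns counters in the same spirit as the
    conformed/exceeded lines of `show service-policy police`.
    """
    tokens = float(bc_bytes)  # bucket starts full, so an initial burst passes
    last_ms = 0
    stats = {"conformed": 0, "conformed_bytes": 0,
             "exceeded": 0, "exceeded_bytes": 0}
    for t_ms, size in packets:
        # Refill at the CIR for the elapsed time, never beyond bc.
        tokens = min(float(bc_bytes),
                     tokens + (t_ms - last_ms) * cir_bps / 8000)
        last_ms = t_ms
        if size <= tokens:
            tokens -= size
            stats["conformed"] += 1
            stats["conformed_bytes"] += size
        else:
            # A dropped packet does not consume tokens.
            stats["exceeded"] += 1
            stats["exceeded_bytes"] += size
    return stats


def steady_stream(count: int, size: int, interval_ms: int) -> Iterator[Packet]:
    """Constructed traffic: `count` packets of `size` bytes every interval_ms."""
    for i in range(count):
        yield (i * interval_ms, size)


def offered_bps(size: int, interval_ms: int) -> int:
    """Line rate of a steady stream, for comparison with the CIR."""
    return size * 8 * 1000 // interval_ms


if __name__ == "__main__":
    # 1500-byte packets every 100 ms = 120 kbps offered against the
    # 100 kbps policer from the thread (police output 100000 8000).
    cir, bc = 100_000, 8_000
    print("offered", offered_bps(1500, 100), "bps vs cir", cir, "bps")
    print("bc 8000  :", police(cir, bc, steady_stream(60, 1500, 100)))
    print("bc cir/32:", police(cir, burst_for_window(cir),
                                steady_stream(60, 1500, 100)))
    # The same stream is far below the 60 Mbps policer: everything conforms.
    print("60 Mbps  :", police(60_000_000, burst_for_window(60_000_000),
                                steady_stream(60, 1500, 100)))
```

Running it shows the effect of the burst: with bc 8000 the first 27 oversized-rate packets pass before the first drop, with the smaller cir/32 burst drops start after 7, and in both cases the long-run pass rate settles at exactly the CIR (5 of every 6 packets here). A larger bc therefore only changes how much of a short burst is tolerated, not the sustained rate.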

Hello @Bogdan Nita

Please, I have other questions:

1. Can I apply these commands now? Please confirm.
And if yes, why is the policy not applied on the outside interface?

access-list inside-traffic-acl permit ip <inside-net> any
access-list inside-traffic-acl permit ip any <inside-net>
!
class-map inside-traffic-cmap
 match access-list inside-traffic-acl
!
policy-map inside-traffic-pmap
 class inside-traffic-cmap
  police output 60000000 conform-action transmit exceed-action drop
  police input 60000000 conform-action transmit exceed-action drop
!
service-policy inside-traffic-pmap interface inside
!
priority-queue inside

2. Do police output and police input mean "upload & download" on the interface?

1. Commands can be applied during working hours, if that is what you mean; traffic will be limited to the configured CIR after applying the config.
The policy can be applied on any interface or globally (which applies the policy map to all interfaces).

2. Correct, traffic policing is supported in the inbound and/or outbound direction on the ASA:
- output: enables policing of traffic flowing in the output direction.
- input: enables policing of traffic flowing in the input direction.

About the commands, I mean only the commands you wrote, or is there anything to add?

The config should police input and output traffic on the inside interface, no additional command needed.

You could actually drop the priority-queue command because there is no prioritization being done.

@Bogdan Nita Thank you so much
