Search This Blog

Tuesday, 5 June 2012

Cisco ASA - Rate Limit Outbound Connections

How to rate limit the bandwidth for an outbound conection through an ASA 5510.

Cisco ASA CLI

The Cisco ASA 5510 will allow for control over the bandwidth and burst rate allowed through an interface, the config below will show how you can control outbound bandwidth through the outside interface.

First create an access list that will match the interesting traffic, in this case the IP address 10.10.0.40 represents the internal server on our network used for testing.

access-list acl-police-bandwidth extended permit ip host 10.10.0.40 any
access-list acl-police-bandwidth extended permit ip any host 10.10.0.40

Next a class map is required to match the traffic we want in our policy map, if you have used Zone Based Firewall before then this will make sense. The class map matches the access list we have created.

class-map cmap-police-bandwidth
match access-list acl-police-bandwidth

Now we need to create a service policy, this will match the class map. This is the Cisco way of nesting objects, it is logical but can be confusing sometimes.

policy-map pmap-police-bandwidth
class cmap-police-bandwidth
police output 1000000 2000
police input 1000000 2000

Last we create a service policy and this is assigned to an interface. In this case this will inspect all traffic in both directions through our Internet facing interface but because we are using PAT we can match only on traffic to and from our internal IP address and so allow all other IP addresses utilise as much bandwidth as they need.

service-policy pmap-police-bandwidth interface WaveNet

2 comments: