Traffic Rate Limiting on Cisco ASA
With the Modular Policy Framework (MPF) introduced in ASA versions 7.x and 8.x, the firewall administrator can apply policing and rate limiting to traffic passing through the ASA appliance. I got a few questions from people about how this functionality works, so I decided to include a quick example below, which you can easily modify to match your needs.
Scenario:
We want to rate limit a local internal host when it accesses a specific external public server. The local host is 192.168.1.10 and the external public server is 100.100.100.1. We need to limit the traffic to 100 kbps with a burst size of 8000.
Configuration Snippet:
ASA(config)#access-list rate-limit-acl extended permit ip host 192.168.1.10 host 100.100.100.1
ASA(config)#class-map rate-limit
ASA(config-cmap)#match access-list rate-limit-acl
ASA(config)#policy-map limit-policy
ASA(config-pmap)#class rate-limit
ASA(config-pmap-c)#police output 100000 8000
ASA(config)#service-policy limit-policy interface outside


I have applied the same configs, and when I do the sh service-pol int out I don't see any hits:
SA-5540# sh service-pol int out
Interface outside:
Service-policy: XXX-policy
Class-map: XXX-map
Output police Interface outside:
cir 1000000 bps, bc 10000 bytes
conformed 0 packets, 0 bytes; actions: drop
exceeded 0 packets, 0 bytes; actions: drop
conformed 0 bps, exceed 0 bps
Hello Kris,
Maybe the flow of traffic in your scenario is different. Try to use the following:
ASA(config-pmap-c)#police input 100000 8000
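
A check for the symptom discussed in the comments above, written as an added example that is not part of the original post or its comments: it parses policer blocks from "show service-policy interface" output and flags any policer whose counters show no matched traffic, or whose conform action is drop. The sample output, class names and function names are constructed for illustration, and the line format is assumed to match the output quoted in the comment.

```python
import re
# Constructed sample in the format of the "show service-policy interface"
# output quoted in the comments; class names and counters are made up.
SAMPLE = """\
Interface outside:
 Service-policy: limit-policy
  Class-map: rate-limit
   Output police Interface outside:
    cir 100000 bps, bc 8000 bytes
    conformed 0 packets, 0 bytes; actions: transmit
    exceeded 0 packets, 0 bytes; actions: drop
    conformed 0 bps, exceed 0 bps
  Class-map: other-limit
   Input police Interface outside:
    cir 1000000 bps, bc 10000 bytes
    conformed 5210 packets, 3912004 bytes; actions: transmit
    exceeded 88 packets, 120432 bytes; actions: drop
"""

CLASS_RE = re.compile(r"Class-map:\s*(\S+)")
POLICE_RE = re.compile(r"(Input|Output) police Interface (\S+?):")
CIR_RE = re.compile(r"cir (\d+) bps, bc (\d+) bytes")
COUNT_RE = re.compile(r"(conformed|exceeded) (\d+) packets, (\d+) bytes; actions: (\w+)")

def parse_policers(text):
    """Return one dict per policer block found in the output."""
    policers, current_class = [], None
    for line in text.splitlines():
        line = line.strip()
        if m := CLASS_RE.match(line):
            current_class = m.group(1)
        elif m := POLICE_RE.match(line):
            policers.append({"class": current_class, "direction": m.group(1).lower()})
        elif policers and (m := CIR_RE.match(line)):
            policers[-1].update(cir_bps=int(m.group(1)), burst_bytes=int(m.group(2)))
        elif policers and (m := COUNT_RE.match(line)):
            # The per-second rate line has no "packets," field, so it is skipped.
            policers[-1][m.group(1)] = {"packets": int(m.group(2)), "action": m.group(4)}
    return policers

def findings(policers):
    """Flag policers that never matched traffic or that drop conforming traffic."""
    out = []
    for p in policers:
        conf, exc = p.get("conformed", {}), p.get("exceeded", {})
        if conf.get("packets", 0) == 0 and exc.get("packets", 0) == 0:
            out.append((p["class"], "no-hits"))  # nothing matched in this direction
        if conf.get("action") == "drop":
            out.append((p["class"], "conform-action-drop"))
    return out
```

A "no-hits" finding means no traffic has matched the class in the policed direction, so the next things to check are the ACL referenced by the class-map and whether the policer should be input or output on that interface.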