Traffic Rate Limiting on Cisco ASA

"Sponsored Links"

With the new modular policy framework (MPF) introduced in ASA versions 7.x and 8.x, the firewall administrator is now able to apply policing and rate limiting to traffic passing through the ASA appliance. I got a few questions from people how this functionality works and decided to throw in a quick example below which you can easily modify accordingly to match your needs.


We want to rate limit a local internal host when accessing a specific external public server. The local host is and the external public server is We need to limit the traffic to 100kbps and burst size 8000.

Configuration Snippet:

ASA(config)#access-list rate-limit-acl extended permit ip host host

ASA(config)#class-map rate-limit
ASA(config-cmap)#match access-list rate-limit-acl

ASA(config)#policy-map limit-policy
ASA(config-pmap)#class rate-limit
ASA(config-pmap-c)#police output 100000 8000

ASA(config)#service-policy limit-policy interface outside

"Sponsored Links"


  1. Kris says

    I have applied a same configs, and when i do the sh service-pol int out
    i dont see any hits,

    SA-5540# sh service-pol int out

    Interface outside:
    Service-policy: XXX-policy
    Class-map: XXX-map
    Output police Interface outside:
    cir 1000000 bps, bc 10000 bytes
    conformed 0 packets, 0 bytes; actions: drop
    exceeded 0 packets, 0 bytes; actions: drop
    conformed 0 bps, exceed 0 bps

  2. BlogAdmin says

    Hello Kris,

    Maybe the flow of traffic in your scenario is different. Try to use the following:
    ASA(config-pmap-c)#police input 100000 8000

  3. Gary says

    I want to limit to internet access,so I did
    #access-list rate-limit-acl extended permit ip host host any
    but it shown :
    ERROR: % Invalid Hostname
    would you explain how can I did?

  4. BlogAdmin says


    The correct command is:

    access-list rate-limit-acl extended permit ip host any


Leave a Reply

Your email address will not be published. Required fields are marked *