Thursday, 16 June 2016

Throttling internal internet access with the ASA

To do this we will use a service policy. The example below only limits download speed (not upload speed), since the latter is not usually contested.

Define an access list to match the traffic we wish to throttle (including deny entries for subnets we do not wish to throttle, e.g. internal ones):

access-list rate-limit-acl extended deny ip
access-list rate-limit-acl extended permit ip any

Create a class-map to classify the traffic:

class-map throttle_classmap
 match access-list rate-limit-acl

Define a policy map to set up QoS (this will limit bandwidth to 2 megabits and allow a burst speed of 16000 bits):

policy-map throttle_policymap
 class throttle_classmap
  police output 2000000 16000
  police input 2000000 16000

Finally, create a service policy and apply it to your inside interface:

service-policy throttle_policymap interface inside
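
What the police 2000000 16000 values do to a flow, as an added example that is not part of the original post: a single-rate token-bucket model in Python. It assumes the burst value is counted in bytes and that packets exceeding the rate are dropped; the function names and sample flows are constructed for illustration.

```python
"""Token-bucket model of `police <rate> <burst>` (illustrative, not ASA code)."""

RATE_BPS = 2_000_000   # conform rate from the policy map, bits per second
BURST = 16_000         # burst size from the policy map, assumed to be bytes


def police(packets, rate_bps=RATE_BPS, burst=BURST):
    """packets: list of (arrival_time_s, size_bytes), sorted by time.
    Returns one verdict per packet: True = conform (sent), False = exceed (dropped).
    """
    tokens = float(burst)          # bucket starts full
    last = None
    verdicts = []
    for arrival, size in packets:
        if last is not None:
            # Refill at rate_bps/8 bytes per second, capped at the burst size.
            tokens = min(burst, tokens + (arrival - last) * rate_bps / 8)
        last = arrival
        if size <= tokens:
            tokens -= size
            verdicts.append(True)
        else:
            verdicts.append(False)  # not enough tokens: packet exceeds the rate
    return verdicts


def constant_flow(offered_bps, duration_s, size=1500):
    """Constructed sample traffic: equally spaced packets at offered_bps."""
    interval = size * 8 / offered_bps
    return [(i * interval, size) for i in range(int(duration_s / interval))]


def delivered_bps(packets, verdicts, duration_s):
    """Throughput of the packets that conformed."""
    sent = sum(size for (_, size), ok in zip(packets, verdicts) if ok)
    return sent * 8 / duration_s


if __name__ == "__main__":
    for offered in (1_000_000, 10_000_000):
        flow = constant_flow(offered, 10)
        out = delivered_bps(flow, police(flow), 10)
        print(f"offered {offered} bps -> delivered {out:.0f} bps")
```
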

