Thursday 16 June 2016

Throttling internal internet access with the ASA

To do this we will use a service policy. The example below limits only download speed (not upload speed), since the latter is not usually contested.

Define an access list that matches the traffic we wish to throttle, with deny entries for the subnets we do not wish to throttle (e.g. internal ones):

access-list rate-limit-acl extended deny ip 10.50.0.0 255.255.0.0 10.100.0.0 255.255.0.0
access-list rate-limit-acl extended permit ip any 10.100.0.0 255.255.0.0

Create a class-map to classify the traffic:

class-map throttle_classmap
 match access-list rate-limit-acl
 exit

Define a policy map to set up QoS (this will limit bandwidth to 2 megabits and allow a burst speed of 16000 bits):

policy-map throttle_policymap
 class throttle_classmap
  police output 2000000 16000
  police input 2000000 16000
  exit
 exit

Finally, create a service policy and apply it to your inside interface:

service-policy throttle_policymap interface inside
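
To check which flows the class-map will hand to the policer before applying the policy, the following added example (not part of the original post) parses the two rate-limit-acl entries and evaluates them first-match against constructed sample flows. A deny entry, or no matching entry at all, leaves the flow outside the class; the function names and sample addresses are assumptions made for the illustration.

```python
import ipaddress

# The two ACEs from the post, verbatim.
ACL = """\
access-list rate-limit-acl extended deny ip 10.50.0.0 255.255.0.0 10.100.0.0 255.255.0.0
access-list rate-limit-acl extended permit ip any 10.100.0.0 255.255.0.0
"""

def _take_net(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D MASK' from the token list."""
    head = tokens.pop(0)
    if head == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if head == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{head}/{tokens.pop(0)}")

def parse_acl(text):
    """Return [(action, src_net, dst_net)] for 'extended <action> ip' entries."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list" or tokens[2] != "extended":
            continue
        action, proto, rest = tokens[3], tokens[4], tokens[5:]
        if proto != "ip":
            raise ValueError(f"only 'ip' entries are handled: {line}")
        entries.append((action, _take_net(rest), _take_net(rest)))
    return entries

def is_policed(entries, src, dst):
    """First matching entry wins; no match (implicit deny) means not in the class."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in entries:
        if s in src_net and d in dst_net:
            return action == "permit"
    return False

if __name__ == "__main__":
    rules = parse_acl(ACL)
    # Constructed sample flows (documentation-range address for the internet host).
    for src, dst in [("203.0.113.10", "10.100.4.20"),   # download to a client
                     ("10.50.1.5", "10.100.4.20"),      # internal to internal
                     ("10.100.4.20", "203.0.113.10")]:  # upload from a client
        state = "policed" if is_policed(rules, src, dst) else "not policed"
        print(f"{src} -> {dst}: {state}")
```

Only the flow destined to 10.100.0.0/16 from outside 10.50.0.0/16 falls into the class, which matches the post's statement that the example throttles downloads only.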
