I have a situation where I have a group of users that are eating up 100% of the bandwidth in the office. I am limiting the amount of upstream and downstream bandwidth used by these selected users being NAT’ed by my asa.
I have all the users in a selected address range
object network BANDWIDTH-HOGS subnet 10.9.6.0 255.255.255.0
We are going to limit both inbound and outbound to the Internet so I need two access lists
access-list RATE-LIMIT-IN-ACL extended permit ip any4 object BANDWIDTH-HOGS access-list RATE-LIMIT-OUT-ACL extended permit ip object BANDWIDTH-HOGS any4
class-map RATE-LIMIT-IN-MAP match access-list RATE-LIMIT-IN-ACL exit class-map RATE-LIMIT-OUT-MAP match access-list RATE-LIMIT-OUT-ACL exit
Here is where we limit the bandwidth
They are limited to 20 Mbps inbound and 1 Mbps outbound
policy-map LIMIT-POLICY class RATE-LIMIT-IN-MAP police input 20000000 100000 exit class RATE-LIMIT-OUT-MAP police output 1000000 80000 exit exit
This line applies the policy to the “outside” interface
service-policy LIMIT-POLICY interface OUTSIDE
If you modify the access lists, you can limit the bandwidth based upon services (i.e. limit the bandwidth only when accessing http: or https:) or selected sites
We want to rate limit a local internal host when sending data to a specific external public server. When it starts its daily transfer, it eats up all the bandwidth and all users have problems accessing the Internet during that time. The local host is 192.168.1.10 and the external public server is 100.100.100.1. We need to limit the traffic to 100kbps and burst size 8000.
access-list ACL-RATE-LIMIT-SERVER extended permit ip host 192.168.1.10 host 100.100.100.1 class-map RATE-LIMIT match access-list ACL-RATE-LIMIT-SERVER policy-map LIMIT-POLICY class RATE-LIMIT police output 100000 8000 service-policy LIMIT-POLICY interface OUTSIDE