Skip to content

How to rate limit a host with Cisco ASA

Published: at 06:52 PM

Do you have a host on your network using up all the bandwidth? Maybe an offsite backup device keeps sending GBs of data offsite?

In my case, I deployed an AWS Storage gateway in file gateway mode. This works perfectly for my use case but there are a couple of “Gotcha’s” with the AWS file gateway versus a volume or tape library.

The main one is that you cannot schedule or rate limit the file gateway directly within the AWS Console. This is simply not built into the solution. To ensure the upload did not use all the bandwidth on the network, I used rate limiting on the Cisco ASA. Below is the configuration.

The first step is to create an ACL for the host (In this example the file gateway is I am allowing all IP traffic to and from this host.

access-list AWS-FileGW-Throttle extended permit ip host any
access-list AWS-FileGW-Throttle extended permit ip any host

Next, you need to create a class map to match the ACL that was just created.

match access-list AWS-FileGW-THROTTLE

After that, you need to configure a policy map that the ASA will use to police the traffic. In this example, I am rate-limiting the host to 10 Mbps with a burst rate of 1 Mbps.

police output 10000000 1000000
police input 10000000 1000000

Once these steps are complete you need to tie a service policy to the inside interface.

service-policy PM-AWS-THROTTLE interface inside

That’s it! Now go and check your network monitoring software/netflow and you’ll see it is working!