Rate Limiting on an ASA
Configuration 1
I have a situation where a group of users is eating up 100% of the bandwidth in the office. I am limiting the upstream and downstream bandwidth available to these selected users, who are being NATed by my ASA.
All of these users sit in one address range, defined here as a network object:
object network BANDWIDTH-HOGS subnet 10.9.6.0 255.255.255.0
We are going to limit both inbound and outbound traffic to the Internet, so two access lists are needed: one matching traffic destined to the hogs and one matching traffic sourced from them.
access-list RATE-LIMIT-IN-ACL extended permit ip any4 object BANDWIDTH-HOGS
access-list RATE-LIMIT-OUT-ACL extended permit ip object BANDWIDTH-HOGS any4
Each access list is tied to its own class map:
class-map RATE-LIMIT-IN-MAP
 match access-list RATE-LIMIT-IN-ACL
 exit
class-map RATE-LIMIT-OUT-MAP
 match access-list RATE-LIMIT-OUT-ACL
 exit
Here is where the bandwidth is limited. The policy map polices the hogs to 20 Mbps inbound (police input on the outside interface, i.e. downloads) and 1 Mbps outbound (police output, i.e. uploads). On each police line the first number is the conform rate in bits per second and the second is the burst size in bytes.
policy-map LIMIT-POLICY
 class RATE-LIMIT-IN-MAP
  police input 20000000 100000
  exit
 class RATE-LIMIT-OUT-MAP
  police output 1000000 80000
  exit
 exit
This line applies the policy to the “outside” interface
service-policy LIMIT-POLICY interface OUTSIDE
If you modify the access lists, you can limit the bandwidth based on service (for example, only when accessing HTTP or HTTPS) or only for selected destination sites.
Configuration 2
We want to rate limit a local internal host when it sends data to a specific external public server. When it starts its daily transfer, it eats up all the bandwidth and all users have problems accessing the Internet during that time. The local host is 192.168.1.10 and the external public server is 100.100.100.1. We need to limit the traffic to 100 kbps with a burst size of 8000 bytes.
Configuration Snippet:
access-list ACL-RATE-LIMIT-SERVER extended permit ip host 192.168.1.10 host 100.100.100.1
class-map RATE-LIMIT
 match access-list ACL-RATE-LIMIT-SERVER
policy-map LIMIT-POLICY
 class RATE-LIMIT
  police output 100000 8000
service-policy LIMIT-POLICY interface OUTSIDE
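To show what "police output 100000 8000" does to the daily transfer in Configuration 2, here is an added Python model (not ASA code and not part of the original write-up) of a single-rate token-bucket policer using the ASA defaults of transmit on conform and drop on exceed. The sender behaviour (1500-byte packets every 10 ms) is a constructed assumption, and the value ranges checked are those the ASA police command accepts.

```python
from dataclasses import dataclass, field
from fractions import Fraction


@dataclass
class Policer:
    """Single-rate token-bucket model of the ASA action
    'police <input|output> <conform-rate-bps> <burst-bytes>' with its
    defaults: conform-action transmit, exceed-action drop."""
    conform_rate_bps: int
    burst_bytes: int
    tokens: Fraction = field(init=False)          # bytes currently allowed
    last_us: int = field(default=0, init=False)   # time of last packet (us)

    def __post_init__(self) -> None:
        # Value ranges accepted by the ASA police command.
        if not 8000 <= self.conform_rate_bps <= 2_000_000_000:
            raise ValueError("conform-rate must be 8000-2000000000 bps")
        if not 1000 <= self.burst_bytes <= 512_000_000:
            raise ValueError("burst-size must be 1000-512000000 bytes")
        self.tokens = Fraction(self.burst_bytes)  # bucket starts full

    def offer(self, t_us: int, size_bytes: int) -> bool:
        """Return True if a packet of size_bytes arriving at t_us conforms."""
        # Refill: rate is bits/s, elapsed time is microseconds -> bytes (exact).
        refill = Fraction(self.conform_rate_bps * (t_us - self.last_us), 8_000_000)
        self.tokens = min(Fraction(self.burst_bytes), self.tokens + refill)
        self.last_us = t_us
        if self.tokens >= size_bytes:
            self.tokens -= size_bytes
            return True          # conform -> transmit
        return False             # exceed -> drop


def simulate(rate_bps: int, burst_bytes: int, pkt_bytes: int,
             n_pkts: int, interval_us: int) -> tuple[int, int]:
    """Offer n_pkts packets of pkt_bytes every interval_us; return (sent, dropped)."""
    policer = Policer(rate_bps, burst_bytes)
    sent = sum(policer.offer(i * interval_us, pkt_bytes) for i in range(n_pkts))
    return sent, n_pkts - sent


if __name__ == "__main__":
    # Constructed sender: 1500-byte packets every 10 ms (1.2 Mb/s offered),
    # run against Configuration 2's 'police output 100000 8000'.
    sent, dropped = simulate(100_000, 8000, 1500, 100, 10_000)
    print(f"first second: {sent} sent, {dropped} dropped")   # 13 sent, 87 dropped
    sent, dropped = simulate(100_000, 8000, 1500, 1000, 10_000)
    print(f"ten seconds: {sent} sent ({sent * 1500 * 8 / 10:.0f} bit/s)")
```

The first five packets pass on the initial 8000-byte burst alone; after that the host gets one 1500-byte packet through every 120 ms, which over ten seconds settles to just over the 100 kbps conform rate.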