In one of my very first articles I talked about configuring a guest wireless network on the ASA. As mentioned in the article, this sort of configuration works well for public access and allows unknown users access to only the internet. Recently I had a request to limit the bandwidth that users had access to on the guest network. I had never configured something like this before, but after thinking about it for a while it made sense. You don't want someone to get onto your guest network and be able to use the entire bandwidth available to the ASA. The code to police the input and output speed down to 2 Mbps is shown below. The same code could be applied to any available interface on the ASA to produce the same effect.
Notes
-Console prompts are shown in green
-Text in blue marks variable names I made up; feel free to change them
Create a class map and tell it to match all traffic
ASA(config)# class-map CM_GuestNetwork
ASA(config-cmap)# match any
Create a policy map and configure a class within it to police the input and output
ASA(config-cmap)# policy-map PM_GuestNetwork
ASA(config-pmap)# class CM_GuestNetwork
ASA(config-pmap-c)# police input 2000000
ASA(config-pmap-c)# police output 2000000
ASA(config-pmap-c)# exit
ASA(config-pmap)# exit
Apply the policy map to an interface
ASA(config)# service-policy PM_GuestNetwork interface GUEST
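To show what policing at 2000000 bps does to traffic that arrives faster than that, here is a small Python token-bucket model, added as an illustration; it is not code from the original article and not Cisco's implementation. The burst size, packet size and constant-rate traffic pattern are assumptions chosen for the sketch.

```python
# Added illustration: a single-rate token-bucket policer model.
# RATE_BPS matches the 2000000 used in the police commands above.
# BURST_BYTES is an assumed value for this sketch, not one read from an ASA.

RATE_BPS = 2_000_000
BURST_BYTES = 62_500  # assumption


class Policer:
    def __init__(self, rate_bps, burst_bytes):
        self.rate_bytes = rate_bps / 8.0   # refill rate in bytes per second
        self.burst = float(burst_bytes)    # bucket depth
        self.tokens = float(burst_bytes)   # bucket starts full
        self.last = 0.0                    # time of the previous packet

    def offer(self, now, size):
        """Return True if the packet conforms (transmit), False if it exceeds (drop)."""
        refill = (now - self.last) * self.rate_bytes
        self.tokens = min(self.burst, self.tokens + refill)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False  # a policer drops excess traffic, it does not queue it


def simulate(offered_bps, seconds=10, pkt_bytes=1500,
             rate_bps=RATE_BPS, burst_bytes=BURST_BYTES):
    """Offer a constant-rate stream; return (delivered_bps, dropped_fraction)."""
    policer = Policer(rate_bps, burst_bytes)
    interval = pkt_bytes * 8 / offered_bps   # seconds between packets
    total = int(seconds / interval)
    sent = sum(policer.offer(i * interval, pkt_bytes) for i in range(total))
    return sent * pkt_bytes * 8 / seconds, 1 - sent / total


if __name__ == "__main__":
    for offered in (1_000_000, 2_000_000, 10_000_000):
        delivered, dropped = simulate(offered)
        print(f"offered {offered / 1e6:4.1f} Mbps -> "
              f"delivered {delivered / 1e6:4.2f} Mbps, dropped {dropped:5.1%}")
```

Traffic offered at or below the policed rate passes untouched, while a faster stream is cut to roughly the policed rate plus the initial burst, with the remainder dropped.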
Shown below are the results of a speakeasy.net speed test prior to the change…