rate-limit

Benjamin Saito — Tue, 12 Mar 2019 01:52:52 GMT

Hi, I have someone who is worried about denial-of-service attacks. They have 11 vm's that share a connection and want to set it up so that there is a maximum amount of traffic allowed to hit each vm, so if there is a DDoS attack it will only affect that one VM instead of all the VM's on the same connection. What is the best way to go about this from the ASA? This is behind a 5515 with asa code version 8.6. Is there a way to rate-limit by ip address? Thanks!

rate-limit

Andrew Phirsov — Tue, 04 Jun 2013 17:03:29 GMT

The feature is called traffic policing. Basically, what you should do is this:

1. Define traffic to each server by using corresponding ACLs

2. Define class map for each server

3. Define policy map or use global policy to apply policing.

Example:

server 1 has ip 10.0.0.1 and provides http access from the outside

server 2 has ip 10.0.0.2 and provides https access from the outside

access-list SERVER_1_TRAFFIC permit tcp any host 10.0.0.1 eq 80

access-list SERVER_2_TRAFFIC permit tcp any host 10.0.0.2 eq 443

class-map SERVER1

match access-list SERVER_1_TRAFFIC

class-map SERVER2

match access-list SERVER_2_TRAFFIC

policy-map global_policy

class SERVER1

police input 100000 (bps) 10000 (bps)

police output .....

class SERVER2

police input 200000 (bps) 10000 (bps)

police output .....

Here's the guide:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/conns_qos.html#wp1065257

topic rate-limit in Network Security

rate-limit

rate-limit