Connection Limiting - Automatic IP Prioritization

JeremyPo
Level 1

We have 20 separate devices that have a concurrent user limit of 5 each. These devices do not have any type of administrative features that allow the management of incoming connections. Therefore the first 5 users to connect get in and could stay logged in indefinitely. We have over 40 users that need access to each device at different times, some with higher priority than others.

Our current solution: Implemented an ASA-5506 with separate rules/groups of IPs. One small group, say "Priority 1", contains a handful of high-priority IPs. The rest of the users/IPs are in a second group, "Priority 2". If at a given time a device is full with 5 connections and someone from Priority 1 needs access, the second rule is disabled and one unlucky IP from the lower priority group is manually disconnected via console command to make room.

Is it possible to automate this in any way? Such as automatically disconnecting and temporarily blocking IP(s) from Priority 2 to allow users from Priority 1 to connect, and then automatically unblocking them once Priority 1 disconnects?


marce1000
Hall of Fame

 - In the modern always-connected world such schemes are undesirable. Make sure your infrastructure is robust and can accommodate all network clients.

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

Mark Malone
VIP Alumni
You could probably do it with EEM if you were good at scripting; it's allowed on ASAs. I agree with Marce's point that the network should be built to maintain the client infrastructure, though. Currently that's not a good way to operate; it probably should be redesigned. If users are being kicked from the network, no matter their priority they should still have basic access if required.
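
The decision logic that any such automation would have to implement, modelled in Python as an added example that is not part of the original thread and is not ASA or EEM configuration. The class and method names are hypothetical, the addresses are constructed samples, and two policies are assumed: one connection per IP, and eviction of the longest-connected Priority 2 address.

```python
from dataclasses import dataclass, field

@dataclass
class Device:
    """Admission state for one device (hypothetical model, one connection per IP)."""
    priority1: frozenset                          # "Priority 1" source IPs
    limit: int = 5                                # concurrent user limit from the post
    active: list = field(default_factory=list)    # connected IPs, oldest first
    blocked: dict = field(default_factory=dict)   # evicted P2 IP -> P1 IP holding its slot

    def connect(self, ip):
        """Return (admitted, evicted_ip) for a new connection attempt."""
        if ip in self.active:
            return True, None                     # already connected, nothing to change
        if ip in self.blocked:
            return False, None                    # temporarily blocked Priority 2 address
        if len(self.active) < self.limit:
            self.active.append(ip)
            return True, None
        if ip not in self.priority1:
            return False, None                    # device full, no preemption for Priority 2
        # Device full and a Priority 1 user arrived: evict the longest-connected
        # Priority 2 address (assumed policy; the post only says "one unlucky IP").
        victim = next((a for a in self.active if a not in self.priority1), None)
        if victim is None:
            return False, None                    # every slot is already held by Priority 1
        self.active.remove(victim)
        self.blocked[victim] = ip
        self.active.append(ip)
        return True, victim

    def disconnect(self, ip):
        """Drop a connection; return the Priority 2 IPs unblocked as a result."""
        if ip in self.active:
            self.active.remove(ip)
        freed = [p2 for p2, holder in self.blocked.items() if holder == ip]
        for p2 in freed:
            del self.blocked[p2]
        return freed

if __name__ == "__main__":
    dev = Device(priority1=frozenset({"192.0.2.10"}))   # constructed sample addresses
    for n in range(1, 6):
        dev.connect(f"198.51.100.{n}")
    print(dev.connect("192.0.2.10"))     # Priority 1 arrives while the device is full
    print(dev.disconnect("192.0.2.10"))  # its evicted Priority 2 peer is unblocked
```

The returned eviction and unblock lists are the points where a real script would issue the disconnect and the rule change on the firewall.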