04-20-2011 08:54 AM - edited 03-11-2019 01:23 PM
I have a requirement to apply rate limiting to our guest wireless network for internet traffic. I have a Cisco ASA 5510 on which I am using three interfaces: inside, outside and a DMZ.
I have a Cisco wireless network with a master wireless LAN controller and an anchor controller. The anchor controller is deployed in the DMZ, and all guest wireless traffic is tunneled from the LAN to the anchor controller in the DMZ, from where it is then routed via the ASA to the internet.
All other internet bound traffic from the LAN is routed via the inside interface on the ASA.
I would like to apply rate limiting to all network traffic from the anchor controller on the DMZ interface. I do not want to apply any rate limiting to any traffic on the inside interface.
I have read that the ASA supports rate limiting; my questions are:
1> Can the rate limiting policy be applied to the DMZ interface?
2> Do I need to apply any policies to the inside interface?
Thanks
Andy
04-20-2011 04:35 PM
Hi Andy,
Simple answers:
1> Yes
2> No
If you would like the configuration that needs to be done, then you can do the following:
access-list policyacl permit ip
access-list policyacl permit ip any
!--- Access list matches traffic which needs to be policed ---!
class-map policy-class
match access-list policyacl
!--- class map identifies that traffic ---!
policy-map policy-dmz
class policy-class
police input
police output
!--- policing policies are applied to the class ---!
service-policy policy-dmz interface
!--- the policy is applied to the DMZ interface ---!
This will police traffic according to the numbers mentioned in the policy map.
If traffic is going to be traversing the ASA between inside and DMZ, then you would need to modify the config slightly, else traffic from inside to DMZ would also get policed.
So basically you would apply the DMZ -> Internet policing policy on the DMZ interface, and the Internet -> DMZ policing on the outside interface.
However, for that, you should ensure that DMZ traffic gets PATed onto a different IP than the inside interface. (Else the ASA can't distinguish between traffic to the inside and traffic to the DMZ, since on the outside interface all traffic would be destined to the same IP.)
Hope this helps.
-Shrikant
P.S: Please mark the question as answered if it has been resolved. Do rate helpful posts. Thanks.
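As an added example (this is not Shrikant's configuration and not code from the post), the following Python renders the policing commands from the answer above with sample values filled in, and simulates what the conform-rate/burst pair on the police command does to a burst of packets using a single-rate token bucket. The subnet 10.20.0.0/16, the interface name dmz, the 1 Mbps rate, the 8000-byte burst and the packet trace are all constructed values, and the token bucket is my model of the police command, not a documented description of the ASA's internal policer.

```python
"""Render an ASA MPF policing policy and model its conform-rate/burst behaviour.

Added example for the thread above; all values are constructed placeholders.
"""
from typing import List, Tuple


def render_policing_config(acl_name: str, class_name: str, policy_name: str,
                           guest_subnet: str, guest_mask: str, interface: str,
                           rate_bps: int, burst_bytes: int) -> str:
    """Return the ASA configuration lines for policing one interface.

    ASA 'police' takes the conform rate in bits per second and the burst
    size in bytes; the ranges below are the documented limits of the command.
    """
    if not 8000 <= rate_bps <= 2_000_000_000:
        raise ValueError("conform-rate must be 8000..2000000000 bps")
    if not 1000 <= burst_bytes <= 512_000_000:
        raise ValueError("burst-size must be 1000..512000000 bytes")
    action = "conform-action transmit exceed-action drop"
    lines = [
        # Match the guest subnet behind the anchor controller, to anywhere.
        f"access-list {acl_name} extended permit ip {guest_subnet} {guest_mask} any",
        f"class-map {class_name}",
        f" match access-list {acl_name}",
        f"policy-map {policy_name}",
        f" class {class_name}",
        f"  police input {rate_bps} {burst_bytes} {action}",
        f"  police output {rate_bps} {burst_bytes} {action}",
        # Bind the policy only to the DMZ interface; inside stays unpoliced.
        f"service-policy {policy_name} interface {interface}",
    ]
    return "\n".join(lines)


def police(packets: List[Tuple[float, int]], rate_bps: int,
           burst_bytes: int) -> List[str]:
    """Single-rate token-bucket policer (my model of the police command).

    packets: ordered list of (timestamp_seconds, size_bytes).
    The bucket holds at most burst_bytes tokens (bytes), starts full, and
    refills at rate_bps / 8 bytes per second. A packet that fits in the bucket
    conforms and consumes tokens; otherwise it exceeds (exceed-action drop).
    """
    tokens = float(burst_bytes)
    last = packets[0][0] if packets else 0.0
    verdicts = []
    for t, size in packets:
        tokens = min(float(burst_bytes), tokens + (t - last) * rate_bps / 8.0)
        last = t
        if size <= tokens:
            tokens -= size
            verdicts.append("conform")
        else:
            verdicts.append("exceed")
    return verdicts


# Constructed trace: six full-size frames back to back at t=0, one more 100 ms later.
SAMPLE_TRACE: List[Tuple[float, int]] = [(0.0, 1500)] * 6 + [(0.1, 1500)]
RATE_BPS = 1_000_000     # 1 Mbps guest limit (placeholder)
BURST_BYTES = 8000       # allows ~5 full-size frames before policing kicks in


def demo() -> Tuple[str, List[str]]:
    """Return the rendered config and the per-packet verdicts for the sample."""
    config = render_policing_config("policyacl", "policy-class", "policy-dmz",
                                    "10.20.0.0", "255.255.0.0", "dmz",
                                    RATE_BPS, BURST_BYTES)
    return config, police(SAMPLE_TRACE, RATE_BPS, BURST_BYTES)


if __name__ == "__main__":
    cfg, verdicts = demo()
    print(cfg)
    for (t, size), v in zip(SAMPLE_TRACE, verdicts):
        print(f"t={t:.3f}s size={size}B -> {v}")
```

With an 8000-byte bucket the sixth 1500-byte frame at t=0 is dropped even though the 1 Mbps average is nowhere near exceeded over the second, while the frame 100 ms later conforms again because the bucket has refilled. This is why a burst value sized for a few full-size frames, rather than the minimum, is worth choosing for a guest network: too small a burst turns ordinary TCP bursts into loss long before the configured rate is reached.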