Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1434
Views
0
Helpful
1
Replies

ASA Rate Limiting

Go to solution
Andrew Walles
Level 1
Level 1

‎04-20-2011 08:54 AM - edited ‎03-11-2019 01:23 PM

I have a requirement to apply rate limiting to our guest wireless network for internet traffic. I have a cisco asa 5510 I am using three interfaces; inside, outside and a DMZ.

I have a Cisco wireless network with a master wireless LAN controller and an anchor controller. The anchor controller is deployed in the DMZ and all guest wireless traffic is tunneled from the LAN to the anchor controller in the DMZ which it then gets routed via the ASA to the internet.

All other internet bound traffic from the LAN is routed via the inside interface on the ASA.

I would like to apply rate limiting to all network traffic from the anchor controller on the DMZ interface. I do not want to apply any rate limiting to any traffic on the inside interface.

I have read that the ASA supports rate limiting, my questions are:

1> Can the rate limiting policy be applied to the DMZ interface?

2> Do I need to apply any policies to the inside interface?

Thanks

Andy

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Shrikant Sundaresh
Cisco Employee
Cisco Employee

‎04-20-2011 04:35 PM

Hi Andy,

Simple answers:

1> Yes

2> No

If you would like the configuration that needs to be done, then you can do the following:

access-list policyacl permit ip any

access-list policyacl permit ip any

!--- Access list matches traffic which needs to be policed>

class-map policy-class

     match address policyacl

!--- class map identifies that traffic ---!

policy-map policy-dmz

     class policy-class

          police input

          police output

!--- policing policies are applied to the class ---!

service-policy policy-dmz interface

!-- the policy is applied to the DMZ interface --!

This will police traffic according to the numbers mentioned in the policy map.

If traffic is going to be traversing ASA between inside and DMZ, then you would need to modify the config slightly, else traffic from inside to dmz would also get policed.

So basically you would apply the DMZ -> Internet policing policy on the DMZ interface, and the Internet -> DMZ policing on the outside interface.

However, for that, you should ensure that DMZ traffic gets PAT onto a different IP than the inside interface. (Else ASA can't distinguish between traffic to the inside and traffic to DMZ, since on the outside interface all traffic would be destined to the same ip.)

Hope this helps.

-Shrikant

P.S: Please mark the question as answered if it has been resolved. Do rate helpful posts. Thanks.

View solution in original post

0 Helpful
1 Reply 1

Go to solution
Shrikant Sundaresh
Cisco Employee
Cisco Employee

‎04-20-2011 04:35 PM

Hi Andy,

Simple answers:

1> Yes

2> No

If you would like the configuration that needs to be done, then you can do the following:

access-list policyacl permit ip any

access-list policyacl permit ip any

!--- Access list matches traffic which needs to be policed>

class-map policy-class

     match address policyacl

!--- class map identifies that traffic ---!

policy-map policy-dmz

     class policy-class

          police input

          police output

!--- policing policies are applied to the class ---!

service-policy policy-dmz interface

!-- the policy is applied to the DMZ interface --!

This will police traffic according to the numbers mentioned in the policy map.

If traffic is going to be traversing ASA between inside and DMZ, then you would need to modify the config slightly, else traffic from inside to dmz would also get policed.

So basically you would apply the DMZ -> Internet policing policy on the DMZ interface, and the Internet -> DMZ policing on the outside interface.

However, for that, you should ensure that DMZ traffic gets PAT onto a different IP than the inside interface. (Else ASA can't distinguish between traffic to the inside and traffic to DMZ, since on the outside interface all traffic would be destined to the same ip.)

Hope this helps.

-Shrikant

P.S: Please mark the question as answered if it has been resolved. Do rate helpful posts. Thanks.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card