
ASA Security Contexts - rate limit

niima
Level 1

Dear experts,

Is one able to rate limit the below items when configuring a security context on an ASA5520?

1) NAT

2) MAC Learning

3) Stateful packet inspections

My understanding is that the ASDM sessions rate and connections rate, as well as syslog msg rates, are the only options to rate limit? Am I wrong? Your input is much appreciated.

6 Replies

Marvin Rhoads
Hall of Fame

Yes to all three - as well as several others you didn't mention.

A complete listing can be found here:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa99/configuration/general/asa-99-general-config/ha-contexts.html#ID-2171-00000181

Hi Marvin,

Appreciate your prompt response. However, I am a bit confused. The list mentions mac-address and inspect (attached).

mac-address: does it mean the rate limit of MAC address learning per second, or is it only the maximum number of MACs in the MAC table?

inspect: is it only application inspections per second, or is it stateful packet inspection as well? (I don't think these two are the same, are they?)

You're welcome.

For mac address it's the latter.

Inspects is (are) application inspections per second.

What's the use case you're looking to address with the answer to these questions?

I am preparing for an exam, and I came across a question in a discussion forum on which many people are arguing for different answers.

It is asking: Which three resource class limits can be set using a rate limit? (Choose three.)

A. address translation rate
B. Cisco ASDM session rate
C. connections rate
D. MAC-address learning rate (when in transparent mode)
E. syslog messages rate
F. stateful packet inspections rate

So what are your thoughts Melvin?

The answer would be c, e, and f.

The reason is because, as indicated in the link I provided earlier, those are the only parameters in that list that are limited by "rate" (vs. by a "concurrent" number).
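
The rate-versus-concurrent distinction discussed in this thread, shown as an added configuration example that is not part of the original posts: the class name `exam-demo`, the context name `customer-a` and every number are constructed for illustration.

```cisco
! Constructed example: class name, context name and all values are illustrative.
! Entered in the system execution space of an ASA in multiple context mode.
class exam-demo
  ! Concurrent limits: a ceiling on how many may exist at the same time.
  limit-resource asdm 5
  limit-resource xlates 20000
  ! mac-addresses caps the size of the MAC table (transparent mode),
  ! not how fast entries are learned.
  limit-resource mac-addresses 10000
  limit-resource conns 50000
  ! Rate limits: a ceiling per second, marked by the "rate" keyword.
  limit-resource rate conns 2000
  limit-resource rate syslogs 500
  ! inspects counts application inspections per second.
  limit-resource rate inspects 1000
!
! Assign an existing context to the class so the limits apply to it.
context customer-a
  member exam-demo
```

`show class` and `show resource usage` display the class membership and how close each context is running to these limits.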
