
Cisco ASA Per-User Throttling

joshuacmoore
Level 1

Hello,

I am well aware of how to create policies in the ASA for specific hosts or IPs, but what I want to do is create a generalized policy that gets applied to all users on an interface but at a per-user level.

For example, I want to have all users on interface "inside" subjected to a 10meg policer per-user. Not 10meg policer applied to the whole inside interface. Same thing for connection limits. I want to limit at the granular level of per user so that each user can have only 100 connections coming from their individual IP.

The problem is that I can accomplish this with policy maps if I create one for each IP address, but I need to do this for large subsets at a time (/24 blocks), and creating a policy for each IP on that /24 is not practical.

Any thoughts or recommendations? I'm testing this on my ASA 5505 with 9.2 code.

3 Replies

Vibhor Amrodia
Cisco Employee

Hi,

This would not be possible to configure on the ASA device. You would have to create specific policies for every user separately to apply the user limit for policing the traffic.

Thanks and Regards,

Vibhor Amrodia

Aside from the config being massive, is there a limitation on the amount of individual user policers allowed?

Hi,

You have a limit of 256 for the number of class-maps inside of the policy.

If this is something important as a requirement, you can try it, although this is something not recommended.

Thanks and Regards,

Vibhor Amrodia
