
Determine how much traffic is from streaming services on ASA

Hi all,

 

On an ASA5525-X, how do I determine how much traffic is from streaming services, Netflix, Spotify, YouTube and so on, and how to effectively deny the traffic, if any? The use case would be how to limit AnyConnect users so they don't consume unnecessary ASA bandwidth/compute on streaming services.

 

Kind regards,

 

Michael

6 Replies

balaji.bandi
Hall of Fame

If you have set up NetFlow, you can view what kind of bandwidth each application/service is using.

 

If you are looking to restrict VPN user bandwidth, you can start implementing QoS on the network for the AnyConnect users.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

I don't have any NetFlow application configured, and I guess that it will only reveal how much traffic the AnyConnect clients consume for streaming.

About QoS, could I prioritize TCP traffic from the clients, thus ensuring internal resources (RDP, shares, applications etc.) and preferably drop UDP traffic if necessary? (I know it's not foolproof)

QoS you can do that based on your priority test will be low preferred.

BB


Cristian Matei
VIP Alumni

Hi,

 

    For AnyConnect users, you could use split-tunnelling, so all unneeded traffic is routed directly to the local breakout, instead of the VPN tunnel. This would be the best option.

    Now to really stand a chance and block that traffic in case you don't want split-tunnelling, or for your internal users, you would need a smart proxy deployed, or you could use MPF on the ASA (but this is far from being bulletproof):

 

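! ASA HTTP inspection matches the Host header against a named regex
regex NETFLIX_HOST netflix\.com
class-map type inspect http match-all NETFLIX
 match request header host regex NETFLIX_HOST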

 

 

Regards,

Cristian Matei.
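
The MPF approach from the reply above, carried through to an applied policy, as an added example that is not part of the original post. It goes beyond the single Netflix match to cover the three services named in the question; the object names, the 10.10.50.0/24 AnyConnect pool and the `outside` interface are assumptions. It only sees the Host header of cleartext HTTP on port 80, so HTTPS sessions pass unmatched.

```cisco
! Constructed values: pool 10.10.50.0/24, interface "outside", all object names.
!
! 1. Named regex that will be matched against the HTTP Host header.
regex STREAMING_HOSTS (netflix|spotify|youtube)\.com
!
! 2. Layer 7 class: true when the Host header matches the regex.
class-map type inspect http match-any STREAMING_HTTP
 match request header host regex STREAMING_HOSTS
!
! 3. Layer 7 policy: drop matching requests and write a syslog entry,
!    which also gives a rough count of how often users try these sites.
policy-map type inspect http BLOCK_STREAMING
 class STREAMING_HTTP
  drop-connection log
!
! 4. Layer 3/4 class: only port-80 traffic sourced from the AnyConnect pool,
!    so other users and other protocols are left alone.
access-list VPN_HTTP extended permit tcp 10.10.50.0 255.255.255.0 any eq www
class-map VPN_WEB
 match access-list VPN_HTTP
!
! 5. Attach the HTTP inspection to that class and apply the policy on the
!    interface where the VPN sessions terminate.
policy-map VPN_STREAMING
 class VPN_WEB
  inspect http BLOCK_STREAMING
service-policy VPN_STREAMING interface outside
```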

 

The reason I can't do split-tunnel is because our public IP is whitelisted with a lot of services around the globe. If I had a complete overview I might be able to hack something together.

I'll have a look at MPF, but as you said yourself, it's far from bulletproof and requires some manual grunt work to function properly :)

Just out of curiosity, what smart proxy solutions could have dealt with my issue?

Hi,

 

   You would need to do URL Filtering and/or app blocking. For example Cisco WSA is one such proxy; you may not be able to block everything which is tunnelled over HTTP/HTTPS with the basic functionality, but with some advanced tuning you'll make it.

 

Regards,

Cristian Matei.
