rate-limit

Benjamin Saito
Level 1

Hi, I have someone who is worried about denial-of-service attacks. They have 11 VMs that share a connection and want to set it up so that there is a maximum amount of traffic allowed to hit each VM, so if there is a DDoS attack it will only affect that one VM instead of all the VMs on the same connection. What is the best way to go about this from the ASA? This is behind a 5515 with ASA code version 8.6. Is there a way to rate-limit by IP address? Thanks!

1 Reply

Andrew Phirsov
Level 7

The feature is called traffic policing. Basically, what you should do is this:

1. Define traffic to each server by using corresponding ACLs

2. Define class map for each server

3. Define policy map or use global policy to apply policing.

Example:

server 1 has ip 10.0.0.1 and provides http access from the outside

server 2 has ip 10.0.0.2 and provides https access from the outside

1.

access-list SERVER_1_TRAFFIC permit tcp any host 10.0.0.1 eq 80
access-list SERVER_2_TRAFFIC permit tcp any host 10.0.0.2 eq 443

2.

class-map SERVER1
 match access-list SERVER_1_TRAFFIC
class-map SERVER2
 match access-list SERVER_2_TRAFFIC

3.

! police <conform-rate in bits per second> <conform-burst in bytes>
! traffic above the rate is dropped by default (exceed-action drop)
policy-map global_policy
 class SERVER1
  police input 100000 10000
  police output .....
 class SERVER2
  police input 200000 10000
  police output .....

Here's the guide:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/conns_qos.html#wp1065257
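The reply above leaves the per-server policing half-filled and keeps it in global_policy; the following is an added, complete configuration for the scenario in the question (several VMs behind one ASA, each capped separately), written for this page and not taken from the original thread or from Cisco. It binds a dedicated policy map to the outside interface, which is where an inbound flood enters, and polices each VM by destination address rather than by a single port, so a flood aimed at a closed port still counts against that VM only. The interface name "outside", the addresses 10.0.0.1 to 10.0.0.3, the object names and the 5 Mbit/s rate are all assumptions. Note what this does and does not buy: the ASA drops the excess on its own interface, so the VMs no longer starve each other on the inside path, but the flood still arrives over the Internet link and still costs the ASA inspection cycles; if that link saturates, policing on the firewall cannot help and upstream filtering is needed.

```cisco
! Added example, not from the original post. ASA 5515, 8.6 syntax.
! Interface name, addresses, names and rates are assumptions.
! In 8.3 and later the ACL addresses are the servers' real (untranslated)
! addresses, even when the VMs are reachable through NAT.
!
! 1. One ACL per VM, matching everything sent to that VM.
access-list VM1_IN extended permit ip any host 10.0.0.1
access-list VM2_IN extended permit ip any host 10.0.0.2
access-list VM3_IN extended permit ip any host 10.0.0.3
!
! 2. One class per VM.
class-map VM1_CLASS
 match access-list VM1_IN
class-map VM2_CLASS
 match access-list VM2_IN
class-map VM3_CLASS
 match access-list VM3_IN
!
! 3. police <conform-rate-bps> <conform-burst-bytes>: the rate is in bits
!    per second (8000 to 2000000000), the burst in bytes (1000 to 512000000).
!    5000000 bps = 5 Mbit/s per VM; 625000 bytes is one second's worth of
!    traffic at that rate. Conforming packets pass, excess is dropped.
policy-map VM_POLICE
 class VM1_CLASS
  police input 5000000 625000 conform-action transmit exceed-action drop
 class VM2_CLASS
  police input 5000000 625000 conform-action transmit exceed-action drop
 class VM3_CLASS
  police input 5000000 625000 conform-action transmit exceed-action drop
!
! 4. Bind to the interface the flood arrives on. "input" on outside is
!    Internet-to-VM traffic; add "police output ..." to the same classes
!    if replies from the VMs must be capped too. An interface can carry
!    only one service-policy.
service-policy VM_POLICE interface outside
!
! 5. Check that the classes match and count: conformed and exceeded
!    packets/bytes are shown per class.
show service-policy interface outside police
```

To extend this to all 11 VMs, add one ACL, one class-map and one class entry per address; keep the ACLs host-specific, because a single class matching the whole subnet would give the VMs one shared bucket and reproduce exactly the problem the question describes. After a test flood against one address, the exceeded counters should climb for that VM's class only.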
