Throttling Individual User Bandwidth

jcioara
Level 1

Hello -

I just ran into an instance where a single user on a network completely maxed out a 100 Mbps Internet connection for 30 minutes downloading. I'd like to create a policy on the Cisco ASA that throttles bandwidth per user. In a nutshell, I would like the policy to say, "there's no one user on this network who can use more than 25 Mbps."

Does anyone know the way to do this? I don't want to throttle the whole subnet with a policing policy (all users on the network share 25 Mbps) or any one IP address.

Seems simple, but I just can't think of the solution - penny for your thoughts!

Jeremy

3 Replies

Julio Carvajal
VIP Alumni

Hello Jeremy,

As you said, it sounds easy, but I would say it is kind of messy (I have not done it in the past).

But let's talk about the options.

One that will not work

Cause if you use something like

class-map test

match any

policy-map global-policy

class test

police output 25000000

any kind of traffic (I mean if there are 2 connections across the firewall) will be policed at that level which is not what you are looking for!

Second option (this is the best I could think of at the moment, lol)

Maybe like this (Let's say internal network is 192.168.10.0/24)

access-list test permit ip host 192.168.10.1 any

access-list test permit ip host 192.168.10.2 any

access-list test permit ip host 192.168.10.3 any

And keeps going...

Then

class-map test

match access-list test

policy-map global-policy

class test

police output 25000000

That would match each of the ACL lines and then filter it properly, what do you think?

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
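The second option above, written as a generator so the per-host ACL does not have to be typed by hand. This is an added example, not code from the thread or from Cisco: the function names and the `exclude` parameter are hypothetical, and the rate is assumed to be given to `police` in bits per second (25 Mbps = 25000000).

```python
import ipaddress

def mbps_to_bps(mbps):
    """Convert megabits per second to bits per second."""
    return int(mbps * 1_000_000)

def per_host_police_config(subnet, rate_bps, acl="test", class_map="test",
                           policy_map="global-policy", exclude=()):
    """Render the config lines from the reply: one ACE per usable host address,
    then the class-map and policy-map that reference the ACL."""
    # strict=True rejects input such as 192.168.10.5/24 (host bits set),
    # which usually means the operator mistyped the subnet.
    net = ipaddress.ip_network(subnet, strict=True)
    if net.version != 4:
        raise ValueError("this example only handles IPv4 subnets")
    if rate_bps <= 0:
        raise ValueError("police rate must be a positive number of bits per second")
    # Addresses to leave out of the ACL (hypothetical parameter, e.g. a gateway).
    skip = {ipaddress.ip_address(a) for a in exclude}
    # hosts() omits the network and broadcast addresses of the subnet.
    lines = [f"access-list {acl} permit ip host {host} any"
             for host in net.hosts() if host not in skip]
    if not lines:
        raise ValueError("no host addresses left to match")
    lines += [
        f"class-map {class_map}",
        f" match access-list {acl}",
        f"policy-map {policy_map}",
        f" class {class_map}",
        f"  police output {rate_bps}",
    ]
    return lines

if __name__ == "__main__":
    # Subnet and 25 Mbps cap taken from the thread.
    print("\n".join(per_host_police_config("192.168.10.0/24", mbps_to_bps(25))))
```

For 192.168.10.0/24 this produces 254 ACL entries, which is the size of configuration the follow-up post objects to.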

I had thought about doing it that way...which is what prompted this post - a 255 item access-list simply to define per-user bandwidth limits? There's got to be a better way...

...right?

If not, how do y'all prevent a single user from jeopardizing the Internet connection by downloading gobs of data?

Jeremy

Hello Jeremy,

I do agree that this could be really problematic (I mean it could be boring and we could be making our ASA's running configuration really big), but as you want to do it for all of the hosts, but PER host, I don't see any other way to match this traffic.

Do you?


Cheers,

Julio Carvajal Segura
