Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1686
Views
0
Helpful
2
Replies

Zone-Based Firewall on ASR 1000 Series With Virtual Template

FaisalAlBandar2523
Level 1
Level 1

‎11-28-2020 08:43 AM

Hello everyone,

 

I am trying to implement ZBF on an ASR 1001-X device, which is used as a subscriber gateway. The end result I have in mind, is to limit the number of concurrent sessions (per user) that a certain protocol is allowed to make.

The device has a Virtual-Template configured. I've made the necessary configurations to enable the ZBF, along with the session limit.

Then I added the Virtual-Template interface to the appropriate zone.

 

It worked! But not as I intended. Now the limit is applied across all users - so if one user exhausts the allowed number of concurrent sessions, other users have to wait, because the number is shared among them.

 

I've attached a file which contains the relevant pieces of configuration. In this example, I aim to make each user be able to perform 5 pings at the same time. The undesired result which I'm getting, is that all users have 5 concurrent pings which they share between them. So if one user is pinging 5 devices at the same time, all the other users cannot ping. This is not what I want to achieve.

 

How can I ensure that the limit is applied per user, and not across all users?

Faisal Al-Bandar
Preview file
2 KB
0 Helpful
2 Replies 2

Aref Alsouqi
VIP
VIP

‎11-29-2020 06:24 AM

Good question. I don't think that is possible, unless the router is proxying for user authentications, and receiving some attributes from the authentication server that would allow it to map specific users to a specific group. Then, that group reference could be used in the match condition on the class-map.

0 Helpful

FaisalAlBandar2523
Level 1
Level 1
In response to Aref Alsouqi

‎11-30-2020 08:42 AM

Hello Aref, and thank you for your reply.

The router is indeed relaying user authentication requests to an authentication server, which then replies back with the appropriate attributes. In this case, should one of the attributes be the zone to which the user belongs? Can the router (ASR) create zones on the fly, or should they be pre-configured in anticipation of user connections? We're talking about hundreds to possible thousands of subscribers, all connecting via virtual-access ports, which get their config from the aforementioned virtual-template.

Faisal Al-Bandar
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card