cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1174
Views
7
Helpful
9
Replies

[IOS XE] connection per-client limit

hi , i have ASR1006 with IOS XE 16.09

i am looking to limit connection for per user Session , 

 i read about commend 

 set connection per-client-max

but this commend i can't find in my policy-map 

 

so how to imit connection for per user Session  in ASR1006 IOS XE 

9 Replies 9

Hello,

 

the command you mention is for ASA firewalls. If you want to limit the user sessions on the ASR, you could use a Zone Based Firewall in combination with a parameter map. The parameter map does the session limit. In the configuration example, hosts 192.168.1.11 and 192.168.1.12 would be limited to one session:

 

zone security LAN
zone security WAN
!
ip access-list extended IN_OUT_ACL
permit ip 192.168.1.0 0.0.0.255 any
!
ip access-list extended PER_CLIENT_LIMIT_ACL
permit ip host 192.168.1.11 any
permit ip host 192.168.1.12 any
!
class-map type inspect match-any IN_OUT_CLASS
match access-group IN_OUT_ACL
!
class-map type inspect match-any PER_CLIENT_LIMIT_CLASS
match access-group name PER_CLIENT_LIMIT_ACL
!
parameter-map type inspect PER_CLIENT_LIMIT_PARAMETER_MAP
sessions maximum 1
!
policy-map type inspect PER_CLIENT_LIMIT_POLICY_MAP
class type inspect PER_CLIENT_LIMIT_CLASS
inspect PER_CLIENT_LIMIT_PARAMETER_MAP
class type inspect IN_OUT_CLASS
inspect
class class-default
drop
!
zone-pair security LAN_WAN_ZP source LAN destination WAN
service-policy type inspect PER_CLIENT_LIMIT_POLICY_MAP
!
interface GigabitEthernet0/0
description Link to ISP
zone-member security WAN
!
interface GigabitEthernet0/1
description LAN Interface
zone-member security LAN

Hello

i mean TCP session connection limit for per session 

Hello,

 

change the access list:

 

ip access-list extended PER_CLIENT_LIMIT_ACL
permit ip host 192.168.1.11 any
permit ip host 192.168.1.12 any

 

to

 

ip access-list extended PER_CLIENT_LIMIT_ACL
permit tcp host 192.168.1.11 any
permit tcp host 192.168.1.12 any

Thanks 

that will limit tcp connection for per user?

Hello ,, thanks for help

i mean i don't want to limit  count users connected 

limit TCP downloads connection  

for example when user use program ( internet downlead manager )

the program open 16 connection , and when he use torrnet ,that's open more connections 

so i looking to to limit it 

Hello,

 

in theory, the ZBF should limit the TCP connections to one per IP address. You might want to test if this achieves what you want.

hello 

but now i have more of 5000 User

i can't make ACL and 

p access-list extended PER_CLIENT_LIMIT_ACL
permit tcp host 10.X.X.1 any
permit tcp host 10.X.X.2 any

permit tcp host 10.X.X.3 any

permit tcp host 10.X.X.4 any

permit tcp host 10.X.X.5 any

permit tcp host 10.X.X.6 any

...

 

 

 

so i must add 5000 Host

or just add 10.x.x.x0/24 and that will limit 1 connection for per ip address or will make all prefix with one connection ?

Hello,

 

you are right, the access list would have to be extremely long, and will probably bog down the router as a consequence. I am not sure if you can actually achieve what you want with a router. You might need a firewall. Maybe there is some way to accomplish this with RADIUS, I'll check and get back with you...

ok , thanks for your effort's 
i will waiting you

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: