11-14-2020 10:26 AM - edited 11-14-2020 10:26 AM
Hi, I have an ASR1006 with IOS XE 16.09.
I am looking to limit connections per user session.
I read about the command
set connection per-client-max
but I can't find this command in my policy-map,
so how do I limit connections per user session on the ASR1006 with IOS XE?
11-14-2020 01:04 PM
Hello,
the command you mention is for ASA firewalls. If you want to limit the user sessions on the ASR, you could use a Zone Based Firewall in combination with a parameter map. The parameter map does the session limit. In the configuration example, hosts 192.168.1.11 and 192.168.1.12 would be limited to one session:
zone security LAN
zone security WAN
!
ip access-list extended IN_OUT_ACL
 permit ip 192.168.1.0 0.0.0.255 any
!
ip access-list extended PER_CLIENT_LIMIT_ACL
 permit ip host 192.168.1.11 any
 permit ip host 192.168.1.12 any
!
class-map type inspect match-any IN_OUT_CLASS
 match access-group name IN_OUT_ACL
!
class-map type inspect match-any PER_CLIENT_LIMIT_CLASS
 match access-group name PER_CLIENT_LIMIT_ACL
!
parameter-map type inspect PER_CLIENT_LIMIT_PARAMETER_MAP
 sessions maximum 1
!
policy-map type inspect PER_CLIENT_LIMIT_POLICY_MAP
 class type inspect PER_CLIENT_LIMIT_CLASS
  inspect PER_CLIENT_LIMIT_PARAMETER_MAP
 class type inspect IN_OUT_CLASS
  inspect
 class class-default
  drop
!
zone-pair security LAN_WAN_ZP source LAN destination WAN
 service-policy type inspect PER_CLIENT_LIMIT_POLICY_MAP
!
interface GigabitEthernet0/0
 description Link to ISP
 zone-member security WAN
!
interface GigabitEthernet0/1
 description LAN Interface
 zone-member security LAN
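As an added example (not code from the thread and not Cisco tooling), the Python script below parses a flattened copy of a ZBF configuration like the one in the answer above and checks that every object in the inspect chain (zone-pair, policy-map, class-map, parameter-map, ACL) refers to something that actually exists. It also flags a `match access-group` line that names a named ACL without the `name` keyword, and it lists, per zone-pair, which class is inspected with a session-limiting parameter-map and which ACL entries that class matches, which makes visible that the `sessions maximum` value is attached to the class-map's ACL rather than to the interface. The embedded sample configuration is constructed from the answer's configuration with the `name` keyword deliberately omitted on one line; all function names are the example's own.

```python
"""Offline consistency check for the IOS XE zone-based firewall objects in the
answer above (added example: not Cisco tooling and not code from the thread).
It parses flattened running-config text, ignoring indentation, and checks each
link of the chain zone-pair -> policy-map -> class-map -> ACL / parameter-map."""

# Constructed sample built from the configuration in the answer; one match line
# deliberately omits the 'name' keyword so the checker has a defect to report.
SAMPLE_CONFIG = """
ip access-list extended IN_OUT_ACL
 permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended PER_CLIENT_LIMIT_ACL
 permit ip host 192.168.1.11 any
 permit ip host 192.168.1.12 any
class-map type inspect match-any IN_OUT_CLASS
 match access-group IN_OUT_ACL
class-map type inspect match-any PER_CLIENT_LIMIT_CLASS
 match access-group name PER_CLIENT_LIMIT_ACL
parameter-map type inspect PER_CLIENT_LIMIT_PARAMETER_MAP
 sessions maximum 1
policy-map type inspect PER_CLIENT_LIMIT_POLICY_MAP
 class type inspect PER_CLIENT_LIMIT_CLASS
  inspect PER_CLIENT_LIMIT_PARAMETER_MAP
 class type inspect IN_OUT_CLASS
  inspect
 class class-default
  drop
zone-pair security LAN_WAN_ZP source LAN destination WAN
 service-policy type inspect PER_CLIENT_LIMIT_POLICY_MAP
"""

def parse_zbf(text):
    """Collect the ZBF objects and the names each of them references."""
    cfg = {"acl": {}, "class_map": {}, "param_map": {}, "policy_map": {},
           "zone_pair": {}, "problems": []}
    ctx, cur_class = None, None   # (kind, name) being parsed; open policy-map class
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0] == "!":          # blank line or '!' separator ends the context
            ctx, cur_class = None, None
        elif t[:3] == ["ip", "access-list", "extended"]:
            ctx = ("acl", t[3]); cfg["acl"].setdefault(t[3], [])
        elif t[:3] == ["class-map", "type", "inspect"]:
            ctx = ("class_map", t[-1]); cfg["class_map"].setdefault(t[-1], [])
        elif t[:3] == ["parameter-map", "type", "inspect"]:
            ctx = ("param_map", t[3]); cfg["param_map"].setdefault(t[3], None)
        elif t[:3] == ["policy-map", "type", "inspect"]:
            ctx = ("policy_map", t[3]); cfg["policy_map"].setdefault(t[3], []); cur_class = None
        elif t[:2] == ["zone-pair", "security"]:
            ctx = ("zone_pair", t[2])
            cfg["zone_pair"][t[2]] = {"source": t[4], "destination": t[6], "policy": None}
        elif ctx is None:
            continue
        elif ctx[0] == "acl" and t[0] in ("permit", "deny"):
            cfg["acl"][ctx[1]].append(" ".join(t))
        elif ctx[0] == "class_map" and t[:2] == ["match", "access-group"]:
            if t[2] != "name" and not t[2].isdigit():   # a named ACL needs the 'name' keyword
                cfg["problems"].append(f"class-map {ctx[1]}: use 'match access-group name {t[2]}'")
            else:                                        # t[-1] is the ACL name or number
                cfg["class_map"][ctx[1]].append(t[-1])
        elif ctx[0] == "param_map" and t[:2] == ["sessions", "maximum"]:
            cfg["param_map"][ctx[1]] = int(t[2])
        elif ctx[0] == "policy_map" and t[0] == "class":
            cur_class = t[-1]             # 'class type inspect X' or 'class class-default'
            cfg["policy_map"][ctx[1]].append([cur_class, None])
        elif ctx[0] == "policy_map" and t[0] in ("inspect", "drop", "pass") and cur_class:
            cfg["policy_map"][ctx[1]][-1][1] = (t[0], t[1] if len(t) > 1 else None)
        elif ctx[0] == "zone_pair" and t[:3] == ["service-policy", "type", "inspect"]:
            cfg["zone_pair"][ctx[1]]["policy"] = t[3]
    return cfg

def check_zbf(cfg):
    """Return syntax problems plus every reference to an object that does not exist."""
    p = list(cfg["problems"])
    for cm, acls in cfg["class_map"].items():
        p += [f"class-map {cm}: missing ACL {a}" for a in acls if not a.isdigit() and a not in cfg["acl"]]
    for pm, entries in cfg["policy_map"].items():
        for cls, act in entries:
            if cls != "class-default" and cls not in cfg["class_map"]:
                p.append(f"policy-map {pm}: missing class-map {cls}")
            if act and act[0] == "inspect" and act[1] and act[1] not in cfg["param_map"]:
                p.append(f"policy-map {pm}: missing parameter-map {act[1]}")
    for zp, d in cfg["zone_pair"].items():
        if d["policy"] not in cfg["policy_map"]:
            p.append(f"zone-pair {zp}: missing policy-map {d['policy']}")
    return p

def session_limits(cfg):
    """Per zone-pair: classes inspected with a parameter-map -> (sessions maximum, ACEs matched)."""
    out = {}
    for zp, d in cfg["zone_pair"].items():
        for cls, act in cfg["policy_map"].get(d["policy"], []):
            if act and act[0] == "inspect" and act[1]:
                aces = [ace for acl in cfg["class_map"].get(cls, []) for ace in cfg["acl"].get(acl, [])]
                out.setdefault(zp, {})[cls] = (cfg["param_map"].get(act[1]), aces)
    return out
```

Running `check_zbf(parse_zbf(SAMPLE_CONFIG))` reports the one `match access-group` line that lacks `name`; once that line is corrected the list is empty, and `session_limits` shows the limit of 1 session bound to `PER_CLIENT_LIMIT_CLASS` together with the two host entries of `PER_CLIENT_LIMIT_ACL`, which is exactly the set of hosts the parameter-map can affect.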
11-14-2020 01:19 PM
Hello,
I mean a TCP session connection limit per session.
11-14-2020 01:58 PM
Hello,
change the access list:
ip access-list extended PER_CLIENT_LIMIT_ACL
 permit ip host 192.168.1.11 any
 permit ip host 192.168.1.12 any
to
ip access-list extended PER_CLIENT_LIMIT_ACL
 permit tcp host 192.168.1.11 any
 permit tcp host 192.168.1.12 any
11-14-2020 02:18 PM
Thanks.
That will limit TCP connections per user?
11-14-2020 02:31 PM
Hello, thanks for the help.
I mean I don't want to limit the count of users connected,
but to limit TCP download connections.
For example, when a user uses a program (Internet Download Manager),
the program opens 16 connections, and when he uses torrent, that opens more connections,
so I am looking to limit it.
11-14-2020 03:08 PM
Hello,
in theory, the ZBF should limit the TCP connections to one per IP address. You might want to test if this achieves what you want.
11-14-2020 03:11 PM
Hello,
but now I have more than 5000 users.
I can't make an ACL like
ip access-list extended PER_CLIENT_LIMIT_ACL
 permit tcp host 10.X.X.1 any
 permit tcp host 10.X.X.2 any
 permit tcp host 10.X.X.3 any
 permit tcp host 10.X.X.4 any
 permit tcp host 10.X.X.5 any
 permit tcp host 10.X.X.6 any
 ...
so I must add 5000 hosts,
or just add 10.x.x.x0/24, and will that limit 1 connection per IP address, or will it give the whole prefix one connection?
11-15-2020 12:45 AM
Hello,
you are right, the access list would have to be extremely long, and will probably bog down the router as a consequence. I am not sure if you can actually achieve what you want with a router. You might need a firewall. Maybe there is some way to accomplish this with RADIUS, I'll check and get back with you...
11-15-2020 06:03 AM
OK, thanks for your efforts.
I will wait for you.