What Cisco Router can limit concurrent TCP connections

mario.jost
Level 3

We are looking for a new Cisco router that supports limiting concurrent TCP connections to or from a specific IP.

We want to be able to say that from public IP 8.8.8.8 only 15 concurrent TCP connections can be established. Additional connection requests get refused (dropped). As soon as a connection is closed (FIN) or timed out, another one (FCFS) will be allowed.

There isn't a whole lot of stuff to be found on the internet regarding what models support this feature. I just read that Cisco routers can't do that and that only ASA firewalls can do this kind of stuff.

So I thought I'd pop this question in this community. Thanks and best regards,

Mario


6 Replies

Reza Sharifi
Hall of Fame

For that level of detail, I would use a firewall. Also, depending on the platform, the router can easily get bogged down with that type of ACL.

BTW, the firewall does not have to be ASA :-)

HTH

You are mentioning that you would use a firewall, but not that a router cannot support this feature. We are looking into an ISR 4451. If we could limit the connection counts via an ACL, how would we accomplish this? I would appreciate it if you could post a sample config of such an ACL.

Thanks and best regards,
Mario

To clarify: we'd like to be able to limit the number of concurrent TCP connections from and to a specific IP, not to the device (management) itself. In a command it might look like this:

limit connection tcp 10 source gi1/0/1 destination 192.168.15.11

Where the source is the WAN interface and the destination is a server within our network. Is there any device from Cisco that can do such a thing?

Hello,

as Reza suggested, the Cisco IOS firewall (zone-based firewall) is stateful and can accomplish what you are trying to do. However, it is not simply one command, but would affect your entire configuration.

Before getting into the specifics of the configuration to limit the concurrent number of TCP sessions, have a look at the link below to get an idea of what ZBF does.

Is that feasible to implement in your situation?

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_zbf/configuration/15-mt/sec-data-zbf-15-mt-book/sec-zone-pol-fw.html

I extracted the paragraph which talks about limiting the number of concurrent connections.

I didn't know you could do this with ZBF but glad I know now :) I marked as helpful

Although this can be done, the policer has to be applied to a zone pair and not to individual flows.

"The Rate-Limiting Inspected Traffic feature allows users to rate limit traffic within a Cisco firewall (inspect) policy. Also, users can limit the absolute number of sessions that can exist on a zone pair.

The following commands were introduced by this feature: police (zone policy) and sessions maximum."

To answer my own question some years later with an actual configuration example, as someone else might come across this thread. This is just a common configuration that allows stateful inspection for traffic from typical LAN clients, allowing the return traffic as well. For a complete ZBF configuration, you'd need some extra zones and rules for the management access as well. I don't go into those details as examples for this can be found all over the internet.

First, we have to create access lists. One allows clients to surf, the other one includes the traffic whose sessions we want to limit:

ip access-list extended LAN2WAN
 remark ----------------------------------
 remark allow surfing for lan clients
 permit ip any any
 remark ----------------------------------
ip access-list extended LAN2WANlimit
 remark ----------------------------------
 remark limit downloads from ubuntu servers
 permit ip any host 91.189.88.160
 remark ----------------------------------

Then, we create class maps that reference the access lists. You could do the classification in the class maps themselves, but as you need access lists for some scenarios, I usually go for access lists for all classes.

class-map type inspect match-any LAN2WAN
 match access-group name LAN2WAN
class-map type inspect match-any LAN2WANlimit
 match access-group name LAN2WANlimit

Then, we create a parameter map that actually sets the limit of the concurrent sessions:

parameter-map type inspect LAN2WANlimit
 sessions maximum 5

Now comes a policy map that links both class maps. Be aware of the correct order: as the traffic that we want to limit falls into the first ACL LAN2WAN as well, we have to set the limiting class first.

policy-map type inspect LAN2WAN
 ! limiting class first: LAN2WAN (permit ip any any) would otherwise match the same traffic
 class type inspect LAN2WANlimit
  inspect LAN2WANlimit
 class type inspect LAN2WAN
  inspect
 class class-default
  drop

Then, we apply that policy map to a zone pair:

zone-pair security LAN2WAN source LAN destination WAN
 service-policy type inspect LAN2WAN

The last thing to do now is assign the interfaces to the zones:

interface Dialer1
 zone-member security WAN

interface GigabitEthernet1
 zone-member security LAN

Before the new rule, a client downloaded an Ubuntu image with a download manager that created 10 parallel sessions:

roTST01#show policy-map type inspect zone-pair LAN2WAN sessions | include 91.189.88.160
        Session 11217620 (10.0.0.2:51169)=>(91.189.88.160:80) tcp SIS_OPEN/TCP_ESTAB 
        Session 11216BA0 (10.0.0.2:51170)=>(91.189.88.160:80) tcp SIS_OPEN/TCP_ESTAB 
        Session 1121B8A0 (10.0.0.2:51171)=>(91.189.88.160:80) tcp SIS_OPEN/TCP_ESTAB 
        Session 112141A0 (10.0.0.2:51172)=>(91.189.88.160:80) tcp SIS_OPEN/TCP_ESTAB 
        Session 1120EDA0 (10.0.0.2:51173)=>(91.189.88.160:80) tcp SIS_OPEN/TCP_ESTAB 
        Session 11211EA0 (10.0.0.2:51174)=>(91.189.88.160:80) tcp SIS_OPEN/TCP_ESTAB 
        Session 1120E6A0 (10.0.0.2:51175)=>(91.189.88.160:80) tcp SIS_OPEN/TCP_ESTAB 
        Session 1120FF20 (10.0.0.2:51176)=>(91.189.88.160:80) tcp SIS_OPEN/TCP_ESTAB 
        Session 11215A20 (10.0.0.2:51177)=>(91.189.88.160:80) tcp SIS_OPEN/TCP_ESTAB 
        Session 11211420 (10.0.0.2:51178)=>(91.189.88.160:80) tcp SIS_OPEN/TCP_ESTAB 

With the new rule in place, we can see that 5 connections are established and the 6th is in the opening state:

roTST01#show policy-map type inspect zone-pair LAN2WAN sessions | include 91.189.88.160
        Session 112117A0 (10.0.0.2:51216)=>(91.189.88.160:80) tcp SIS_OPEN/TCP_ESTAB 
        Session 11218EA0 (10.0.0.2:51217)=>(91.189.88.160:80) tcp SIS_OPEN/TCP_ESTAB 
        Session 1121D4A0 (10.0.0.2:51218)=>(91.189.88.160:80) tcp SIS_OPEN/TCP_ESTAB 
        Session 1121AE20 (10.0.0.2:51219)=>(91.189.88.160:80) tcp SIS_OPEN/TCP_ESTAB 
        Session 1120FF20 (10.0.0.2:51220)=>(91.189.88.160:80) tcp SIS_OPEN/TCP_ESTAB 
        Session 112187A0 (10.0.0.2:51221)=>(91.189.88.160:80) tcp SIS_OPENING/TCP_SYNRCVD 

This can be implemented on an 800 series (like 887VA or 892FSP) router already.
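To verify that the limit actually holds, it helps to parse the session table rather than count by eye. The following is an added example (not from this thread or from Cisco) that reads a `sessions maximum` value out of constructed config text and tallies established versus opening sessions per destination from constructed `show policy-map type inspect zone-pair ... sessions` lines modelled on the output above; the extra 198.51.100.10 line and its session ID are constructed to show per-destination grouping.

```python
"""Check a ZBF parameter-map session limit against 'show ... sessions' output."""
import re
from collections import Counter, defaultdict

# Matches one session line as printed by 'show policy-map type inspect zone-pair ... sessions'
SESSION_RE = re.compile(
    r"Session\s+[0-9A-F]+\s+\((?P<src>[\d.]+):(?P<sport>\d+)\)=>"
    r"\((?P<dst>[\d.]+):(?P<dport>\d+)\)\s+(?P<proto>\w+)\s+(?P<state>\S+)"
)

# Constructed sample input mirroring the configuration and output posted above
CONFIG = """\
parameter-map type inspect LAN2WANlimit
 sessions maximum 5
"""
SHOW = """\
        Session 112117A0 (10.0.0.2:51216)=>(91.189.88.160:80) tcp SIS_OPEN/TCP_ESTAB
        Session 11218EA0 (10.0.0.2:51217)=>(91.189.88.160:80) tcp SIS_OPEN/TCP_ESTAB
        Session 1121D4A0 (10.0.0.2:51218)=>(91.189.88.160:80) tcp SIS_OPEN/TCP_ESTAB
        Session 1121AE20 (10.0.0.2:51219)=>(91.189.88.160:80) tcp SIS_OPEN/TCP_ESTAB
        Session 1120FF20 (10.0.0.2:51220)=>(91.189.88.160:80) tcp SIS_OPEN/TCP_ESTAB
        Session 112187A0 (10.0.0.2:51221)=>(91.189.88.160:80) tcp SIS_OPENING/TCP_SYNRCVD
        Session 11219000 (10.0.0.3:40001)=>(198.51.100.10:443) tcp SIS_OPEN/TCP_ESTAB
"""

def parse_session_limits(config: str) -> dict:
    """Map each 'parameter-map type inspect' name to its 'sessions maximum' value."""
    limits, current = {}, None
    for line in config.splitlines():
        m = re.match(r"parameter-map type inspect (\S+)", line.strip())
        if m:
            current = m.group(1)
            continue
        m = re.match(r"sessions maximum (\d+)", line.strip())
        if m and current:
            limits[current] = int(m.group(1))
    return limits

def count_sessions(show_output: str) -> dict:
    """Return {dst_ip: {'established': n, 'opening': n}}; SIS_OPEN/ is fully established."""
    per_dst = defaultdict(Counter)
    for line in show_output.splitlines():
        m = SESSION_RE.search(line)
        if m:
            bucket = "established" if m.group("state").startswith("SIS_OPEN/") else "opening"
            per_dst[m.group("dst")][bucket] += 1
    return {dst: dict(c) for dst, c in per_dst.items()}

def check_limit(show_output: str, config: str, param_map: str, dst: str):
    """Return (within_limit, counts): established sessions to dst must not exceed the map's limit."""
    limit = parse_session_limits(config)[param_map]
    counts = count_sessions(show_output).get(dst, {})
    return counts.get("established", 0) <= limit, counts
```

Sessions beyond the limit show up as `SIS_OPENING/TCP_SYNRCVD` and never reach `TCP_ESTAB`, which is what the parser counts as "opening".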