RATE LIMIT (police) SSL VPN USERS ON ASA
12-04-2013 03:45 PM
Hi All,
We have a customer who has an ASA at head office and they want to limit bandwidth available to their remote users who log in using the AnyConnect client. We are considering a simple QoS policing policy which may work, but does anyone have a better solution or is this the best way?
Thanks,
Labels: VPN
12-11-2013 12:37 PM
Hello,
I understand that you want to configure bandwidth limits for each AnyConnect client connection.
Unfortunately, the ASA does not currently support QoS policing of traffic on a per-user or per-IP-address basis:
https://supportforums.cisco.com/docs/DOC-1361#Q_Does_ASA_SSL_VPN_AnyConnect_Client_or_Clientless_support_QOS_and_policing_bandwidth_management_capabilites
The feature has been requested but it seems it will not be integrated in the near future.
The available workaround is to use simple QoS as you mention but it is not scalable at all.
You may police the ASA WAN bandwidth based on the public IP address of each remote-access AnyConnect user hogging bandwidth:
access-list SSLVPN_LIMIT remark DTLS (udp/443) and TLS (tcp/443) from the ASA to one remote user's public IP
access-list SSLVPN_LIMIT extended permit udp host (ASA ip address) eq 443 host (remote user public IP)
access-list SSLVPN_LIMIT extended permit tcp host (ASA ip address) eq 443 host (remote user public IP)
!
class-map SSLVPN
 match access-list SSLVPN_LIMIT
!
policy-map LIMIT
 class SSLVPN
  police input 1500000
  police output 1500000
!
service-policy LIMIT interface outside
Thanks,
Itzcoatl
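The generator below is an added example, not the poster's configuration and not Cisco code. It takes the workaround in the answer above one step further: instead of a single ACL and class shared by all users, it emits one ACL and one class-map per remote user under the same policy-map, which is what a per-user limit on the ASA actually requires, and it makes the scaling cost visible by counting the access-control entries. It assumes the ASA CLI syntax shown in the thread, that the destination omitted from the poster's ACEs is each user's public IP (as the sentence introducing the config says), and that the ASA accepts police rates between 8000 and 2,000,000,000 bps (an assumption stated in the code). The IP addresses in the usage block are constructed documentation-range values.

```python
"""Emit the per-user ASA policing workaround for a list of remote users.

Added example; not Cisco's code and not the forum poster's.  Assumptions:
  * ASA CLI syntax as in the thread (extended ACL, class-map, policy-map
    with `police`, service-policy on the outside interface);
  * the destination of each ACE is the remote user's public IP;
  * the ASA accepts `police` conform-rate values of 8000..2,000,000,000 bps.
"""
import ipaddress
from typing import Iterable, List

# Assumed ASA limits for the `police` conform-rate, in bits per second.
POLICE_RATE_MIN = 8_000
POLICE_RATE_MAX = 2_000_000_000


def rate_is_valid(rate_bps: int) -> bool:
    """True if the ASA would accept this conform-rate at the CLI."""
    return POLICE_RATE_MIN <= rate_bps <= POLICE_RATE_MAX


def validate_rate(rate_bps: int) -> int:
    """Fail early on a rate the box would reject during the change window."""
    if not rate_is_valid(rate_bps):
        raise ValueError(
            f"police rate {rate_bps} bps outside {POLICE_RATE_MIN}-{POLICE_RATE_MAX}")
    return rate_bps


def acl_entries(asa_outside_ip: str, user_public_ip: str, acl_name: str) -> List[str]:
    """One UDP (DTLS) and one TCP (TLS) ACE for a single remote user, keyed on
    the user's public IP, mirroring the two ACEs in the poster's workaround."""
    asa = ipaddress.ip_address(asa_outside_ip)
    user = ipaddress.ip_address(user_public_ip)  # raises ValueError on junk input
    return [
        f"access-list {acl_name} extended permit {proto} host {asa} eq 443 host {user}"
        for proto in ("udp", "tcp")   # udp/443 = DTLS, tcp/443 = TLS
    ]


def ace_count(user_count: int) -> int:
    """The scaling cost the poster warns about: two ACEs and one class per user."""
    return 2 * user_count


def build_config(asa_outside_ip: str, user_public_ips: Iterable[str], rate_bps: int,
                 *, policy_name: str = "LIMIT", interface: str = "outside") -> List[str]:
    """Return the full ASA configuration as a list of CLI lines.

    Names are derived from the thread's SSLVPN_LIMIT / SSLVPN with a per-user
    numeric suffix, so each user lands in its own class with its own limit.
    """
    rate = validate_rate(rate_bps)
    users = [str(ipaddress.ip_address(u)) for u in user_public_ips]
    acls: List[str] = []
    classes: List[str] = []
    policy: List[str] = [f"policy-map {policy_name}"]
    for n, user in enumerate(users, start=1):
        acl_name, class_name = f"SSLVPN_LIMIT_{n}", f"SSLVPN_{n}"
        acls += acl_entries(asa_outside_ip, user, acl_name)
        classes += [f"class-map {class_name}", f" match access-list {acl_name}", "!"]
        policy += [f" class {class_name}",
                   f"  police input {rate}",
                   f"  police output {rate}"]
    return acls + ["!"] + classes + policy + ["!", f"service-policy {policy_name} interface {interface}"]


if __name__ == "__main__":
    # Constructed sample values (documentation ranges), not from the thread.
    for line in build_config("203.0.113.1", ["198.51.100.10", "198.51.100.11"], 1_500_000):
        print(line)
    print(f"! {ace_count(2)} ACEs for 2 users; this grows linearly per user")
```

Because the per-user classes all share one policy-map, the policy still has to be reapplied and the ACLs maintained every time a user's public address changes, which is the reason the answer calls the approach unscalable.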
