guest wireless access through ASA

Unanswered Question
Apr 13th, 2010

We have an interface on an ASA5520 connected to the internet.  On one of the other interfaces we have the wireless gateway configured for guests to access the internet when needed.  Now employees are using their personal laptops to take advantage of unregulated internet access, which has on several occasions saturated the access to the internet to a standstill.  Is there a way to limit the throughput by a percentage of the main internet interface or some way to limit their speed?  We only have a 10mg internet pipe.

Panos Kampanakis Tue, 04/13/2010 - 15:42

You can police the wireless users' traffic based on IP address, as explained here

They will still be contending but they will be contending between each other about the bandwidth you have given them and they will not oversubscribe your wired users if you give them less than 10Mbps.

You cannot limit bandwidth per user, though. You can limit connections per user using Modular Policy Framework, but not actual speed.

I hope it helps.


aaroncward2 Wed, 04/14/2010 - 09:46

I guess I need to spend some time on MPF. I have the service policy: global policy, but can I add other policy maps without interfering with the global policy? And could this policy be set on the wireless interface?

Panos Kampanakis Wed, 04/14/2010 - 10:04

Yes, you can apply a policy on a per-interface basis:

ASA(config)# access-list CONNS-ACL extended permit ip any
ASA(config)# class-map CONNS-MAP
ASA(config-cmap)# match access-list CONNS-ACL

ASA(config)# policy-map CONNS-POLICY

ASA(config-pmap)# class CONNS-MAP
ASA(config-pmap-c)# set connection {[conn-max n] [embryonic-conn-max n] [per-client-embryonic-max n] [per-client-max n] [random-sequence-number {enable | disable}]}

ASA(config)# service-policy CONNS-POLICY {global | interface interface_name}

Note that you are limiting the connection number not the actual bandwidth with the "per-client-max" option.
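Added example, not part of the original thread: one interface-level policy that combines the two suggestions above, an aggregate policer for guest traffic plus a per-client connection cap. The interface name `guest`, the subnet 192.168.50.0/24, the 2 Mbps rate and the limit of 50 connections are constructed values to be replaced with your own.

```cisco
! Constructed values (assumptions, not from the thread):
!   guest interface nameif ........ guest
!   guest wireless subnet ......... 192.168.50.0/24
!   aggregate guest ceiling ....... 2 Mbps each way on a 10 Mbps uplink
!   connections per guest host .... 50
!
! Match guest traffic in both directions so uploads and downloads are covered.
access-list GUEST-ACL extended permit ip 192.168.50.0 255.255.255.0 any
access-list GUEST-ACL extended permit ip any 192.168.50.0 255.255.255.0
!
class-map GUEST-MAP
 match access-list GUEST-ACL
!
policy-map GUEST-POLICY
 class GUEST-MAP
  ! Rate is in bits per second and is shared by every guest host;
  ! it is a ceiling for the whole class, not a per-user limit.
  ! input  = traffic entering the guest interface (guest uploads)
  ! output = traffic leaving the guest interface (guest downloads)
  police input 2000000
  police output 2000000
  ! Caps simultaneous connections per guest host; it does not limit speed.
  set connection per-client-max 50
!
! Bound to the guest interface only, so the existing global policy stays in place.
service-policy GUEST-POLICY interface guest
!
! Check that the class is matching and see conformed/exceeded counters:
!   show service-policy interface guest
```

Keeping the policed rate well below the uplink speed is what leaves headroom for the wired users; guests still contend with each other inside that ceiling.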


