Cisco Support Community
Community Member

guest wireless access through ASA

We have an interface on an ASA5520 connected to the internet. On one of the other interfaces we have the wireless gateway configured for guests to access the internet when needed. Now employees are using their personal laptops to take advantage of unregulated internet access, which has on several occasions saturated the access to the internet to a standstill. Is there a way to limit the throughput by a percentage of the main internet interface, or some way to limit their speed? We only have a 10mg internet pipe.

3 REPLIES
Cisco Employee

Re: guest wireless access through ASA

You can police the wireless users' traffic based on IP address, as explained here:

https://supportforums.cisco.com/docs/DOC-1230#Traffic_Policing_with_Prioritization

They will still be contending but they will be contending between each other about the bandwidth you have given them and they will not oversubscribe your wired users if you give them less than 10Mbps.

You cannot limit bandwidth per user, though. You can limit connections per user using Modular Policy Framework, but not actual speed.

I hope it helps.

PK

Community Member

Re: guest wireless access through ASA

I guess I need to spend some time on MPF. I have the service policy: global policy, but can I add other policy maps without interfering with the global policy? And could this policy be set on the wireless interface?

Cisco Employee

Re: guest wireless access through ASA

Yes, you can apply a policy on a per-interface basis:

! ACL that selects the traffic to be limited
ASA(config)# access-list CONNS-ACL extended permit ip any 10.1.1.1 255.255.255.255
! Class map that matches the ACL
ASA(config)# class-map CONNS-MAP
ASA(config-cmap)# match access-list CONNS-ACL
! Policy map that applies connection limits to that class
ASA(config)# policy-map CONNS-POLICY
ASA(config-pmap)# class CONNS-MAP
ASA(config-pmap-c)# set connection {[conn-max n] [embryonic-conn-max n] [per-client-embryonic-max n] [per-client-max n] [random-sequence-number {enable | disable}]}
! Attach the policy map globally or to a single interface
ASA(config)# service-policy CONNS-POLICY {global | interface interface_name}

Note that you are limiting the connection number, not the actual bandwidth, with the "per-client-max" option.

PK
