Limiting a number of connections on FWSM

I have an FWSM in active/passive configuration, running software version 4.0.8, with no contexts configured. This equipment can support 256k connections.

I want to limit this guy to receiving at most 150k connections.

I've read

http://www.cisco.com/en/US/docs/security/fwsm/fwsm22/configuration/guide/context.html#wp1055963

...

Configuring a Class

To add or change a class in the system configuration, follow these steps. After you add the class, you can add more limits as required by following this procedure again for the same class name and specifying additional limits. You do not need to reenter existing resource commands; the commands you already set remain in place unless you remove them with the no form of the command. You can change the value of a particular resource limit by reentering the command with a new value.

To configure a resource class, follow these steps:


Step 1 To specify the class name and enter the class configuration mode, enter the following command in the system execution space:

FWSM(config)# class name

The name is a string up to 20 characters long. To set the limits for the default class, enter default for the name.

Step 2 To set the resource limits, see the following options:

To set all resource limits (shown in Table 5-1), enter the following command:

FWSM(config-resmgmt)# limit-resource all {number% | 0}

The number is an integer greater than or equal to 1. 0 (without a percent sign (%)) sets the resources to unlimited. You can assign more than 100% if you want to oversubscribe the device.

To set a particular resource limit, enter the following command:

FWSM(config-resmgmt)# limit-resource [rate] resource_name number[%]

For this particular resource, the limit overrides the limit set for all. Enter the rate argument to set the rate per second for certain resources. See Table 5-1 for resources for which you can set the rate per second.

Table 5-1 lists the resource types and the limits. See also the show resource types command.

...

But the command class doesn't exist. Only class-map exists.

fw01-rprlbm-pae/act/9(config)# class-map inspection_default
fw01-rprlbm-pae/act/9(config-cmap)# ?
MPF class-map configuration commands:
  description  Specify class-map description
  exit         Exit from MPF class-map configuration mode
  help         Help for MPF class-map configuration commands
  match        Configure classification criteria
  no           Negate or set default values of a command
  rename       Rename this class-map
fw01-rprlbm-pae/act/9(config-cmap)# limi?
ERROR: % Unrecognized command
fw01-rprlbm-pae/act/9(config-cmap)#

OK, I've tried class-map too, but the limit-resource command doesn't exist.

Inside policy-map (shown below) I can set a number of connections. But I need to set 150k connections, and this command is limited to 64k. OK, I could create some ACLs and apply 64k to each ACL. But I don't want this. I want to set 150k for the entire box. Does anyone have any idea to help me?

fw01-rprlbm-pae/act/9(config)# policy-map global_policy
fw01-rprlbm-pae/act/9(config-pmap)#  class inspection_default
fw01-rprlbm-pae/act/9(config-pmap-c)# ?
MPF policy-map class configuration commands:
  deny     Pisa Protocol Control Services
  exit     Exit from MPF class action configuration mode
  help     Help for MPF policy-map class/match submode commands
  inspect  Protocol inspection services
  no       Negate or set default values of a command
  permit   Pisa Protocol Control Services
  quit     Exit from MPF class action configuration mode
  set      Set connection values
fw01-rprlbm-pae/act/9(config-pmap-c)# set
fw01-rprlbm-pae/act/9(config-pmap-c)# set ?
mpf-policy-map-class mode commands/options:
  connection  Configure connection parameters
fw01-rprlbm-pae/act/9(config-pmap-c)# set conn
fw01-rprlbm-pae/act/9(config-pmap-c)# set connection ?
mpf-policy-map-class mode commands/options:
  advanced-options        Configure advanced connection parameters
  conn-max                Keyword to set the maximum number of all simultaneous
                          connections that are allowed.  Default is 0 which
                          means unlimited connections.
  conn-rate-limit         Keyword to set the connection rate that is
                          allowed.Default is 0 which means no rate limiting. In
                          seconds.
  random-sequence-number  Enable/disable TCP sequence number randomization.
                          Default is to enable TCP sequence number
                          randomization
  timeout                 Configure connection timeout parameters
fw01-rprlbm-pae/act/9(config-pmap-c)# set connection conn
fw01-rprlbm-pae/act/9(config-pmap-c)# set connection conn-ma
fw01-rprlbm-pae/act/9(config-pmap-c)# set connection conn-max ?
mpf-policy-map-class mode commands/options:
  <0-65535>  Enter the maximum number of simultaneous connections
fw01-rprlbm-pae/act/9(config-pmap-c)# set connection conn-max

1 Reply

Itzcoatl Espinosa
Cisco Employee

Hello,

The limit resources commands appear on system context only. This means that the firewall should be configured in multiple context mode in order to enable those commands.

This cannot be done under the context itself or under an active/standby FWSM.

I hope it helps.

Regards,

Itzcoatl
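As an added example (not from this thread, and not a configuration from Cisco's guide or the original poster's module), this is what the two-step class procedure quoted from the documentation looks like once the precondition in the reply is met, i.e. the FWSM runs in multiple context mode and the commands are entered in the system execution space. The resource name conns and the show resource usage verification command are assumptions about the FWSM resource manager; Table 5-1, which lists the actual resource names, is not reproduced on this page, so confirm the name with show resource types first.

```text
! Added example, not from the original thread.
! Assumes: FWSM already converted to multiple context mode, so the
! system execution space exists and "class" / "limit-resource" are available.
! "conns" is the assumed resource name for simultaneous connections (Table 5-1).

! Step 0: confirm which resources accept limits (command named on this page)
FWSM# show resource types

! Step 1: enter the default class, which applies to every context
!         that is not assigned to another class
FWSM(config)# class default
! Step 2: set the absolute limit for this particular resource
FWSM(config-resmgmt)# limit-resource conns 150000
FWSM(config-resmgmt)# exit

! Alternative: a named class (string up to 20 characters) bound to one context
FWSM(config)# class capped-150k
FWSM(config-resmgmt)# limit-resource conns 150000
FWSM(config-resmgmt)# exit
FWSM(config)# context admin
FWSM(config-ctx)# member capped-150k
FWSM(config-ctx)# exit

! Removing the limit later uses the "no" form, as the quoted guide states
! FWSM(config-resmgmt)# no limit-resource conns

! Assumed verification command (not on this page): current usage vs. limit
FWSM# show resource usage
```

The point of the example is the contrast with the MPF output in the question: set connection conn-max is a per-class value capped at 65535, whereas limit-resource is an absolute cap on the whole context, which is what "150k for the entire box" asks for. The trade-off is that it only exists in the system execution space, so on a single-mode active/standby module it is unavailable, and changing the module's mode is a disruptive, box-wide operation to be planned as maintenance rather than a quick configuration edit.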
