Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
443
Views
0
Helpful
3
Replies

Throttling Individual User Bandwidth

jcioara
Level 1
Level 1

‎09-11-2013 01:11 PM - edited ‎03-11-2019 07:37 PM

Hello -

I just ran into an instance where a single user on a network completely maxxed out a 100Mbps Internet connection for 30 minutes downloading. I'd like to create a policy on the Cisco ASA that throttles bandwidth per user. In a nutshell, I would like the policy to say, "there's no one user on this network who can use more than 25 Mbps."

Does anyone know the way to do this? I don't want to throttle the whole subnet with a policing policy (all users on the network share 25 Mbps) or any one IP address.

Seems simple, but I just can't think of the solution - penny for your thoughts!

Jeremy

Labels:
0 Helpful
3 Replies 3

Julio Carvajal
VIP Alumni
VIP Alumni

‎09-11-2013 04:32 PM

Hello Jeremy,

As you said sounds easy but I would say is kind of messy (I have not done it in the past)

But lets talk about the options

One that will not work

Cause if you use something like

class-map test

match any

policy-map global-policy

class test

police output 25000

any kind of traffic (I mean if there are 2 connections across the firewall) will be policed at that level which is not what you are looking for!

Second option (This is the best I could think at the moment lol)

Maybe like this (Let's say internal network is 192.168.10.0/24)

access-list test permit ip host 192.168.10.1 any

access-list test permit ip host 192.168.10.2 any

access-list test permit ip host 192.168.10.3 any

And keeps going...

Then

class-map test

match access-list test

policy-map global-policy

class test

police output 250000

That would match each of the ACL lines and then filter it properly, what do you think?

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

jcioara
Level 1
Level 1
In response to Julio Carvajal

‎09-11-2013 09:58 PM

I had thought about doing it that way...which is what prompted this post - a 255 item access-list simply to define per-user bandwidht limits? There's got to be a better way...

...right?

If not, how do ya'll prevent a single user from jeopordizing the Internet connection by downloading gobs of data?

Jeremy

0 Helpful

Julio Carvajal
VIP Alumni
VIP Alumni
In response to jcioara

‎09-11-2013 10:03 PM

Hello Jeremy,

I do agree on the fact that this could be really problematic ( I mean it could be boring and we could be making our ASA's running configuration really big) but as you want to do it to all of the host but PER host I don't see any other way to match this traffic.

Do you?

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card