Cisco Support Community
New Member

RATE LIMIT (police) SSL VPN USERS ON ASA

Hi All,

We have a customer who has an ASA at head office and they want to limit bandwidth available to their remote users who log in using the AnyConnect client. We are considering a simple QoS policing policy which may work, but does anyone have a better solution or is this the best way?

Thanks,

1 REPLY
Cisco Employee

RATE LIMIT (police) SSL VPN USERS ON ASA

Hello,

I understand that you want to configure bandwidth limits for each AnyConnect client connection. 

Unfortunately, the ASA does not currently support QoS policing of traffic on a per-user or per-IP-address basis:

https://supportforums.cisco.com/docs/DOC-1361#Q_Does_ASA_SSL_VPN_AnyConnect_Client_or_Clientless_support_QOS_and_policing_bandwidth_management_capabilites

The feature has been requested but it seems it will not be integrated in the near future.

The available workaround is to use simple QoS as you mention but it is not scalable at all.

You may police the ASA WAN bandwidth based on the public IP address of each remote-access AnyConnect user hogging bandwidth:

access-list SSLVPN_LIMIT extended permit udp host (user public ip address) host (ASA ip address) eq 443
access-list SSLVPN_LIMIT extended permit tcp host (user public ip address) host (ASA ip address) eq 443
!
class-map SSLVPN
 match access-list SSLVPN_LIMIT
!
policy-map LIMIT
 class SSLVPN
  police input 1500000
  police output 1500000
!
service-policy LIMIT interface outside

Thanks,

Itzcoatl
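
The workaround in the reply above, as an added example that is not part of the original post: a Python helper that emits the reply's ACL, class-map and policy-map lines for a list of client public IPs, which makes the scaling cost visible (two ACL entries per user). The function name `build_police_config` and the sample addresses (documentation ranges) are assumptions; the ASA commands are the ones shown in the reply.

```python
import ipaddress


def build_police_config(asa_ip, client_ips, rate_bps=1500000,
                        acl="SSLVPN_LIMIT", cmap="SSLVPN",
                        pmap="LIMIT", iface="outside"):
    """Return the reply's ASA policing config for a list of client public IPs."""
    asa = ipaddress.IPv4Address(asa_ip)          # ValueError on a malformed address
    if not isinstance(rate_bps, int) or rate_bps <= 0:
        raise ValueError("rate_bps must be a positive integer (bits per second)")

    clients = []
    for raw in client_ips:
        ip = ipaddress.IPv4Address(raw.strip())
        if ip == asa:
            raise ValueError(f"{ip} is the ASA address, not a client")
        if ip not in clients:                    # drop duplicates, keep order
            clients.append(ip)
    if not clients:
        raise ValueError("no client addresses given")

    lines = []
    for ip in clients:
        # AnyConnect reaches the ASA on 443 over UDP and TCP, as in the reply.
        for proto in ("udp", "tcp"):
            lines.append(f"access-list {acl} extended permit {proto} "
                         f"host {ip} host {asa} eq 443")
    lines += [
        "!", f"class-map {cmap}", f" match access-list {acl}",
        "!", f"policy-map {pmap}", f" class {cmap}",
        f"  police input {rate_bps}", f"  police output {rate_bps}",
        "!", f"service-policy {pmap} interface {iface}",
    ]
    return lines


if __name__ == "__main__":
    # Constructed sample input: documentation-range addresses, not real hosts.
    sample = ["203.0.113.10", "198.51.100.7", "203.0.113.10"]
    print("\n".join(build_police_config("192.0.2.1", sample)))
```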
