CnicNV
asked on
Using the Cisco ASA Identity Firewall for Traffic Shaping or Bandwidth Control?
Hello,
I have just discovered and been briefly reading up on Cisco's "new to me" Identity Firewall feature set.
I am specifically trying to determine if it can be used for the purposes of bandwidth control or traffic shaping based on users. For example, once it has attached its self via the million steps to active directory and the mine field of it completely breaking existing things navigated, is it able to associate network activity with users on the network, can I then create policies for each user or active directory user group?
Specifically policies that would allow users or users referenced by their associated groups access to only a certain amount of the total interface's bandwidth? IE, no one user on the network can ever utilize more than 500 Kbytes per second. So a cat video(s) or a sports cast(s) doesn't end up killing an important webex conference for example?
Now I know there are a few ways that this COULD be done (allow/disallow known ports/IPs or microflow on mega expensive catalyst switches), none of which are really any good or scale able. Basically I am trying to get the ASA to act like a Next Generation Firewall and allow for some form of user based bandwidth control.
Also, if this is possible, I am guessing the ASA will need 1GB of RAM as opposed to 256MB?
Thanks for the info.
I have just discovered and been briefly reading up on Cisco's "new to me" Identity Firewall feature set.
I am specifically trying to determine if it can be used for the purposes of bandwidth control or traffic shaping based on users. For example, once it has attached its self via the million steps to active directory and the mine field of it completely breaking existing things navigated, is it able to associate network activity with users on the network, can I then create policies for each user or active directory user group?
Specifically policies that would allow users or users referenced by their associated groups access to only a certain amount of the total interface's bandwidth? IE, no one user on the network can ever utilize more than 500 Kbytes per second. So a cat video(s) or a sports cast(s) doesn't end up killing an important webex conference for example?
Now I know there are a few ways that this COULD be done (allow/disallow known ports/IPs or microflow on mega expensive catalyst switches), none of which are really any good or scale able. Basically I am trying to get the ASA to act like a Next Generation Firewall and allow for some form of user based bandwidth control.
Also, if this is possible, I am guessing the ASA will need 1GB of RAM as opposed to 256MB?
Thanks for the info.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.