Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Using the Cisco ASA Identity Firewall for Traffic Shaping or Bandwidth Control?

Posted on 2014-03-18
1
Medium Priority
?
646 Views
Last Modified: 2014-03-24
Hello,

I have just discovered and been briefly reading up on Cisco's "new to me" Identity Firewall feature set.  

I am specifically trying to determine if it can be used for the purposes of bandwidth control or traffic shaping based on users.  For example, once it has attached its self via the million steps to active directory and the mine field of it completely breaking existing things navigated, is it able to associate network activity with users on the network, can I then create policies for each user or active directory user group?

Specifically policies that would allow users or users referenced by their associated groups access to only a certain amount of the total interface's bandwidth?  IE, no one user on the network can ever utilize more than 500 Kbytes per second.  So a cat video(s) or a sports cast(s) doesn't end up killing an important webex conference for example?  

Now I know there are a few ways that this COULD be done (allow/disallow known ports/IPs or microflow on mega expensive catalyst switches), none of which are really any good or scale able.  Basically I am trying to get the ASA to act like a Next Generation Firewall and allow for some form of user based bandwidth control.  

Also, if this is possible, I am guessing the ASA will need 1GB of RAM as opposed to 256MB?

Thanks for the info.
0
Comment
Question by:CnicNV
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
 
LVL 20

Accepted Solution

by:
rauenpc earned 1500 total points
ID: 39937697
I've never done this specifically (I've done IDFW but not traffic shaping based on IDFW), but the commands are allowed, so I assume that you can do this. I would definitely recommend going with 1Gb RAM (or the max) and also upgrade your code to the latest so that you can support IDFW for 2008R2 and 2012. The bigger question I would have would be if you configure this for an individual user, it seems clear that the user will not be allowed beyond the max. However, if you configure a group will each user be allowed up to the max, or will the collective group of users be allowed up to the max (as an aggregate)? That I don't know and would probably want to test.

access-list AL-WEB-TRAFFIC extended permit tcp user LOCAL\Administrator any any eq https

class-map CM-POLICE-WEB
 match access-list AL-WEB-TRAFFIC
!
!
policy-map PM-POLICE-WEB
 class CM-POLICE-WEB
  police input 1000000
!
service-policy PM-POLICE-WEB interface outside
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Imagine you have a shopping list of items you need to get at the grocery store. You have two options: A. Take one trip to the grocery store and get everything you need for the week, or B. Take multiple trips, buying an item at a time, to achieve t…
In the world of WAN, QoS is a pretty important topic for most, if not all, networks. Some WAN technologies have QoS mechanisms built in, but others, such as some L2 WAN's, don't have QoS control in the provider cloud.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

704 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question