11-14-2013 07:42 PM - edited 03-11-2019 08:05 PM
Hi
Summary: How to limit bandwidth of servers with public IP addresses using 5505s?
Our datacenter is trying to manage its bandwidth using its current infrastructure: Cisco 6509 with L3 Supervisor card, 2950/2960s (L2) and 5505's. We have several contiguous class C IPv4 addresses allocated using different sized VLANs. Servers behind 5505's with private IP addresses have their bandwidth limited using class/policy map and police input / police output commands. We now want to use 5505's to limit the bandwidth of all servers with public IP addresses, i.e., put 5505's between the 6509 and the servers without changing the servers' current IP addresses. There is only an outside interface and a DMZ interface. No inside interface and no NATing. I hope you can help.
Infrastructure:
ISP -- 6509/Sup Card --- 2950/2960S - VLAN's -- 5505
-- VLAN's -- 5505.
6509 default route: set ip route 0.0.0.0/0.0.0.0 yyy.xxx.144.1
Requirements: 2 public ip addresses in the DMZ with bandwidth limited to 10Mb.
First question:
The outside and dmz interfaces have to be different subnets (VLAN's), correct? For example:
6509 VLAN ip address: 200.200.200.0/24
outside interface ip address: 200.200.200.2/29
dmz interface ip address: 200.200.200.129/29
Second question. How is the default route configured for the DMZ? What is the next hop?
route DMZ xxx.xxx.xxx.xxxx yyy.yyy.yyy.yyy <next hop>
Third question:
If two different subnets (vlan's) are required, can they be subnets of a larger VLAN?
200.200.200.0/22 - larger VLAN
200.200.200.0/30 - outside interface
200.200.200.0/28 - dmz
Fourth question:
To access a higher security level from a lower security level you need ACLs. Which means that the outside interface will need two IP addresses mapped to two addresses in the DMZ. One to one mapping. What would the ACL look like?
Any assistance in pointing me in the right direction is greatly appreciated.
All the best
11-15-2013 06:39 AM
Hello,
First question:
The outside and dmz interfaces have to be different subnets (VLAN's), correct? For example:
6509 VLAN ip address: 200.200.200.0/24
outside interface ip address: 200.200.200.2/29
dmz interface ip address: 200.200.200.129/29
Yes, unless running on transparent Mode.
Second question. How is the default route configured for the DMZ? What is the next hop?
route DMZ xxx.xxx.xxx.xxxx yyy.yyy.yyy.yyy
Do you reach the internet via the DMZ? If not, why would you point the default route to the DMZ?
Third question:
If two different subnets (vlan's) are required, can they be subnets of a larger VLAN?
200.200.200.0/22 - larger VLAN
200.200.200.0/30 - outside interface
200.200.200.0/28 - dmz
No, they cannot overlap.
Fourth question:
To access a higher security level from a lower security level you need ACLs. Which means that the outside interface will need two IP addresses mapped to two addresses in the DMZ. One to one mapping. What would the ACL look like?
Yes, an ACL is required.
If your DMZ host is 10.10.10.1 and you want to access it from any outside user on TCP port 80 (and if you are running 8.3 or higher), then:
access-list out-in permit tcp any host 10.10.10.1 eq 80
access-group out-in in interface outside
Rate all of the helpful posts!!!
Regards,
Jcarvaja
Follow me on http://laguiadelnetworking.com
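The following is an added configuration example, not part of the original thread or of Cisco's documentation. It ties together what the thread describes: an ASA 5505 (8.3 or later, routed mode, no NAT) with only an outside and a DMZ interface, the inbound ACL from the answer above, and the class-map / policy-map / police commands the original poster already uses for private-address servers, here applied to two public DMZ hosts at 10 Mbps. The interface numbers, security levels, host addresses (200.200.200.130 and .131), the 6509 next hop (200.200.200.1) and all object and policy names are constructed placeholders.

```cisco
! Added example, not from the thread. Addresses, names and VLAN numbers are
! constructed placeholders; adjust to the real allocation.
interface Vlan2
 nameif outside
 security-level 0
 ip address 200.200.200.2 255.255.255.248
!
interface Vlan3
 nameif dmz
 security-level 50
 ip address 200.200.200.129 255.255.255.248
!
! Default route points at the upstream 6509, not at the DMZ (see second answer).
route outside 0.0.0.0 0.0.0.0 200.200.200.1 1
!
! The two public DMZ servers; no NAT, so the ACL uses their real addresses.
object-group network DMZ-WEB-SERVERS
 network-object host 200.200.200.130
 network-object host 200.200.200.131
!
! Lower-to-higher security (outside -> dmz) needs an explicit permit.
access-list out-in extended permit tcp any object-group DMZ-WEB-SERVERS eq 80
access-group out-in in interface outside
!
! Traffic to or from the two servers is selected for policing.
access-list DMZ-RATE-LIMIT extended permit ip any object-group DMZ-WEB-SERVERS
access-list DMZ-RATE-LIMIT extended permit ip object-group DMZ-WEB-SERVERS any
class-map DMZ-RATE-LIMIT-CLASS
 match access-list DMZ-RATE-LIMIT
!
! 10 Mbps = 10000000 bps; burst in bytes (rate/8 is a common starting value).
! input  = traffic entering the dmz interface from the servers (upload)
! output = traffic leaving the dmz interface toward the servers (download)
policy-map DMZ-POLICY
 class DMZ-RATE-LIMIT-CLASS
  police input 10000000 1250000 conform-action transmit exceed-action drop
  police output 10000000 1250000 conform-action transmit exceed-action drop
!
service-policy DMZ-POLICY interface dmz
```

Two points worth checking before relying on this. First, the policer is applied per class and direction, so the 10 Mbps here is an aggregate for both servers together; to give each server its own 10 Mbps, use one ACL/class-map per host in the same policy-map. Second, because the DMZ /29 is reached through the ASA rather than directly on the 6509 VLAN, the 6509 needs a route to 200.200.200.128/29 via the ASA outside address (200.200.200.2), or return traffic to the servers never reaches the firewall. Verify hits with `show service-policy interface dmz police` and `show access-list out-in`.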
11-17-2013 07:20 AM
Julio,
Thank you for taking the time to answer my questions. We were trying to make the 5505 do something it was not designed to do: manage bandwidth instead of its intended role of being a firewall. We will be upgrading our network infrastructure with equipment which can manage bandwidth, among other things.
Again, thank you for taking time to answer my questions.
Doug
11-17-2013 09:57 AM
Hello Douglas,
Any time, buddy. Have a great day.
Rate all of the helpful posts!!!
Regards,
Jcarvaja
Follow me on http://laguiadelnetworking.com