08-02-2008 09:48 PM - edited 03-11-2019 06:24 AM
Hi, We have a 1 MB dedicated link and the network gets slower when multiple users download anything. I know we can restrict them by using MFP, but we have connected a few sites by using an STS tunnel and I don't want that MFP to be implemented on my tunnel traffic. I want to use MFP only for internet purposes: if any user downloads anything then he must not consume a higher speed than 30 KB. If any user downloads anything from remote sites then the user must not be restricted. Please advise.
08-03-2008 06:45 AM
First, I guess you use a firewall,
and the intended thing is MPF not MFP,
which means Modular Policy Framework.
Anyway, the idea is to make policing. In your case what you need to do is to make an ACL that matches any traffic sourced from your network and going to your remote site network,
and put this traffic in a priority queue, but that is not a must.
Let's say your local network is 192.168.1.0/24
and the remote network is 172.16.1.0/24
and your L2L tunnel in your firewall config is named 172.16.1.2.
First create the ACL:
access-list 100 DENY ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list 100 permit ip any any
This ACL matches all traffic EXCEPT the tunnel traffic.
The important thing is your tunnel-group config and name, so I assumed its name is [172.16.1.2].
So create a class-map to match this tunnel traffic:
class-map tunnel-traffic
match tunnel-group 172.16.1.2
match flow ip destination-address
Make a class-map to match the traffic matched by ACL 100,
which includes all traffic except the tunnel traffic, and then we are going to limit this traffic rate to 30 kb:
class-map non-tunneled
match access-list 100
Then the policy time:
policy-map policy1
class tunnel-traffic
police output 850000 conform-action transmit exceed-action transmit
class non-tunneled
police output 30000 conform-action transmit exceed-action drop
Then apply the policy as follows:
service-policy policy1 interface outside
assuming that your outside interface is named outside.
With the above config I put the tunnel traffic at about 850 kb, but if it goes above that it will be transmitted too.
On the other hand the non-tunneled traffic is limited to 30 kb, and if it goes beyond that limit it is going to be dropped by the drop command mentioned above.
Finally,
You can monitor policer activity with the following command:
Firewall# show service-policy [interface ifc_name]
Good luck.
Please rate if helpful.
08-03-2008 08:40 PM
Hi, Thank you for providing such valuable information.
08-03-2008 08:45 PM
Did you get it to work as you want?
08-04-2008 02:40 AM
Yeah, but what about other tunnels? You showed an example of a single tunnel.
08-07-2008 06:16 AM
Hi,
Is there a way to limit the network, but to exclude some IP addresses?
Thanks,
08-07-2008 06:31 AM
Sure.
In the matching statement, which is an ACL and class-map,
first deny the hosts you don't want to be limited, then match any.
For example, if we want to exclude the host with IP 192.168.1.1,
do
access-list 100 deny ip host 192.168.1.1 any
access-list 100 permit ip 192.168.1.0 255.255.255.0 any
In this case we excluded this host and included all the network within that range.
Then
use this ACL with the required class-map and so on.
Please rate if helpful.
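As an added example that is not part of this thread, the ASA configuration below puts together the two follow-ups above: it extends the accepted answer's single-tunnel policy to several site-to-site tunnels (the question about "other tunnels") and exempts individual hosts from the internet rate limit (the question about excluding IP addresses). All networks, tunnel-group names, class names and the interface name are assumed placeholders, not values from the thread.

```cisco
! Constructed example: two remote sites reached over L2L tunnels and one
! local host exempt from the internet limit. Every address, tunnel-group
! name, class name and the interface name below is an assumption.
!
! Traffic that must NOT be policed is denied from the ACL: the exempt host,
! and anything from the LAN to a remote site network (it rides a tunnel).
! Whatever remains from the LAN is internet traffic and gets the limit.
access-list INTERNET-LIMIT extended deny ip host 192.168.1.1 any
access-list INTERNET-LIMIT extended deny ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list INTERNET-LIMIT extended deny ip 192.168.1.0 255.255.255.0 172.16.2.0 255.255.255.0
access-list INTERNET-LIMIT extended permit ip 192.168.1.0 255.255.255.0 any
!
! One class per tunnel-group; "match flow ip destination-address" is
! required alongside "match tunnel-group" when the class is policed.
class-map TUNNEL-SITE-A
 match tunnel-group 172.16.1.2
 match flow ip destination-address
class-map TUNNEL-SITE-B
 match tunnel-group 172.16.2.2
 match flow ip destination-address
!
class-map NON-TUNNELED
 match access-list INTERNET-LIMIT
!
policy-map POLICY-OUTSIDE
 ! Tunnel classes: exceed-action transmit, so tunnel traffic is measured
 ! (visible in "show service-policy") but never dropped.
 class TUNNEL-SITE-A
  police output 850000 conform-action transmit exceed-action transmit
 class TUNNEL-SITE-B
  police output 850000 conform-action transmit exceed-action transmit
 ! Internet class: rates are in bits per second. 240000 bps is 30 KB/s.
 ! "input" on the outside interface is traffic arriving from the internet
 ! (downloads); "output" is traffic leaving towards the internet (uploads).
 class NON-TUNNELED
  police input 240000 conform-action transmit exceed-action drop
  police output 240000 conform-action transmit exceed-action drop
!
service-policy POLICY-OUTSIDE interface outside
```

Two points worth checking on a real box: the ASA policer's conform-rate is expressed in bits per second, so the `30000` used in the answer above is 30 kbit/s (about 3.75 KB/s), and a limit meant as 30 KB/s is 240000; and each additional tunnel only needs its own deny line in the ACL plus its own `match tunnel-group` class, so the policy grows linearly with the number of sites. After applying it, `show service-policy interface outside` shows the conformed and exceeded packet counters per class, which is the quickest way to confirm that tunnel traffic is not being dropped while internet traffic is.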