rate limiting out of border

c.fuller
Level 1

Hello -

I am finalizing a design for our guest DMZ network. I need to protect our corporate internet bandwidth from being chewed up by our guest clients. I understand I can rate limit the traffic from the DMZ to our external facing interface inbound and outbound. However, I am concerned about the inbound traffic/bandwidth usage before it hits our external facing interface. Is this something I need to concern myself with? Or will the fact that I have QoS in place on our external interface allocating only 5% of our bandwidth outbound be sufficient? I am envisioning a scenario where we have a serious bottleneck inbound at this interface for this DMZ (most clients will probably be file downloading/streaming video, etc.).

I am relatively new to this subject and want to make sure I am understanding the concepts correctly.  

Do I need to be concerned with that inbound traffic?  Or will the established outbound session (rate limited) be sufficient?  

If so, what, if anything, can I do about it? Contact ISP and ask to apply QoS outbound to us? Not even sure if they would entertain that but just thought this would be one solution... I don't want inbound guest DMZ traffic to chew up more than 5% of our internet pipe in any direction...

Thank you

Chucky

1 Reply

sean_evershed
Level 7

Hi,

As an alternative you can police the guest traffic to 5% on the switch that their PCs are connected to before it even hits your border device.

I would also look at limiting the TCP and UDP ports that the guests can access on the Internet to only things like HTTP, HTTPS, VPN etc.
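
The two suggestions in the reply above, sketched as a configuration; this is an added example and not part of either poster's message. It is written in Cisco IOS MQC syntax, and the `police` syntax and support for egress policing vary by switch platform. The guest subnet (192.0.2.0/24), the 100 Mb/s Internet link (so 5% = 5 Mb/s), the interface and all ACL, class and policy names are assumptions.

```cisco
! Constructed values: guest subnet 192.0.2.0/24, 5 Mb/s = 5% of an assumed
! 100 Mb/s Internet link, GigabitEthernet0/1 facing the guest network.
! All names below are hypothetical.

! Restrict guests to DHCP, DNS, HTTP, HTTPS and IPsec VPN; log the rest.
ip access-list extended GUEST-ALLOWED
 permit udp any eq 68 any eq 67
 permit udp 192.0.2.0 0.0.0.255 any eq 53
 permit tcp 192.0.2.0 0.0.0.255 any eq 53
 permit tcp 192.0.2.0 0.0.0.255 any eq 80
 permit tcp 192.0.2.0 0.0.0.255 any eq 443
 permit udp 192.0.2.0 0.0.0.255 any eq 500
 permit udp 192.0.2.0 0.0.0.255 any eq 4500
 permit esp 192.0.2.0 0.0.0.255 any
 deny   ip any any log
!
! Classify guest traffic in each direction for the policers.
ip access-list extended GUEST-UP
 permit ip 192.0.2.0 0.0.0.255 any
ip access-list extended GUEST-DOWN
 permit ip any 192.0.2.0 0.0.0.255
!
class-map match-all GUEST-UP
 match access-group name GUEST-UP
class-map match-all GUEST-DOWN
 match access-group name GUEST-DOWN
!
! Police to 5 Mb/s; packets above the rate are dropped.
policy-map GUEST-POLICE-IN
 class GUEST-UP
  police 5000000 conform-action transmit exceed-action drop
policy-map GUEST-POLICE-OUT
 class GUEST-DOWN
  police 5000000 conform-action transmit exceed-action drop
!
interface GigabitEthernet0/1
 description Guest DMZ (hypothetical)
 ip access-group GUEST-ALLOWED in
 service-policy input GUEST-POLICE-IN
 service-policy output GUEST-POLICE-OUT
```

The output policer limits what is delivered to guests, but download traffic has already crossed the Internet link by the time it is dropped here.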