
traffic

dkblee
Level 1

Hi! We've 2 FWs that are physically separated but sharing one outgoing internet line. One is used for wifi guest access and another FW is used by the office users. Recently, I noticed that the guest network is utilizing more than 50% of our internet bandwidth. Is there any way that I can restrict or cap network usage in the guest network? Can anything be done at the switch level? Or any suggestion?

thks

7 Replies

cadet alain
VIP Alumni

Hi,

If you want to limit bandwidth to internet from some users then if your switching fabric supports it you can use CB policing.

Regards.

Don't forget to rate helpful posts.

Hi! What's CB policing? And how do I check whether my switch supports that? Can this be done by network segment or must it be by users? In our guest network/wifi there isn't any user login required.

thx

Hi,

do a sh ver on your switch and post output.

CB policing means Class-Based policing and it can be configured on some switches but also on routers and ASA.

You create class-maps where you are matching traffic, and then in a policy-map you say which action to impose on this traffic, like policing.

You then apply this policy-map to an interface, ingress or egress, with the service-policy command.

Policing: you decide a max bandwidth, and when exceeding it you can drop traffic or remark and transmit.

Regards.

Don't forget to rate helpful posts.

Hi! Here's the sh ver info. Does that mean I just need to apply the policy to the port that's connected to the guest FW? Can you provide me with a simple example that I can start with? E.g. cap the traffic going out/in from the internet to just 2mbps.

Cisco IOS Software, Catalyst 4500 L3 Switch Software (cat4500-ENTSERVICESK9-M), Version 12.2(52)SG, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
ROM: 12.2(31r)SGA1
Pod Revision 14, Force Revision 31, Tie Revision 32

System image file is "bootflash:cat4500-entservicesk9-mz.122-52.SG.bin"

Thks.

Hi! That seems to be a bit difficult for me to comprehend. Is there an easier way of doing it? Basically, the guest segment I'm having is the only segment avail., so it's OK if I can just limit anything coming or going out of the port connected to the firewall to a certain bandwidth. Thanks.

Hi,

you must do policing to accomplish this.

here is an example.

1) create ACL to identify traffic

ip access-list extended HTTP
 permit tcp any any eq 80
 permit tcp any any eq 8080

ip access-list extended HTTPS
 permit tcp any any eq 443

2) create class-map to match this traffic

class-map match-any WEB
 match access-group name HTTP
 match access-group name HTTPS

3) create policy-map to specify action for this traffic

policy-map POLICE_WEB
 class WEB
  police 512000

This will limit web traffic to ports 80, 8080 and 443 to 512 kbps; all exceeding traffic will be dropped.

4) apply policy

interface xx
 service-policy input POLICE_WEB

Regards

Don't forget to rate helpful posts.
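
The drop-on-exceed behaviour of `police 512000` described in the replies above, modelled as a single-rate token bucket in Python. This is an added example, not part of the original thread and not Cisco's implementation; the 8000-byte burst size, the `Policer` class and the traffic streams are assumptions constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Policer:
    """Single-rate, two-colour token bucket: conform = transmit, exceed = drop."""
    rate_bps: int     # policed rate in bits per second, e.g. 512000
    burst_bytes: int  # bucket depth in bytes (assumed; the thread gives no burst)

    def __post_init__(self):
        self.tokens = float(self.burst_bytes)  # bucket starts full
        self.last = 0.0

    def offer(self, now: float, size: int) -> bool:
        """Return True if a packet of `size` bytes arriving at `now` (s) conforms."""
        # Refill at rate_bps/8 bytes per second, never above the bucket depth.
        refill = (now - self.last) * self.rate_bps / 8
        self.tokens = min(self.burst_bytes, self.tokens + refill)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False  # exceed action: drop; a policer never queues the packet


def run(policer, packets):
    """Feed (time, size) pairs through the policer; return (bytes_sent, bytes_dropped)."""
    sent = dropped = 0
    for now, size in packets:
        if policer.offer(now, size):
            sent += size
        else:
            dropped += size
    return sent, dropped


def constant_stream(bps, seconds, size=1500):
    """Constructed sample input: evenly spaced `size`-byte packets at `bps`."""
    n = int(bps / 8 / size * seconds)
    gap = seconds / n
    return [(i * gap, size) for i in range(n)]


if __name__ == "__main__":
    # Constructed traffic: a guest client offering 2 Mbps for 10 seconds.
    sent, dropped = run(Policer(512000, 8000), constant_stream(2_000_000, 10))
    print(f"passed {sent * 8 / 10 / 1000:.0f} kbps, "
          f"dropped {dropped * 8 / 10 / 1000:.0f} kbps")
```

Traffic below the policed rate passes untouched; anything above it is discarded rather than delayed, which is why TCP flows through a policer with a small burst tend to see bursty loss.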