12-07-2010 12:21 AM - edited 03-04-2019 10:42 AM
hi! We've 2 FWs that are physically separated but sharing one outgoing internet line. One is used for wifi guest access and another FW is used by the office users. Recently, I noticed that the guest network is utilizing more than 50% of our internet bandwidth. Is there any way that I can restrict or cap network usage in the guest network? Can anything be done at the switch level? Or any suggestion?
thks
12-07-2010 12:34 AM
Hi,
If you want to limit bandwidth to internet from some users then if your switching fabric supports it you can use CB policing.
Regards.
12-07-2010 12:41 AM
hi! What's CB policing? And how do I check whether my switch supports that? Can this be done by network segment or must it be by users? In our guest network/wifi there isn't any user login required.
thx
12-07-2010 12:47 AM
Hi,
do a sh ver on your switch and post output.
CB policing means Class-Based policing and it can be configured on some switches but also on routers and ASA.
You create class-maps where you match traffic, and then in a policy-map you say which action to impose on this traffic, like policing.
You then apply this policy-map to an interface, ingress or egress, with the service-policy command.
Policing: you decide a max bandwidth and when exceeding you can drop traffic or remark and transmit.
Regards.
12-07-2010 12:57 AM
hi! Here's the sh ver info. Does that mean I just need to apply the policy to the port that's connected to the guest FW? Can you provide me with a simple example that I can start with? E.g. cap the traffic going out/in from the internet to just 2 Mbps.
Cisco IOS Software, Catalyst 4500 L3 Switch Software (cat4500-ENTSERVICESK9-M), Version 12.2(52)SG, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
ROM: 12.2(31r)SGA1
Pod Revision 14, Force Revision 31, Tie Revision 32
System image file is "bootflash:cat4500-entservicesk9-mz.122-52.SG.bin"
Thks.
12-07-2010 01:16 AM
Hi,
take a look here: http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/52sg/configuration/guide/qos.html#wp1045519
regards.
12-08-2010 07:11 AM
hi! That seems to be a bit difficult for me to comprehend. Is there an easier way of doing it? Basically, the guest segment I'm having is the only segment avail., so it's ok if I can just limit anything coming or going out of the port connected to the firewall to a certain bandwidth. Thanks.
12-08-2010 07:37 AM
Hi,
you must do policing to accomplish this.
here is an example.
1) create ACL to identify traffic
ip access-list extended HTTP
 permit tcp any any eq 80
 permit tcp any any eq 8080
ip access-list extended HTTPS
 permit tcp any any eq 443
2) create class-map to match this traffic
class-map match-any WEB
 match access-group name HTTP
 match access-group name HTTPS
3) create policy-map to specify action for this traffic
policy-map POLICE_WEB
 class WEB
  police 512000
This will limit web traffic to ports 80, 8080 and 443 to 512 kbps; all exceeding traffic will be dropped.
4) apply policy
interface xx
 service-policy input POLICE_WEB
Regards
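How a single-rate policer such as `police 512000` decides between transmit and drop, shown as an added Python example that is not part of the thread and is not Cisco's implementation. The 16000-byte burst, the 1500-byte packets and the offered rates are assumed values, and `Policer` and `run` are hypothetical names.

```python
from dataclasses import dataclass


@dataclass
class Policer:
    """Token-bucket policer: conforming packets pass, the rest are dropped."""
    rate_bps: int      # policed rate in bits per second (512000 in the thread)
    burst_bytes: int   # bucket depth in bytes (assumed; the thread gives none)
    tokens: float = 0.0
    last: float = 0.0

    def __post_init__(self):
        self.tokens = float(self.burst_bytes)  # bucket starts full

    def offer(self, now: float, size: int) -> str:
        """Classify one packet of `size` bytes arriving at time `now` (seconds)."""
        # Refill at rate_bps / 8 bytes per second, capped at the bucket depth.
        refill = (now - self.last) * self.rate_bps / 8
        self.tokens = min(self.burst_bytes, self.tokens + refill)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return "conform"   # transmitted
        return "exceed"        # dropped: a policer never queues


def run(rate_bps, burst_bytes, offered_bps, seconds=10, pkt=1500):
    """Offer a constant packet stream; return (conformed_bps, drop_fraction)."""
    policer = Policer(rate_bps, burst_bytes)
    interval = pkt * 8 / offered_bps          # gap between packets in seconds
    count = int(seconds / interval)
    passed = sum(policer.offer(i * interval, pkt) == "conform"
                 for i in range(count))
    return passed * pkt * 8 / seconds, 1 - passed / count


if __name__ == "__main__":
    # Constructed scenarios: guest load above, below, and with a too-small burst.
    for burst, offered in ((16000, 2_000_000), (16000, 256_000), (1000, 2_000_000)):
        bps, dropped = run(512000, burst, offered)
        print(f"burst={burst}B offered={offered}bps -> {bps:.0f}bps, {dropped:.0%} dropped")
```

The third scenario shows the failure mode to check for when choosing a burst value: a bucket smaller than one full-size packet drops every such packet regardless of the configured rate.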