Limiting bandwidth per user on the 1800 Series

Discussion in 'Cisco' started by Nate Silva, Oct 3, 2007.

  1. Nate Silva Guest

    We're considering an 1811 to replace our SonicWALL.

    One requirement is to prevent LAN users from hogging bandwidth. Let's
    say one user is downloading a large file from a high-bandwidth site.
    That could saturate our T1.

    With the 1811 is there a way to limit an individual user on the LAN
    side to (for example) 500 Kbps?

    Regards,
    Nate
     
    Nate Silva, Oct 3, 2007
    #1

  2. Trendkill Guest

    On Oct 3, 2:43 pm, Nate Silva <> wrote:
    > We're considering an 1811 to replace our SonicWALL.
    >
    > One requirement is to prevent LAN users from hogging bandwidth. Let's
    > say one user is downloading a large file from a high-bandwidth site.
    > That could saturate our T1.
    >
    > With the 1811 is there a way to limit an individual user on the LAN
    > side to (for example) 500 Kbps?
    >
    > Regards,
    > Nate


    Not that I am aware of. Routers do not have any type of underlying
    authentication (so they can't tell who is who), and only know about
    streams of data (source/destination IPs and ports). You can input a
    QoS policy to classify all web traffic in a certain way and limit
    things like FTPs or other bandwidth-intensive applications, but even
    then, it will only mark and prioritize the traffic going out of the
    router to the internet, and not back in. Unless you have a higher
    level application server or proxy that can provide this function, you
    are going to be stuck.
     
    Trendkill, Oct 3, 2007
    #2

  3. Nate Silva Guest

    On Oct 3, 12:01 pm, Trendkill <> wrote:
    > Not that I am aware of. Routers do not have any type of underlying
    > authentication (so they can't tell who is who), and only know about
    > streams of data (source/destination IPs and ports). You can input a
    > QoS policy to classify all web traffic in a certain way and limit
    > things like FTPs or other bandwidth-intensive applications, but even
    > then, it will only mark and prioritize the traffic going out of the
    > router to the internet, and not back in. Unless you have a higher
    > level application server or proxy that can provide this function, you
    > are going to be stuck.


    Limiting per stream would work. It doesn't have to be per literal
    user. But from what you're saying it could only limit the outbound
    traffic and not back in?

    Regards,
    Nate
     
    Nate Silva, Oct 3, 2007
    #3
  4. Trendkill Guest

    On Oct 3, 3:16 pm, Nate Silva <> wrote:
    > On Oct 3, 12:01 pm, Trendkill <> wrote:
    >
    > > Not that I am aware of. Routers do not have any type of underlying
    > > authentication (so they can't tell who is who), and only know about
    > > streams of data (source/destination IPs and ports). You can input a
    > > QoS policy to classify all web traffic in a certain way and limit
    > > things like FTPs or other bandwidth-intensive applications, but even
    > > then, it will only mark and prioritize the traffic going out of the
    > > router to the internet, and not back in. Unless you have a higher
    > > level application server or proxy that can provide this function, you
    > > are going to be stuck.

    >
    > Limiting per stream would work. It doesn't have to be per literal
    > user. But from what you're saying it could only limit the outbound
    > traffic and not back in?
    >
    > Regards,
    > Nate


    Yes, as the traffic would not be marked at the other side, and once it
    traverses your T1, your router could mark it, but what good would it
    do (it's already come across the T1). And it would not be per stream,
    it would be class of traffic (all FTP, all web, all traffic to/from a
    certain site), basically it would depend on an access list. I don't
    know of any other ways to implement QoS to do what you are looking
    for...
     
    Trendkill, Oct 3, 2007
    #4
  5. In article <>,
    Trendkill <> wrote:
    >On Oct 3, 3:16 pm, Nate Silva <> wrote:
    >> But from what you're saying it could only limit the outbound
    >> traffic and not back in?


    >Yes, as the traffic would not be marked at the other side, and once it
    >traverses your T1, your router could mark it, but what good would it
    >do (it's already come across the T1).


    If it is TCP and you drop it as it comes into your router,
    then the end-to-end TCP flow control mechanisms would kick in,
    causing the sender to back off and lower the window size. You end
    up paying for a window-full of packets to go across your T1, but
    traffic after that would be moderated.
     
    Walter Roberson, Oct 4, 2007
    #5
  6. Guest

    On Oct 3, 2:43 pm, Nate Silva <> wrote:
    > We're considering an 1811 to replace our SonicWALL.
    >
    > One requirement is to prevent LAN users from hogging bandwidth. Let's
    > say one user is downloading a large file from a high-bandwidth site.
    > That could saturate our T1.
    >
    > With the 1811 is there a way to limit an individual user on the LAN
    > side to (for example) 500 Kbps?
    >
    > Regards,
    > Nate


    If you have Cisco access switches you can limit it at the endpoint
    using a quota system like this:

    http://www.lehigh.edu/networksoftware/penaltybox.html
     
    , Oct 4, 2007
    #6
  7. ~ We're considering an 1811 to replace our SonicWALL.
    ~
    ~ One requirement is to prevent LAN users from hogging bandwidth. Let's
    ~ say one user is downloading a large file from a high-bandwidth site.
    ~ That could saturate our T1.
    ~
    ~ With the 1811 is there a way to limit an individual user on the LAN
    ~ side to (for example) 500 Kbps?
    ~
    ~ Regards,
    ~ Nate

    If each "user" can be uniquely identified as a single IP address, then
    you can use GTS or CAR to shape/police/what-ye-call it the traffic
    to/from that address down to the desired rate.

    Aaron
     
    Aaron Leonard, Oct 4, 2007
    #7
  8. Trendkill Guest

    On Oct 4, 3:48 pm, Aaron Leonard <> wrote:
    > ~ We're considering an 1811 to replace our SonicWALL.
    > ~
    > ~ One requirement is to prevent LAN users from hogging bandwidth. Let's
    > ~ say one user is downloading a large file from a high-bandwidth site.
    > ~ That could saturate our T1.
    > ~
    > ~ With the 1811 is there a way to limit an individual user on the LAN
    > ~ side to (for example) 500 Kbps?
    > ~
    > ~ Regards,
    > ~ Nate
    >
    > If each "user" can be uniquely identified as a single IP address, then
    > you can use GTS or CAR to shape/police/what-ye-call it the traffic
    > to/from that address down to the desired rate.
    >
    > Aaron


    Yes, I forgot that was available on the smaller routers these days,
    although it is still for outgoing traffic only. Incoming you are
    hosed unless you drop traffic like another poster said, and even then,
    not a great solution.
     
    Trendkill, Oct 4, 2007
    #8
  9. On Thu, 04 Oct 2007 13:13:04 -0700, Trendkill <> wrote:

    ~ On Oct 4, 3:48 pm, Aaron Leonard <> wrote:
    ~ > ~ We're considering an 1811 to replace our SonicWALL.
    ~ > ~
    ~ > ~ One requirement is to prevent LAN users from hogging bandwidth. Let's
    ~ > ~ say one user is downloading a large file from a high-bandwidth site.
    ~ > ~ That could saturate our T1.
    ~ > ~
    ~ > ~ With the 1811 is there a way to limit an individual user on the LAN
    ~ > ~ side to (for example) 500 Kbps?
    ~ > ~
    ~ > ~ Regards,
    ~ > ~ Nate
    ~ >
    ~ > If each "user" can be uniquely identified as a single IP address, then
    ~ > you can use GTS or CAR to shape/police/what-ye-call it the traffic
    ~ > to/from that address down to the desired rate.
    ~ >
    ~ > Aaron
    ~
    ~ Yes, I forgot that was available on the smaller routers these days,
    ~ although it is still for outgoing traffic only. Incoming you are
    ~ hosed unless you drop traffic like another poster said, and even then,
    ~ not a great solution.

    One interface's incoming is another interface's outgoing.

    Not sure what your aversion to dropping traffic is. If your goal is
    to limit user x to 500Kbps, then what would you propose that you do
    when the offered load to/from this user is 1Mbps?
     
    Aaron Leonard, Oct 5, 2007
    #9
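    As an added example (written for this page, not posted by anyone in the
    thread), here is how Aaron's per-IP CAR/GTS suggestion (#7), Walter's
    point about dropping inbound TCP so the sender backs off (#5), and the
    "one interface's incoming is another interface's outgoing" remark (#9)
    fit together in IOS MQC syntax on an 1811. Assumed, not from the thread:
    FastEthernet0 faces the T1 router, the LAN switch ports sit in Vlan1, and
    192.168.1.50 is a constructed address standing in for one user.

```ios
! Added example (not from the thread). Assumed: FastEthernet0 faces the
! T1 router, the LAN switch ports live in Vlan1, and 192.168.1.50 is a
! constructed address standing in for one "user".
!
! One user == one IP address (Aaron's precondition), matched per direction.
ip access-list extended USER-50-UPLOAD
 permit ip host 192.168.1.50 any
ip access-list extended USER-50-DOWNLOAD
 permit ip any host 192.168.1.50
!
class-map match-any CM-USER-50-UPLOAD
 match access-group name USER-50-UPLOAD
class-map match-any CM-USER-50-DOWNLOAD
 match access-group name USER-50-DOWNLOAD
!
! Policing (the MQC equivalent of CAR) drops packets above 500 kbps.
! Burst is 15625 bytes (500000 bps x 0.25 s / 8). Applied inbound on the
! WAN side, downloads are dropped as they arrive: the first window-full
! still crosses the T1, then the remote TCP sender backs off (Walter's
! point), so the steady state settles near 500 kbps.
policy-map PM-USER-50-IN
 class CM-USER-50-DOWNLOAD
  police 500000 15625 conform-action transmit exceed-action drop
policy-map PM-USER-50-OUT
 class CM-USER-50-UPLOAD
  police 500000 15625 conform-action transmit exceed-action drop
!
interface FastEthernet0
 description toward T1 / Internet
 service-policy input PM-USER-50-IN
 service-policy output PM-USER-50-OUT
!
! Alternative for the download direction: shaping queues rather than
! drops, but shaping is outbound-only, so it goes on the LAN-facing
! interface, where the user's downloads are outgoing traffic ("one
! interface's incoming is another interface's outgoing").
policy-map PM-USER-50-LAN
 class CM-USER-50-DOWNLOAD
  shape average 500000
interface Vlan1
 service-policy output PM-USER-50-LAN
!
! Check conformed/exceeded counters per class:
! show policy-map interface FastEthernet0
```

    Use either the WAN-side policer or the LAN-side shaper for downloads, not both, and watch the exceeded counters before trusting the rate.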
  10. Trendkill Guest

    On Oct 5, 3:21 pm, Aaron Leonard <> wrote:
    > On Thu, 04 Oct 2007 13:13:04 -0700, Trendkill <> wrote:
    >
    > ~ On Oct 4, 3:48 pm, Aaron Leonard <> wrote:
    > ~ > ~ We're considering an 1811 to replace our SonicWALL.
    > ~ > ~
    > ~ > ~ One requirement is to prevent LAN users from hogging bandwidth. Let's
    > ~ > ~ say one user is downloading a large file from a high-bandwidth site.
    > ~ > ~ That could saturate our T1.
    > ~ > ~
    > ~ > ~ With the 1811 is there a way to limit an individual user on the LAN
    > ~ > ~ side to (for example) 500 Kbps?
    > ~ > ~
    > ~ > ~ Regards,
    > ~ > ~ Nate
    > ~ >
    > ~ > If each "user" can be uniquely identified as a single IP address, then
    > ~ > you can use GTS or CAR to shape/police/what-ye-call it the traffic
    > ~ > to/from that address down to the desired rate.
    > ~ >
    > ~ > Aaron
    > ~
    > ~ Yes, I forgot that was available on the smaller routers these days,
    > ~ although it is still for outgoing traffic only. Incoming you are
    > ~ hosed unless you drop traffic like another poster said, and even then,
    > ~ not a great solution.
    >
    > One interface's incoming is another interface's outgoing.
    >
    > Not sure what your aversion to dropping traffic is. If your goal is
    > to limit user x to 500Kbps, then what would you propose that you do
    > when the offered load to/from this user is 1Mbps?


    My aversion to dropping traffic is just that it's not as optimal as
    controlling both sides of a link and prioritizing traffic based on
    class. In this case, it is the internet, and if that is the only
    option, that is fine. As for the incoming/outgoing discussion, the
    circuit is to the internet. If you want to use a CAR to drop traffic,
    then traffic over a certain threshold will be dropped and will need to
    be retransmitted. While this is OK, what does your ACL look like?
    Anything destined for a single IP? Anything port 80 and destined to a
    specific IP? If it's 11 pm at night and nothing else is going on, are
    you OK nixing anything over 500kb for this node just because? CAR is
    a quick and dirty solution that does have a purpose, but it generally
    backs an engineer into a corner, particularly as you start putting 500
    k statements on each user. Do they cannibalize their own bandwidth
    (give 500 to all web traffic), or do you then split it up further by
    destination IP? Does this presume that there is no legitimate web
    traffic? Do you carve that special traffic out separately, in which case
    you are fighting CAR statements against each other? As I stated
    earlier, you need to use what's available and makes sense, and I'm not
    anti-anything that is a solution or a step in the right direction, but
    the above solution is not 'clean' or scalable. Since it is to the
    internet, there aren't many options, so I'm just saying the OP needs
    to be very careful as he/she thinks through this solution.

    At this point I would look at what kind of traffic is causing
    problems. Is it business related? Do you have a proxy that blocks
    non-business traffic if this link is a core competency for other
    legitimate traffic? If it is legitimate data retrieval, can it be
    scheduled? If this is a small business, can you get a DSL or cable
    circuit for internet and keep your T1 for business traffic and do
    policy-based routing? If you end up having to drop traffic, that
    works, just be careful how you implement it is all I'm saying.
     
    Trendkill, Oct 5, 2007
    #10
