Limiting bandwidth per user on the 1800 Series

We're considering an 1811 to replace our SonicWALL.

One requirement is to prevent LAN users from hogging bandwidth. Let's say one user is downloading a large file from a high-bandwidth site. That could saturate our T1.

With the 1811 is there a way to limit an individual user on the LAN side to (for example) 500 Kbps?

Regards, Nate

Reply to
Nate Silva

Not that I am aware of. Routers do not have any type of underlying authentication (so they can't tell who is who), and only know about streams of data (source/destination IPs and ports). You can input a QoS policy to classify all web traffic in a certain way and limit things like FTPs or other bandwidth-intensive applications, but even then, it will only mark and prioritize the traffic going out of the router to the internet, and not back in. Unless you have a higher level application server or proxy that can provide this function, you are going to be stuck.

Reply to
Trendkill

Limiting per stream would work. It doesn't have to be per literal user. But from what you're saying it could only limit the outbound traffic and not back in?

Regards, Nate

Reply to
Nate Silva

Yes, as the traffic would not be marked at the other side, and once it traverses your T1, your router could mark it, but what good would it do (it's already come across the T1)? And it would not be per stream; it would be class of traffic (all FTP, all web, all traffic to/from a certain site), basically it would depend on an access list. I don't know of any other ways to implement QoS to do what you are looking for.

Reply to
Trendkill

If it is TCP and you drop it as it comes in to your router, then the end-to-end TCP flow control mechanisms would kick in, causing the sender to back off and lower the window size. You end up paying for a window-full of packets to go across your T1, but traffic after that would be moderated.

Reply to
Walter Roberson

If you have Cisco access switches you can limit it at the endpoint using a quota system like this:


Reply to
markorod

~ We're considering an 1811 to replace our SonicWALL.
~
~ One requirement is to prevent LAN users from hogging bandwidth. Let's
~ say one user is downloading a large file from a high-bandwidth site.
~ That could saturate our T1.
~
~ With the 1811 is there a way to limit an individual user on the LAN
~ side to (for example) 500 Kbps?
~
~ Regards,
~ Nate

If each "user" can be uniquely identified as a single IP address, then you can use GTS or CAR to shape/police/what-ye-call it the traffic to/from that address down to the desired rate.

Aaron

Reply to
Aaron Leonard

Yes, I forgot that was available on the smaller routers these days, although it is still for outgoing traffic only. Incoming you are hosed unless you drop traffic like another poster said, and even then, not a great solution.

Reply to
Trendkill

~ On Oct 4, 3:48 pm, Aaron Leonard wrote:
~ > ~ We're considering an 1811 to replace our SonicWALL.
~ > ~
~ > ~ One requirement is to prevent LAN users from hogging bandwidth. Let's
~ > ~ say one user is downloading a large file from a high-bandwidth site.
~ > ~ That could saturate our T1.
~ > ~
~ > ~ With the 1811 is there a way to limit an individual user on the LAN
~ > ~ side to (for example) 500 Kbps?
~ > ~
~ > ~ Regards,
~ > ~ Nate
~ >
~ > If each "user" can be uniquely identified as a single IP address, then
~ > you can use GTS or CAR to shape/police/what-ye-call it the traffic
~ > to/from that address down to the desired rate.
~ >
~ > Aaron
~
~ Yes, I forgot that was available on the smaller routers these days,
~ although it is still only for outgoing traffic only. Incoming you are
~ hosed unless you drop traffic like another poster said, and even then,
~ not a great solution.

One interface's incoming is another interface's outgoing.

Not sure what your aversion to dropping traffic is. If your goal is to limit user x to 500Kbps, then what would you propose that you do when the offered load to/from this user is 1Mbps?

Reply to
Aaron Leonard
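Aaron's remark that one interface's incoming is another interface's outgoing is what makes a per-host limit workable on an 1811 at all: a download from the Internet enters on the WAN port but leaves the router outbound on the LAN-side interface, so an output rate limiter there caps what reaches the host, and the host's uploads can be capped outbound on the WAN port. The configuration below is an added example written for this thread, not something any of the posters supplied. The host address 192.168.1.50, the interface names (Vlan1 for the LAN switch ports, FastEthernet0 toward the T1), the ACL numbers and the policy names are all placeholders, the burst sizes follow the common 1.5-second rule of thumb rather than tuned figures, and it assumes the router's IOS supports both the legacy CAR form Aaron mentions and the MQC police form on those interfaces.

```cisco
! Added example for this thread (not from any poster). Placeholders:
!   192.168.1.50   = the LAN host to limit
!   Vlan1          = LAN-side interface (switch ports)
!   FastEthernet0  = T1-facing interface
! Target is 500 kbps in each direction. Use Option A OR Option B on a
! given interface, not both.
!
! --- Classify by host address (one "user" = one IP, as Aaron assumes) ---
access-list 101 remark downloads: packets heading toward the host
access-list 101 permit ip any host 192.168.1.50
access-list 102 remark uploads: packets the host sends
access-list 102 permit ip host 192.168.1.50 any
!
! --- Option A: legacy CAR ---
! rate-limit output access-group <acl> <bps> <normal burst bytes> <extended burst bytes>
! Burst rule of thumb: 500000 * 1.5 s / 8 = 93750 bytes, extended = 2x that.
interface Vlan1
 rate-limit output access-group 101 500000 93750 187500 conform-action transmit exceed-action drop
!
interface FastEthernet0
 rate-limit output access-group 102 500000 93750 187500 conform-action transmit exceed-action drop
!
! --- Option B: MQC policer (same effect, easier to extend per class) ---
class-map match-all CM-TO-HOST-50
 match access-group 101
class-map match-all CM-FROM-HOST-50
 match access-group 102
!
policy-map PM-LAN-OUT
 class CM-TO-HOST-50
  police cir 500000
   conform-action transmit
   exceed-action drop
!
policy-map PM-WAN-OUT
 class CM-FROM-HOST-50
  police cir 500000
   conform-action transmit
   exceed-action drop
!
interface Vlan1
 service-policy output PM-LAN-OUT
!
interface FastEthernet0
 service-policy output PM-WAN-OUT
!
! --- Verify: exceed counters climb while the host is being held back ---
! show interfaces Vlan1 rate-limit        (Option A)
! show policy-map interface Vlan1         (Option B)
```

Two caveats follow from the thread itself. Dropping at the LAN interface does not keep the excess off the T1: the discarded packets have already crossed the circuit, and it is only the TCP back-off Walter describes that eventually brings the sender's rate down, so a UDP stream would keep arriving at full rate and simply lose packets at the router. And the ACL-per-host approach has exactly the scaling problem Trendkill raises, since every limited user needs its own pair of ACLs and classes. Replacing `police cir 500000` with `shape average 500000` under the class queues the excess instead of discarding it, which trades added latency for fewer retransmits on a TCP download.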

On Oct 5, 3:21 pm, Aaron Leonard wrote:

My aversion to dropping traffic is just that it's not as optimal as controlling both sides of a link and prioritizing traffic based on class. In this case, it is the internet, and if that is the only option, that is fine. As for the incoming/outgoing discussion, the circuit is to the internet. If you want to use a CAR to drop traffic, then traffic over a certain threshold will be dropped and will need to be retransmitted. While this is ok, what does your ACL look like? Anything destined for a single IP? Anything port 80 and destined to a specific IP? If it's 11 pm at night and nothing else is going on, are you OK nixing anything over 500 kb for this node just because? CAR is a quick and dirty solution that does have a purpose, but it generally backs an engineer into a corner, particularly as you start putting 500 k statements on each user. Do they cannibalize their own bandwidth (give 500 to all web traffic), or do you then split it up further by destination IP? Does this presume that there is no legitimate web traffic? Do you carve that special traffic out separately, which then you are fighting CAR statements against each other? As I stated earlier, you need to use what's available and makes sense, and I'm not anti-anything that is a solution or a step in the right direction, but the above solution is not 'clean' or scalable. Since it is to the internet, there aren't many options, so I'm just saying the OP needs to be very careful as he/she thinks through this solution.

At this point I would look at what kind of traffic is causing problems. Is it business related? Do you have a proxy that blocks non-business traffic if this link is a core competency for other legitimate traffic? If it is legitimate data retrieval, can it be scheduled? If this is a small business, can you get a DSL or cable circuit for internet and keep your T1 for business traffic and do policy-based routing? If you end up having to drop traffic, that works, just be careful how you implement it is all I'm saying.

Reply to
Trendkill

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.