Posted by Mysticmoose06 on March 28, 2007, 10:04 pm
> This looks ok... but...
> Be sure that your ACL 171 is configured to PERMIT traffic to the
> important web site.
> When you apply the policy-map to the interface on the 2611,
> remember that it's an outgoing policy map. Therefore, if the
> saturation problem is in the incoming direction, you'll need to do
> some tricks to make this work.
>
> To fix this, apply a bandwidth statement and policy-map on your inside
> ethernet interface. Assuming you have only one T1, this would be
> (example):
> interface ethernet 0/0
>  bandwidth 1544
>  service-policy output student-data
>
> Also, you'll need to make sure ACL 171 is built in such a manner as to
> be bi-directional.
> If the destination web site is 12.13.14.15 then ACL 171 would look
> something like this:
>
> access-list 171 remark identify important traffic !<-- always document your ACLs
> access-list 171 remark database site
> access-list 171 permit ip any host 12.13.14.15
> access-list 171 permit ip host 12.13.14.15 any
>
> With this set up, any traffic that is not identified by ACL 171, would
> get the "best effort" treatment.
> Also, remember... traffic that exceeds the percentage of bandwidth
> you've reserved for any particular class is subject to the "best
> effort" treatment.
> Alternatively, you could create two separate ACLs with two separate
> policy-maps. This would reduce CPU utilization slightly, and would
> increase memory utilization.
>
> Another thing that you could do to *help* the situation would be to
> further classify traffic. The below example all depends on your
> company's policies on internet usage. Here's the summary:
> Class-A
> ... low-bandwidth high-priority traffic
> ... (telnet, snmp, snmp-trap, etc)
> ... guarantee 10% bandwidth
> Class-B
> ... your extremely important traffic (as in ACL 171)
> ... guarantee 40% bandwidth
> Class-C
> ... your somewhat important traffic (define as necessary)
> ... guarantee 25% bandwidth
> Class-D
> ... traffic to those Bandwidth Sucking (BS) sites
> ... i.e. youtube, video.google, myspace, etc.
> ... limit to 128Kb/s
> Class-F
> ... point-to-point file sharing and other unwanted traffic
> ... drop -or- limit to very small (8Kb/s)
>
> The configuration would look something like this:
> class-map match-any CLASS-A
>  match access-group name Priority-ACL
> class-map match-any CLASS-B
>  match access-group name HIGH-PRIORITY-SITES
> class-map match-any CLASS-C
>  match access-group name MED-PRIORITY-SITES
> class-map match-any CLASS-D
>  match access-group name LOW-PRIORITY-SITES
>  match protocol http url "*youtube*"
>  match protocol http url "*video.google*"
>  match protocol http url "*myspace*"
> class-map match-any CLASS-F
>  match protocol gnutella
>  match protocol kazaa2
>  match protocol fasttrack
>  match protocol napster
>  match protocol cuseeme
>  match protocol vdolive
>  match protocol realaudio
>  match protocol edonkey
>  match protocol bittorrent
> !
> policy-map QoS-POLICY
>  class CLASS-A
>   priority percent 10
>  class CLASS-B
>   bandwidth percent 40
>  class CLASS-C
>   bandwidth percent 25
>  class CLASS-D
>   police 128000 1500 1500 conform-action transmit exceed-action drop
>  class CLASS-F
>   police 8000 1500 1500 conform-action transmit exceed-action drop
> !
> ip access-list extended Priority-ACL
>  remark Low-bandwidth High-Priority
>  permit tcp any eq telnet <your-inside-net-address>
>  permit udp any eq snmp <your-inside-net-address>
>  permit udp any eq snmptrap <your-inside-net-address>
>  permit udp any eq tftp <your-inside-net-address>
>  permit tcp <your-inside-net-address> any eq telnet
>  permit udp <your-inside-net-address> any eq snmp
>  permit udp <your-inside-net-address> any eq snmptrap
>  permit udp <your-inside-net-address> any eq tftp
> !
> ip access-list extended HIGH-PRIORITY-SITES
>  remark Build your ACL 171 here.
> !
> ip access-list extended MED-PRIORITY-SITES
>  remark Build your not-so-important traffic acl here
> !
> ip access-list extended LOW-PRIORITY-SITES
>  remark identify any traffic whose speed you want to limit
>
> You'll need to enable NBAR on the router in order to do the CLASS-F
> part. This will add memory and CPU requirements on your router. (it
> might be time to upgrade your internet router as well)
>
> Good luck
> JC
Wow, thanks for the detailed response. I essentially just want to give
people bandwidth to the student data when needed and then drop when
not. I'm looking forward to testing this.
Quick question: On our 2611, we have a T1 card on serial 0/0 and an
ethernet. You're saying I have to put the policy map on the ethernet
port? I would assume I have to put it on the serial (i.e. T1)? I'm a
little confused on the placement and direction.
Thanks again JC for the help.
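As an added illustration of the placement-and-direction point in JC's reply (this is not configuration from the original thread or from either poster), the fragment below puts the pieces together for the simple "student data" case: one classification ACL, one class, one policy-map, and the same policy applied as an output policy on both interfaces, with a comment on what each placement actually controls. The interface names Serial0/0 and Ethernet0/0, the class name STUDENT-DATA, the policy name student-data, the 40 percent figure and the site address 12.13.14.15 are assumptions carried over from the thread's examples, not values verified on any particular router.

```cisco
! Classification only: ACL 171 selects traffic for the class-map,
! it does not filter anything. Both directions are listed because the
! same ACL is reused on both interfaces.
access-list 171 remark identify important traffic
access-list 171 remark database site
access-list 171 permit ip any host 12.13.14.15
access-list 171 permit ip host 12.13.14.15 any
!
class-map match-any STUDENT-DATA
 match access-group 171
!
policy-map student-data
 class STUDENT-DATA
  ! reserve a share of the link during congestion; when this class is
  ! idle the share is available to class-default (assumed figure)
  bandwidth percent 40
 class class-default
  fair-queue
!
interface Serial0/0
 description T1 to ISP
 bandwidth 1544
 ! "output" on the T1 = packets leaving toward the Internet (LAN -> site)
 service-policy output student-data
!
interface Ethernet0/0
 description inside LAN
 ! bandwidth is set to the T1 rate so "percent" math matches the WAN link
 bandwidth 1544
 ! "output" on the LAN side = packets leaving toward the LAN, i.e. traffic
 ! that already came in over the T1 from the Internet (site -> LAN)
 service-policy output student-data
```

Two practical caveats. First, the Ethernet-side policy acts on packets that have already crossed the T1; it can only delay or drop them, which throttles the far-side TCP senders indirectly and cannot by itself keep the inbound T1 from filling, which is why JC calls it a trick rather than a fix. Second, JC's fuller plan reserves 10 + 40 + 25 = 75 percent across the priority and bandwidth classes, which is exactly the IOS default for `max-reserved-bandwidth`; going above that on either interface needs that value raised explicitly. After applying the policy, `show policy-map interface Serial0/0` (and the same for Ethernet0/0) shows per-class packet and drop counters, which is the quickest way to confirm the ACL is actually matching the student-data traffic in the direction you expected.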