Limit traffic on port - Cisco 3750

Unanswered Question
Apr 1st, 2008

Hi,


On one of the ports on my Cisco 3750 I have an FTP server which the inside LAN and Internet users have access to.


The problem is I don't have any QoS on the Internet pipe, so bandwidth can be eaten up. Just had an external user put a 1.5 GB file onto it and my Internet pipe almost flatlined.


The Cisco 3750 has multiple vlans which are setup as sub interfaces via my Cisco ASA.


The Internet router is controlled only by our ISP and said unless we upgrade to their MPLS service they can't do anything!


Any other ideas would be most welcome, I just don't like FTP taking priority over VPNs and email etc.

Joseph W. Doherty Tue, 04/01/2008 - 07:44
User Badges:
  • Super Bronze, 10000 points or more

"The Internet router is controlled only by our ISP and said unless we upgrade to their MPLS service they can't do anything!"


Normally what this means is:


"The Internet router is controlled only by our ISP and said unless we upgrade to their MPLS service they won't do anything!"


Unclear how using MPLS would be of much benefit since you did mention Internet.


That aside, on the 3750, I believe you can at least police traffic rates, so it may be possible to limit how fast the FTP server can push data to other hosts. Ideally, such a restriction would apply only toward bandwidth-constrained paths. Better yet would be a shaper, which might not be possible on a normal 3750. (Either, as a solution, is far from perfect, since the FTP server can't just use excess available bandwidth, and whatever you limit it to, outbound, can at times still be too much.)


Traffic being received by the FTP server is going to continue to be an issue. The reason being, controls downstream of the congestion point usually aren't very effective unless very severe.


What you really want to control is the (QoS) queuing policy at the congestion points, for instance the two ends of your Internet connection. If your ISP is unwilling to take any action beyond using MPLS (or the other "popular" ISP solution, "you need more bandwidth"), you might shop for a more cooperative ISP (they're hard to find in this regard). Sometimes it's of benefit to mention to the current ISP you're doing so.


Your long-term solutions are either additional bandwidth and/or better bandwidth management. Besides whatever your local ISPs offer, you might also investigate whether there's a local Internet peering exchange.

whiteford Tue, 04/01/2008 - 07:49

I was thinking of getting a DSL line just for the FTP server; it has 2 NICs, so I could have one NIC into the ASA and the other into an 877 or something?

Joseph W. Doherty Tue, 04/01/2008 - 17:25
User Badges:
  • Super Bronze, 10000 points or more

An interesting idea. One problem would be how would VPN users get to the server? Ideally, you don't want them to push/pull via the VPN or they will fill your Internet link.

Rick Morris Wed, 04/02/2008 - 09:22
User Badges:
  • Silver, 250 points or more

Have not done it, but since in the ASA you are using sub-interfaces, would it be possible to rate limit there?

Don't have an ASA to test with, just wonder if the option is even there.
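The ASA does have rate limiting in its Modular Policy Framework, in the form of a `police` action under a class in a policy map. The following configuration is an added example, not posted by anyone in this thread; the ACL name, class and policy names, the server's public address 203.0.113.10, the 2 Mbps rate and the burst size are all assumptions. It attaches the policy to the outside interface rather than to an inside sub-interface, so that only traffic actually crossing the Internet link is limited, and traffic between the FTP server and the internal VLANs is left alone.

```cisco
! Added example (not from the thread): policing the FTP server's traffic on
! the ASA with Modular Policy Framework. Names, addresses and rates are
! assumptions; adjust them to your deployment.
!
! The policy sits on the outside interface. On pre-8.3 ASA code an ACL used
! there sees the translated address, so the ACL names the server's public
! (static NAT) address, assumed to be 203.0.113.10.
! Match on the host rather than on port 20, because passive-mode FTP data
! connections use ephemeral server ports.
access-list FTP-SERVER-QOS extended permit tcp host 203.0.113.10 any
access-list FTP-SERVER-QOS extended permit tcp any host 203.0.113.10
!
class-map FTP-SERVER
 match access-list FTP-SERVER-QOS
!
! police <direction> <rate-bps> <burst-bytes> ...
! output = leaving the outside interface toward the Internet (downloads from
!          the server), the direction that can actually be controlled here.
! input  = arriving from the Internet (uploads to the server). This is only
!          partially effective: the packets have already crossed the
!          congested ISP link before the ASA drops them.
policy-map OUTSIDE-QOS
 class FTP-SERVER
  police output 2000000 375000 conform-action transmit exceed-action drop
  police input 2000000 375000 conform-action transmit exceed-action drop
!
service-policy OUTSIDE-QOS interface outside
!
! Verification: conform/exceed counters should move during a transfer.
! show service-policy police
! show service-policy interface outside
```

Because a policer drops rather than queues, the TCP sender backs off to roughly the configured rate; a shaper would be gentler, but policing is what the question asked about and it is the mechanism available on every ASA release that has MPF.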

mattcalderon Wed, 04/02/2008 - 09:28
User Badges:
  • Silver, 250 points or more

On your interface VLAN on your 3750 you can look into applying a policy map and matching based on an access list with the FTP server as the host. Then proceed to rate limit or police traffic based on destination.

http://www.cisco.com/en/US/docs/ios/12_2/qos/configuration/guide/qcfpoli_ps1835_TSD_Products_Configuration_Guide_Chapter.html#wp1006389
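Putting the 3750 policing idea from the replies above into configuration, as an added example that is not from any poster in this thread. The server address 10.1.20.5, the internal range 10.0.0.0/8, the port FastEthernet1/0/12 and the 2 Mbps rate are assumptions. One detail worth knowing before copying mattcalderon's suggestion literally: the 3750 applies policy maps to ingress traffic on physical ports, and attaching a policer to an SVI means enabling VLAN-based QoS on the member ports plus a hierarchical per-port per-VLAN policy map. The example therefore attaches the policy to the server's own access port, which limits what the server sends (the direction Joseph describes as controllable) and, via a deny entry in the ACL, leaves transfers to the internal LAN unpoliced.

```cisco
! Added example (not from the thread): ingress policing on the Catalyst 3750
! port where the FTP server is attached. Addresses, port and rate are
! assumptions.
!
! QoS must be enabled globally or the policer is never applied.
mls qos
!
! Classify traffic sent by the FTP server (assumed address 10.1.20.5).
! Match on the source host rather than port 20, because passive-mode FTP
! data connections use ephemeral server ports.
! On this platform a deny ACE makes the ACL skip the packet, so traffic to
! the internal LAN (assumed 10.0.0.0/8) is not policed; only the remaining
! Internet-bound traffic matches the permit.
ip access-list extended FTP-SERVER-OUT
 deny   tcp host 10.1.20.5 10.0.0.0 0.255.255.255
 permit tcp host 10.1.20.5 any
!
class-map match-all FTP-SERVER
 match access-group name FTP-SERVER-OUT
!
! police <rate-bps> <burst-bytes> exceed-action drop
! 2 Mbps with a 16 kB burst; dropped packets make the TCP sender back off.
policy-map LIMIT-FTP
 class FTP-SERVER
  police 2000000 16000 exceed-action drop
!
! Attach on ingress of the server's switch port (assumed Fa1/0/12), not on
! the uplink toward the ASA.
interface FastEthernet1/0/12
 description FTP server
 service-policy input LIMIT-FTP
!
! Verification: the policer counters should increase during a transfer.
! show mls qos interface FastEthernet1/0/12 statistics
! show policy-map LIMIT-FTP
```

Two caveats from running this on real switches. First, turning on `mls qos` changes marking behaviour: ports are untrusted by default and inbound DSCP/CoS is rewritten to 0, so if you already carry marked traffic (VoIP, for instance), add `mls qos trust dscp` or `mls qos trust cos` on the relevant ports at the same time. Second, as Joseph notes above, this only limits what the server sends; uploads from the Internet still fill the link before they reach the switch, and only the ISP's side of the circuit can fix that.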
