Limit traffic on port - Cisco 3750

Apr 1st, 2008

Hi,

On one of the ports on my Cisco 3750 I have an ftp server which the inside Lan and internet users have access to.

The problem is I don't have any QoS on the Internet pipe, so bandwidth can be eaten up. Just had an external user put a 1.5 GB file onto it and my Internet pipe flatlined almost.

The Cisco 3750 has multiple vlans which are setup as sub interfaces via my Cisco ASA.

The Internet router is controlled only by our ISP and said unless we upgrade to their MPLS service they can't do anything!

Any other ideas would be most welcome, I just don't like ftp taking priority over VPNs and email etc.

Joseph W. Doherty Tue, 04/01/2008 - 07:44

"The Internet router is controlled only by our ISP and said unless we upgrade to their MPLS service they can't do anything!"

Normally what this means is:

"The Internet router is controlled only by our ISP and said unless we upgrade to their MPLS service they won't do anything!"

Unclear how using MPLS would be of much benefit since you did mention Internet.

That aside, on the 3750, I believe you can at least police traffic rates, so it may be possible to limit how fast the FTP server can push data to other hosts. Ideally, such a restriction would apply only toward bandwidth-constrained paths. Better yet would be a shaper, which might not be possible on a normal 3750. (Either, as a solution, is far from perfect since the FTP server can't just use excess available bandwidth, and whatever you limit it to, outbound, can at times still be too much.)

Traffic being received by the FTP server is going to continue to be an issue. Reason being, controls downstream of the congestion point usually aren't very effective unless very severe.

What you really want to control is the (QoS) queuing policy at the congestion points, for instance the two ends of your Internet connection. If your ISP is unwilling to take any action beyond using MPLS (or the other "popular" ISP solution, "you need more bandwidth"), you might shop for a more cooperative ISP (they're hard to find in this regard). Sometimes it's of benefit to mention to the current ISP you're doing so.

Your long-term solutions are either additional bandwidth and/or better bandwidth management. Besides whatever your local ISPs offer, you might also investigate whether there's a local Internet peering exchange.
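To illustrate the ingress policing Joseph mentions above, here is an added example configuration (not from the thread or from anyone posting in it) that caps what the FTP server can transmit; the server address 192.0.2.10, port Gi1/0/10 and the 10 Mbps rate are assumed values. As he notes, this does nothing for uploads into the server, since that congestion happens upstream of the switch.

```cisco
! Added example config (not from the thread). Assumed: server IP 192.0.2.10,
! server on Gi1/0/10, 10 Mbps cap. The 3750 polices at ingress only, so the
! policy goes on the server's own port and caps what the server transmits.
!
! Enable the QoS engine; required before any policer takes effect. Note this
! also rewrites DSCP/CoS to 0 on untrusted ports, so check trust settings on
! ports carrying voice or other marked traffic before enabling it.
mls qos
!
! Classify everything the FTP server sends (control and data connections in
! both active and passive mode). This also limits transfers to inside LAN
! users, the trade-off described above: the switch cannot tell which flows
! will cross the constrained Internet link.
ip access-list extended FTP-SERVER-OUT
 permit tcp host 192.0.2.10 any
!
class-map match-all FTP-SERVER
 match access-group name FTP-SERVER-OUT
!
! Rate in bits/s, burst in bytes; exceeding traffic is dropped so TCP on the
! server backs off instead of filling the Internet link.
policy-map LIMIT-FTP-SERVER
 class FTP-SERVER
  police 10000000 250000 exceed-action drop
!
interface GigabitEthernet1/0/10
 description FTP server (assumed port)
 service-policy input LIMIT-FTP-SERVER
!
! Verify: the policed counters should rise during a large download.
! show mls qos interface GigabitEthernet1/0/10 statistics
```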

whiteford Tue, 04/01/2008 - 07:49

I was thinking of getting a DSL line just for the ftp server, it has 2 NICs, so I could have one NIC into the ASA and the other into an 877 or something?

Joseph W. Doherty Tue, 04/01/2008 - 17:25

An interesting idea. One problem would be how would VPN users get to the server? Ideally, you don't want them to push/pull via the VPN or they will fill your Internet link.

Rick Morris Wed, 04/02/2008 - 09:22

Have not done it, but in the ASA you are using sub-interfaces; would it be possible to rate-limit there?

Don't have an ASA to test with, just wonder if the option is even there.
