Policing on PTP T-1

Unanswered Question
Oct 13th, 2008


You have a PTP full T-1 between your headquarters and a remote branch office. All traffic from the branch comes back over the T1. You want to police a specific type of traffic (winmx for example). Would you police "outbound" on the headquarters router before traffic crosses the T-1 or at the remote site "inbound" router? Cisco TAC seems to think you would police at the remote branch side.


Giuseppe Larosa Mon, 10/13/2008 - 09:39

Hello Brandon,

I would police traffic on the LAN side before it is sent out the T1 link.

And to have good control you could do this on the LAN segment at the branch and on the LAN segment at headquarters (where you could need multiple rules, one for each branch, and the use of nested policy-maps).

On the T1 I would use a scheduler outgoing to provide resources to traffic (LLQ for VoIP and better treatment for important data traffic).

Hope to help


Jon Marshall Mon, 10/13/2008 - 09:42


A lot depends on the traffic patterns of the application. It's a little unclear from your explanation. When you say all traffic from the branch comes back over the T1, are the users of the app based in the HQ or the branch office? E.g.:

If the server hosting the app is at HQ and a large part of this app's traffic is responses to the branch requests, then police outbound at HQ, as it's kind of pointless policing inbound at the remote branch when you have already used the bandwidth.


mbroberson1 Mon, 10/13/2008 - 11:06

I am wanting to police stuff like internet radio and winmx...not policing any work based application.

Jon Marshall Mon, 10/13/2008 - 14:56


The application was just an example. Think of it like this. There are a couple of scenarios and I'm not referring to any specific application.

1) There is a direct correlation between packets sent and packets received, i.e. a client in the branch office sends 100Kb of traffic and gets 100Kb in return traffic.

So in this scenario you could police the traffic inbound on the LAN interface at the branch site.

2) The client sends 10Kb and gets 100Kb back. Now a typical web application does this - the request is usually a lot smaller than the response. So if you want to limit the total of the T1 that can be used, you need to police the return traffic, not the traffic initiated from the remote branch. In that case it would make more sense to police the traffic outbound at the WAN interface of the HQ router connecting to the remote branch router.

Note that if there was always a 10Kb to 100Kb relationship you could police at the branch instead, but it's never that simple. One 10Kb request might generate 100Kb back and another might generate 200Kb.

So that is all I meant by traffic patterns. So what are you trying to police:

a) the branch users' traffic flooding the link with traffic going towards HQ


b) the branch users' traffic flooding the link with traffic coming from HQ

If you are just not sure then police at both ends :)


mbroberson1 Thu, 10/16/2008 - 05:25


Thank you for this excellent response. I am trying to police traffic coming from HQ to branch...mainly internet abuse stuff.



Joseph W. Doherty Mon, 10/13/2008 - 16:36

In theory, you want to police as close to the source of the traffic as possible. This is to keep from wasting any bandwidth further downstream.

In practice, you can police as late as the first bottleneck's egress; often your WAN egress. This is to free bandwidth where you have the least amount of available bandwidth.


Besides policing, you might also consider shaping or deprioritization. The latter would place non-business traffic into a "scavenger" class that obtains either little bandwidth and/or "left over" bandwidth.
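
An added illustration, not part of any post in this thread: a small fluid model of the HQ-to-branch direction of the T1, comparing a token-bucket policer placed before the link (HQ WAN egress) with one placed after it (branch inbound). The rates, the burst size, the function and class names, and the constant-rate, unresponsive abuse flow are constructed assumptions.

```python
# Added illustration, not from the thread. All rates are constructed samples.
T1_BPS = 1_536_000            # usable T1 payload rate, bits/s
TICKS_PER_S = 100             # 10 ms simulation step
TICK_S = 1 / TICKS_PER_S

class Policer:
    """Single-rate token bucket: bits beyond CIR plus burst are dropped."""
    def __init__(self, cir_bps, burst_bits):
        self.cir, self.burst, self.tokens = cir_bps, burst_bits, burst_bits

    def admit(self, offered_bits):
        self.tokens = min(self.burst, self.tokens + self.cir * TICK_S)
        passed = min(offered_bits, self.tokens)
        self.tokens -= passed
        return passed

def t1_link(business_bits, abuse_bits):
    """Congested FIFO: past capacity, both classes lose the same fraction,
    because the link itself cannot tell business traffic from abuse."""
    capacity = T1_BPS * TICK_S
    total = business_bits + abuse_bits
    scale = min(1.0, capacity / total) if total else 1.0
    return business_bits * scale, abuse_bits * scale

def simulate(police_at, business_bps, abuse_bps, cir_bps, seconds=10):
    """police_at: 'hq_wan_out' (before the T1) or 'branch_in' (after it).
    Returns average (business_bps, abuse_bps) delivered to the branch LAN."""
    if police_at not in ("hq_wan_out", "branch_in"):
        raise ValueError(police_at)
    policer = Policer(cir_bps, burst_bits=cir_bps // 4)
    biz_total = abuse_total = 0.0
    for _ in range(seconds * TICKS_PER_S):
        biz, abuse = business_bps * TICK_S, abuse_bps * TICK_S
        if police_at == "hq_wan_out":
            abuse = policer.admit(abuse)      # dropped before the bottleneck
            biz, abuse = t1_link(biz, abuse)
        else:
            biz, abuse = t1_link(biz, abuse)  # T1 bandwidth already spent
            abuse = policer.admit(abuse)      # dropped after the bottleneck
        biz_total += biz
        abuse_total += abuse
    return biz_total / seconds, abuse_total / seconds

if __name__ == "__main__":
    for where in ("hq_wan_out", "branch_in"):
        biz, abuse = simulate(where, 1_200_000, 1_000_000, 128_000)
        print(f"{where:11s} business={biz:,.0f} bps  abuse={abuse:,.0f} bps")
```

With these sample values both placements hand roughly the same abuse rate to the branch LAN, but only the policer in front of the T1 keeps business throughput near its offered rate. TCP senders that back off after policer drops would narrow that gap; the model does not simulate that.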

