Rate-limit to Internet traffic (switch x firewall)
Good afternoon, gentlemen.
I need to configure rate limits for customer Internet traffic. The customer has 3 traffic classes (VPN, mail and website), each one with its respective input and output rate policing.
I have to perform this configuration somewhere in the DMZ infrastructure. The DMZ infrastructure is composed of the frontend firewall 5550 and a layer 2 switch 3560.
Consider that the firewall outside interface is connected to that switch through an access port and that the switch is connected to an Internet device the same way.
Now the questions are:
1 - Where should I configure the traffic rate limits - firewall or layer 2 switch?
2 - Considering the firewall, what's the recommended configuration? My doubts are about whether the firewall is able to police inbound and outbound on the same interface, and about some traffic classes being destined to the firewall, not only going through the firewall (for example, VPN traffic to the outside interface).
3 - Considering that switch, is it possible for a layer 2 switch to perform such inspection on an interface? Could it overload the CPU?
On that Internet device, I'm not allowed to perform configuration.
1. On the firewall (if you must - router is much preferred)
2. There is a good document - a bit old but still valid - elsewhere on this site. Here is a link to it.
3. Generally not recommended on a small L2 switch as the features are typically much more limited. The processing power is of some concern as well. If it's a newer / bigger switch then this may be an option.
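
A sketch of what option 1 can look like with the ASA Modular Policy Framework, added here as an illustration and not taken from the reply or the document it links. It covers only the mail and website classes that pass through the firewall; whether VPN traffic terminating on the outside interface can be policed the same way should be checked against the ASA QoS documentation for the release in use. All addresses, object names and rates are placeholders, since the thread gives none.

```cisco
! Constructed example: addresses, names and rates are placeholders.
! 192.0.2.10 = mail server, 192.0.2.20 = web server (hypothetical).

! Match each class in both directions so one class-map
! serves both the input and the output policer.
access-list ACL_MAIL extended permit tcp any host 192.0.2.10 eq smtp
access-list ACL_MAIL extended permit tcp host 192.0.2.10 any eq smtp
access-list ACL_WEB extended permit tcp any host 192.0.2.20 eq www
access-list ACL_WEB extended permit tcp any host 192.0.2.20 eq https
access-list ACL_WEB extended permit tcp host 192.0.2.20 eq www any
access-list ACL_WEB extended permit tcp host 192.0.2.20 eq https any

class-map CM_MAIL
 match access-list ACL_MAIL
class-map CM_WEB
 match access-list ACL_WEB

! One policy-map carries every class; an interface accepts
! only a single service-policy. Rates are in bits per second.
policy-map PM_OUTSIDE_POLICE
 class CM_MAIL
  police input 2000000
  police output 2000000
 class CM_WEB
  police input 5000000
  police output 10000000

! Apply to the outside interface; "input" polices traffic
! arriving from the Internet, "output" traffic leaving to it.
service-policy PM_OUTSIDE_POLICE interface outside

! Confirm that both policers are counting conformed and
! exceeded packets for each class.
show service-policy interface outside police
```

The exceed action defaults to drop, so counters under `show service-policy` rising in the exceeded column are the first sign that a class limit is set too low for legitimate traffic.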