Cisco Support Community

New Member

Rate-limit to Internet traffic (switch x firewall)

Good afternoon, gentlemen,


I need to configure rate-limits to customer Internet traffic. Customer has 3 traffic classes (VPN, mail and website), each one with its respective input and output rate policing.


I have to perform this configuration somewhere in the DMZ infrastructure. The DMZ infrastructure is composed of the frontend firewall 5550 and a layer 2 switch 3560.


Consider that the firewall's outside interface is connected to that switch through an access port and that the switch is connected to an Internet device the same way.


Now the questions are:


1 - Where should I configure the traffic rate-limits - firewall or layer 2 switch?


2 - Considering the firewall, what's the recommended configuration? My doubts are about whether the firewall is able to police inbound and outbound on the same interface, and about some traffic classes being to the firewall, not only through the firewall (for example, VPN traffic to the outside interface).


3 - Considering the switch, is it possible for a layer 2 switch to perform such inspection on an interface? Could it overload the CPU?


I'm not allowed to perform configuration on that Internet device.





Hall of Fame Super Silver

1. On the firewall (if you must - router is much preferred)

2. There is a good document - a bit old but still valid - elsewhere on this site. Here is a link to it.

3. Generally not recommended on a small L2 switch as the features are typically much more limited. The processing power is of some concern as well. If it's a newer / bigger switch then this may be an option.
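
The following ASA configuration is an added example, not taken from this thread or from the linked document: it polices the mail and website classes from the question in both directions on the outside interface using the Modular Policy Framework. The ACL, class and policy names, the server addresses (192.0.2.0/24 documentation range) and the rates are assumptions; the VPN class, which terminates on the firewall itself, is not covered here.

```cisco
! Added example. All names, addresses and rates below are assumptions.
! Classify the two through-the-firewall traffic classes by ACL.
access-list MAIL-ACL extended permit tcp any host 192.0.2.25 eq smtp
access-list WEB-ACL extended permit tcp any host 192.0.2.80 eq www
access-list WEB-ACL extended permit tcp any host 192.0.2.80 eq https
!
class-map MAIL-CLASS
 match access-list MAIL-ACL
class-map WEB-CLASS
 match access-list WEB-ACL
!
! One policy map carries both classes; each class gets its own
! input and output policer. Rates are in bits per second.
policy-map OUTSIDE-POLICE
 class MAIL-CLASS
  police input 2000000
  police output 1000000
 class WEB-CLASS
  police input 4000000
  police output 8000000
!
! Only one policy map can be attached per interface, so if a
! service-policy already exists on outside, add the classes to it
! instead of creating a second one.
service-policy OUTSIDE-POLICE interface outside
!
! Check conformed and exceeded counters per class after applying:
! show service-policy interface outside
```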
