I have been tasked with providing Internet to a number of clients on our internal LAN, without affecting our own Internet bandwidth.
I would propose using a Cisco 1800 with the IOS Firewall Feature set to provide network edge security and my immediate thought is to order multiple ADSL lines (as needed) and connect them to a free interface on the Firewall (via a switch). This interface will use sub-interfaces to connect to the different ADSL connections, and by using PBR and customer source addressing, route traffic over the ADSL lines.
I have attached a diagram to represent this. Arguably I could mix and match which networks go over which ADSL lines, i.e. policy route a few customers over 1 ADSL and observe bottlenecks, I could then order in additional ADSL lines and policy route new customers over them.
Does this sound like a viable solution ?
I agree this solution looks reasonable if all they need is Internet access.
I would suggest confining the customers to a DMZ VLAN so that you can decide whether they can access your intranet, and which parts of it.
That is the free interface on your firewall, so you have already thought of this!
Hope this helps.
Many thanks for your response. This proposed solution doesn't touch our network edge solution, including the DMZ. It will be completely isolated.
I have one final question: Would I be able to configure QoS rate limiting on the 1800 ISR, for example, if we were to order an 8Mbit ADSL line to begin with, and split bandwidth between 4 customers using rate limiting to only allow each customer to use 2Mbit of the link ?
Thanks in advance
No, you won't be able to.
The reason is that you would like to limit download bandwidth, but to do that you would need to control the upstream ISP router (that is clearly impossible).
If you limit receiving to 2 Mbps, nothing prevents a user from starting some activity at 8 Mbps; even if he receives only 2, the remaining 6 are "already on the wire" and nothing can be done about it.
However, often ISPs have some fair queuing mechanism enabled to mitigate things like that, so you shouldn't worry too much before it happens.
Also note that the 1800 router has no slots for additional interfaces, so you should look instead at least at a 2801, which allows you to use three HWIC-1ADSL interfaces.
I am assuming that you are referring to the upstream ISP router as the blue routers on my diagram. If so, if we had control of these routers (using a Cisco 877 w/ ADSL PoTS) could we apply the rate limiting there to achieve the desired effect?
No, the ISP routers are further upstream and you cannot control them. There is really no solution to your problem, especially for UDP-based applications. Note that if you use an external modem/router with Ethernet connections, besides having more devices, you will have even less control over the overall solution.
From here the recommendation of using a router like a 28xx that can host the ADSL interfaces directly.
So what you are recommending is the 28xx router actually terminating all the ADSL connections, then using PBR to load-balance customer traffic based on source IP / application across the various PPP links?
Assuming that I have interpreted this correctly, is it then possible to set the next hop in PBR to be a directly connected ADSL interface (e.g. Dialer x)?
Thanks for your help.
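The design discussed in the opening post and the question above (customer VLANs on dot1q sub-interfaces, PBR by customer source address, next hop set to a directly connected Dialer interface) as an added IOS configuration example; this is not configuration from the thread or from Cisco documentation. The VLAN IDs, address ranges, ACL and route-map names, PVC 0/38, PPP credentials and the assumption that 10.0.0.0/8 is the internal LAN are all made up for illustration.

```cisco
! Added example (not from the original thread). Assumed: customer VLANs 101/102
! trunked into Fa0/0, two HWIC-1ADSL cards, internal LAN is 10.0.0.0/8.
!
interface FastEthernet0/0
 description Trunk carrying customer VLANs (isolated from the corporate LAN)
 no ip address
!
interface FastEthernet0/0.101
 description Customer A
 encapsulation dot1Q 101
 ip address 192.168.101.1 255.255.255.0
 ip access-group CUST-A-IN in
 ip nat inside
 ip policy route-map CUSTOMER-PBR
!
interface FastEthernet0/0.102
 description Customer B
 encapsulation dot1Q 102
 ip address 192.168.102.1 255.255.255.0
 ip access-group CUST-B-IN in
 ip nat inside
 ip policy route-map CUSTOMER-PBR
!
! Ingress ACLs: customers may reach the Internet only. They are denied the
! internal LAN (assumed 10/8) and each other's subnet; spoofed sources are
! dropped by the explicit source match on the permit line.
ip access-list extended CUST-A-IN
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 192.168.102.0 0.0.0.255
 permit ip 192.168.101.0 0.0.0.255 any
 deny   ip any any
ip access-list extended CUST-B-IN
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 192.168.101.0 0.0.0.255
 permit ip 192.168.102.0 0.0.0.255 any
 deny   ip any any
!
! Source matches used by both PBR and NAT
ip access-list standard CUST-A-SRC
 permit 192.168.101.0 0.0.0.255
ip access-list standard CUST-B-SRC
 permit 192.168.102.0 0.0.0.255
!
! PBR: steer each customer's traffic to its own ADSL dialer. A dialer is
! point-to-point, so "set interface" is used rather than "set ip next-hop".
route-map CUSTOMER-PBR permit 10
 match ip address CUST-A-SRC
 set interface Dialer1
route-map CUSTOMER-PBR permit 20
 match ip address CUST-B-SRC
 set interface Dialer2
!
! First ADSL HWIC: PPPoA over PVC 0/38 (assumed) into dialer pool 1.
! Dialer2 / ATM0/1/0 are configured the same way with pool 2.
interface ATM0/0/0
 no ip address
 dsl operating-mode auto
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
interface Dialer1
 description ADSL line 1 (Customer A)
 ip address negotiated
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname isp-user-1
 ppp chap password 0 isp-pass-1
!
! NAT each customer behind the public address of its own line
ip nat inside source list CUST-A-SRC interface Dialer1 overload
ip nat inside source list CUST-B-SRC interface Dialer2 overload
dialer-list 1 protocol ip permit
```

Two points worth checking before relying on this: if the dialer named in `set interface` is down, the route-map clause is skipped and the packet falls back to the normal routing table, so make sure that table does not silently send customer traffic out the corporate uplink (for example, have no default route pointing there, or add a final route-map clause with `set interface Null0`); and the ingress ACLs are what keep customers off the internal LAN and away from each other, so verify them with `show ip access-lists` counters after a customer is moved to a new line, since PBR only decides where traffic exits, not what it may reach.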
I will order the 2811 ISR and 4 ADSL HWIC modules. This should provide me with sufficient bandwidth for hosting multiple clients.
I have one final question. Do you know how many VLANs (dot1q trunks) the 2800 supports?
Hi, the limit should be 1400.
This is dictated by the maximum IDB (an internal data structure) for the 2811.
Thanks for the appreciation and good luck!