From: Usama Pervaiz (chaudri@gmail.com)
Date: Sun Nov 09 2008 - 17:24:41 ARST
Hello all,
I had a question on limiting and/or policing traffic from a particular
website. So let's take 2 scenarios:
INSIDE ---------- R1 --------- OUTSIDE
            fa0/0    fa0/1
1. We want only users in a particular subnet (subnet 132.15.11.0/24) to
have access to facebook (and we found the IP for facebook to be
1.1.1.1) so we are going to guarantee 128K to it for facebook for
that subnet. Following is the config:
class-map match-all FACEBOOK
 match protocol http host *facebook.com*
 match access-group 100
policy-map CORP
 class FACEBOOK
  bandwidth 128
access-list 100 permit ip host 1.1.1.1 132.15.11.0 0.0.0.255
int fa0/0
 service-po output CORP
2. We want to limit the RETURN TRAFFIC from facebook to 64K to subnet
132.15.12.0/24. Following is the config:
class-map match-all FACEBOOK-LIMIT
 match protocol http host *facebook.com*
 match access-group 101
policy-map CORP-IN
 class FACEBOOK-LIMIT
  police 64000
access-list 101 permit ip host 1.1.1.1 132.15.12.0 0.0.0.255
int fa0/1
 service-policy input CORP-IN
Is the above config correct for the 2 scenarios? I am a little
confused on the direction that it's applied. I have seen some solutions
apply the service-policy for policing in the output direction, which
does not make sense to me with that same access-list.
Any and all help will be appreciated!!
Thanks.
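
Added example (not part of the original post, and not Cisco code): a small Python model of where a transit packet is seen on R1 and whether access-list 101 from scenario 2 matches it there. It assumes fa0/0 is the inside and fa0/1 the outside interface as in the diagram, treats the two subnets from the post as the inside networks, and models only the ACL and the interface direction, not the "match protocol http host" NBAR match; all function names are hypothetical.

```python
import ipaddress

# Assumption: the two subnets named in the post sit behind fa0/0 (INSIDE).
INSIDE_NETS = [ipaddress.ip_network("132.15.11.0/24"),
               ipaddress.ip_network("132.15.12.0/24")]

def _ip(a):
    return int(ipaddress.IPv4Address(a))

def parse_acl(line):
    """Parse 'access-list N permit ip <src> <dst>'; each address spec is
    'host A', 'any' or 'A WILDCARD'. Returns two (base, wildcard) pairs."""
    tok = line.split()[4:]                      # skip: access-list N permit ip
    specs = []
    while tok:
        if tok[0] == "host":
            specs.append((_ip(tok[1]), 0))
            tok = tok[2:]
        elif tok[0] == "any":
            specs.append((0, 0xFFFFFFFF))
            tok = tok[1:]
        else:
            specs.append((_ip(tok[0]), _ip(tok[1])))
            tok = tok[2:]
    return specs[0], specs[1]

def addr_matches(addr, spec):
    """Wildcard-mask compare: bits set in the wildcard are 'don't care'."""
    base, wildcard = spec
    return ((_ip(addr) ^ base) & ~wildcard & 0xFFFFFFFF) == 0

def attachment_points(src, dst):
    """(interface, direction) pairs a transit packet passes through R1."""
    if any(ipaddress.ip_address(src) in n for n in INSIDE_NETS):
        return [("fa0/0", "input"), ("fa0/1", "output")]   # inside -> outside
    return [("fa0/1", "input"), ("fa0/0", "output")]       # outside -> inside

def policy_sees(acl_line, iface, direction, src, dst):
    """True if a policy attached at iface/direction would classify the packet
    with this ACL (ACL part of the class-map only)."""
    s_spec, d_spec = parse_acl(acl_line)
    return ((iface, direction) in attachment_points(src, dst)
            and addr_matches(src, s_spec) and addr_matches(dst, d_spec))

ACL101 = "access-list 101 permit ip host 1.1.1.1 132.15.12.0 0.0.0.255"

if __name__ == "__main__":
    # Constructed sample packet: return traffic from 1.1.1.1 to a host in 132.15.12.0/24.
    for iface in ("fa0/0", "fa0/1"):
        for direction in ("input", "output"):
            print(iface, direction,
                  policy_sees(ACL101, iface, direction, "1.1.1.1", "132.15.12.5"))
```

In this model the return packet matches the same access-list both inbound on fa0/1 and outbound on fa0/0, because a transit packet keeps its source and destination addresses while crossing the router.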