Hello Karim / Amr,
A few options...
1 - The SP side CAN police the traffic before it reaches your interface. QoS
can be done well before traffic reaches the CE.
2 - You can work with the SP to implement a form of remotely triggered black
hole routing where when you have a certain tag, the SP drops the traffic
accordingly. This requires some coordination with the SP and some good
policies with your 24/7 department for an action plan to implement this (if
your concern is DDoS/DoS). Or, you can work with the SP to use a similar
function that will not necessarily drop the traffic but will have the SP apply
additional intelligent filtering to the traffic before it is sent to you
(again, mostly for DDoS purposes).
3 - Have the SP's QoS limit the type of traffic (similar to policing) that you
want limited. This will be done well before the traffic hits your inbound
interface.
4 - At the end of the day, if you do most of your business as e-commerce, get
tons of bandwidth and/or devices that can handle tons of traffic and/or do
inbound queuing on the local CE.
Andre
________________________________
From: karim jamali [mailto:karim.jamali_at_gmail.com]
Sent: Tuesday, December 08, 2009 9:48 AM
To: Dufour, Andre; Cisco certification; muhammad.nasim_at_gmail.com
Subject: Re: Control Inbound Internet Traffic.
Hi Andre,
Just to clarify things, BGP ORF is used to limit the BGP updates (about public
routes) on the provider side rather than filtering them on your side. It has
nothing to do with the traffic itself (FTP/HTTP, etc.), all the traffic types that
can go across the internet from different applications & different types of
users. It is just used to limit BGP updates according to the customer's
wishes. I would go with Muhammad's suggestion that it has to be done on the
provider side. We will wait to hear the opinions of the great experts on this
issue, but the way I see it is:
1) Policing will have 0 effect, because even though you are limiting the inbound
traffic from the internet, that traffic already came to your outside interface
and was policed there. Thus the bandwidth is already consumed.
2) Shaping or bandwidth commands are queueing mechanisms that can only be
applied outbound. Thus no sense exists in applying them inbound.
Thus, the only solution I see is to limit the traffic from the ISP side.
Best Regards,
On Tue, Dec 8, 2009 at 4:39 PM, Dufour, Andre <Andre.Dufour_at_paetec.com> wrote:
What about BGP ORF?
As long as the capabilities are available on both neighbors, this is a good
option.
INE has a lot of great free material on their site that explains it in an
easy-to-know fashion.
http://blog.internetworkexpert.com/2008/05/05/understanding-bgp-outbound-route-filtering-bgp-orf/
Andre
-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
Muhammad Nasim
Sent: Tuesday, December 08, 2009 9:34 AM
To: Amr Masoud
Cc: ccielab_at_groupstudy.com
Subject: Re: Control Inbound Internet Traffic.
Your concern can be addressed at the ISP site.
You cannot stop any kind of traffic coming to your router's external interface
(or inbound traffic).
What you can do is coordinate with your service provider and
discuss it with them, and then they can put policing and other mechanisms on the
interface connected to your router's external interface.
Kind of a managed service as well, we can say.
HTH
2009/12/8 Amr Masoud <amr.eng_at_gmail.com>
> Dears,
>
> How can we control (police, shape or reserve BW) traffic coming
> from the Internet to my network (download traffic)? Let's say I need to
> shape CLASS-A to 1 Mbps and reserve BW for CLASS-B with 2 Mbps.
>
> First: For policing, if we police the incoming traffic at the external
> interface, then fine, traffic that is coming to the internal side will
> be policed when it comes to the internal side. But the whole traffic
> already came to the external interface and already consumed the
> download BW of the external interface!!
>
> Second: For BW reservation, it is a queuing mechanism, so it has to be
> applied outbound, so it will be applied to the internal interface as outbound.
> So again the same problem: this traffic is still not guaranteed at the
> external interface :(
>
> I hope you got what I am trying to explain, and hope to hear from
> people who already faced this issue in life networks.
>
>
> Regards.
> Amr Mahmoud
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
--
Muhammad Nasim
Network Engineer
Saudi Arabia
Blogs and organic groups at http://www.ccie.net

Received on Tue Dec 08 2009 - 10:02:15 ART
This archive was generated by hypermail 2.2.0 : Sat Jan 02 2010 - 11:11:07 ART
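
The point the thread converges on, that policing on the CE's outside interface cannot give back access-link bandwidth while the same policer on the provider side can, shown as a small simulation. This is an added example, not part of the original messages; the 4 Mbps link, the 8 Mbps and 2 Mbps offered loads, the fixed packet size, the 50 ms queue and the Poisson arrivals are assumptions, and only the 1 Mbps CLASS-A limit comes from the question.

```python
import random

PKT_BITS = 1500 * 8                         # fixed packet size (assumption)
LINK_BPS = 4_000_000                        # access-link rate (assumption)
OFFERED = {"A": 8_000_000, "B": 2_000_000}  # offered load per class (assumption)
POLICE_A_BPS = 1_000_000                    # CLASS-A limit from the question

class TokenBucket:
    """Single-rate policer: a packet conforms only if enough tokens remain."""
    def __init__(self, rate_bps, burst_bits):
        self.rate, self.burst = rate_bps, burst_bits
        self.tokens, self.last = burst_bits, 0.0

    def conforms(self, now, bits):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens < bits:
            return False
        self.tokens -= bits
        return True

def simulate(policer_at, duration=60.0, seed=1):
    """policer_at: 'PE' (provider side, before the link) or 'CE' (after it)."""
    rng = random.Random(seed)
    arrivals = []                           # constructed Poisson traffic
    for cls, bps in OFFERED.items():
        t = rng.expovariate(bps / PKT_BITS)
        while t < duration:
            arrivals.append((t, cls))
            t += rng.expovariate(bps / PKT_BITS)
    arrivals.sort()
    policer = TokenBucket(POLICE_A_BPS, 8 * PKT_BITS)
    link_free_at, max_backlog = 0.0, 0.050  # FIFO link with a 50 ms tail-drop queue
    on_link, delivered = 0, {"A": 0, "B": 0}
    for t, cls in arrivals:
        if policer_at == "PE" and cls == "A" and not policer.conforms(t, PKT_BITS):
            continue                        # dropped upstream, never uses the link
        if link_free_at - t > max_backlog:
            continue                        # link queue full: tail drop, any class
        link_free_at = max(link_free_at, t) + PKT_BITS / LINK_BPS
        on_link += PKT_BITS                 # the access link carried this packet
        if policer_at == "CE" and cls == "A" and not policer.conforms(link_free_at, PKT_BITS):
            continue                        # dropped only after crossing the link
        delivered[cls] += PKT_BITS
    mbps = lambda bits: round(bits / duration / 1e6, 2)
    return {"link": mbps(on_link), "A": mbps(delivered["A"]), "B": mbps(delivered["B"])}

if __name__ == "__main__":
    for where in ("CE", "PE"):
        print(where, simulate(where))
```

With the policer at the CE the link stays saturated and CLASS-B arrives at well under its 2 Mbps; with the same policer on the provider side CLASS-A never reaches the link and CLASS-B gets through nearly intact.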