[unisog] Blocking inbound Internet traffic

Johan M. Andersen johan at columbia.edu
Thu May 8 18:14:52 GMT 2003


> We're looking into rate limits per IP (rather than port).  I'm curious to
> hear from people who are doing something like this.  How have you
> implemented this?  How effective has it been?  What do your users think?
> etc.

We use NetFlow collection plus an Oracle database plus Cisco policy maps to
put people over their quota into a very tiny pipe. We only have a quota on
their upload bandwidth currently. This makes it pretty transparent to most
of the users (no one here cares how quickly someone else can leech their
files :). It was REALLY effective, so much so that we could up the quota to
100 megabytes of upload data per hour per IP. All of the stuff we wrote to do
this is open source, and we will probably be publishing it soon. We were
worried about trying to make a Packeteer-type solution work over multiple
OC3s, but this seems to be doing pretty well. It also has the benefit of
being content-neutral. We do not inspect what our students are doing, we
only give them resource limits to make sure usage is fair for the entire
university.

If anyone is interested in making something like this work using Cisco gear,
and (mostly :) open source software, let me know.

/johan
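The accounting step Johan describes (NetFlow records in, a per-IP hourly upload quota, offenders handed to the shaper) as an added illustration; this is not the poster's code or Columbia's tool. Everything specific is constructed: the campus prefix 10.0.0.0/8, the flow tuples, the decimal reading of "100 megabytes", and the choice to apportion a flow that straddles an hour boundary proportionally to time rather than charging it all to the bucket it started in.

```python
"""Per-IP hourly upload-quota accounting over NetFlow-style records.

Added example of the scheme in the post: count only bytes leaving the campus
(content-neutral, nothing but byte counts is inspected), sum them per source
IP per clock hour, and report the IPs over quota so the shaper can move them
into the small pipe. Not the poster's code; all values below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import ipaddress

MB = 1_000_000                      # assumption: decimal megabytes
QUOTA_BYTES_PER_HOUR = 100 * MB     # the post's figure: 100 MB upload / hour / IP
CAMPUS = ipaddress.ip_network("10.0.0.0/8")   # constructed campus prefix


def hour_bucket(ts):
    """Truncate a timestamp to the start of its clock hour."""
    return ts.replace(minute=0, second=0, microsecond=0)


def is_upload(src, dst):
    """Upload = campus source talking to a non-campus destination."""
    return (ipaddress.ip_address(src) in CAMPUS
            and ipaddress.ip_address(dst) not in CAMPUS)


def apportion(start, end, nbytes):
    """Yield (bucket, bytes) pairs, spreading a flow's bytes over the hour
    buckets it spans in proportion to the time spent in each (assumption;
    a real collector might instead charge the whole flow to its start hour)."""
    if end <= start:                # zero-length or malformed record
        yield hour_bucket(start), float(nbytes)
        return
    total = (end - start).total_seconds()
    cur = start
    while cur < end:
        bucket = hour_bucket(cur)
        nxt = min(bucket + timedelta(hours=1), end)
        yield bucket, nbytes * (nxt - cur).total_seconds() / total
        cur = nxt


def account(flows):
    """Sum uploaded bytes per (source IP, hour bucket)."""
    usage = defaultdict(float)
    for start, end, src, dst, nbytes in flows:
        if not is_upload(src, dst):
            continue                # downloads and intra-campus traffic are free
        for bucket, share in apportion(start, end, nbytes):
            usage[(src, bucket)] += share
    return usage


def over_quota(usage, quota=QUOTA_BYTES_PER_HOUR):
    """IPs that exceeded the quota in at least one hour bucket."""
    return sorted({ip for (ip, _bucket), b in usage.items() if b > quota})


# Constructed sample flows: (start, end, src, dst, bytes). UTC, 8 May 2003.
_T = datetime(2003, 5, 8, 17, 0, tzinfo=timezone.utc)
SAMPLE_FLOWS = [
    (_T + timedelta(minutes=10), _T + timedelta(minutes=20), "10.1.2.3", "192.0.2.10", 60 * MB),
    (_T + timedelta(minutes=30), _T + timedelta(minutes=40), "10.1.2.3", "192.0.2.11", 50 * MB),
    # straddles the 18:00 boundary: 60 MB lands in each hour, neither over quota
    (_T + timedelta(minutes=45), _T + timedelta(minutes=75), "10.9.9.9", "198.51.100.5", 120 * MB),
    # inbound download: not counted against the campus host
    (_T, _T + timedelta(minutes=5), "203.0.113.7", "10.1.2.3", 500 * MB),
    # intra-campus: not counted
    (_T, _T + timedelta(minutes=5), "10.5.5.5", "10.6.6.6", 200 * MB),
]


def report(flows=SAMPLE_FLOWS):
    """Offenders plus a per-IP-per-hour table in MB, for the shaper and for review."""
    usage = account(flows)
    return {
        "offenders": over_quota(usage),
        "usage_mb": {f"{ip}@{b:%H:00}": round(v / MB, 1)
                     for (ip, b), v in sorted(usage.items())},
    }


if __name__ == "__main__":
    r = report()
    for k, v in r["usage_mb"].items():
        print(f"{k:<22} {v:>8.1f} MB")
    print("over quota:", r["offenders"])   # only 10.1.2.3 (110 MB in the 17:00 hour)
```

The result of `report()` is what a shaper hook would consume: the offender list is the input to the policy that moves those addresses into the tiny pipe, and the table is what you show a user who asks why. Because only source, destination and byte counts are read, the check stays content-neutral in the sense the post describes.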