[unisog] Blocking inbound Internet traffic
harnold at binghamton.edu
Thu May 8 18:32:07 GMT 2003
We've done it with our Packeteers and found it to make things *very* stable
as far as the network is concerned.
I'd be very interested in seeing what you've done with Cisco. We're
primarily Cisco and I have played with the NetFlow stuff somewhat.
From: Johan M. Andersen [mailto:johan at columbia.edu]
Sent: Thursday, May 08, 2003 2:15 PM
To: Sara Smollett
Cc: unisog at sans.org
> We're looking into rate limits per IP (rather than port). I'm curious
> to hear from people who are doing something like this. How have you
> implemented this? How effective has it been? What do your users think?
We use NetFlow collection plus an Oracle database plus Cisco policy maps to
put people over their quota into a very tiny pipe. We only have a quota on
their upload bandwidth currently. This makes it pretty transparent to most
of the users (no one here cares how quickly someone else can leech their
files :). It was REALLY effective, so much so that we could up the quota to
100 megabytes of upload data per hour per IP. All of the stuff we wrote to do
this is open source, and we will probably be publishing it soon. We were
worried about trying to make a Packeteer-type solution work over multiple
OC3s but this seems to be doing pretty well. It also has the benefit of
being content-neutral. We do not inspect what our students are doing, we
only give them resource limits to make sure usage is fair for the entire
If anyone is interested in making something like this work using cisco gear,
and (mostly :) open source software, let me know.
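As an added illustration of the quota mechanism Johan describes (example code written for this archive page, not code from the list or from Columbia's unpublished tools): a constructed set of NetFlow-style records, the per-IP hourly aggregation of upload bytes against the 100 megabytes/hour quota, and the IOS-style ACL host entries that a policed policy-map class would match. The campus address range, the record layout and the ACL syntax are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumptions (not from the post): campus address range and a simplified
# NetFlow-style record layout (start_epoch, src, dst, bytes).
CAMPUS = ip_network("10.0.0.0/8")
QUOTA_BYTES = 100 * 1024 * 1024  # 100 megabytes of upload per hour per IP, as in the post

# Constructed sample flows; all addresses and sizes are made up.
SAMPLE_FLOWS = [
    (1052410000, "10.1.2.3", "203.0.113.5", 60_000_000),
    (1052411000, "10.1.2.3", "198.51.100.9", 50_000_000),   # same hour: 110 MB total
    (1052410500, "10.1.2.4", "203.0.113.5", 5_000_000),
    (1052410600, "203.0.113.5", "10.1.2.4", 400_000_000),   # inbound: a download, not counted
    (1052413700, "10.1.2.3", "203.0.113.5", 30_000_000),    # next hour bucket
]


def upload_bytes_per_hour(flows, campus=CAMPUS):
    """Sum bytes per (source IP, hour bucket) for campus -> Internet flows only."""
    totals = defaultdict(int)
    for start, src, dst, nbytes in flows:
        if ip_address(src) in campus and ip_address(dst) not in campus:
            totals[(src, start // 3600)] += nbytes
    return dict(totals)


def over_quota(flows, quota=QUOTA_BYTES, campus=CAMPUS):
    """Return sorted (ip, hour_bucket, bytes) tuples whose upload exceeds the quota."""
    totals = upload_bytes_per_hour(flows, campus)
    return sorted((ip, hour, b) for (ip, hour), b in totals.items() if b > quota)


def throttle_acl_lines(offenders):
    """IOS-style extended ACL entries selecting the offending hosts; a class-map
    matching this ACL is what a policed policy-map class would act on
    (illustrative syntax, not the poster's unpublished tooling)."""
    ips = sorted({ip for ip, _, _ in offenders}, key=ip_address)
    return [f"permit ip host {ip} any" for ip in ips]


if __name__ == "__main__":
    for ip, hour, b in over_quota(SAMPLE_FLOWS):
        print(f"{ip} sent {b / 2**20:.1f} MB in hour bucket {hour}: over quota")
    print("\n".join(throttle_acl_lines(over_quota(SAMPLE_FLOWS))))
```

Only campus-to-Internet flows count toward the total, which is what makes the scheme transparent to downloaders as the post describes.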