[unisog] Quota system based on netflows

Jonathan Glass jonathan.glass at oit.gatech.edu
Tue Jan 30 15:16:28 GMT 2007


Joe Bazeley wrote:
> We're looking to implement a bandwidth-limiting system for our
> residential users, something on the order of "if you use more than X
> gigs in a 24 hour period we'll put a bandwidth cap on your connection
> until the time period resets".  I've heard other schools do this by
> monitoring netflow data and putting some scripts together around that
> data.  If there are any schools who have implemented something like this
> in a Cisco environment and would be willing to answer some questions
> about their setup, please send me an email and I'll follow up with
> specific questions.
> 
> Thanks,
> 
> Joe Bazeley
> Loyola University Chicago
> 

Just to present a counter-point, I'll share our setup.

We simply apply a policy limit of 1Mbps incoming *from* each network
port to non-campus destinations.  It just throws away packets if one
tries to put more than that on the wire.  In other words, they can
absorb as much as they want from the internet, but they can't serve more
than 1Mbps.

policy-map limit-traffic
  class campus-traffic
    police 1000000000 2000000 exceed-action drop
  class internet-traffic
    police 992000 32000 exceed-action drop

-- 
Jonathan Glass, RHCE, MCP    Information Security Engineer III
OIT Information Security       Georgia Institute of Technology
Atlanta, Georgia 30332-0700          Office/Cell: 404-385-6900
Key ID: 0xAB50FF20     Size: 2048 Bits     Created: 11/17/2004
Fingerprint: 3CD2 1BC6 4485 720B AB45 FF3E 8B3B D6F5 AB50 FF20
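
Added example, not part of the original post: a simplified single-rate token-bucket model of the internet-traffic policer above, showing how a sustained stream and a back-to-back burst fare under "exceed-action drop". It assumes that in "police 992000 32000" the first value is the rate in bits per second and the second is the burst size in bytes; the function names and sample traffic are constructed for illustration.

```python
# Simplified single-rate token-bucket policer (illustrative model, not Cisco code).
# Assumption: "police 992000 32000" means 992000 bits/s with a 32000-byte burst.

RATE_BPS = 992_000     # rate from the posted internet-traffic class
BURST_BYTES = 32_000   # burst from the posted internet-traffic class


def police(packets, rate_bps=RATE_BPS, burst_bytes=BURST_BYTES):
    """packets: list of (timestamp_seconds, size_bytes) sorted by time.
    Returns (conformed_bytes, dropped_bytes)."""
    tokens = float(burst_bytes)  # bucket starts full
    last = None
    conformed = dropped = 0
    for ts, size in packets:
        if last is not None:
            # Refill at rate_bps/8 bytes per second, never above the burst size.
            tokens = min(burst_bytes, tokens + (ts - last) * rate_bps / 8)
        last = ts
        if size <= tokens:
            tokens -= size
            conformed += size
        else:
            dropped += size  # exceed-action drop: the packet is discarded
    return conformed, dropped


def constant_stream(offered_bps, seconds, pkt_bytes=1000):
    """Constructed sample traffic: evenly spaced packets at offered_bps."""
    count = offered_bps * seconds // (pkt_bytes * 8)
    interval = pkt_bytes * 8 / offered_bps
    return [(i * interval, pkt_bytes) for i in range(count)]


def delivered_bps(offered_bps, seconds=10):
    """Throughput that survives the policer for a constant offered load."""
    conformed, _ = police(constant_stream(offered_bps, seconds))
    return conformed * 8 / seconds


if __name__ == "__main__":
    for offered in (500_000, 5_000_000):
        print(offered, "bps offered ->", round(delivered_bps(offered)), "bps delivered")
    print("40 x 1000-byte burst at t=0 ->", police([(0.0, 1000)] * 40))
```

Over a short window the delivered rate sits slightly above 992000 bps because the initially full bucket lets the first 32000 bytes through at line rate.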

