We also have a Cisco network and have expressed frustration to Cisco about
the available alternatives.  It is hard to construct Access Lists to deal
with anything but fixed ports.  NBAR on the 7200's and the PIX seem to be
the only incursions into application-specific bandwidth management.  You
could try CAR or policy routing to label and restrict the secondary
applications.  We have started looking at boxes by Top Layer and Packeteer
to do LAN-based bandwidth management prior to handing the traffic off to the
router.  Only your ISP will be able to restrict things incoming and few ISPs
have the will or abilities to do so.

Thanks-
-Craig

-----Original Message-----
From: Stewart Dean [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 18, 2000 6:00 AM
To: [EMAIL PROTECTED]
Subject: Q2: How to Deal with Bandwidth Abuse 


I have responsibilities at a small (approx 2200 user) liberal arts college.
We have been slowly getting the expenditure to do appropriate upgrades to the
network and IT infrastructure, usually the crisis du jour that finally makes
it clear to the administration that, yes, they really do have to loosen the
purse string.
  We have been dodging various bullets related to a) having one T1 line and
b) the students have Napster/Gnutella/Scour.  Things have come to a head, and
we are looking to better handle what we presume to be student bandwidth abuse.
The students will have their own T1 line, and the faculty and staff another.

Still, we need to get a handle on locating bandwidth abuse offenders and
counseling them.
  I'd like to hear your experience with this problem.  We have a pretty much
all Cisco environment: a 5500 as a backbone, fiber to 2924s.  All connections
are out of a single switched port, or will be soon after we phase out the last
of our old IBM hubs.
  If there's a better place to ask this question, please suggest.

How do you track bandwidth abusers at the firewall?  Can you identify
locations heavily used by abusers?  What tactics have you come up with to
deal with Gnutella and Scour?

to shift access control from router access control lists to a true firewall
in order to get the benefits of logging, stateful connection handling and the
like.
---
// "I build my cars to go, not to stop", Ettore Bugatti
// Stewart Dean Kingston, NY
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]