Per user traffic policing

JoeBirds

Hey guys,

On a 2900 series router, is it possible to perform internet traffic policing PER TCP session (single user) on 80 or 443? In other words, I'm wanting to take a user's port 80/443 internet traffic and police it down to a certain speed.

Any ideas are greatly appreciated.

networker050184

Sure, you can match on protocol traffic, ACL, etc. Just have to figure out what works best for you. Look into policing with MQC and it should get you in the right direction.

JoeBirds

You can't define any internal IP addresses in an ACL that will be used to match internet traffic as it hits the public interface of the router. All addresses are still public at that point.

networker050184

Depends at what point in the network you are matching.

JoeBirds

I think an example will help me better explain:

Say that I have a LAN of users - two of which love to stream videos and download crap. Is there a way to implement a service policy to police traffic on port 80 and 443 for those two users only?

The only area I can think to put the service policy would be inward (input) on the public interface, but that leaves me with an issue. I cannot match traffic to those user's private IP addresses from what is still technically public traffic. Sure I could match all of the traffic coming from port 80 and 443 in my ACL match, but that would throttle the entire LAN.

I really do not think there is an easy way of doing it, if at all.

networker050184

Ok I gotcha. Yeah not likely something a router is ging to be good at. You might be able to find a way to match and drop, but as you say not a ver elegant solution. Unfortunately just not what the router is designed for.