Hi Justin,

> I have an ISP situation where there are about 1000 users sitting behind Cisco
> 3550 switches.  Each port is 1 user and is configured with an individual
> VLAN where each VLAN is assigned a small network subnet and corresponding
> DHCP scope.
>
> The problem is that it seems (so I have been told) these 3550s will not
> effectively bandwidth limit at the port level.  Incoming bandwidth is
> limited as configured, but outgoing is not.  So, I am looking at a pf solution but
> google is not turning up any specific information for such a situation.
>

This is not true. It's more tricky, but you can actually limit both inbound
and outbound at the port level, and it's quite effective too. Of course
OpenBSD is capable of that too, but for 1000 vlans you'll have to split the
load across multiple firewalls (or multiple clusters of firewalls) since
there're hardcoded limits on the number of queues you can create (256 cbqs
and 64 hfsc if I remember well, it's been discussed in the past however!)

The config for the 3550 is something like this:

Define the class-maps (all-in and all-out are different because of hardware
limitations)

! all-out catches unmarked traffic (DSCP default, i.e. DSCP 0)
class-map match-any all-out
  match ip dscp default
! all-in catches whatever access-list 100 permits (ACL 100 is not shown here;
! it has to exist before the class-map matches anything)
class-map match-any all-in
  match access-group 100

Define the policy maps:

! police <rate in bit/s> <normal burst in bytes>: traffic above the rate,
! beyond what the burst allows, is dropped rather than queued
policy-map 1mbit-in
  class all-in
    police 1024000 192000 exceed-action drop
policy-map 1mbit-out
  class all-out
    police 1024000 192000 exceed-action drop

And apply the policies to the interfaces:

interface FastEthernet0/4
 description CustomerX
 no switchport
 ip address 1.2.3.4 255.255.255.x
 ! or, if the port stays a switchport, drop "no switchport" and the ip address
 ! and use "switchport mode access" followed by "switchport access vlan x"
 ip rip advertise 3
 no cdp enable
 service-policy input 1mbit-in
 service-policy output 1mbit-out

Also note that this is rate-limiting, not bandwidth shaping, but it may fit
your requirements!

Cheers,
]\/[arco
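As an added illustration (not part of Marco's reply, nor Cisco code), here is a small Python model of a single-rate token-bucket policer behaving like the `police 1024000 192000 exceed-action drop` line above: rate in bit/s, burst depth in bytes, non-conforming packets dropped instead of queued, which is the rate-limiting-versus-shaping difference the reply points out. The packet traces are constructed, and the 3550's ASIC has its own refill granularity, so the byte counts are illustrative of the behaviour rather than exact hardware results.

```python
"""Token-bucket model of a Cisco-style `police <rate-bps> <burst-bytes>
exceed-action drop` policer (added example, not from the original post)."""

SCALE = 1_000_000  # tokens kept in bit-microseconds so all arithmetic is exact


class Policer:
    def __init__(self, rate_bps: int, burst_bytes: int):
        self.rate_bps = rate_bps
        self.cap = burst_bytes * 8 * SCALE  # bucket depth in scaled bits
        self.tokens = self.cap              # bucket starts full
        self.last_us = 0

    def offer(self, t_us: int, size_bytes: int) -> bool:
        """True if a packet arriving at t_us conforms, False if it is dropped."""
        # refill: elapsed_us * rate_bps is exactly the credited bits times SCALE
        self.tokens = min(self.cap, self.tokens + (t_us - self.last_us) * self.rate_bps)
        self.last_us = t_us
        need = size_bytes * 8 * SCALE
        if self.tokens >= need:
            self.tokens -= need
            return True
        return False  # exceed-action drop: no queueing, the packet is gone


def run(policer: Policer, packets) -> tuple[int, int]:
    """packets: iterable of (arrival_us, size_bytes). Returns (passed, dropped) bytes."""
    passed = dropped = 0
    for t_us, size in packets:
        if policer.offer(t_us, size):
            passed += size
        else:
            dropped += size
    return passed, dropped


def constant_stream(size_bytes: int, gap_us: int, count: int):
    """Constructed trace: `count` packets of size_bytes, one every gap_us."""
    return [(i * gap_us, size_bytes) for i in range(count)]


if __name__ == "__main__":
    # 1000-byte packets every 1 ms = 8 Mbit/s offered to a 1 Mbit/s policer:
    # the 192000-byte burst passes first, then roughly 128 kB/s trickles through
    p = Policer(1024000, 192000)
    passed, dropped = run(p, constant_stream(1000, 1000, 1000))
    print(f"passed {passed} B, dropped {dropped} B")  # prints: passed 319000 B, dropped 681000 B
```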
