Port Size Question (Cisco)

I have a situation where I am looking for general best practice information.

I have a full T1 for internet access and I have about 200 or so users spread around the counrty that are coming through a frame network to access that internet out of our hub (corporate office).  My question is that the users are overrunning the connection between streaming music and then you have several VPN users coming inbound.... so what is typically done short of throwing more bandwidth at the issue?  Are the connections usually rate limited?

Basically I need some best practice type things like how a queue would be used or how rate limiting might be considered.... because one huge item is the vpn users.. they can easily overrun my T1 with their broadband connection....

Thanks for your help... please only comment if you have extensive experience in Cisco routers..

My hub router is a 3620.

Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

We limit the bandwidth connection of our vpn users to 128K burstable to 512K.  We limit streaming by blocking it with a firewall.
I would kill streaming as pseudo said via a firewall; if these guys are using a network for corporate purpose and listening to streaming music isnt a job at the company you need to put into place network access policies that keep people using the network as it should be.  However, on the flip side, with 200 or more users coming inbound we would recommend at least a bonded DS1 connection.  If you start doing traffic shaping you'll increase load on the router and depending on what your current CPU usage is you might want to consider it twice before implementation.
NTGuru705Author Commented:
Can anyone give me some tips for psuedo's sugguestion... ie. things to research into the How of this?

Also on AM6 comments how do you do it if the app can use port 80?

Your Guide to Achieving IT Business Success

The IT Service Excellence Tool Kit has best practices to keep your clients happy and business booming. Inside, you’ll find everything you need to increase client satisfaction and retention, become more competitive, and increase your overall success.

NTGuru, what are your VPN users connecting to - the router or a server or a concentrator?  We're using a Nortel Contivity Concentrator - so the bandwidth limitation on the VPN configurations is a configurable paramater on the concentrator.

As far as the streaming goes - yeah, if they're using port 80 to stream it's tough to detect.  You might not be able to do it with just the router.  We've got Checkpoint firewalls which can look at higher layers than 4 (TCP/UDP) to determine what the application is REALLY doing.


Another idea is to identify the big streaming sites and the RATE LIMIT them using route mapping - which is beyond my level of expertise.  So, the thing with P2P apps - and some streaming apps - is if you block them, they port hop or tunnel thorugh other ports.  But if you only RATE LIMIT them, then they "think" they're on a slow connection and there's nothing to be done about that.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
NTGuru705Author Commented:
our VPN box is a Watchguard 1000 firewall.

I would love to learn more about the RATE LIMIT... any ideas?
NTGuru705Author Commented:
Can anyone comment on the RATE LIMIT... basically point me in the right direction.

If I wanted to rate limit http traffic for a user to be maxed at say 128k how would I go about that?  What are my options?

It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.