Limit Bandwidth by port or IP address

I have a customer who owns a commercial building. They are bringing in their own Internet to the building and want to sell the service to customers.  They want to be able to limit the bandwidth each customer gets. It is my understanding that this can be done a few ways. I spoke with Cisco and they suggested a 1941 Router and it can do it by ethernet port (limiting each port to 1, 10, 100, or unlimited). But it only has 2 ports.  The customer may want to do the management themselves so I really would like something easy to manage.  Anyone have any clues? I think I can do it using QoS but that can get complicated, so the interface is important.  Would it be easier to install a multihomed PC and run all internet through it and use a NIC for each network and run software to do the work?

Istvan Kalmar, Head of IT Security Division, Commented:

In this case he needs a traffic limiter or hotspot controller; both of them are able to limit bandwidth per IP address!
We use HP controllers in this situation!
SonicWall can do all of this and it's easy to manage.
It's not as expensive as the Cisco but it will do what you need. You can let a port connect at 100full but only give them a 1MB connection to the internet. I use an NSA 3500 but smaller models can do it as long as they have the enhanced firmware.
I have included a screenshot of what the management console looks like; as you can see, the QoS is the next tab.

This solution works very well for us and it costs 1/4 of what Cisco wanted to charge to do the same thing.

With this service you could even sell security as an upgrade: it has gateway anti-virus and anti-spyware, and an IDS/IPS system built in as an add-on service.

Let's say, as an example, that you want to set up 40 offices in the building.  Here's what I would do.

Assign each office a set of IP addresses.  Such as 10.0.1.x/24, 10.0.2.x/24, 10.0.3.x/24, etc...
Then run a 48-port switch, with an ethernet drop to each of the 40 offices.
Set up the switch with 47 VLANs, with the 48th port being a VLAN trunk.
The VLAN trunk will hook to the router that is connected to the internet.

On the router:
Filter each VLAN subinterface so only the proper IP addresses (10.0.x.x) are getting through, so customers can't steal each other's bandwidth.
Set up a class-map for each set of IP addresses.
Create an upload-speed service-policy, which will have all the class-maps with a "shape average xxxxx" to describe how much bandwidth each business is allowed outgoing.
Create a download-speed service-policy, which will have all the class-maps with a "shape average xxxx" to describe how much bandwidth each business is allowed incoming.
Assign the upload-speed service-policy to the outgoing internet interface.
Assign the download-speed service-policy to the incoming interface.

I'm going to think this through in case I've missed something...

If you run a 48-port switch, buy a switch that does inbound rate limiting per port.  A 48-port Cisco should be able to handle 47 offices in the building.
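As an added example that is not any poster's own code, here is a small Python generator for the per-office IOS MQC configuration sketched above (anti-spoof ACL and VLAN subinterface per office, class-maps, and UPLOAD/DOWNLOAD policy-maps with `shape average`), generalized to any number of offices. The interface names, the VLAN numbering (100 + office number) and the sample rates are assumptions; only the 10.0.n.x/24 scheme comes from the post.

```python
# Added example (not any poster's code): generate the per-office IOS MQC
# configuration the thread describes. Assumptions, not from the post:
# interface names, VLAN id = 100 + office number, and the sample rates.
WAN_IF = "GigabitEthernet0/1"    # assumed internet-facing interface
TRUNK_IF = "GigabitEthernet0/0"  # assumed 802.1Q trunk to the 48-port switch

def office_config(n):
    """ACLs, VLAN subinterface with ingress anti-spoof filter, class-maps for office n."""
    net, vlan = f"10.0.{n}.0", 100 + n   # 10.0.n.x/24 as in the post; VLAN id assumed
    return [
        f"ip access-list extended OFFICE{n}-SRC",
        f" permit ip {net} 0.0.0.255 any",       # packets sourced from this office
        f"ip access-list extended OFFICE{n}-DST",
        f" permit ip any {net} 0.0.0.255",       # packets destined to this office
        f"interface {TRUNK_IF}.{vlan}",
        f" encapsulation dot1Q {vlan}",
        f" ip address 10.0.{n}.1 255.255.255.0",
        f" ip access-group OFFICE{n}-SRC in",    # drop sources spoofed from other offices
        f"class-map match-all OFFICE{n}-UP",
        f" match access-group name OFFICE{n}-SRC",
        f"class-map match-all OFFICE{n}-DOWN",
        f" match access-group name OFFICE{n}-DST",
    ]

def build_config(offices):
    """offices: list of (office_number, upload_bps, download_bps). Returns IOS config text."""
    lines, up, down = [], ["policy-map UPLOAD"], ["policy-map DOWNLOAD"]
    for n, up_bps, down_bps in offices:
        if not 1 <= n <= 254:
            raise ValueError(f"office {n} does not fit the 10.0.n.0/24 scheme")
        lines += office_config(n)
        up += [f" class OFFICE{n}-UP", f"  shape average {up_bps}"]
        down += [f" class OFFICE{n}-DOWN", f"  shape average {down_bps}"]
    lines += up + down
    # Shaping is an egress feature in IOS: upload is shaped leaving the WAN port,
    # download is shaped leaving the trunk toward the offices.
    lines += [f"interface {WAN_IF}", " service-policy output UPLOAD",
              f"interface {TRUNK_IF}", " service-policy output DOWNLOAD"]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    # constructed sample: three offices sold 1, 10 and 100 Mbit/s (bits per second)
    print(build_config([(1, 1_000_000, 1_000_000),
                        (2, 10_000_000, 10_000_000),
                        (3, 100_000_000, 100_000_000)]))
```

Because shaping in IOS only acts on egress, the "download" policy goes on the trunk's output rather than on the WAN interface's input; if the router also serves DHCP, the ingress ACL needs an extra permit for bootp.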

leebaskin, that's an interesting idea!  But it looks like it can only limit one interface in that screenshot.  What is on the QoS tab?
Actually, when you setup an access rule you can apply the bandwidth to that rule...
This is done with policy-based routing. It's easy: you identify the user (in this case the port) and when you create the access rule for the firewall you either set bandwidth management or not, right there in that same window. It's stupid easy; that's why I love it.
QoS is a bit more involved but still pretty easy. You have to define the QoS traffic then apply it depending on where the traffic will be routed. There is a little more to it, but this too is easy.

Sounds like this will work.  As long as you can apply an ethernet bandwidth policy to each individual VLAN and control the incoming/outgoing speeds separately, you'll be good to go.
That's how I am doing it. I even use this device to manage the VLANs as opposed to a Layer 3 switch.
You can easily do this in a Cisco router as well, using the traffic shaping feature. We use that a lot for our premium customers with their own registered networks. You set it up once and then you can forget about it.
My proposed solution above is doing traffic shaping.  Which brings up a question.  Can Zone Alarm do traffic shaping or is it tail drop?
I fully agree with sidetrack; everything you'll need is included in IOS/QoS. You can achieve different characteristics for different IPs/ranges using QoS policies with the MQC. You can shape or police the traffic based on an access-list, or even use RADIUS for specific users, assigning different bandwidths. I haven't used the RADIUS option myself at the moment, but I read about the possibility. Quite interesting, I think.
Correct, my proposed solution above is doing traffic shaping using IOS/QoS/MQC and VLAN for customer separation.

But if Zone Alarm can do all that, then Leebaskin has a cool, easy-to-administer solution.
I am not up to date with Zone Alarm; it's been a while since I have used it. But Zone Alarm is a personal firewall, right? How is that going to handle bandwidth for different networks?

I would shy away from using a multi-homed PC for commercial usage. This may work well at home, but the issues and management overhead that come along with using a multi-homed PC for routing are not worth the effort. Do it right: use hardware that is designed to handle this on a commercial level. Cisco and SonicWall do this with less hassle than a PC.   – that's my two cents
My bad.  I meant to say SonicWall, not Zone Alarm.
degoodwinAuthor Commented: