I have a new metro ethernet connection, line speed 1Gbit, providing VPN and IP transit. I am paying for substantially less than line speed, however, and my ISP has said the onus is on me to limit my inbound and outbound traffic in order to stay within my commit. Currently the setup is this:
ISP ----- Media Converter ----- Managed Switch ----- Firewall ----- LAN
My firewall has two external interfaces, one for the VPN on one VLAN, the other for internet on a second VLAN. The managed switch is pretty basic and provides no rate limiting whatsoever. I have set up outbound traffic shaping on my firewall, but I am stumped about inbound. My firewall offers no ingress policing, though I can set up outbound shaping on my LAN interface.
My questions are these. Would outbound traffic shaping on my LAN interface be sufficient to keep us within limits? If not, and I switched firewalls for something with inbound policing, would that be sufficient? It seems to me that if a packet has left my ISP, then it doesn't matter whether I drop it or not; it is still counted.
Thanks in advance.
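For reference, here is what "a firewall with inbound policing" looks like on a Linux box using tc. This is an added example, not the poster's configuration or a product the poster named; the interface names (eth1.10 and eth1.20 for the two external VLANs) and the 50 Mbit commit are assumptions. The script prints the tc commands by default and only executes them when run as root with TC_APPLY=1, since tc needs CAP_NET_ADMIN. One caveat worth stating plainly: an ingress policer drops packets that have already crossed the access link, so it holds the average down only because TCP senders slow down when they see loss; it does nothing against inbound traffic that ignores loss, such as a UDP flood, which only the ISP can rate-limit upstream.

```shell
#!/bin/sh
# Added example (not the poster's setup): ingress policing and egress
# shaping on a Linux firewall with tc. Interfaces and rates are assumed.
set -eu

# Print (dry run) or execute a tc command. Dry run unless TC_APPLY=1 and
# we are root, because tc needs CAP_NET_ADMIN to change qdiscs.
tc_run() {
    if [ "${TC_APPLY:-0}" = "1" ] && [ "$(id -u)" = "0" ]; then
        tc "$@"
    else
        echo "tc $*"
    fi
}

# Police inbound traffic on DEV to RATE, allowing a burst of BURST.
# Packets arriving faster than RATE are dropped at the firewall; TCP
# senders back off in response, which is what keeps the average inbound
# rate under the commit. Already-transmitted bytes are still counted
# by the ISP, so this cannot stop loss-insensitive floods.
ingress_police() {
    dev=$1; rate=$2; burst=$3
    # The ingress qdisc has the fixed handle ffff: and can only police.
    tc_run qdisc add dev "$dev" handle ffff: ingress
    # u32 "match u32 0 0" matches every packet.
    tc_run filter add dev "$dev" parent ffff: protocol all prio 1 u32 \
        match u32 0 0 \
        police rate "$rate" burst "$burst" drop flowid :1
}

# Shape (queue, not drop) outbound traffic on DEV with a token bucket so
# both directions stay under the same commit.
egress_shape() {
    dev=$1; rate=$2
    tc_run qdisc add dev "$dev" root tbf rate "$rate" burst 64kb latency 50ms
}

# Internet VLAN and VPN VLAN, each assumed to share a 50 Mbit commit.
ingress_police eth1.10 50mbit 1mb
egress_shape   eth1.10 50mbit
ingress_police eth1.20 50mbit 1mb
egress_shape   eth1.20 50mbit
```

Run it once without TC_APPLY to review the generated commands, then `TC_APPLY=1 ./police.sh` as root to apply them; `tc -s qdisc show dev eth1.10` afterwards shows the drop counters, which is the quickest way to see whether the policer is actually biting.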