1st, craft an ACL to match the client(s) or network(s),
e.g. (sales dept and networks 10.1.{0..3}.0/24)
ip access-list extended sales
 remark "whitelist address here if any"
 deny ip 10.1.0.0 0.0.0.0 any
 permit ip 10.1.0.0 0.0.3.255 any
2nd, build a flow record based on source-addr
flow record sales-profile1
 description "sales-profile"
 match ipv4 source address
!
Now we make a class-map using match-all and apply it to a policy-map:
class-map match-all limit-sales
 match access-group name sales
 match flow record sales-profile1
!
policy-map police-traffic
 description "set QoS level based on depts"
 class limit-sales
  police 1000000 80000
Then you apply the policer to your interface and you are done. The match-all is critical since we want to match the src_address in the ACL and then the specific /32 sources in the flow record.
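To see what the ACL plus flow-record match means in practice, here is an added Python model (not part of the original post and not Cisco's implementation) that evaluates the "sales" ACL with its wildcard masks and keeps one token bucket per source address. It assumes a single-rate token bucket with exceeding packets dropped; the hosts and traffic rates are constructed sample values.

```python
import ipaddress

RATE_BPS, BURST_BYTES = 1_000_000, 80_000   # "police 1000000 80000": bits/s, bytes

# ACL "sales" as (action, base, wildcard); first match wins, implicit deny at the end.
ACL_SALES = [
    ("deny", "10.1.0.0", "0.0.0.0"),       # whitelist placeholder entry from the page
    ("permit", "10.1.0.0", "0.0.3.255"),   # 10.1.0.0 through 10.1.3.255
]

def wildcard_match(addr, base, wildcard):
    """True when addr equals base on every bit the wildcard mask does not ignore."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def acl_permits(src):
    for action, base, wildcard in ACL_SALES:
        if wildcard_match(src, base, wildcard):
            return action == "permit"
    return False

class PerSourcePolicer:
    """One token bucket per source address, the key the flow record matches on."""
    def __init__(self, rate_bps=RATE_BPS, burst=BURST_BYTES):
        self.rate_bytes, self.burst = rate_bps / 8, burst
        self.buckets = {}                   # src -> (tokens, time of last packet)

    def offer(self, src, size, now):
        """Classify one packet as 'unclassified', 'conform' or 'exceed'."""
        if not acl_permits(src):
            return "unclassified"           # match-all fails: class does not apply
        tokens, last = self.buckets.get(src, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate_bytes)
        verdict = "conform" if size <= tokens else "exceed"
        self.buckets[src] = (tokens - size if verdict == "conform" else tokens, now)
        return verdict

def simulate(sources, pkt_size=1500, pps=200, seconds=2):
    """Every source sends pps packets/s; return bytes forwarded per source."""
    policer, forwarded = PerSourcePolicer(), {s: 0 for s in sources}
    for i in range(pps * seconds):
        for src in sources:
            if policer.offer(src, pkt_size, i / pps) != "exceed":   # exceed = drop
                forwarded[src] += pkt_size
    return forwarded

if __name__ == "__main__":
    # Constructed sample sources: two sales hosts, the whitelisted address, one outsider.
    print(simulate(["10.1.1.10", "10.1.2.20", "10.1.0.0", "10.1.4.5"]))
```

Each sales host offering 2.4 Mbps is cut to the burst plus 1 Mbps on its own bucket, while the whitelisted address and the host outside 10.1.0.0 - 10.1.3.255 never enter the class and pass unpoliced.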
Ken Felix
Freelance Network / Security Engineer
kfelix ----a---t---socpuppets ---d---o---t---com
^ ^
=( @ @ )=
o
/ \