cisco nat limit max request per pc per port
I share an aDSL connection with a couple people in my house. In the evening, I tend to play some online games in which upstream bandwidth is very important. I had posted about my router keeping "tons of dynamic nat entries" in memory and not clearing them out frequently enough. I thought this was slowing me down and causing my router to mess up. It was therefore affecting my ping on the game server. I was wrong. The router was right.
I found out that someone who is on my network has a habit of visiting dozens of pr0n sites later in the evening and downloading large pictures and video clips. I don't have a problem with that... what I have a problem with is... he is downloading dozens of clips at a time slowing the connection down. We share the connection but I pay for it. I don't want to cut him off... but I want to frag and he is eating up the bandwidth.
I'm using the latest and greatest Cisco IOS 12.3.xT on a Cisco Broadband 831 router.
(it does not have the QoS included in this image... I need to get more flash to get that image. :( )
Is there any way for me to limit the max connections from a certain IP to certain ports?
example: limit max port 80 connections to 10. etc.
Or, is there a way for me to shape the traffic or give certain protocols priority?
I've seen tutorials on how to shape traffic and limit connections using a linux box... and that will be my last resort. I'd like to try to resolve this with current hardware, just modify the config, if possible.
Thanks in advance!
rate limiting NAT translation
Hi
A pity that your image does not support QoS. However, I don't know whether it would help you for your specific problem. I only used it for increasing the quality of VoIP and, hey, it worked.
However, there might be another solution, assuming you have enabled NAT ...
Cisco IOS >12.3.4T supports rate limiting NAT translation[1], with which you can limit the maximum number of "NAT ports" ( :) ) per specific host or even access control list. One interesting feature of it is the detection of viruses/worms, which tend to spread themselves around, opening many connections.
So you could try to restrict the max number of NAT entries to 8 for a specific host (not so nice):
    ip nat translation max-entries host 192.168.1.xxx 8
or, maybe better, limit it for a specific access control list. For example: the access-list 100 will be limited to 4 concurrent connections:
    ip nat translation max-entries list 100 4
That access control list could look like
    ...
    access-list 100 permit tcp host 192.168.1.xxx any eq 80
    ...
or something more appropriate.
Cheers
/edit: here it is
[1] http://www.cisco.com/en/US/products/...0801d09f0.html
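Before choosing a value for `ip nat translation max-entries`, it helps to know how many dynamic translations each inside host actually holds. The script below is an added example, not code from the thread: it parses the row format of `show ip nat translations` (a constructed sample is embedded; addresses are from documentation ranges), counts entries per inside host and per destination port, and flags hosts above a chosen limit.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of `show ip nat translations` output (not from the
# original post). 192.168.1.10 holds four TCP translations, three of them
# to port 80; 192.168.1.20 holds one game (UDP) and one web translation.
SAMPLE_OUTPUT = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 203.0.113.5:1025   192.168.1.10:1025  198.51.100.7:80    198.51.100.7:80
tcp 203.0.113.5:1026   192.168.1.10:1026  198.51.100.7:80    198.51.100.7:80
tcp 203.0.113.5:1027   192.168.1.10:1027  198.51.100.8:80    198.51.100.8:80
tcp 203.0.113.5:1028   192.168.1.10:1028  198.51.100.9:443   198.51.100.9:443
udp 203.0.113.5:5000   192.168.1.20:5000  198.51.100.50:27015 198.51.100.50:27015
tcp 203.0.113.5:1029   192.168.1.20:1029  198.51.100.7:80    198.51.100.7:80
"""

# One dynamic entry: protocol, inside global, inside local, outside local,
# outside global. The header line and static "---" entries do not match.
ROW_RE = re.compile(
    r"^(?P<proto>tcp|udp|icmp)\s+"
    r"(?P<ig>\S+)\s+(?P<il>\S+)\s+(?P<ol>\S+)\s+(?P<og>\S+)\s*$"
)


def parse_translations(output):
    """Yield (protocol, inside-local host, outside-global port) per entry."""
    for line in output.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        il_host = m.group("il").rsplit(":", 1)[0]
        og = m.group("og")
        og_port = int(og.rsplit(":", 1)[1]) if ":" in og else None
        yield m.group("proto"), il_host, og_port


def translations_per_host(output):
    """Total dynamic translations held by each inside host."""
    counts = Counter(host for _, host, _ in parse_translations(output))
    return dict(counts)


def translations_per_host_port(output):
    """Per-host breakdown by (protocol, destination port), e.g. ('tcp', 80)."""
    counts = defaultdict(Counter)
    for proto, host, port in parse_translations(output):
        counts[host][(proto, port)] += 1
    return {host: dict(c) for host, c in counts.items()}


def hosts_over_limit(output, limit):
    """Inside hosts whose entry count exceeds the value you would configure
    with `ip nat translation max-entries host <ip> <limit>`."""
    return sorted(h for h, n in translations_per_host(output).items() if n > limit)
```

Run it against a pasted copy of the real command output to see which host would be throttled by a given max-entries value before applying it.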