Can IPS deploy traffic rate limiting policy to switch or router?

Hello,
I have a quick question: can IPS deploy traffic rate limiting policy to Cisco switch or router?
As we know, an IPS sensor can throttle suspicious traffic instead of blocking it; not sure if the IPS can send the throttle policy to a Cisco switch or router.
Thanks,
-Alejin

Please find the following on what the IPS can do in terms of rate limiting (it also includes which signature and which routers, what to configure and what not to configure, etc):
http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_blocking.html#wp2005501
The above is on IPS version 7.x.
Hope that helps.

Similar Messages

  • How can I deploy EFS using Group Policy and automatically encrypt computers for ALL users who login?

    How can I deploy EFS using Group Policy and Active Directory with a goal to automatically encrypt computers for ALL users who login? (NOT an option for me to use BitLocker)
    I was asked to deploy EFS to encrypt the user my documents folder and profile on all of the users laptops. The laptops are in common areas (board meeting rooms, etc) and security of files is a must.
    I successfully created a recovery certificate in AD. I created an OU and set up an EFS policy, and users can now log in and select to encrypt their own files. The issue is that management would like ALL users' My Documents to be encrypted AUTOMATICALLY when a user logs in.
    Can this be done?
    Please help

    Hi,
    Any update?
    Just checking in to see if the suggestions were helpful. Please let us know if you would like further assistance.
    Best Regards,
    Andy Qi
    TechNet Subscriber Support
    If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
    Andy Qi
    TechNet Community Support

  • Bandwidth rate-limiting on 3550-12T, G and 48 switches

    Hi folks,
    I'd like to nail down the raw bandwidth on my switchports to divide a 9 Mbit/s uplink between two client groups of 6 & 3 Mbit/s respectively ("ring-fencing"). IOS is currently 12.1(14)EA1a and doesn't offer "rate-limit" on the interface in config mode. So: (a) can it be easily done on this platform with an IOS upgrade? or (b) do I need new hardware? I note that the 3750s don't support this command in hardware (yet?).
    Any help will be appreciated.
    Regards,
    Andy.

    Hello Andy,
    You should be able to restrict the bandwidth per port and/or per port/per VLAN on the Catalyst 3550. You are correct, there is no rate-limit command on the Catalyst. This is a legacy command used to restrict traffic rates. Routers and switches have now implemented this policing feature using the police command. There is a possibility you can gain further feature enhancements with IOS upgrades, but you should also be able to achieve your end result with your current IOS release.
    I point you to the following two Cisco documents for the details:
    Config Guide:
    http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12114ea1/3550scg/swqos.htm
    and
    Tech Note:
    http://www.cisco.com/en/US/partner/products/hw/switches/ps646/products_tech_note09186a00800feff5.shtml#monitor
    I hope this helps to answer your question.
    Regards,
    Bill

  • Policy-map based rate-limiting per vlan

    Hi
    I was thinking if someone could help me to come up with solution to a problem. Scenario as follow:
    I have a trunk interface with multiple vlans on:
    interface GigabitEthernet2/0/3
    description TRUNK-to-*********
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 415,416,610,1191-1193,1195
    switchport mode trunk
    duplex full
    storm-control broadcast level pps 1k
    storm-control multicast level pps 3k
    storm-control unicast level pps 250k
    storm-control action trap
    spanning-tree portfast trunk
    spanning-tree bpdufilter enable
    I'm trying to rate limit two of the vlans that are present on this trunk interface - vlan 415 and vlan 1192.
    So I'm putting the class-map (to be later applied under the policy-map which is not significant here):
    (config)#class-map match-any 120-mbps-class
    (config-cmap)#match input-interface vlan 415
    (config-cmap)#match input-interface vlan 1192
    Now, when you show the class-map I created, I can see this:
    sh class-map 120-mbps-class
    Class Map match-any 120-mbps-class (id 1)
       Match input-interface  Vlan415
       Match input-interface  FastEthernet0
    For some bizarre reason the class-map is matching Fa0. I have researched this, and this is most probably because you can only match 1 VLAN instance under the class-map.
    And here's my problem - I can't police whole interface as the other vlans should not be policed - how can I police those two vlans ?
    Any thoughts ? All help appreciated as always.
    Rob.

    Hi Daniel,
    I have labbed it and unfortunately it does not work as expected. I have put a trunk between 1x 3750 and 1x 2960; each box had an access port for a laptop to create some traffic across. All VLAN-based QoS has been applied on the 3750G.
    3750G config
    Interface g1/0/20
    description trunk
    switchport trunk encapsulation dot1q
    switchport mode trunk
    switchport trunk allowed vlan 100,120
    Interface g1/0/1
    description access
    switchport mode access
    switchport access vlan 100
    Interface vlan 100
    ip address 192.168.100.254
    service-policy input PARENT-POLICER
    Interface vlan 120
    ip address 10.10.10.1
    Policy-map PARENT-POLICER
    class PERMIT-ANY-CLASS
    trust COS
    service-policy CHILD-POLICER
    class-map match-any PERMIT-ANY-CLASS
    match access-group name POLICY-LIST
    Extended IP access list POLICY-LIST
        10 permit ip any any
    Policy-map CHILD-POLICER
    class INTERFACE-POLICE-CLASS
      police 100000 8000 exceed-action drop
    Class Map match-any INTERFACE-POLICE-CLASS
    Match input-interface  GigabitEthernet1/0/20
    2960 config:
    interface g0/20
    switchport mode trunk
    switchport trunk allowed vlan 100,120
    interface g0/1
    switchport mode access
    switchport access vlan 100
    interface vlan 100
    ip address 192.168.100.253
    interface vlan 120
    ip address 10.10.10.2
    So as you can see, VLAN 100 is the one that needs to be rate limited (I have only rate limited to 100 kbps just to see if it's working) and VLAN 120 is only on the trunk ports to confirm that the traffic for this one is not affected.
    Unfortunately, when the policing is applied on the 3750 VLAN 100 (and policing is working fine) I can see packet loss while pinging between switches on VLAN 120, suggesting that the policy is affecting the other VLAN as well. When I take the policy out of VLAN 100 I cannot observe the packet loss on VLAN 120, meaning it is no longer affected.
    Not sure if I have explained this clear enough so far, if not let me know.
    Do you have any suggestions ?
    Thanks!

  • Can we deploy Antimalware Policy Operations Manager 2007 to Operations Manager 2012?

    Can we deploy Antimalware Policy Operations Manager 2007 to Operations Manager 2012?

    Hi,
    Yes, you can check; you can update it to match the information here:
    http://blogs.technet.com/b/manageabilityguys/archive/2013/11/26/system-center-2012-r2-operations-manager-anti-virus-exclusions.aspx
    Regards,
    Jörgen
    -- My System Center blog ccmexec.com -- Twitter
    @ccmexec

  • WLC - Rate-limiting with QoS Roles

    We have a large number of locations that we would like to deploy the 2100 series wireless controllers. Among other things, we would like to provide generic rate-limiting to all users(per-user bandwidth limits). This is a hospitality guest access environment and content filtering is really not a concern. We would, however, like to prevent one or a few users from saturating the circuit at the expense of other users. It looks like the WLCs can handle this with a QoS Profile assigned to the guest wlan and bandwidth-limiting QoS Roles applied to each user. The issue we may run into is web-authentication needs to be disabled. There is another device on these locations that will be providing those services.
    Is it possible to apply a QoS Role by default to all users who associate to a controller without authentication? Also, if anyone has attempted this design model I would greatly appreciate some input on any unexpected or undesirable results you may have noticed.
    I appreciate everyone's help.

    Thanks so much for such a quick response. I may be misunderstanding some of the documentation and would really appreciate some clarity. I am understanding a QoS Profile to be applied to one or more WLANs and all user traffic from clients of those WLANs will fall under the qos policy as a group(bandwidth limitations would be applied to all of the user traffic combined). For example, a profile capping downstream bandwidth at 1544kbps would limit all user traffic from all of the clients associated to that ssid at 1544kbps. If we were to assume some degree of fair bandwidth distribution and there are 10 users receiving traffic at a given time, then each user would receive no more than 154.4kbps. Or, are QoS Profiles actual templates that are applied to each user that associates to that ssid? For instance, if we consider a profile capping 1544kbps downstream applied to a WLAN with 10 users associated. Each user would be able to download up to 1544kbps and the full bandwidth usage for that WLAN would be 15440kbps.
    Thanks again for your help.

  • Traffic shaping/limiting 3560

    How can I shape/limit the interface of a Cisco 3560 not to allow more than
    8 Mbit of outgoing and incoming traffic?
    Will something like this work:
    class-map match-all any
    match ip dscp default
    policy-map 8mbps
    class any
    police 8388500 8000 exceed-action drop
    interface FastEthernet0/13
    switchport access vlan 940
    switchport mode access
    service-policy input 8mbps
    srr-queue bandwidth shape 12 12 12 12
    Jo Christian Buvarp

    Hi,
    your input config is OK and will limit traffic to 8 Mbps. On the output side, traffic is sorted into 4 queues. With shaped output, which you configured, each of the queues will be limited to 1/12 = approx. 8 Mbps. This will give you a total of up to 24 Mbps on output depending on how you sort traffic into the 4 queues.
    If you can make sure all traffic is marked as "default", this should give you the desired result. You can also assign traffic to queues following
    http://www.cisco.com/en/US/products/hw/switches/ps5528/products_configuration_guide_chapter09186a00801e85dd.html#1163863
    with the command
    mls qos srr-queue output dscp-map queue queue-id threshold threshold-id dscp1...dscp8
    Hope this helps! Please rate all posts.
    Regards, Martin

  • Rate Limiting - Will Content Engine 590 solve my problem?

    We have a Cache Engine 550 deployed in our network which is great for reducing traffic on the Link to the Internet, however I have now run into a little problem with the device as we are now trying to implement Bandwidth Shaping using the existing Cisco infrastructure and thus the Cisco IOS.
    One of the IOS features concerned is Committed Access Rate (CAR).
    We would like to do some traffic shaping according to certain IP Protocols such as FTP, HTTP as well as rate limiting certain of our customers (IP Blocks) so that they don’t saturate the Serial link to our ISP.
    The problem we have is that the Cache Engine 550 replaces the original requestors IP with its own as it (the CE) now takes over as the requestor to the Internet – thus we have all HTTP traffic via our ISP having the source as that of the Cache Engine.
    Due to this we cannot “Rate-Limit” a particular customer (IP range).
    Question-------
    Does the Content Engine 590 (ACNS, ICDN) enable me to complete my task and control the Serial connection the way I would like to?
    Can I do a sort of “IP Spoofing” so that the original IP is still in place, but the Content Engine still does its job of Caching?
    I have already looked at the Packeteer – unfortunately it only has Ethernet ports.
    The WiseWan 401 with HSSI port looked promising, but I feel that even though it will do great shaping and graphs it will still not solve the problem of a saturated link upstream to the ISP (from the boxes point of view), I will still sit with packets being dropped and thus bandwidth wasted.
    Anyone out there with any other solution?
    Thanks in advance.
    Lutz.

    Hi,
    We have just implemented IP spoofing in version 4.2 of ACNS code. (Caching) which will only run on a 590/560/507/7320 cache.
    Version 4.2 should be available at the end of July / early August. This will solve your problem with identifying traffic to rate limit.
    Cheers
    Phil

  • Cisco firewall rate limited syslogs and MARS

    We're getting a ton of informational packets (tcp build / teardown) from firewalls here.  I can kill this at the source (drop to "notification" level, filter out the build / teardown events, etc.) but would rather not throw this stuff away (good clues in an investigation).
    I can filter this on the MARS side so rules don't fire, but that doesn't address the performance hit at the firewall, or the traffic on the network.
    I can rate limit at the firewall - if I do will MARS be able to parse this out properly - i.e if there's a rule that fires on a 100 count for example, and a firewall that's set to rate limit a certain event to, say, every 200 instances of the event, and single syslog shows up at MARS with rate limited information in the packet, will the MARS rule fire?
    hope this makes sense - thanks

    What kind of firewall are you running?  ASA?  FWSM?  Something else?
    If you're running an ASA, the ideal solution would be to implement Netflow Secure Event Logging (NSEL).  This feature uses Netflow v9 to handle security event logging along with traffic flow data.  Using NSEL can provide performance improvements over syslog, both on the ASA, and on your network. 
    Part of the configuration process includes a command to disable the redundant syslog types already handled by NSEL.  Many of those are the same types of logs you mentioned (buildups/teardowns, etc).  It's very simple to configure - you can read more about it here, in the ASA 8.2 CLI Configuration Guide:
    Configuring Network Secure Event Logging (NSEL)
    If you're running a FWSM, the same option isn't available.  Instead, you might want to reconsider disabling some of the log types that aren't really providing much benefit relative to the load.  In fact, Cisco themselves recommend disabling some of the more unimportant (but frequent) log types.
    From the "Cisco SIEM Deployment Guide", one of the "Smart Business Architecture" design guides (emphasis mine):
    At logging level Informational, Cisco recommends disabling the following messages, as they are of little interest for SIEM analysis:
    305010: The address translation slot was deleted
    305011: A TCP, UDP, or ICMP address translation slot was created
    305012: The address translation slot was deleted
    To disable these messages, use the following configuration commands:
    no logging message 305010
    no logging message 305011
    no logging message 305012
    For more aggressive tuning, you may also consider disabling the following messages:
    302014: A TCP connection between two hosts was deleted
    302016: A UDP connection slot between two hosts was deleted
    If dynamic Network Address Translation (NAT) is not configured on the appliance, message 302013 (for TCP connection slot creation) can also be disabled.
    So, that's at least 6 possible log types that can be disabled with no impact: 302013, 302014, 302016, 305010, 305011, and 305012.  And that's straight from Cisco's own documentation.
    Now, to expand on that ...
    - if 302016 (UDP teardown) can be disabled, why not 302015 (UDP create)?
    - similarly, what about 302020 and 302021 (ICMP)? Disable those as well?
    Final list:
    302013
    302014
    302015
    302016
    302020
    302021
    305010
    305011
    305012
    In the end, though, only you can determine which options are acceptable for your environment.
    Note: all 3020xx log types listed are disabled automatically during the NSEL configuration process.
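The trade-off the answer above describes, cutting connection build/teardown volume while keeping the deny and anomaly events an investigation needs, can be checked before touching the firewall. The following is an added example, not code from the thread or from Cisco: it takes a constructed batch of ASA-style syslog lines (documentation addresses, message texts paraphrased from the ASA syslog format), applies the answer's final list of nine message IDs, and reports what would be dropped, what survives, and the equivalent `no logging message` lines. The sample lines and the helper names (`filter_syslog`, `volume_by_id`, `as_config`) are this example's own.

```python
import re
from collections import Counter

# Constructed sample of ASA syslog lines (RFC 5737 documentation addresses).
# These are illustrative lines in the %ASA-<severity>-<id>: format, not captures from a device.
SAMPLE_SYSLOG = """\
%ASA-6-302013: Built outbound TCP connection 48211 for outside:203.0.113.10/443 (203.0.113.10/443) to inside:192.0.2.5/51234 (192.0.2.5/51234)
%ASA-6-305011: Built dynamic TCP translation from inside:192.0.2.5/51234 to outside:198.51.100.1/1025
%ASA-6-302014: Teardown TCP connection 48211 for outside:203.0.113.10/443 to inside:192.0.2.5/51234 duration 0:00:02 bytes 8841 TCP FINs
%ASA-6-305012: Teardown dynamic TCP translation from inside:192.0.2.5/51234 to outside:198.51.100.1/1025 duration 0:00:30
%ASA-6-302015: Built outbound UDP connection 48212 for outside:203.0.113.53/53 (203.0.113.53/53) to inside:192.0.2.5/40001 (192.0.2.5/40001)
%ASA-6-302016: Teardown UDP connection 48212 for outside:203.0.113.53/53 to inside:192.0.2.5/40001 duration 0:00:00 bytes 120
%ASA-6-302020: Built outbound ICMP connection for faddr 203.0.113.10/0 gaddr 198.51.100.1/1 laddr 192.0.2.5/1
%ASA-6-302021: Teardown ICMP connection for faddr 203.0.113.10/0 gaddr 198.51.100.1/1 laddr 192.0.2.5/1
%ASA-4-106023: Deny tcp src outside:198.51.100.7/4444 dst inside:192.0.2.5/22 by access-group "outside_access_in" [0x0, 0x0]
%ASA-6-106015: Deny TCP (no connection) from 198.51.100.7/4444 to 192.0.2.5/22 flags RST on interface outside
%ASA-4-313005: No matching connection for ICMP error message: icmp src outside:203.0.113.99 dst inside:192.0.2.5 (type 3, code 3)
"""

# The "final list" from the answer: build/teardown and translation-slot messages.
FINAL_LIST = {"302013", "302014", "302015", "302016", "302020", "302021",
              "305010", "305011", "305012"}

# Severity and six-digit message ID as emitted by the ASA syslog format.
MSG_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>\d{6}):")


def message_id(line):
    """Return the six-digit ASA message ID of a syslog line, or None if absent."""
    m = MSG_RE.search(line)
    return m.group("id") if m else None


def as_config(disabled):
    """Render the suppression list as the ASA 'no logging message' commands."""
    return ["no logging message " + mid for mid in sorted(disabled)]


def filter_syslog(lines, disabled):
    """Split lines into (kept, dropped) as the firewall would after suppression."""
    kept, dropped = [], []
    for line in lines:
        if not line.strip():
            continue
        (dropped if message_id(line) in disabled else kept).append(line)
    return kept, dropped


def volume_by_id(lines):
    """Count messages per ID; useful for deciding which IDs dominate the feed."""
    return Counter(message_id(l) for l in lines if l.strip())


if __name__ == "__main__":
    kept, dropped = filter_syslog(SAMPLE_SYSLOG.splitlines(), FINAL_LIST)
    print("dropped %d of %d lines" % (len(dropped), len(kept) + len(dropped)))
    for line in kept:
        print("KEEP", line[:60])
    print("\n".join(as_config(FINAL_LIST)))
```

Running `volume_by_id` over a real hour of exported syslog (rather than the constructed sample) shows how much of the feed the nine IDs account for, and `filter_syslog` confirms that access-group denies (106023), out-of-state TCP (106015) and ICMP anomalies (313005) are untouched. Any SIEM count-based rule is only as good as the events that reach it, so suppressing by message ID at the source, where the surviving IDs are known, is easier to reason about than a per-message rate limit that delivers one summarised event per N occurrences.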

  • Cisco 2950 rate limiting

    Good evening I must limit the rate bandwidth of a host plugged on my Fastethernet.
    In my lab configuration I try, in conjunction, the commands class-map and policy-map and an access-list that matches my interesting traffic, as follows:
    class-map match-all CM5
    match access-group name maclist1
    policy-map PM5
    class CM5
    police 50000000 4096 exceed-action drop
    mac access-list extended maclist1
    permit any any
    This is the output of my #sh int
    5 minute input rate 5577000 bits/sec, 442 packets/sec
    5 minute output rate 247000 bits/sec, 388 packets/sec
    Has anyone tried limiting the bandwidth on the 2950 switch with IOS Version 12.1(22)E3?
    Can anyone tell me the right parameters of the policy-map to limit the rate to 15 or 20 Mbps?
    Any information that you can send me are welcomed.
    Best Regards
    Davide

    police 50000000 4096 exceed-action drop is policing at 50 Mbps. You want 15 Mbps. Also, you will not see drops until the ingress traffic rate on that port exceeds 50 Mbps. Even though the input rate output is at a 5 min interval, which would not really give you an accurate idea of how much traffic is ingressing, I doubt that the traffic is exceeding the policed value. In testing this also, you need to make sure that the upload is coming from the PC where the policed ingress is configured since the police is only supported in ingress. What that basically means is if you FTP/download from the PC with the police you will find that the download speed is still well above the policed rate; that's because the download from this PC's perspective is an egress rate. Just something to think about when policing on ingress. This platform does not support egress policing.
    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/12122ea5/2950scg/swqos.htm#wp1025402
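Both the 3560 thread above (`police 8388500 8000 exceed-action drop`) and this 2950 thread come down to the same question: what does a single-rate policer with a given rate and burst actually let through? The following is an added example, not the switch's implementation and not code from either thread: a token-bucket model of `police <bits/s> <burst-bytes> exceed-action drop`, applied to constant-rate flows constructed here. It reproduces the answer's point that a 5.6 Mbps flow never touches a 50 Mbps policer, and shows what a 15 Mbps policer does to a 20 Mbps flow. The class and function names (`Policer`, `policer_from_command`, `run_flow`) and the refill-on-arrival timing are this example's own simplifications; real hardware uses its own token granularity and, as the answer notes, only polices ingress on this platform.

```python
class Policer:
    """Single-rate token bucket: tokens are bytes, refilled at rate_bps/8 per second,
    capped at burst_bytes. A packet conforms if the bucket holds at least its size;
    otherwise it is the 'exceed' packet and, with exceed-action drop, is discarded."""

    def __init__(self, rate_bps, burst_bytes):
        self.rate_bps = rate_bps            # first argument of 'police'
        self.burst_bytes = burst_bytes      # second argument of 'police'
        self.tokens = float(burst_bytes)    # bucket starts full
        self.last_t = 0.0

    def offer(self, t, size_bytes):
        """Offer a packet of size_bytes arriving at time t (seconds); True = conform."""
        refill = (t - self.last_t) * self.rate_bps / 8.0   # bits/s -> bytes
        self.tokens = min(float(self.burst_bytes), self.tokens + refill)
        self.last_t = t
        if size_bytes <= self.tokens:
            self.tokens -= size_bytes
            return True
        return False   # exceed-action drop


def policer_from_command(line):
    """Build a Policer from an IOS 'police <rate> <burst> exceed-action drop' line."""
    tok = line.split()
    if len(tok) < 3 or tok[0] != "police":
        raise ValueError("not a police command: %r" % line)
    return Policer(int(tok[1]), int(tok[2]))


def run_flow(policer, offered_bps, pkt_bytes=1500, seconds=2.0):
    """Offer a constant-rate flow of fixed-size packets (constructed traffic) and
    return (conform_bytes, drop_bytes, delivered_bps)."""
    interval = pkt_bytes * 8.0 / offered_bps      # seconds between packets
    count = int(seconds / interval)
    conform = drop = 0
    for i in range(count):
        if policer.offer(i * interval, pkt_bytes):
            conform += pkt_bytes
        else:
            drop += pkt_bytes
    return conform, drop, conform * 8.0 / seconds


if __name__ == "__main__":
    # The poster's config: 50 Mbps policer against the ~5.6 Mbps seen in 'show interface'.
    p = policer_from_command("police 50000000 4096 exceed-action drop")
    print("50 Mbps policer, 5.577 Mbps offered:", run_flow(p, 5_577_000))
    # The rate the poster wanted: 15 Mbps, tested against a 20 Mbps flow.
    print("15 Mbps policer, 20 Mbps offered:", run_flow(Policer(15_000_000, 4096), 20_000_000))
    # The 3560 thread's policer against a 10 Mbps flow.
    print("8388500 bps policer, 10 Mbps offered:", run_flow(Policer(8_388_500, 8_000), 10_000_000))
```

The delivered rate converges on the configured rate plus a one-off allowance of `burst_bytes` at the start, which is why a small burst like 4096 bytes makes the policer bite almost immediately while a larger burst lets short spikes through. The model also makes the 'no drops until you exceed the rate' observation concrete: the 50 Mbps bucket refills faster than a 5.6 Mbps flow can drain it, so every packet conforms.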

  • ASA5505 Can't pass traffic between inside (private) & outside (private)

    10.15.50.0/24 <---> 10.15.50.254 (inside / ASA5505 \ outside) 10.60.15.253 <---> 10.60.15.254 <--- (cloud) ---> (eventual destination 10.15.60.0/24)
    Goal:
    10.15.50.0/24 traffic will communicate with 10.15.60.0/24 while block all other.  Current config is any/any for troubleshooting.
    Example:
    10.15.50.249 pings 10.60.15.253 (inside of ASA) and fails.  Running it thru ASDM Packet Tracer shows the Outside ASA interface blocking but I have any/any on that interface.
    Question:
    What am I doing wrong?
    : Saved
    ASA Version 8.2(5)
    hostname SJ-HostB-ASA
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 10.15.50.254 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 10.60.15.253 255.255.255.252
    boot system disk0:/asa825-k8.bin
    ftp mode passive
    dns domain-lookup inside
    dns domain-lookup outside
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    access-list outside_access_in extended permit ip any any
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-645.bin
    no asdm history enable
    arp timeout 14400
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 10.60.15.254 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication enable console LOCAL
    aaa authentication http console LOCAL
    aaa authentication serial console LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication telnet console LOCAL
    aaa authorization command LOCAL
    aaa authorization exec LOCAL
    http server enable
    http 0.0.0.0 0.0.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    no sysopt connection permit-vpn
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto isakmp policy 1
    authentication pre-share
    encryption aes-256
    hash sha
    group 1
    lifetime 86400
    telnet 0.0.0.0 0.0.0.0 inside
    telnet timeout 30
    ssh 0.0.0.0 0.0.0.0 inside
    ssh timeout 30
    console timeout 30
    management-access inside
    threat-detection basic-threat
    threat-detection statistics access-list
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    ntp server 10.15.50.243 source inside
    webvpn
    group-policy DfltGrpPolicy attributes
    vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http
      destination address email
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    : end
    asdm image disk0:/asdm-645.bin
    no asdm history enable

    Hi,
    You can only PING / ICMP an ASA interface from behind that same interface.
    So users behind "inside" can PING / ICMP the "inside" interface IP address and users behind "outside" can PING / ICMP the "outside" interface IP address. Users can't PING / ICMP the remote interface from their perspective. The only exception is when users are coming through a VPN connection and you use the "management-access" command. But this doesn't apply to your situation.
    You seem to be simulating an ICMP send from behind "inside" to the "outside" interface IP address if what you say is true.
    So attempt the Packet Tracer using some remote network IP address in the 10.15.60.0/24 network.
    You don't seem to have "nat-control" enabled, so all traffic should be able to pass through the ASA without translation. So NAT shouldn't be a problem.
    You can also add the following configurations
    policy-map global_policy
    class inspection_default
      inspect icmp
      inspect icmp error
    - Jouni

  • Rate limiting on Catalyst 2950T switches

    Hi,
    I would like to allow some users full access to internal servers, but only provide them with 2 Mbps access to the Internet. As far as I understand I cannot use the deny statement when defining the access-list for the class-map and therefore I am asking for your help. (The config below work well for rate-limiting all traffic, but I would need full access for traffic matching access-list 111):
    access-list 111 remark [ Traffic not to be rate limited ]
    access-list 111 permit ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255
    access-list 112 remark [ Traffic to be rate limited ]
    access-list 112 permit ip 10.0.0.0 0.255.255.255 any
    class-map match-all Internet-Class
    match access-group 112
    policy-map Internet
    description [ Rate limit Internet access ]
    class Internet-Class
    police 2000000 65536 exceed-action drop
    interface FastEthernet0/1
    service-policy input Internet
    interface FastEthernet0/24
    service-policy input Internet
    Any help would be very appreciated!
    Regards,
    Harald

    Thanks again for the reply!
    My "working" configuration is as follows:
    access-list 111 remark [ Traffic not to be rate limited ]
    access-list 111 permit ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255
    access-list 112 remark [ Traffic to be rate limited ]
    access-list 112 permit ip 10.0.0.0 0.255.255.255 172.16.0.0 0.0.255.255
    class-map match-all Local-Class
    match access-group 111
    class-map match-all Internet-Class
    match access-group 112
    policy-map Internet-Policy
    description [ Rate limit Internet access ]
    class Internet-Class
    police 2000000 65536 exceed-action drop
    class Local-Class
    police 98000000 65536
    interface FastEthernet0/1
    description [ Local LAN facing interface ]
    service-policy input Internet-Policy
    interface FastEthernet0/24
    description [ Internet facing interface ]
    service-policy input Internet-Policy
    However, I would like to change "172.16.0.0 0.0.255.255" in access-list 112 to "any" since it should apply to all Internet traffic. If I try to do that I get the mask error I previously mentioned.
    Regards,
    Harald
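The difficulty in this thread is that the exemption has to be expressed with permit-only ACLs, so it comes down to class ordering inside the policy-map: a policy-map hands each packet to the first class whose ACL permits it. The following is an added example, not code from the thread or from IOS: it parses the poster's ACL entries (Cisco wildcard-mask semantics, `any` allowed on either side), evaluates them with first-match and implicit-deny ACL rules, and then classifies sample flows against an ordered list of classes. It models only the generic MQC first-match behaviour; it does not model the Catalyst 2950 mask restriction that produced the poster's error, so whether `any` is accepted on that platform is exactly the open question above. Function names (`parse_ace`, `acl_permits`, `classify`) and the sample flows are this example's own.

```python
def ip_to_int(s):
    """Dotted-quad string to 32-bit integer."""
    a, b, c, d = (int(x) for x in s.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return (ip_to_int(addr) & care) == (ip_to_int(base) & care)


def parse_ace(text):
    """Parse '<permit|deny> ip <src> <wc> <dst> <wc>'; 'any' stands for 0.0.0.0 255.255.255.255."""
    tok = text.split()
    action = tok[0]
    if action not in ("permit", "deny") or tok[1] != "ip":
        raise ValueError("unsupported ACE: %r" % text)
    rest = tok[2:]

    def take():
        if rest[0] == "any":
            del rest[0]
            return ("0.0.0.0", "255.255.255.255")
        base, wc = rest[0], rest[1]
        del rest[:2]
        return (base, wc)

    src = take()
    dst = take()
    return (action, src, dst)


def acl_permits(aces, src, dst):
    """First matching entry decides; no match is the implicit deny.
    A deny entry therefore means 'this ACL does not classify the packet'."""
    for action, (sb, sw), (db, dw) in aces:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action == "permit"
    return False


def classify(policy, src, dst):
    """policy is an ordered list of (class_name, aces); first permitting class wins."""
    for class_name, aces in policy:
        if acl_permits(aces, src, dst):
            return class_name
    return "class-default"


# The poster's ACL 111 (exempt) and the 'any' form of ACL 112 they want to use.
ACL_111 = [parse_ace("permit ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255")]
ACL_112_ANY = [parse_ace("permit ip 10.0.0.0 0.255.255.255 any")]

# Exempt class first, policed class second.
POLICY_LOCAL_FIRST = [("Local-Class", ACL_111), ("Internet-Class", ACL_112_ANY)]
# Same classes in the opposite order.
POLICY_INTERNET_FIRST = [("Internet-Class", ACL_112_ANY), ("Local-Class", ACL_111)]


if __name__ == "__main__":
    # Constructed sample flows: an internal server, an Internet host, a non-10/8 source.
    for src, dst in [("10.1.1.1", "192.168.5.5"), ("10.1.1.1", "203.0.113.9"), ("172.16.0.1", "203.0.113.9")]:
        print(src, "->", dst,
              "| local-first:", classify(POLICY_LOCAL_FIRST, src, dst),
              "| internet-first:", classify(POLICY_INTERNET_FIRST, src, dst))
```

With the exempt class listed first, traffic to the 192.168.0.0/16 servers lands in Local-Class and never reaches the policed class even though ACL 112 with `any` would also permit it; with the order reversed, the same flow is policed. If the platform accepts `any` in the QoS ACL, that ordering is the whole trick; if it does not, the workaround the poster already has, enumerating the destination ranges in ACL 112, is the only form this model can express.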

  • Deploying Printers With Group Policy Preferences

    Ok so I know this is an old topic but I need to clarify my position a bit here to best decide how to deploy printers to our organization.
    We currently have about 600 printers on a Server 2012 R2 print server and we have 25 buildings. For several years we have deployed printers in GPO the old-fashioned way - user Deployed Printers. There have always been problems with this stemming
    from issues with multiple print driver installs on the client computers. That aside, the philosophy works out pretty well. We have NTFS permissions on the print queues that handle who can print to what. GPOs are linked to the staff OUs for each building that
    actually deploy the printers. This means that you have to have the GPO for a building and also have to have permission to the printer in order for it to actually install. When a user is removed from a particular building group then at next policy refresh the
    printers granted to that group go away. This is good.
    Based on the way that preferences work I think that they could solve our problems with occasional failed driver installs, but I can't find a way to reproduce the behavior I described above. If I use create, a user can be deployed a printer but if permission
    to that printer is removed then the printer stays behind and they get an access denied error when they attempt to print to it. Same with Update. Replace sort of mimics the desired behavior but deletes and recreates the printer every time policy refreshes.
    This wouldn't be a deal-breaker at logon, but it even happens while a user is logged in and policy updates in the background. They could potentially be attempting to print something and the printer will just disappear momentarily.
    Is there something else I am missing here that I can configure in order to take advantage of GPP printer deployments in our environment? Thanks!

    Hi Matt,
    As far as I know, if we choose to use the GPP Printer extension to deploy printers, the printers will be left behind even if the policy is out of scope, unless we select the above-mentioned option or delete the printers.
    >>There have always been problems with this stemming from issues with multiple print driver installs on the client computers.
    To tackle this issue, had we disabled the following policy setting?
    Computer Configuration\Policies\Administrative Templates\Printers : Point and Print Restrictions
    If not, we can disable this setting, which will disable driver installation warning messages and elevation prompts on computers.
    Regarding this policy setting, the following article can be referred to for more information.
    Control Printer Driver Installation Security
    http://technet.microsoft.com/en-us/library/cc753269.aspx
    TechNet Subscriber Support
    If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here
    Best regards,
    Frank Shen
    Frank,
    Sorry for the delay, I recently had another issue take precedence over this one so didn't have much time to mull this over or test.
    We currently have policy set to enable Point and Print restrictions, but allow driver installation from our print server. This should effectively be the same as what you have recommended.
    I believe our driver installation issues have more to do with the large number of different printer models and sometimes the sheer number of printers that can be installed for each user. These are things that we have culturally always been there and probably
    won't change. What happens is that when a printer deployment fails no other printers will be installed after that one. The reason is that starting with Windows 7 the printer deployment policy will only be re-evaluated if changes to the policy are detected.
    So if a user is deployed 50 printers and one in the middle of the deployments fails, everything after that alphabetically fails and it doesn't retry until the GPO changes.
    So far from my limited testing GPP printers gets around this since each printer is essentially a separate object and installation of one does not seem to affect the others. However, I don't like the idea that there is no way to replicate the behavior we
    currently have which is to remove printers when the GPO is no longer applied. I may convince the powers that be that we need to change our philosophy about this and train our users to remove printers after they have changed buildings or positions, but for
    now I think we will stick with traditional printer GPOs rather than using GPP.
    Thanks for your help!

  • Current outbound rate limiting capabilities

    Hello All,
    I have recently reviewed this thread from back in January-March: https://supportforums.cisco.com/thread/2002325?tstart=60 . I have been facing the same predicament described by people in this thread. That being, end user machines get compromised and then send out large volumes of spam via legitimate accounts on our servers. In our cases, the outbound from addresses have all been the actual user address. The end user environment is Active Directory & Exchange.
    If I cannot rate limit based on a sender address, then I am wondering if the 370D model would allow me to somehow define virtual gateways which would correspond to users found within a specific portion of my Active Directory environment.  For example, if all sales dept. staff were within a single AD OU, could I create a virtual gateway that corresponds to just these people and have that gateway set with different rate limits than another gateway which corresponds to a different group of users?
    Lastly, is it possible with any of the appliance models to define specific outbound rate limits for recipient domains?  For example, messages destined for hotmail.com would have a different rate limit than messages destined for gmail.com.  Would this functionality work with mixed recipient domains in the To: field?
    Thanks,

    Yes, you can define an outgoing mail policy or outgoing content filter based on the sender's LDAP group (e.g. CN=West,OU=Sales,....) and then use the filter action "Deliver from IP interface" to choose to deliver the emails from the selected IP interface.
    You can define a delivery rate limit based on destination domain under 'Mail Policies' - 'Destination Controls'.
    I recommend enabling anti-spam scanning for outgoing emails. You can add a custom header if the message is positively-identified spam. Then you can use an outgoing content filter action to redirect spam to be delivered from another IP interface or another mail host if the outgoing message contains the custom header. This allows good and bad emails to be delivered from different IP interfaces.

  • Virtual WLC 7.5 - AP Enforced Rate Limiting

    In the vWLC 7.5 deployment guide in the enhancements section, there is a feature called "AP Enforced Rate Limiting"
    But I cannot find any information beyond that.
    Here is the guide:
    http://www.cisco.com/en/US/docs/wireless/controller/technotes/7.5/Cisco_VirtualWirelessController75.html#wp43370
    Looking at how this might be implemented.
    In particular to rate limit traffic by WLAN.
    My understanding is that the Bandwidth Contracts under the WLAN QOS settings do not apply.
    Thanks

    Rate limiting is enforced at the AP level. It is not possible to enforce rate limiting at the virtual controller level because per client downstream rate limiting is not supported for central switching WLANs when traffic is terminated at the virtual controller.
    Per client downstream rate limiting is supported if the virtual controller is a foreign controller tunneling traffic to another controller platform, for example, a Cisco 5500 Series Wireless LAN Controller.
    Table 3  Rate Limiting with Cisco Virtual Wireless LAN Controller

    Traffic                 FlexConnect Central Switching   FlexConnect Local Switching   FlexConnect Standalone
    Per client Downstream   Not Supported                   Supported                     Supported
    Per SSID Downstream     Supported                       Supported                     Supported
    Per client Upstream     Supported                       Supported                     Supported
    Per SSID Upstream       Supported                       Supported                     Supported
    Please check the guide below, which may be helpful to you:
    http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn75.html
