Cisco – How to throttle Dropbox Traffic

ciscocisco-asafirewallqosSecurity

It appears that Dropbox uses Amazon AWS for it's storage, so I am not able to just block or trottle traffic to dropbox.com

Since there are a lot of web services that rely on AmazonAWS, I cannot just block that domain.

Do you have any suggestions on how to handle dropbox traffic?

I am working from a cisco ASA, but I suspect this applies to all firewall managers

Best Answer

Update your firewall to one that knows applications (commonly called "Next Generation Firewalls" these days). Palo Alto Networks is a good example. Instead of opening your firewall to IP-based destinations, you allow the application "Dropbox" and don't care about the destination. You are also able to put some QoS on top of Dropbox. For example, you could create a QoS policy that gives Dropbox a maximum of 5 mbps bandwidth.

A lot of other Firewall vendors have come up with similar solutions to the one of Palo Alto Networks. I know that Juniper SRX and Checkpoint do it now, not sure about Cisco though. The important thing is that your firewall understands applications (on layer 7) versus just layer3/4.

Related Solutions

Cisco – How to control WAN Download Bandwith on an ASA

If you think about it for a moment, you'll realize that the congestion is happening at the far end of your WAN circuit (i.e., at your provider). Their interface is not prioritizing real-time traffic, so you are seeing poor audio and video performance. It is as if you are at the finish line of an auto race, but your team can't get out of their driveway because of all the big trucks on the highway. Unfortunately, this means that there is not a lot you can do from your end. The traffic has already been delayed by the time it gets to you.

One possibility is to use a packet shaping appliance. This will control your FTP traffic by modifying the window size in the ACK packets your ftp server sends back. If the window size is reduced, the sender will have to slow down. This of course means buying another appliance, which you may not be able to do. But there isn't much you can do on the ASA.

You could also talk with your provider -- perhaps they would be willing to add some QoS on their side (doubtful, but worth asking).

Cisco ASA – Remote Users Cannot Access Site-to-Site Tunnel

Got a response on the cisco forums that solved my problem.

you are missing NAT exempt from the IP local pool to the destination of the site to site:

access-list NAT_EXEMPT permit ip 10.0.0.0 255.255.255.0 172.17.0.0 255.255.0.0

NAT (outside) 0 access-list NAT_EXEMPT

Best Answer

Related Solutions

Cisco – How to control WAN Download Bandwith on an ASA

Cisco ASA – Remote Users Cannot Access Site-to-Site Tunnel

Related Topic