Monday, June 20, 2016

Disallow SCCM during the day

We kept having issues with Forefront updates being pushed out to clients during the day. The updates would get pushed immediately to all workstations (before the site distribution points got the update). Unfortunately, 10-20 clients pulling a modest update at the same time can still crush a T1 or other small WAN circuit.

The solution / workaround for us was to completely block communication to our SCCM system during normal production hours (ex: 7:00 AM - 6:00 PM) at the sites.

The rule looks slightly different depending on the type of hardware / circuit.  For example, a Cisco router with a T1 would look similar to this:

time-range WorkWeek
periodic weekdays 7:00 to 18:00
exit

ip access-list extended DenySCCM
deny   ip host 1.1.1.1 any time-range WorkWeek
permit ip any any
exit

interface serial0/0/0
 ip access-group DenySCCM in
exit

While a Cisco ASA might look more like this:

time-range WorkWeek
periodic weekdays 7:00 to 18:00
exit
access-list DenySCCM extended deny ip host 1.1.1.1 any time-range WorkWeek
access-list DenySCCM extended permit ip any any
access-group DenySCCM in interface inside

Network Police

The following examples show how to limit excess traffic to a set of "servers" to 500 Kbps and limit bandwidth to a particular "site" to 2 Mbps.  This is useful for throttling traffic on WAN interfaces.

1) Define the servers and the site
object-group network servers
 host 1.1.1.1
 host 1.1.1.2
 host 1.1.1.3
 host 1.1.1.4
!
object-group network site
 2.2.2.0 255.255.255.0
!

2) Define the class maps (these will correlate to the access-lists in step 3)
class-map match-any site_traffic
 match access-group 199
 match precedence 3
class-map match-any server_traffic
 match access-group 198
 match precedence 3
!

3) Define an access-list that matches both the "access-group" in step 2 and the "object-group" in step 1.
access-list 198 permit ip any object-group servers
access-list 199 permit ip any object-group site
!
4) Define the limits that you want to apply.
policy-map QoS
 class server_traffic
  police cir 500000
 class site_traffic
  police cir 2000000
!
5) Apply the policy to the interface that you wish to control.
interface FastEthernet0/1
 service-policy output QoS
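A small checker, added here and not part of the original post, that parses a minimal IOS QoS configuration and reports names that are referenced but never defined (class-maps named by a policy-map `class` line, ACLs named by `match access-group`, policies named by `service-policy`). The sample config is constructed for the demonstration and deliberately carries the easy mistake of a `class` line naming a class-map that does not exist; it is not the post's verbatim config.

```python
import re
# Constructed sample, not the post's verbatim config: the policy-map refers to
# "servers"/"site" while the class-maps are named server_traffic/site_traffic.
SAMPLE_CONFIG = """\
class-map match-any site_traffic
 match access-group 199
class-map match-any server_traffic
 match access-group 198
access-list 198 permit ip any object-group servers
access-list 199 permit ip any object-group site
policy-map QoS
 class servers
  police cir 500000
 class site
  police cir 2000000
interface FastEthernet0/1
 service-policy output QoS
"""
# Top-level blocks that define a name (kind -> pattern capturing the name).
DEFINE = {
    "class-map": re.compile(r"class-map\s+match-(?:any|all)\s+(\S+)"),
    "acl": re.compile(r"(?:ip access-list\s+(?:extended|standard)|access-list)\s+(\S+)"),
    "policy-map": re.compile(r"policy-map\s+(\S+)"),
    "interface": re.compile(r"interface\s+(\S+)"),
}
# Indented lines inside a block that reference a name of another kind.
REFER = {
    "class-map": ("acl", re.compile(r"match access-group\s+(\S+)")),
    "policy-map": ("class-map", re.compile(r"class\s+(?!class-default)(\S+)")),
    "interface": ("policy-map", re.compile(r"service-policy\s+(?:input|output)\s+(\S+)")),
}

def dangling_references(config):
    """Return (kind, name, where) for each reference to a name never defined."""
    defined = {kind: set() for kind in DEFINE}
    used, section = [], None  # section = (kind, name) of the enclosing block
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if not line.startswith(" "):  # new top-level block
            section = None
            for kind, pat in DEFINE.items():
                if m := pat.match(line):
                    defined[kind].add(m.group(1))
                    section = (kind, m.group(1))
        elif section and section[0] in REFER:
            kind, pat = REFER[section[0]]
            if m := pat.match(line.strip()):
                used.append((kind, m.group(1), f"{section[0]} {section[1]}"))
    return [u for u in used if u[1] not in defined[u[0]]]
```

Running it over the sample reports the two `class` lines in `policy-map QoS`; renaming them to `server_traffic` and `site_traffic` makes the check come back empty.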

Without these rules the network traffic could easily exceed the bandwidth available. For example, without the rules, attempted traffic across a 10 Mbps circuit for the site and servers might look like this.

Once the rules are applied, netflow allows us to see the containment of the traffic: