Cisco Blog

Another killer post, Jeremy! I'll be trying this next week, when I travel to one of my sites. The hardest part of QoS on an internet line, is that you can only control one side of the circuit.

This should really help in my internet utilization. Thanks for sharing!!!

I haven't put a sniffer on my internet line yet, to find the offending sites, but if it makes a difference, I'll post my utilization graphs of before and after. I didn't know you could build pattern-based url matches.

Thanks again!

Aaron

Nice one! I've implemented similar configs for different reasons and they work a treat. Just a point to note that NBAR, if used, is very processor heavy (Cisco admit it but don't shout about it). I've seen some heavily utilised routers grind to a halt when applied, cheers.

What IOS would I need to use this?

Well this seems really cool, but I you have a cisco adsl line, you can't use it...

cisco-2611(config)#int dialer0
cisco-2611(config-if)#service-policy input inbound-internet
CBWFQ : Can be enabled as an output feature only
CBWFQ : Can be enabled as an output feature only
cisco-2611(config-if)#int atm0/0
cisco-2611(config-if)#service-policy input inbound-internet
CBWFQ : Can be enabled as an output feature only

Actually, it will work on the ADSL line. The reason you're getting that error message is because I have the "bandwidth" command in the syntax. This is actually an error on my part - that enables a queuing mechanism that we don't really need here.

You can do one of two things to fix this:

1. Remove the "bandwidth" command from the policy-map inbound-internet
2. Apply the service-policy outbound on your internal interface (most likely a FastEthernet interface).

Hope this helps - thanks for the head's up!

Jeremy,
I have a question concerning regular expressions.
When you do a
router#show ip accounting
can I use a regular expression to grab say just the top 10 out of the bunch? The output I get is about 3 pages long but would like to copy and paste those 10 into editor without digging through page after page.
Thanks

great article, although when I tried it out myself, it didn't seem to catch *youtube* context in the http url as part of the video always. doing a netstat -a when downloading the video says it's coming from multiple IP's of youtube and others from google and level3. it made it harder to throttle the video content eventhough I matched it using an access-list. since the other IP's to be matched aren't Youtube owned too, I am risking throttling other traffic within that blocks too.

any ideas guys why it isn't working as expected? any other viable approach?

Jeremy,

I removed the bandwidth command and now I can apply the service-policy to the interface as you said, but it doesn't seem to work, downloading http://speedtest.bbned.nl/download/file100mb.bin still is at full speed. Am I doing something wrong? Thx in advance.

class-map match-any scum
  match protocol http url "*.bbned.nl*"
class-map match-any web-traffic
  match protocol http
  match protocol dns
  match protocol secure-http
!
!
policy-map die-scum
  class scum
   police cir 56000 pir 64000
     conform-action set-prec-transmit 0
     exceed-action drop 
policy-map inbound-internet
  class web-traffic
   police cir 10000000 pir 11000000
     conform-action transmit 
     exceed-action set-prec-transmit 0
     violate-action drop 
   service-policy die-scum

interface ATM0/0

 no ip address

 no atm ilmi-keepalive

 dsl operating-mode auto

 service-policy input inbound-internet

 pvc 0 8/48 

  encapsulation aal5mux ppp dialer

  dialer pool-member 1

Joris - Hmmm; try simplifying the configuration slightly. Instead of attaching the "inbound-internet" policy directly to the interface, attach the "die-scum" policy to the interface. Likewise, to make sure we've got the direction correct, apply it inbound AND outbound to the interface. Once you see that it's limiting correctly, go ahead and remove one of the directions.

Is there a way to just decrease the bandwidth for IP ports for the idea of limiting P2P traffic to lets say 1Kbps?

The following config works for me :

class-map match-any scum
match access-group 102
class-map match-any web-traffic
match protocol http
match protocol dns
match protocol secure-http

policy-map die-scum
class scum
police cir 56000 pir 64000
conform-action set-prec-transmit 0
exceed-action drop
policy-map inbound-internet
class web-traffic
police cir 10000000 pir 11000000
conform-action transmit
exceed-action set-prec-transmit 0
violate-action drop
service-policy die-scum

interface Dialer0
service-policy input inbound-internet

access-list 102 permit ip 62.177.0.0 0.0.255.255 any

I like to knowned about this blog

"For the sake of all that is sacred....save us from the bandwidth thieves! YouTube, Google Video, MySpace....and others. All of them are to thank for our latest level of Internet bandwidth saturation. If it bothers you like it does me, why not do something about it. "

That the hell kind of elitist idiot are you! Nobody is stealing anything - people want to use these sites! They have a right to use these sites! And then there are fucking morons like you who try to block it! You are nothing but an internet terrorist when you try and sabotage that! I hope they pass laws that makes what you do illegal.
(and this board is programmed by a moron, by clicking on preview and then post the idiot software thinks you have just posted something before)

Hey dower guggi!

Why don't you post something creative instead of whining... oh, wait you are watching youtube... - never mind.

And yes, you do steal my bandwidth by doing that!

The main logic of the examples above is good, but you cant classify incoming traffic based on URLs, since the URLs are part of the outgoing traffic not the incoming, change the classification to something else.

I tried setting up the config on my router, got it all to work (well at least enter ok) but I am at a loss to see if its actually working. I do not notice any decrease in speed when surfing to those sites nor do I see anything showing that there is a service-policy applied to my interfaces. Any clues?

Hi there,

in a similar vein, I would like to prioritize incoming traffic instead of simply limiting it, i.e., web traffic would be garanteed for instance 80% of the incoming bandwidth. Then in time of congestion, incoming scum packets would get queued while web trafic would come in fast.

This would typically be done using CBWFQ, however a queueing policy cannot be applied to an incoming interface. So I thought about applying the policy to the internal FastEth interface, but this is not straightforward since the speed of the FastEth interface (100 Mb/s) is much higher than that of the ADSL interface (20 Mb/s at most).

Still this should be possible to indicate to the router: always give at least 60% of 20 Mb/s to the web traffic if any, the rest being treated as best effort.

Anybody has an idea about how to do that ?

Thanks a lot !

Happy (??th) Birthday, Jeremy!

BTW, I ran a sh cdp ne command on 3 interconnected switches, two of which gave me illogical result.

They showed 1 interface coming from 2 ports of the neighboring switches. Physically, there's only one cable connected to 1 port. I checked the versions of the switches, the one with version 12.0 showed correct result, the 2 switches with incorrect results had version 11.3 of IOS running on the them. Could this be the reason?

Hi,
I am pretty new to NBAR. I tried to configure my Cisco 1721 router (IOS v 12.4),according to steps given, i didnt get option "ip nbar protocol-discovery".
Only options with "IP NABR " are:
custom
pdlm
port-map
resources

Please help!!!