[nsp] QoS and NBAR
Hassan, Shehzad
shehzad.hassan@bell.ca
Fri, 15 Nov 2002 15:22:22 -0500
Well, you can have an extended ACL with wild-cards match for nothing and the
TCP/UDP port of that application, that should help with part of your
problem, but do check which P2P applications you are trying to rate-limit.
Some run on random ports, if not then they are smart enough to figure out
that you are blocking them.
SH
-----Original Message-----
From: francisv@dagupan.com [mailto:francisv@dagupan.com]
Sent: Friday, November 15, 2002 4:52 AM
To: cisco-nsp@puck.nether.net
Subject: [nsp] QoS and NBAR
Hi,
I'm trying to limit clients running P2P apps, belonging to a certain IP
block, from saturating a 2Mbps leased line. I'm using NBAR and PDLM files to
do this.
I'm thinking that this would require multiple class-maps like:
class-map match-all napster
 match protocol napster
 match access-group <ACL containing IP>
And repeating the process for each P2P application. Is there a better way of
doing this? I'm thinking of:
class-map match-any entertainment-apps
 match protocol napster
 match protocol gnutella
 match protocol fasttrack
policy-map POLICE-TRAFFIC
 class entertainment-apps
  police 64000 2000 2000 conform-action transmit exceed-action drop
interface Serial1/4
 description E1 (2Mbps) to client
 bandwidth 2048
 service-policy input POLICE-TRAFFIC
 service-policy output POLICE-TRAFFIC
But where do I match the IP address? Will this work?
class-map match-any entertainment-apps
 match protocol napster
 match protocol gnutella
 match protocol fasttrack
class-map match-all clients-running-p2p
 match class-map entertainment-apps
 match <ACL containing IP>
And then using the class-map clients-running-p2p for the policy map.
---
francis a. vidal [bitstop network services] | http://www.bitstop.ph
streaming media + web hosting | http://www.keystone.ph
v(02)330-2871,(02)330-2872; f(02)330-2873 | http://www.kuro.ph
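The nested class-map asked about in the original message, written out as an added example that is not part of either message. It assumes an IOS release that supports `match class-map` and NBAR with the needed PDLMs already loaded; the client block 192.0.2.0/24 and the ACL name P2P-CLIENTS are constructed placeholders. The ACL lists the block as both source and destination because the policy is attached in both directions on the interface.

```cisco
! Added example. Constructed values: client block 192.0.2.0/24,
! ACL name P2P-CLIENTS. Substitute the real client block.
!
! NBAR classification depends on CEF being enabled.
ip cef
!
! Input policy sees the clients as source, output policy sees them
! as destination, so the ACL carries one entry for each direction.
ip access-list extended P2P-CLIENTS
 permit ip 192.0.2.0 0.0.0.255 any
 permit ip any 192.0.2.0 0.0.0.255
!
! Any one of the P2P protocols recognised by NBAR.
class-map match-any entertainment-apps
 match protocol napster
 match protocol gnutella
 match protocol fasttrack
!
! Both conditions must hold: a P2P protocol AND the client block.
class-map match-all clients-running-p2p
 match class-map entertainment-apps
 match access-group name P2P-CLIENTS
!
! Only the combined class is policed; all other traffic falls into
! class-default and is left alone.
policy-map POLICE-TRAFFIC
 class clients-running-p2p
  police 64000 2000 2000 conform-action transmit exceed-action drop
!
interface Serial1/4
 description E1 (2Mbps) to client
 bandwidth 2048
 service-policy input POLICE-TRAFFIC
 service-policy output POLICE-TRAFFIC
```

`show policy-map interface Serial1/4` lists per-class packet counters and conformed/exceeded counts, which shows whether the combined class is matching traffic at all. Applications that move to random ports or otherwise evade NBAR's signatures, as the reply points out, will not appear in those counters.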