[nsp] NBAR unclassified traffic up as rate limiting is put in place?
Jim Dueltgen
jimd at lmi.net
Mon Apr 7 20:32:23 EDT 2003
I'm playing around with NBAR on a 2620 running 12.2(13)T. I'm
looking to bandwidth limit the use of those pesky P2P apps across
that T1. I think I've got it implemented correctly as "sho ip nbar
protocol-discovery" clearly shows the kazaa2 and fasttrack (the two
targets of my class map) 5 minute bit rate fitting down into my
policy limits. However, at the same time the 5 minute bit rate of
all of the "unknown" traffic has grown to fill all of the bandwidth
made available by policy limits. The line is as saturated as ever.
Am I doing something wrong or are these programs getting around the
limits by being more clever than the PDLMs and NBAR? Here's the
config (only the IP addresses have been changed to protect the
guilty):
class-map match-any p2p-class
 match protocol kazaa2
 match protocol fasttrack
!
policy-map p2p-map
 class piggies
  police cir 256000 bc 64000 be 128000
   conform-action transmit
   exceed-action drop
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nbar protocol-discovery
 speed 100
 full-duplex
 service-policy input operation-packet-freedom
!
interface Serial0/0
 ip address 10.1.1.1 255.255.255.0
 ip nbar protocol-discovery
 no ip mroute-cache
 service-policy input operation-packet-freedom

Here's the current nbar info:

 FastEthernet0/0
                          Input                    Output
 Protocol                 Packet Count             Packet Count
                          Byte Count               Byte Count
                          5 minute bit rate (bps)  5 minute bit rate (bps)
 ------------------------ ------------------------ ------------------------
 kazaa2                   176182858                86919702
                          146964916583             28358892324
                          245000                   67000
 fasttrack                37788209                 31714535
                          33414399197              20906754867
                          88000                    189000
 [...]
 unknown                  92213883                 164490587
                          54345142378              167135533630
                          1221000                  624000
 Total                    353962553                343978552
                          246496757983             274991876201
                          1667000                  999000

 Serial0/0
                          Input                    Output
 Protocol                 Packet Count             Packet Count
                          Byte Count               Byte Count
                          5 minute bit rate (bps)  5 minute bit rate (bps)
 ------------------------ ------------------------ ------------------------
 fasttrack                246486                   206601
                          253777388                106718162
                          207000                   65000
 kazaa2                   170480                   383364
                          42349405                 230400940
                          66000                    185000
 [...]
 unknown                  852688                   748976
                          516781526                692594208
                          612000                   1206000
 Total                    1391021                  1463846
                          879547644                1092559828
                          997000                   1561000

Anyone have any experience with this they can share?
Regards,
Jim Dueltgen
LMi.net
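
An added example, not part of the original post: a small parser for the three-rows-per-protocol layout of the protocol-discovery output quoted above, used to compute what share of an interface's 5 minute bit rate is "unknown" versus the two policed protocols. The function names parse_discovery and share are hypothetical, and the sample embeds the post's own FastEthernet0/0 figures.

```python
import re

# FastEthernet0/0 figures copied from the post; its "[...]" rows stay elided.
SAMPLE = """\
FastEthernet0/0
                Input                    Output
Protocol        Packet Count             Packet Count
                Byte Count               Byte Count
                5 minute bit rate (bps)  5 minute bit rate (bps)
--------------- ------------------------ ------------------------
kazaa2          176182858                86919702
                146964916583             28358892324
                245000                   67000
fasttrack       37788209                 31714535
                33414399197              20906754867
                88000                    189000
unknown         92213883                 164490587
                54345142378              167135533630
                1221000                  624000
Total           353962553                343978552
                246496757983             274991876201
                1667000                  999000
"""

def parse_discovery(text):
    """Return {interface: {protocol: (in_bps, out_bps)}} from the 5 minute rows."""
    stats, iface, proto, seen = {}, None, None, 0
    for line in text.splitlines():
        tok = line.split()
        if len(tok) == 1 and re.fullmatch(r"[A-Za-z]+\d+(/\d+)*", tok[0]):
            iface, proto = tok[0], None          # interface heading
            stats[iface] = {}
        elif iface and len(tok) == 3 and tok[1].isdigit() and tok[2].isdigit():
            proto, seen = tok[0], 1              # protocol name + packet counts
        elif proto and len(tok) == 2 and tok[0].isdigit() and tok[1].isdigit():
            seen += 1                            # row 2 = bytes, row 3 = bit rates
            if seen == 3:
                stats[iface][proto] = (int(tok[0]), int(tok[1]))
                proto = None
    return stats

def share(stats, iface, protos, direction=0):
    """Fraction of the interface Total bit rate used by protos (0=in, 1=out)."""
    total = stats[iface]["Total"][direction]
    return sum(stats[iface][p][direction] for p in protos) / total if total else 0.0

if __name__ == "__main__":
    s = parse_discovery(SAMPLE)
    for name, protos in (("kazaa2+fasttrack", ["kazaa2", "fasttrack"]), ("unknown", ["unknown"])):
        print(name, f"in {share(s, 'FastEthernet0/0', protos):.0%}", f"out {share(s, 'FastEthernet0/0', protos, 1):.0%}")
```
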