[c-nsp] Policing P2P return traffic to save B.W.

Kim Onnel karim.adel at gmail.com
Sun Mar 13 17:57:34 EST 2005


Hi,

I have 3 OC3s; 2 of them are majorly
residential-bandwidth-abusers-ADSL, which I have to rate-limit
somehow. I've thought of policing p2p traffic. What I did is create a
class map to match an ACL of p2p ports (src/dst) that I know of. For now
I have the conform-action set to transmit and the exceed-action set to
transmit, and I've kept looking at it all day, but it has only given
(42346192 bps offered and 0 exceeded). Please look below.

I'd like to know how this scales. I am sure p2p is far more than
the number below. Is my approach correct? Any suggestions?




            3 x OC3 (uplink)
             ____|  |____
            |            |
            |  Internet  |
            |  Gateway   |
            |____7609____|
                 |  |
          Gigabit 5/1 (downlink)


se7ya-7600#sh run int gigabitEthernet 5/1
Building configuration...

Current configuration : 429 bytes
!
interface GigabitEthernet5/1
 description *****Network Downlink*****
 ip address x.c.d.e 255.255.255.248 secondary
 ip address d.E.e.e 255.255.255.192
 ip access-group block-worms in
 ip access-group block-worms out
 no ip redirects
 ip accounting output-packets
 ip rip authentication key-chain xxxxxx
 ip route-cache flow
 ip policy route-map axxxx
 load-interval 30
 no cdp enable
 service-policy output p2p
end                           



se7ya-7600#sh run | b class

class-map match-all p2p
  match access-group name p2p
!
policy-map p2p
  class p2p
     police 40000000 1250000 1250000 conform-action transmit exceed-action transmit
       

se7ya-7600#sh run | b access-list extended p2p
ip access-list extended p2p
 permit tcp any range 4661 4672 any
 permit udp any range 4661 4672 any
 permit tcp any eq 1214 any
 permit udp any eq 1214 any
 permit tcp any range 6881 6889 any
 permit udp any range 6881 6889 any
 permit tcp any eq 7778 any
 permit tcp any eq 32840 any
 permit tcp any eq 6257 any
 permit udp any eq 6257 any
 permit tcp any eq 6699 any
 permit udp any eq 6699 any
 permit udp any eq 6346 any
 permit tcp any eq 6346 any
 permit tcp any eq 5555 any
 permit tcp any eq 4242 any
 permit tcp any eq 2323 any
 permit tcp any eq 4501 any
 permit tcp any eq 4500 any
 permit tcp any any range 4661 4672
 permit udp any range 467 4661 any
 permit udp any any range 4661 4672 
permit udp any any range 4661 4672
 permit tcp any any eq 1214
 permit udp any any eq 1214
 permit tcp any any range 6881 6889
 permit udp any any range 6881 6889
 permit tcp any any eq 7778
 permit tcp any any eq 32840
 permit tcp any any eq 6257
 permit udp any any eq 6257
 permit tcp any any eq 6699
 permit udp any any eq 6699
 permit udp any any eq 6346
 permit tcp any any eq 6346
 permit tcp any any eq 5555
 permit tcp any any eq 4242
 permit tcp any any eq 2323
 permit tcp any any eq 4501
 permit tcp any any eq 4500  




se7ya-7600#sh policy-map interface gigabitEthernet 5/1
 GigabitEthernet5/1

  Service-policy output: p2p

    class-map: p2p (match-all)
      Match: access-group name p2p
      police :
        40000000 bps 1250000 limit 1250000 extended limit
      Earl in slot 5 :
        137280741183 bytes
        30 second offered rate 42346192 bps
        aggregate-forwarded 137280741183 bytes action: transmit
        exceeded 0 bytes action: transmit
        aggregate-forward 41982304 bps exceed 0 bps
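
An added example, not part of the original post: a small Python audit of an extended ACL used as a traffic classifier, run over a few entries copied from the p2p ACL above. It flags duplicate entries and port ranges wider than a threshold; the function names and the 64-port threshold are assumptions made for this example.

```python
import re
from collections import Counter

# Constructed sample: a handful of entries copied from the ACL in the post.
SAMPLE_ACL = """\
ip access-list extended p2p
 permit tcp any range 4661 4672 any
 permit udp any range 467 4661 any
 permit udp any any range 4661 4672
permit udp any any range 4661 4672
 permit tcp any eq 1214 any
 permit tcp any any eq 1214
"""

# Optional port clause after an address: "eq N" or "range LO HI".
PORT = r"(?:\s+(eq)\s+(\d+)|\s+(range)\s+(\d+)\s+(\d+))?"
ENTRY = re.compile(rf"^permit\s+(tcp|udp)\s+any{PORT}\s+any{PORT}$")

def _span(groups):
    """Turn one port clause into an inclusive (lo, hi) tuple, or None."""
    eq, port, rng, lo, hi = groups
    if eq:
        return (int(port), int(port))
    if rng:
        return (int(lo), int(hi))
    return None

def parse_acl(text):
    """Return (proto, src_ports, dst_ports) for each 'permit ... any ... any' line."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY.match(raw.strip())
        if m:
            g = m.groups()
            entries.append((g[0], _span(g[1:6]), _span(g[6:11])))
    return entries

def audit(entries, max_width=64):
    """Flag repeated entries and ranges wider than max_width ports (assumed limit)."""
    findings = [("duplicate", e) for e, n in Counter(entries).items() if n > 1]
    for entry in dict.fromkeys(entries):  # de-duplicated, original order kept
        for span in entry[1:]:
            if span and span[1] - span[0] + 1 > max_width:
                findings.append(("wide-range", entry))
    return findings

if __name__ == "__main__":
    for kind, entry in audit(parse_acl(SAMPLE_ACL)):
        print(kind, entry)
```

A wide source-port range in a classifier ACL places every UDP flow sourced from that range into the policed class, so it is worth confirming that each range is intended before moving the exceed-action to drop.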

