[c-nsp] Application based rate limiting

Paul Cosgrove paul.cosgrove at heanet.ie
Thu Jan 3 05:15:37 EST 2008


Dracul wrote:
> Hi all,
>
> Need advice from the QOS experts, is there a way in cisco to rate-limit
> based on applications? let's say for example I just want to limit all P2P
> traffic and let the rest flow normally.
>
> thanks,
> chris
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
>   
You need to define a class-map matching the traffic you wish to limit,
and then use a policy-map to set the QoS to be used for that class. 
Match protocol within the class-map utilises NBAR to identify the
traffic. Unmatched traffic matches class-default which you do not need
to create.

class-map match-any P2P
  match protocol napster
  match protocol kazaa2
  match protocol edonkey
  match protocol fasttrack
  match protocol gnutella
  match protocol winmx
  match protocol bittorrent

policy-map P2P-Policy
  class P2P
    police cir 8000 bc 1000 be 1000
       conform-action transmit
       exceed-action drop

interface Fa0/0
  service-policy input P2P-Policy

Keep in mind that NBAR can incorrectly classify legitimate traffic, so
it is worth checking the ports for anything you need to match by using
"show ip nbar port-map <protocol>".  If necessary you can explicitly
permit traffic which is being incorrectly detected by creating another
class for it.  The following example shows an exception created to
prevent valid traffic being classed as napster.

access-list 160 permit tcp any host 192.1.1.1 eq 7777
access-list 160 permit tcp host 192.1.1.1 eq 7777 any

class-map match-all Legitimate-TCP-7777
  match access-group 160
!
!
policy-map P2P-Policy
  class Legitimate-TCP-7777
   police cir 10000000
     conform-action transmit
     exceed-action transmit
  class P2P
   police cir 8000 bc 1000 be 1000
     conform-action transmit
     exceed-action drop


Classification and other QoS capabilities are obviously different
depending on your version of IOS, so you need to check the documentation
to see what is supported.  You can find some more information at the
following link:
   
http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hqos_c/part05/ch05/hdtnbara.htm#wp1079748

You may need to load individual PDLM update files containing information
on the protocols you wish to match, e.g.
    ip nbar pdlm flash:bittorrent.pdlm

You will also want to test it out to check for any CPU hit.
   
http://www.cisco.com/en/US/products/ps6616/products_white_paper0900aecd8031b712.shtml


Paul.

-- 
Paul Cosgrove
HEAnet Limited, Ireland's Education and Research Network
1st Floor, 5 George's Dock, IFSC, Dublin 1
Registered in Ireland, no 275301  
tel: +353-1-660 9040  fax: +353-1-660 3666
web: http://www.heanet.ie/       
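Added example (not part of Paul's reply or of Cisco IOS): a small Python model of how an MQC policy-map classifies a packet, written to make two points in the reply concrete. First, the classes in a policy-map are evaluated in the order they are listed and the first match wins, which is why the Legitimate-TCP-7777 exception class has to appear before the P2P class. Second, whatever matches no class falls into class-default, which exists implicitly and never has to be created. The packets, the NBAR labels attached to them (including the deliberately wrong "napster" label on the port-7777 flow) and the hypothetical "secure-http" label are constructed sample data; the ACL and class names are taken from the message above.

```python
# Added example, not code from the cisco-nsp thread: a toy model of MQC
# classification order (policy-map classes, match-any/match-all, class-default).
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    nbar_app: str   # what NBAR decided the flow is; this can be wrong


# access-list 160 from the message: (proto, src, sport, dst, dport),
# None standing in for "any" (host or port).  Last entry is the implicit deny.
ACL_160 = [
    ("tcp", None, None, "192.1.1.1", 7777),
    ("tcp", "192.1.1.1", 7777, None, None),
]
ACLS = {160: ACL_160}


def acl_permits(acl, pkt):
    """First matching ACE decides; no match means the implicit deny."""
    for proto, src, sport, dst, dport in acl:
        if proto != pkt.proto:
            continue
        if src is not None and src != pkt.src:
            continue
        if sport is not None and sport != pkt.sport:
            continue
        if dst is not None and dst != pkt.dst:
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return True
    return False


@dataclass(frozen=True)
class ClassMap:
    name: str
    mode: str                       # "match-any" or "match-all"
    protocols: tuple = ()           # "match protocol <nbar-app>" lines
    access_groups: tuple = ()       # "match access-group <n>" lines

    def matches(self, pkt):
        results = [pkt.nbar_app == p for p in self.protocols]
        results += [acl_permits(ACLS[n], pkt) for n in self.access_groups]
        return any(results) if self.mode == "match-any" else all(results)


# The two class-maps from the message.
P2P = ClassMap("P2P", "match-any", protocols=(
    "napster", "kazaa2", "edonkey", "fasttrack", "gnutella", "winmx", "bittorrent"))
LEGIT = ClassMap("Legitimate-TCP-7777", "match-all", access_groups=(160,))


def classify(policy, pkt):
    """Return the name of the first class in the policy-map that the packet
    matches.  MQC walks the classes in configured order and stops at the
    first hit; anything left over lands in the implicit class-default."""
    for cm in policy:
        if cm.matches(pkt):
            return cm.name
    return "class-default"


# Constructed packets.  The first is valid TCP/7777 traffic that NBAR has
# mis-detected as napster, exactly the case the exception class is for.
LEGIT_PKT = Packet("tcp", "10.0.0.5", "192.1.1.1", 40000, 7777, nbar_app="napster")
TORRENT_PKT = Packet("tcp", "10.0.0.6", "203.0.113.9", 51413, 6881, nbar_app="bittorrent")
WEB_PKT = Packet("tcp", "10.0.0.7", "203.0.113.10", 40001, 443, nbar_app="secure-http")


def demo():
    """Classify the sample packets under the correct and the reversed class order."""
    exception_first = [LEGIT, P2P]   # order used in the message
    p2p_first = [P2P, LEGIT]         # wrong order: P2P swallows the legit flow
    return {
        "legit_exception_first": classify(exception_first, LEGIT_PKT),
        "legit_p2p_first": classify(p2p_first, LEGIT_PKT),
        "torrent": classify(exception_first, TORRENT_PKT),
        "web": classify(exception_first, WEB_PKT),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:24s} -> {v}")
```

Running it shows the mis-labelled port-7777 flow landing in Legitimate-TCP-7777 when that class is listed first and in P2P (so policed down to 8 kbit/s) when the order is reversed, while the HTTPS flow hits class-default in both cases. It is the same check you would do on the box with "show policy-map interface", just without the hardware.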