[c-nsp] Application based rate limiting
Paul Cosgrove
paul.cosgrove at heanet.ie
Thu Jan 3 05:15:37 EST 2008
Dracul wrote:
> Hi all,
>
> Need advice from the QOS experts, is there a way in cisco to rate-limit
> based on applications? let's say for example I just want to limit all P2P
> traffic and let the rest flow normally.
>
> thanks,
> chris
You need to define a class-map matching the traffic you wish to limit,
and then use a policy-map to set the QoS to be used for that class.
Match protocol within the class-map utilises NBAR to identify the
traffic. Unmatched traffic matches class-default which you do not need
to create.
! NBAR-classified P2P traffic: with match-any, a packet joins the class
! as soon as any one "match protocol" line fires
class-map match-any P2P
 match protocol napster
 match protocol kazaa2
 match protocol edonkey
 match protocol fasttrack
 match protocol gnutella
 match protocol winmx
 match protocol bittorrent
!
! Police the P2P class: cir in bits/s, bc and be in bytes;
! everything else falls into class-default and is untouched
policy-map P2P-Policy
 class P2P
  police cir 8000 bc 1000 be 1000
   conform-action transmit
   exceed-action drop
!
! Attach the policy to traffic arriving on the interface
interface Fa0/0
 service-policy input P2P-Policy
Keep in mind that NBAR can incorrectly classify legitimate traffic, so
it is worth checking the ports for anything you need to match by using
"show ip nbar port-map <protocol>". If necessary you can explicitly
permit traffic which is being incorrectly detected by creating another
class for it. The following example shows an exception created to
prevent valid traffic being classed as napster.
! Both directions of the legitimate TCP/7777 flows
access-list 160 permit tcp any host 192.1.1.1 eq 7777
access-list 160 permit tcp host 192.1.1.1 eq 7777 any
!
class-map match-all Legitimate-TCP-7777
 match access-group 160
!
! Classes are evaluated top down and the first match wins, so the
! exception class must come before the P2P class
policy-map P2P-Policy
 class Legitimate-TCP-7777
  police cir 10000000
   conform-action transmit
   exceed-action transmit
 class P2P
  police cir 8000 bc 1000 be 1000
   conform-action transmit
   exceed-action drop
Classification and other QoS capabilities are obviously different
depending on your version of IOS, so you need to check the documentation
to see what is supported. You can find some more information at the
following link:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hqos_c/part05/ch05/hdtnbara.htm#wp1079748
You may need to load individual PDLM update files containing information
on the protocols you wish to match, e.g.
ip nbar pdlm flash:bittorrent.pdlm
You will also want to test it out to check for any CPU hit:
http://www.cisco.com/en/US/products/ps6616/products_white_paper0900aecd8031b712.shtml
Paul.
--
Paul Cosgrove
HEAnet Limited, Ireland's Education and Research Network
1st Floor, 5 George's Dock, IFSC, Dublin 1
Registered in Ireland, no 275301
tel: +353-1-660 9040 fax: +353-1-660 3666
web: http://www.heanet.ie/
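The "police cir 8000 bc 1000 be 1000" line in the reply above is a single-rate three-colour policer, which IOS bases on the RFC 2697 srTCM token buckets. The following is an added model of that policer (not code from the post or from Cisco), fed with constructed packet sizes, to show what the cir/bc/be numbers actually allow through; it assumes colour-blind mode and, since the reply configures no violate-action, treats the third colour as a drop.

```python
"""Model of the srTCM (RFC 2697) behind IOS 'police cir <bps> bc <bytes> be <bytes>'.
Constructed example: it shows why bc must be at least one full packet."""
from dataclasses import dataclass, field


@dataclass
class SrTcmPolicer:
    cir_bps: int                    # committed rate, bits per second (IOS 'cir')
    bc_bytes: int                   # committed burst, bytes (IOS 'bc')
    be_bytes: int                   # excess burst, bytes (IOS 'be')
    tc: float = field(init=False)   # tokens in the committed bucket
    te: float = field(init=False)   # tokens in the excess bucket
    last_t: float = 0.0             # time of the previous refill, seconds

    def __post_init__(self) -> None:
        # Both buckets start full, as in RFC 2697.
        self.tc = float(self.bc_bytes)
        self.te = float(self.be_bytes)

    def _refill(self, now: float) -> None:
        # CIR is in bits/s; buckets are counted in bytes.
        tokens = (now - self.last_t) * self.cir_bps / 8.0
        self.last_t = now
        room = self.bc_bytes - self.tc
        if tokens <= room:
            self.tc += tokens
        else:                       # committed bucket full: overflow into excess
            self.tc = float(self.bc_bytes)
            self.te = min(float(self.be_bytes), self.te + tokens - room)

    def police(self, now: float, size: int) -> str:
        """Return the colour IOS maps to conform-/exceed-/violate-action."""
        self._refill(now)
        if self.tc >= size:
            self.tc -= size
            return "conform"
        if self.te >= size:
            self.te -= size
            return "exceed"
        return "violate"


def transmitted(policer: SrTcmPolicer, packets: list) -> list:
    """Apply the reply's actions (conform transmit, exceed drop; violate assumed
    drop) to (time, size) packets and return the sizes that get through."""
    return [size for t, size in packets if policer.police(t, size) == "conform"]
```

With the values from the reply, a 1500-byte packet never conforms because bc is only 1000 bytes, so full-size P2P packets are all dropped rather than rate-limited; the committed burst normally needs to be at least the interface MTU.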