[c-nsp] NBAR on 2800

Church, Charles cchurc05 at harris.com
Thu Jan 10 12:03:18 EST 2008


I maintain a 2821 routing 2 ethernet ISP links (each 10 mbit rate
limited by upstream) with BGP to another physical interface on the
inside.  No NAT, but doing NBAR for P2P policies and VoIP prioritization
on all ints.  Spikes of 30 mbit (total through system) push CPU to 40%
or so.  'sho int stat' shows over 99% of traffic being fast/CEF
switched, so CPU is all interrupt for the most part.  3825/3845 might be
a safer choice for what you're trying to do.  It does a pretty good job
with P2P, but not sure if it's catching the newest encrypted stuff.


Chuck 


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Kristofer Sigurdsson
Sent: Thursday, January 10, 2008 8:18 AM
To: Cisco NSP
Subject: [c-nsp] NBAR on 2800


Hi list,

I'm looking for words of wisdom on NBAR on the 2800s.  The main link is
100 Mbit/s (at present maxing in 60 Mbit/s bursts, average 30 Mbit/s).
We will implement a 20 Mbit/s backup link in the next few weeks.  Both
links are delivered as fastethernet links on copper.  We would like to
be able to block P2P, or at least most of the P2P.  We will use a 2821
(currently in use for the main link without NBAR) for the backup link,
which I believe is more than enough, but I'm a bit puzzled about the
main one.  It will be a separate router, the bean counters will push for
a 2821, but I believe that will not be enough.  How about a 2851?

Another thing.  How good is NBAR these days?  I have zero experience
with it.  Can it effectively block P2P?  Can we mark and even prioritize
VoIP?  In short: does it work?

Thanks in advance,
Kristo
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/