[c-nsp] Limiting bandwidth from specific source

Antoine Monnier mrantoinemonnier at gmail.com
Thu Oct 22 08:39:12 EDT 2015


thanks Jeremy for the details

On Wed, Oct 21, 2015 at 2:26 PM, Jeremy Bresley <brez at brezworks.com> wrote:

> Looking back through release notes for the NBAR packs, looks like the
> oldest release they had release notes for was 3.0, and it's in there.  You
> can see which protocol pack you're using by doing show ip nbar
> protocol-pack active.  The latest is 14.0 which was released April 2015,
> and if you're running a compatible code version, I'd go as recent as
> possible, as they've added a LOT of new inspection protocols in the last
> 3-4 versions.
>
> They do "bundle" the newer protocol packs into newer IOS versions, so if
> you're on a recent 15.4S or 15.5S based release you may already have a
> fairly recent pack included.  The one thing to watch out for if you can't
> upgrade to newer code is the engine version.  13.0 and 14.0 are only
> supported by engine version 20 or 21.
>
> Jeremy "TheBrez" Bresley
> brez at brezworks.com
>
>
> On 10/21/2015 1:49 AM, Antoine Monnier wrote:
>
> thanks to all for the feedback.
>
> Jeremy, would you know since which release that NBAR 2 capability of
> matching youtube is available? or at least on which release you have
> implemented that.
>
> thanks
>
> On Tue, Oct 20, 2015 at 3:47 PM, Jeremy Bresley <brez at brezworks.com>
> wrote:
>
>> Since you specifically mentioned an ASR1K, if you have the AVC license
>> ($10K list RTU license), you can enable NBAR2 which does identify Youtube
>> traffic.
>>
>> Router#sh ip nbar protocol-id youtube
>>
>> Protocol Name             id            type
>> ----------------------------------------------
>> youtube                  82            L7 STANDARD
>>
>> Router#sh ip nbar protocol-attribute youtube
>>
>>            Protocol Name : youtube
>>                encrypted : encrypted-yes
>>                   tunnel : tunnel-no
>>                 category : consumer-streaming
>>             sub-category : consumer-video-streaming
>>        application-group : flash-group
>>           p2p-technology : p2p-tech-no
>>            traffic-class : multimedia-streaming
>>       business-relevance : business-irrelevant
>>
>> There are some overhead concerns with doing DPI on all your traffic, make
>> sure you're not turning this on a link or router that is overtaxed, etc,
>> but it can be done.  We do this on our internal MPLS headends running on
>> ASR1004/RP2s and don't normally exceed 10-15% CPU usage at gig speeds.  You
>> can also use the NBAR classifiers in a QoS policy if they want to
>> rate-limit/shape/police that traffic.
>>
>> Jeremy "TheBrez" Bresley
>> brez at brezworks.com
>>
>>
>>
>> On 10/20/2015 1:45 AM, Antoine Monnier wrote:
>>
>>> thanks Vijay.
>>>
>>> so just to clarify the problem is on some customer facing circuits.
>>>
>>> Is there a way to identify "youtube" specific traffic compared to "all of
>>> Google services" traffic? Does Youtube use specific IP ranges?
>>>
>>>
>>>
>>> On Tue, Oct 20, 2015 at 8:42 AM, Vijay S <vijay.hcr at gmail.com> wrote:
>>>
>>>> Well Google has ggc program which will give you free Google peering you
>>>> don't need to pay to Google or any service provider except connectivity
>>>> cost.
>>>>
>>>> And to limit traffic from specific source you can use class based qos.
>>>>
>>>
>
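
The QoS use of the NBAR classifier mentioned in the thread, as an added example that is not part of the original messages or any poster's configuration. The class-map and policy-map names, the 10 Mbit/s rate and the interface are assumptions chosen for illustration; it assumes NBAR2 is licensed and the active protocol pack includes youtube.

```cisco
! Added example: names, rate and interface below are constructed, not from the thread.
!
! Classify traffic that NBAR2 identifies as YouTube.
class-map match-any CM-YOUTUBE
 match protocol youtube
!
! Police the matched class to 10 Mbit/s (assumed value); everything else
! falls into class-default and is left untouched.
policy-map PM-CUSTOMER-OUT
 class CM-YOUTUBE
  police cir 10000000 conform-action transmit exceed-action drop
!
! Apply outbound on the customer-facing circuit (assumed interface),
! i.e. in the direction the video traffic flows toward the customer.
interface GigabitEthernet0/0/1
 service-policy output PM-CUSTOMER-OUT
!
! Verification from exec mode:
!   show ip nbar protocol-pack active
!   show policy-map interface GigabitEthernet0/0/1
```

The per-class counters in `show policy-map interface` show whether the youtube class is actually matching traffic and how much is being dropped by the policer, which is also where to watch alongside CPU usage after enabling it.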

