
Issues with Netflix, Hulu, YouTube and other streaming during high usage times

ynyng

I'm having an issue where end users have difficulty with Netflix, Hulu and YouTube during peak usage times, despite bandwidth being available. My network is NAT'd for the most part due to a limited number of public IPs. Is there something that I should tweak in my config?

orb-asr1002-rtr0#sh run
Building configuration...

Current configuration : 8315 bytes
!
! Last configuration change at 13:07:57 Chicago Wed Oct 21 2015
!
version 15.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
no platform punt-keepalive disable-kernel-core
!
hostname orb-asr1002-rtr0
!
boot-start-marker
boot system flash bootflash:asr1000rp1-ipbasek9.03.12.00.S.154-2.S-std.bin
boot-end-marker
!
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
!
aaa new-model
!
!
aaa authentication login local_auth local
!
!
!
!
!
aaa session-id common
clock timezone Chicago -6 0
clock summer-time Chicago date Apr 6 2003 2:00 Oct 26 2003 2:00
no ip source-route
no ip gratuitous-arps
!
!
!
!
!
no ip bootp server
ip domain name
ip name-server 8.8.8.8
ip name-server 8.8.4.4

!
!
!
login block-for 100 attempts 3 within 30
!
!
!
!
!
!
!
subscriber templating
multilink bundle-name authenticated
!
!
!
!
redundancy
 mode none
!
!
!
ip tftp source-interface GigabitEthernet0
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
!
interface GigabitEthernet0/0/0
 description WAN_PUBLIC_CENTURYL
 ip address 69.69.205.34 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 negotiation auto
!
interface GigabitEthernet0/0/1
 description LAN_PRIVATE_CUST
 ip address 172.16.1.1 255.240.0.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 negotiation auto
!
interface GigabitEthernet0/0/2
 description LAN_PUBLIC_CUST
 ip address 184.0.192.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 negotiation auto
!
interface GigabitEthernet0/0/3
 description LAN_PRIVATE_CACHE
 ip address 192.168.100.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 shutdown
 negotiation auto
!
interface GigabitEthernet0/1/0
 description LAN_PUBLIC_SERVERS
 ip address 67.77.62.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 negotiation auto
!
interface GigabitEthernet0/1/1
 description LAN
 ip address 67.77.63.1 255.255.255.224
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 negotiation auto
!
interface GigabitEthernet0/1/2
 description WRRB_PUBLIC_WIFI
 ip address 192.168.200.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 negotiation auto
!
interface GigabitEthernet0/1/3
 description LAN_WRRB
 ip address 10.10.10.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 negotiation auto
!
interface GigabitEthernet0/1/4
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
 negotiation auto
!
interface GigabitEthernet0/1/5
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
 negotiation auto
!
interface GigabitEthernet0/1/6
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
 negotiation auto
!
interface GigabitEthernet0/1/7
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
 negotiation auto
!
interface GigabitEthernet0
 description LAN_PRIVATE_MGMT
 vrf forwarding Mgmt-intf
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
 negotiation auto
!
ip nat translation timeout 7200
ip nat translation tcp-timeout 7200
ip nat translation pptp-timeout 7200
ip nat translation udp-timeout 300
ip nat translation finrst-timeout 4
ip nat translation syn-timeout 4
ip nat translation dns-timeout 60
ip nat translation icmp-timeout 60
ip nat translation max-entries 400000
ip nat pool PRIVATE_NAT_POOL 64.45.254.125 64.45.254.199 prefix-length 24
ip nat inside source list 1 pool PRIVATE_NAT_POOL overload
ip nat inside source static 172.16.16.199 64.45.254.201
ip nat inside source static 172.16.24.83 64.45.254.202
ip nat inside source static 172.16.96.23 64.45.254.203
ip nat inside source static 172.16.12.220 64.45.254.204
ip nat inside source static 172.16.12.62 64.45.254.205
ip nat inside source static 172.16.20.210 64.45.254.206
ip nat inside source static 172.16.96.79 64.45.254.207
ip nat inside source static 172.16.28.47 64.45.254.208
ip nat inside source static 172.16.12.98 64.45.254.209
ip nat inside source static 172.16.8.224 64.45.254.210
ip nat inside source static 172.16.97.11 64.45.254.211
ip nat inside source static 172.16.37.21 64.45.254.212
ip nat inside source static 172.16.8.39 64.45.254.213
ip nat inside source static 172.16.2.121 64.45.254.214
ip nat inside source static 172.16.80.44 64.45.254.215
ip nat inside source static 172.16.80.15 64.45.254.216
ip nat inside source static 172.16.104.55 64.45.254.217
ip nat inside source static 172.16.72.39 64.45.254.218
ip nat inside source static 172.16.52.29 64.45.254.219
ip nat inside source static 172.16.57.3 64.45.254.220
ip nat inside source static 172.16.12.148 64.45.254.221
ip nat inside source static 172.16.12.215 64.45.254.222
ip nat inside source static 172.16.12.26 64.45.254.223
ip nat inside source static 172.16.112.51 64.45.254.224
ip nat inside source static 172.16.68.136 64.45.254.225
ip nat inside source static 172.16.152.9 64.45.254.226
ip nat inside source static 172.16.152.15 64.45.254.227
ip nat inside source static 172.16.12.228 64.45.254.228
ip nat inside source static 172.16.72.52 64.45.254.229
ip nat inside source static 172.16.136.24 64.45.254.230
ip nat inside source static 172.16.137.5 64.45.254.231
ip nat inside source static 172.16.12.149 64.45.254.232
ip nat inside source static 172.16.68.125 64.45.254.233
ip nat inside source static 172.16.4.124 64.45.254.234
ip nat inside source static 172.16.116.52 64.45.254.235
ip nat inside source static 172.16.156.3 64.45.254.236
ip nat inside source static 172.16.28.122 64.45.254.240
ip nat inside source static 172.16.24.104 64.45.254.241
ip nat inside source static 172.16.80.14 64.45.254.242
ip nat inside source static 172.16.68.128 64.45.254.243
ip nat inside source static 172.16.109.41 64.45.254.244
ip nat inside source static 172.16.1.138 64.45.254.245
ip nat inside source static 172.16.28.82 64.45.254.246
ip nat inside source static 172.16.40.97 64.45.254.247
ip nat inside source static 172.16.77.107 64.45.254.248
ip nat inside source static 172.16.92.12 64.45.254.249
ip nat inside source static 172.16.96.84 64.45.254.250
ip nat inside source static 172.16.57.4 64.45.254.251
ip nat inside source static 172.16.136.31 64.45.254.252
ip nat inside source static 172.16.104.94 64.45.254.253
ip nat inside source static 192.168.100.2 67.77.63.2
ip nat inside source static 10.10.10.2 67.77.63.29
ip nat inside source static 192.168.200.2 184.0.192.18
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 69.69.205.33 permanent
ip route 67.77.63.32 255.255.255.240 GigabitEthernet0/1/1 67.77.63.31
!
ip access-list standard MGMT_ACCESS
 permit 184.0.192.0 0.0.0.255
 permit 172.16.0.0 0.15.255.255
 permit 67.77.62.0 0.0.1.255
 deny   any
!
!
logging trap debugging
logging facility local2
access-list 1 permit 172.16.0.0 0.15.255.255
access-list 100 permit udp any any eq bootpc
access-list 111 permit udp 172.16.0.0 0.15.255.255 any
access-list 111 permit tcp 172.16.0.0 0.15.255.255 any
access-list 111 permit icmp 172.16.0.0 0.15.255.255 any
dialer-list 1 protocol ip permit
!
!
!
!
!
control-plane
!
banner motd ^CCCAUTHORIZED ACCESS ONLY!
All login attempts monitored and logged.
Disconnect now if you are not authorized.^C
!
line con 0
 exec-timeout 5 0
 login authentication local_auth
 transport output telnet
 stopbits 1
line aux 0
 login authentication local_auth
 transport output telnet
 stopbits 1
line vty 0 4
 access-class MGMT_ACCESS in
 login authentication local_auth
 transport input telnet ssh
line vty 5 15
 access-class MGMT_ACCESS in
!
!
end

orb-asr1002-rtr0#ex

orb-asr1002-rtr0#sh mem stat
                Head    Total(b)     Used(b)     Free(b)   Lowest(b)  Largest(b)
Processor   300B9008   1774932880   203044384   1571888496   1571286360   1571294480
 lsmpi_io   99E781D0     6295088     6294120         968         968         968

orb-asr1002-rtr0#sh proc cpu sort
CPU utilization for five seconds: 4%/1%; one minute: 3%; five minutes: 3%

orb-asr1002-rtr0#sh ip nat stat
Total active translations: 165049 (54 static, 164995 dynamic; 164961 extended)
Outside interfaces:
  GigabitEthernet0/0/0
Inside interfaces:
  GigabitEthernet0/0/1, GigabitEthernet0/0/3, GigabitEthernet0/1/2
  GigabitEthernet0/1/3
Hits: 7593182543  Misses: 53876281
Expired translations: 54151159
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 1 pool PRIVATE_NAT_POOL refcount 158533
 pool PRIVATE_NAT_POOL: id 1, netmask 255.255.255.0
        start 64.45.254.125 end 64.45.254.199
        type generic, total addresses 75, allocated 42 (56%), misses 0
nat-limit statistics:
 max entry: max allowed 400000, used 164995, missed 0
In-to-out drops: 69858  Out-to-in drops: 39105
Pool stats drop: 0  Mapping stats drop: 0
Port block alloc fail: 0
IP alias add fail: 0
Limit entry add fail: 0

1 Reply 1

Leo Laohoo

The ASR supports NBAR; I believe NBAR2.

So using AVC you can rate limit or drop unwanted traffic.