Policing Traffic

jasongr33nway
Level 1

I am trying to find a way to manage the traffic from a CDN. NBAR is not supported on our L3 Switch so I decided to try and police the traffic at our branch locations. I have the policy map configured but it doesn't appear to be working since I have seen this traffic inbound since I applied the policy.

Class-map: WSUS (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol http host "*.akamaitechnologies.com"
      Match: protocol http url "*.deploy.static.akamaitechnologies.com"
      police:
          cir 800000 bps, bc 25000 bytes
        conformed 0 packets, 0 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        conformed 0 bps, exceed 0 bps

The site I am trying to limit is coming from "a104-94-197-105.deploy.static.akamaitechnologies.com"

7 Replies

Hi jasongr33nway,

Can you post all the configuration related to this policy?

And try this

Match: protocol http host "*.akamaitechnologies.com$"

Match: protocol http url "*.deploy.static.akamaitechnologies.com$"

This class map is configured as match all so both conditions must be matched. Is this what you want to achieve?

Spooster IT Services Team

So I am opening this back up because I don't understand why I can't police via http host or url. I have applied this policy to an ingress interface and I am not getting any hits on it.

Here is the policy I have set as an input policy.

GigabitEthernet0/2
Service-policy input: HTTP-POLICE

    Class-map: Test (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol http host "*.deploy.static.akamaitechnologies.com"
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol http url "*.deploy.static.akamaitechnologies.com"
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol http host "*.akamaitechnologies.com$"
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol http url "*.deploy.static.akamaitechnologies.com$"
        0 packets, 0 bytes
        5 minute rate 0 bps
      police:
          cir 500000 bps, bc 15625 bytes
        conformed 0 packets, 0 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        conformed 0000 bps, exceeded 0000 bps

    Class-map: class-default (match-any)
      50442397 packets, 44101904476 bytes
      5 minute offered rate 8876000 bps, drop rate 0 bps
      Match: any

Here is the class-map

Class Map match-any Test (id 5)
   Match protocol http host "*.deploy.static.akamaitechnologies.com"
   Match protocol http url "*.deploy.static.akamaitechnologies.com"
   Match protocol http host "*.akamaitechnologies.com$"
   Match protocol http url "*.deploy.static.akamaitechnologies.com$"

Some of the traffic this morning that should have been hit

a184-24-98-239.deploy.static.akamaitechnologies.com (184.24.98.239)

Hello,

What platform is this one? QoS is different for every switch model.

Can you post the full configuration? Everything goes to the default class; you might want to try and match an access list specifying your source IP addresses...

This is off our 2921. All the others are 2911s. I thought about doing an ACL; the issue is that the traffic is coming from a CDN and the IP is always different.

Here are the policy maps on that interface.

Service-policy input: HTTP-POLICE

    Class-map: Test (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol http host "*.deploy.static.akamaitechnologies.com"
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol http url "*.deploy.static.akamaitechnologies.com"
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol http host "*.akamaitechnologies.com$"
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol http url "*.deploy.static.akamaitechnologies.com$"
        0 packets, 0 bytes
        5 minute rate 0 bps
      police:
          cir 500000 bps, bc 15625 bytes
        conformed 0 packets, 0 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        conformed 0000 bps, exceeded 0000 bps

    Class-map: class-default (match-any)
      60165644 packets, 52913747462 bytes
      5 minute offered rate 2553000 bps, drop rate 0 bps
      Match: any

  Service-policy output: QOS-OUTBOUND

    queue stats for all priority classes:
      Queueing
      queue limit 64 packets
      (queue depth/total drops/no-buffer drops) 0/0/0
      (pkts output/bytes output) 107421541/31905624158

    Class-map: ATT-QUEUE-1 (match-any)
      107421541 packets, 31897869410 bytes
      5 minute offered rate 209000 bps, drop rate 0 bps
      Match: access-group 2001
        107421539 packets, 31897869410 bytes
        5 minute rate 209000 bps
      Priority: 20% (2000 kbps), burst bytes 50000, b/w exceed drops: 0
      

    Class-map: ATT-QUEUE-2 (match-any)
      42787172 packets, 30776798033 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group 2002
        42787172 packets, 30776798033 bytes
        5 minute rate 0 bps
      Queueing
      queue limit 64 packets
      (queue depth/total drops/no-buffer drops) 0/0/0
      (pkts output/bytes output) 42787172/30776798033
      bandwidth remaining 30%

    Class-map: ATT-QUEUE-3 (match-any)
      284990352 packets, 114698453022 bytes
      5 minute offered rate 3973000 bps, drop rate 0 bps
      Match: access-group 2003
        284990313 packets, 114698455657 bytes
        5 minute rate 3973000 bps
      Queueing
      queue limit 512 packets
      (queue depth/total drops/no-buffer drops/flowdrops) 0/22/0/22
      (pkts output/bytes output) 284990331/114723062095
      bandwidth remaining 60%
      Fair-queue: per-flow queue limit 128 packets
      

    Class-map: class-default (match-any)
      397214 packets, 23943408 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
      
      queue limit 64 packets
      (queue depth/total drops/no-buffer drops) 0/0/0
      (pkts output/bytes output) 2473946/2202532994

Hello,

try and simplify your class map like this:

class-map match-any Test
 match protocol http host *akamaitechnologies*

Hello,

match-all...try match-any.

What switch/platform (e.g. 3750) do you have?

jasongr33nway
Level 1

Hey guys, thanks for all your input. I ended up policing all https traffic. I found updates coming from many different sites.
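To see why the match-all class in the opening post and the match-any class later in the thread behave differently, and why an HTTP host match can never see the HTTPS traffic the original poster ended up policing, here is a small simulation (added example, not configuration or code from the thread or from Cisco). It assumes NBAR-style wildcard semantics (the pattern must cover the whole value, `*` matches any run of characters, a trailing `$` adds nothing because the match is already end-anchored), that `url` patterns are compared against the path after the host name, and uses constructed sample flows.

```python
import fnmatch

# Constructed sample flows, as an ingress classifier would see them. A TLS
# (https) flow carries its Host header and URL inside the encrypted payload,
# so the classifier sees neither (modelled as None).
SAMPLE_FLOWS = [
    {"scheme": "http", "host": "a184-24-98-239.deploy.static.akamaitechnologies.com",
     "path": "/msdownload/update/v3/example.cab"},
    {"scheme": "http", "host": "a104-94-197-105.deploy.static.akamaitechnologies.com",
     "path": "/filestreamingservice/example.psf"},
    {"scheme": "https", "host": None, "path": None},
    {"scheme": "http", "host": "www.example.com", "path": "/index.html"},
]

# The two class-maps from the thread, expressed as (field, pattern) rules.
WSUS_MATCH_ALL = [
    ("host", "*.akamaitechnologies.com"),
    ("url", "*.deploy.static.akamaitechnologies.com"),
]
TEST_MATCH_ANY = [
    ("host", "*.deploy.static.akamaitechnologies.com"),
    ("url", "*.deploy.static.akamaitechnologies.com"),
    ("host", "*.akamaitechnologies.com$"),
    ("url", "*.deploy.static.akamaitechnologies.com$"),
]


def nbar_match(pattern, value):
    """Approximation (assumption) of NBAR's HTTP match syntax: the pattern
    must cover the whole value, '*' matches any run of characters, and a
    trailing '$' is redundant because the match is already end-anchored."""
    return fnmatch.fnmatchcase(value, pattern.rstrip("$"))


def classify(match_type, rules, flow):
    """Evaluate one class-map against one flow. 'host' rules compare the Host
    header; 'url' rules compare the path after the host name (assumption
    about where NBAR applies the url pattern). match-all needs every rule
    to hit, match-any needs at least one."""
    hits = []
    for field, pattern in rules:
        value = flow["host"] if field == "host" else flow["path"]
        hits.append(value is not None and nbar_match(pattern, value))
    return all(hits) if match_type == "match-all" else any(hits)


def count_hits(match_type, rules, flows):
    """Number of flows the class-map would classify (the 'packets' counter)."""
    return sum(1 for flow in flows if classify(match_type, rules, flow))


if __name__ == "__main__":
    print("WSUS match-all:", count_hits("match-all", WSUS_MATCH_ALL, SAMPLE_FLOWS))  # 0
    print("Test match-any:", count_hits("match-any", TEST_MATCH_ANY, SAMPLE_FLOWS))  # 2
```

The match-all class never fires because its url rule is compared against the path, which no Akamai host name ever matches; the match-any class fires only for plaintext HTTP, so HTTPS update traffic still lands in class-default.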
