Need some QoS help!!!

danielnigrinis
Level 1

Hello All,

I'm new to all the QoS settings and I need some help. I have the following simple topology:

LAN (int Vlan4 10.0.0.0/24)--------------- Router c861W-------------WAN (public IP by dhcp 200.75.56.X/24)

In the LAN I have 4 users with manually assigned DHCP IPs (10.0.0.101, 10.0.0.102, 10.0.0.103 and 10.0.0.104). I configured a QoS policy to limit to 1Mbps the bandwidth to some applications like Dropbox, Netflix, etc... but now these 4 users are running BitTorrent and P2P applications on the network. I want to limit this traffic to 1Mbps as well. I don't want to block them completely, I just want to force them to use only 1Mbps of bandwidth.

The way I applied my policy so far is the following:

I created my access-list (blocking dropbox, netflix and other things):

ip access-list extended BANNED-TRAFFIC
permit ip 108.175.32.0 0.0.15.255 10.0.0.96 0.0.0.15
! 10.0.0.96 0.0.0.15 includes the 4 users' IP addresses 10.0.0.101-104
permit ip 185.2.220.0 0.0.3.255 10.0.0.96 0.0.0.15
permit ip 185.9.188.0 0.0.0.255 10.0.0.96 0.0.0.15
permit ip 185.9.190.0 0.0.1.255 10.0.0.96 0.0.0.15
permit ip 192.173.112.0 0.0.15.255 10.0.0.96 0.0.0.15
permit ip 192.173.64.0 0.0.15.255 10.0.0.96 0.0.0.15
permit ip 192.173.80.0 0.0.15.255 10.0.0.96 0.0.0.15
permit ip 192.173.96.0 0.0.15.255 10.0.0.96 0.0.0.15
permit ip 198.38.96.0 0.0.31.255 10.0.0.96 0.0.0.15
permit ip 198.45.48.0 0.0.15.255 10.0.0.96 0.0.0.15
permit ip 208.75.77.0 0.0.0.255 10.0.0.96 0.0.0.15
permit ip 23.246.0.0 0.0.63.255 10.0.0.96 0.0.0.15
permit ip 37.77.184.0 0.0.7.255 10.0.0.96 0.0.0.15
permit ip 45.57.0.0 0.0.127.255 10.0.0.96 0.0.0.15
permit ip 64.120.128.0 0.0.127.255 10.0.0.96 0.0.0.15
permit ip 66.197.128.0 0.0.127.255 10.0.0.96 0.0.0.15
permit ip 69.53.224.0 0.0.31.255 10.0.0.96 0.0.0.15
permit ip 108.160.160.0 0.0.15.255 10.0.0.96 0.0.0.15
permit ip 45.58.64.0 0.0.15.255 10.0.0.96 0.0.0.15
permit ip 190.22.128.0 0.0.127.255 10.0.0.96 0.0.0.15
permit ip 190.232.70.0 0.0.0.255 10.0.0.96 0.0.0.15
permit ip 200.37.0.0 0.0.255.255 10.0.0.96 0.0.0.15
permit ip 190.234.0.0 0.0.127.255 10.0.0.96 0.0.0.15
permit ip 177.140.0.0 0.3.255.255 10.0.0.96 0.0.0.15
permit ip 201.245.0.0 0.0.255.255 10.0.0.96 0.0.0.15

Then I created my class-map matching the access-list I just created:

class-map match-all BANNED-CLASS
match access-group name BANNED-TRAFFIC

After that, I created the policy-map to limit the bandwidth with a policer, dropping the exceeding traffic:

policy-map BANNED-LIMIT
 class BANNED-CLASS
  police cir 1000000
   exceed-action drop

The last step was to apply the service policy on the LAN interface (Vlan4):

interface Vlan4
 service-policy output BANNED-LIMIT

Everything works well and the users are limited to 1Mbps, but I don't know how to now also limit the bandwidth these users (10.0.0.101, 10.0.0.102, 10.0.0.103 and 10.0.0.104) use for P2P applications like BitTorrent, Skype, eDonkey, etc...

If you could help me I would appreciate it... Have a great day,

Daniel.
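As an added check that is not part of the original post: the wildcard mask 10.0.0.96 0.0.0.15 used in every ACL entry above matches a 16-address block, not just the four hosts, so it is worth verifying exactly which destinations the policer will hit. The following is my own Python model of IOS wildcard matching and first-match ACL evaluation (entries are constructed from the post's ACL; the class-map helper assumes standard match-all/match-any semantics).

```python
import ipaddress

# Constructed subset of the BANNED-TRAFFIC ACL from the post:
# (source, source-wildcard, destination, destination-wildcard)
BANNED_TRAFFIC = [
    ("108.175.32.0", "0.0.15.255", "10.0.0.96", "0.0.0.15"),
    ("23.246.0.0", "0.0.63.255", "10.0.0.96", "0.0.0.15"),
    ("45.57.0.0", "0.0.127.255", "10.0.0.96", "0.0.0.15"),
]


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    w = _ip(wildcard)
    return (_ip(addr) & ~w) == (_ip(base) & ~w)


def acl_permits(acl, src, dst):
    """First-match evaluation of 'permit ip' entries; implicit deny at the end."""
    for s, sw, d, dw in acl:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return True
    return False


def covered_hosts(base, wildcard):
    """Enumerate every address a base/wildcard pair matches (small wildcards only).
    Wildcard bits need not be contiguous, so iterate over the set bits directly."""
    b, w = _ip(base), _ip(wildcard)
    bits = [i for i in range(32) if (w >> i) & 1]
    hosts = []
    for n in range(1 << len(bits)):
        v = b & ~w
        for j, bit in enumerate(bits):
            if (n >> j) & 1:
                v |= 1 << bit
        hosts.append(str(ipaddress.IPv4Address(v)))
    return sorted(hosts, key=_ip)


def class_matches(match_all, *criteria):
    """match-all requires every 'match' line to hit; match-any needs just one.
    This is why adding NBAR protocol lines alongside the ACL needs match-any."""
    return all(criteria) if match_all else any(criteria)
```

Running covered_hosts("10.0.0.96", "0.0.0.15") shows the range 10.0.0.96 to 10.0.0.111, so any other host later assigned an address in that block (for example 10.0.0.100) would be policed too; a separate host entry per user, or a tighter wildcard, avoids that.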

3 Replies

Joseph W. Doherty
Hall of Fame

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

If your 861 supports NBAR, it can match some P2P application traffic by protocol. If it does, you would just add those protocols to your class-map.

e.g.

class-map match-any BANNED-CLASS
match access-group name BANNED-TRAFFIC

match protocol ???

Hello Joseph,

Thank you for the quick response... I edited the class-map as you suggested:

class-map match-any BANNED-CLASS
 match access-group name BANNED-TRAFFIC 
 match protocol bittorrent
 match protocol skype
 match protocol edonkey

Also, on the Vlan4 interface I configured:

interface Vlan4
 ip nbar protocol-discovery
 service-policy output BANNED-LIMIT

But the traffic from uTorrent is not being limited to 1Mbps; when I run BitTorrent I can see my download traffic go up to 15Mbps...

I know my router runs NBAR, because after I applied the command on the interfaces (ip nbar protocol-discovery), with "show ip nbar protocol-discovery" I can see the top protocols that are using the bandwidth on the LAN.

I don't know if I'm doing something wrong in the configuration. Thank you again for your help...

Daniel.

Posting

I don't believe you need to enable interface NBAR discovery to use NBAR protocol matching.

If you do a show policy interface, it should show match stats against your class-map match statements. Are matches showing for bittorrent?

Bittorrent is a protocol of which NBAR might not recognize all variations. What sometimes helps is ensuring you're using the latest NBAR versions. The latest NBAR versions can be found in the newest code, but some NBAR protocols can be updated without upgrading the IOS.
