
Save Our Internet Bandwidth!!

For the sake of all that is sacred....save us from the bandwidth thieves!  YouTube, Google Video, MySpace....and others.  All of them are to thank for our latest level of Internet bandwidth saturation.  If it bothers you like it does me, why not do something about it?  Save the Internet bandwidth for your business!!

On a Cisco router, it is easy to recognize and limit this type of traffic by using Cisco Quality of Service, specifically the NBAR and traffic policing components.  In my scenario I will be reserving and policing the standard web traffic to 11Mbps of our DS3 and the offending traffic (mentioned above) to just 64Kbps.  Offending traffic will still flow (to save you from a freedom of speech lawsuit...yep, you heard me right), but it WILL be SLOOOOW...

Here is a sample config:

Start by creating your traffic classes -

!
class-map match-any web-traffic
   match protocol http
   match protocol secure-http
   match protocol ipsec
   match protocol dns
   match protocol ....
   ! match any other non-offending traffic here

class-map match-any scum
   match protocol http url "*youtube*"
   match protocol http url "*video.google*"
   match protocol http url "*myspace*"

Next, create your policy maps to define the traffic parameters.  (Note the embedded policy map for the scum traffic: it is applied as a child policy under the web-traffic class.)

policy-map inbound-internet
   class web-traffic
   bandwidth 10000
   ! in kbps
   police cir 10000000 pir 11000000 conform-action transmit exceed-action set-prec-transmit 0 violate-action drop
   service-policy die-scum

policy-map die-scum
   class scum
   police cir 56000 pir 64000 conform-action set-prec-transmit 0 exceed-action drop

Finally, assign the service policy to your corporate-facing interface and enable NBAR for application recognition:

interface GigabitEthernet0/1
   service-policy output inbound-internet
   ip nbar protocol-discovery
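As an added example (mine, not from the post and not Cisco's code), the Python below simulates the two-rate three-colour policer that the "police cir ... pir ..." lines configure, so you can see packet by packet why the scum class still flows but slowly. It assumes the IOS default burst sizes of 250 ms of traffic (rate/32 bytes); the 80 kbps packet stream it polices is constructed.

```python
"""Two-rate three-colour policer (RFC 2698 style) of the kind IOS
'police cir <bps> pir <bps>' configures.  Added example, not from the post."""


class TwoRatePolicer:
    """Colour-blind trTCM: a committed bucket (cir, bc) and a peak bucket (pir, be)."""

    def __init__(self, cir, pir, bc=None, be=None):
        self.cir, self.pir = cir, pir                 # bits per second
        # Assumed IOS default burst: 250 ms of traffic = bps * 0.25 / 8 = bps / 32 bytes.
        self.bc = bc if bc is not None else cir // 32
        self.be = be if be is not None else pir // 32
        self.tc, self.tp = float(self.bc), float(self.be)  # buckets start full
        self.last_ms = 0

    def classify(self, t_ms, size):
        """Return 'conform', 'exceed' or 'violate' for a size-byte packet at t_ms."""
        dt = t_ms - self.last_ms
        self.last_ms = t_ms
        self.tc = min(self.bc, self.tc + self.cir * dt / 8000.0)   # refill in bytes
        self.tp = min(self.be, self.tp + self.pir * dt / 8000.0)
        if self.tp < size:            # over the peak rate: red -> violate-action
            return "violate"
        self.tp -= size
        if self.tc < size:            # over committed, under peak: yellow -> exceed-action
            return "exceed"
        self.tc -= size
        return "conform"              # green -> conform-action


def police(policer, packets):
    """Run a list of (t_ms, bytes) packets through the policer; return per-colour counts."""
    counts = {"conform": 0, "exceed": 0, "violate": 0}
    for t_ms, size in packets:
        counts[policer.classify(t_ms, size)] += 1
    return counts


def constant_stream(n, size, gap_ms):
    """Constructed sample traffic: n packets of size bytes, one every gap_ms."""
    return [(i * gap_ms, size) for i in range(n)]


if __name__ == "__main__":
    # The scum policer from the post: cir 56000 pir 64000 with default bursts.
    p = TwoRatePolicer(56000, 64000)
    print("bc/be bytes:", p.bc, p.be)                      # 1750 2000
    # 1000-byte packets every 100 ms = 80 kbps offered, above both rates.
    print(police(p, constant_stream(12, 1000, 100)))       # {'conform': 8, 'exceed': 2, 'violate': 2}
```

With the die-scum actions from the post, only the conformed packets are transmitted (exceed and violate both drop), which is the throttling the post describes.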

See my other blog on using NBAR to block peer-to-peer traffic to complete the scenario.

Save the Bandwidth!  =)

Storm - Out


Posted on Thursday, November 16, 2006 at 04:18PM by Mike Storm | 6 Comments

Reader Comments (6)

Thank you very much for the info.
February 8, 2007 | Unregistered Commenter Jason Kack
Congratulations on your interesting blog.

Just a question: the returning HTTP headers do not contain the URL (as opposed to the request): neither the first response packet nor the following ones.
So how can the inbound flow be matched by the policy map/class which specifies a regexp on the URL? (You apply NBAR only to the external interface.)
February 27, 2007 | Unregistered Commenter sr
It is applied to the corporate facing interface. NBAR catches the request on the way out. This would not address any redirection URLs for video content in response, but could be controlled with CBAC and a route map depending upon your security policy. A potential topic of another blog. =)
May 1, 2007 | Registered Commenter Mike Storm
Mike,

The above doesn't work:
CBWFQ : Can be enabled as an output feature only

Turns out that if any policy map contains bandwidth, the "inbound" is not allowed.
Can you please test the stuff you suggest before posting, and if you have it working copy it exactly? That would save us from headaches, thanks!
May 11, 2007 | Unregistered Commenter Jerry
In response to Jerry: here is the output of my working config. The NBAR portion is inbound and the web stuff is output for the policing. The sum of the configuration is a result of two of my posted blogs....NBAR and Internet Bandwidth Control. Sorry if that confused anyone, but it does work and the configs came directly from my production router. Here is the output of the show ver:

uptime is 10 weeks, 5 days, 23 hours, 9 minutes
System returned to ROM by power-on
System restarted at 15:57:49 MST Sat Apr 28 2007
System image file is "flash:c2600-ik9o3s3-mz.123-21.bin"

Here is the output of the show policy-map command:

#sh policy-map interface
FastEthernet0/0

Service-policy output: internet-traffic

Class-map: web-traffic (match-any)
110050881 packets, 15415750904 bytes
5 minute offered rate 33000 bps, drop rate 0 bps
Match: protocol http
76428230 packets, 10920582287 bytes
5 minute rate 27000 bps
Match: protocol secure-http
32189249 packets, 4172423911 bytes
5 minute rate 4000 bps
Match: protocol ipsec
1433107 packets, 322725746 bytes
5 minute rate 0 bps
Match: protocol dns
277 packets, 19969 bytes
5 minute rate 0 bps
Queueing
Output Queue: Conversation 265
Bandwidth 10000 (kbps) Max Threshold 64 (packets)
(pkts matched/bytes matched) 128244/20748487
(depth/total drops/no-buffer drops) 0/0/0
police:
cir 10000000 bps, bc 312500 bytes
pir 11000000 bps, be 343750 bytes
conformed 110047700 packets, 15410831321 bytes; actions:
transmit
exceeded 1363 packets, 2055774 bytes; actions:
set-prec-transmit 0
violated 1900 packets, 2867839 bytes; actions:
drop
conformed 33000 bps, exceed 0 bps, violate 0 bps

Service-policy : die-scum

Class-map: nbar-discovery (match-any)
245723 packets, 34592884 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: protocol gnutella
0 packets, 0 bytes
5 minute rate 0 bps
Match: protocol napster
396 packets, 55440 bytes
5 minute rate 0 bps
Match: protocol printer
0 packets, 0 bytes
5 minute rate 0 bps
Match: protocol http url "*cmd.exe*"
23 packets, 3818 bytes
5 minute rate 0 bps
Match: protocol fasttrack
14732 packets, 0 bytes
5 minute rate 0 bps
Match: protocol novadigm
206248 packets, 28874720 bytes
5 minute rate 0 bps
Match: protocol edonkey
0 packets, 0 bytes
5 minute rate 0 bps
Match: protocol bittorrent
3179 packets, 445060 bytes
5 minute rate 0 bps
Match: protocol citrix
211145 packets, 2960300 bytes
5 minute rate 0 bps
drop

Class-map: scum (match-any)
1988911 packets, 355019049 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: protocol http url "*youtube*"
36321 packets, 4508056 bytes
5 minute rate 0 bps
Match: protocol http url "*video.google*"
5441 packets, 655975 bytes
5 minute rate 0 bps
Match: protocol http url "*myspace*"
1157129 packets, 415409311 bytes
5 minute rate 0 bps
police:
cir 1800000 bps, bc 56250 bytes
pir 2000000 bps, be 62500 bytes
conformed 174891 packets, 62785869 bytes; actions:
set-prec-transmit 0
transmit
exceeded 1814020 packets, 651233180 bytes; actions:
drop
violated 0 packets, 0 bytes; actions:
drop
conformed 11842 bps, exceed 28741 bps, violate 0 bps

Class-map: class-default (match-any)
109852043 packets, 15344298657 bytes
5 minute offered rate 33000 bps, drop rate 0 bps
Match: any

Class-map: class-default (match-any)
63482126 packets, 20399531261 bytes
5 minute offered rate 34000 bps, drop rate 0 bps
Match: any
FastEthernet0/1

Service-policy input: ip-prec-marked

Class-map: nbar-discovery (match-any)
254621 packets, 25714794 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: protocol gnutella
0 packets, 0 bytes
5 minute rate 0 bps
Match: protocol napster
466 packets, 29252 bytes
5 minute rate 0 bps
Match: protocol printer
50 packets, 3022 bytes
5 minute rate 0 bps
Match: protocol http url "*cmd.exe*"
79 packets, 14678 bytes
5 minute rate 0 bps
Match: protocol fasttrack
147 packets, 9048 bytes
5 minute rate 0 bps
Match: protocol novadigm
246 packets, 15507 bytes
5 minute rate 0 bps
Match: protocol edonkey
0 packets, 0 bytes
5 minute rate 0 bps
Match: protocol bittorrent
253395 packets, 25624492 bytes
5 minute rate 0 bps
Match: protocol citrix
238 packets, 18795 bytes
5 minute rate 0 bps
drop

Class-map: class-default (match-any)
2174959950 packets, 36470313162 bytes
5 minute offered rate 70000 bps, drop rate 0 bps
Match: any

Storm - Out
July 13, 2007 | Unregistered Commenter Storm
Thank you for clearing this up. I had it working myself, so I was a little confused by Jerry's comment. I wish ALL Youtube packets had the URL in them though. Then it could catch everything. Thanks again for a quality blog.
August 3, 2007 | Unregistered Commenter JamesB