Cisco – How to Block Torrents Using NBAR

bandwidthciscocisco-commandscisco-ios

I have a Cisco 1900 Series router running and I have issued whereby clients running torrents take all the bandwidth for their own use while business users suffer the damage.

I tried setting up nbar using the config as stated below;

  ip cef
  class-map match-any LIMIT-TOR
  match protocol bittorrent
  exit
  policy-map QOS-LIMIT-TOR-POLICY
  class LIMIT-TOR
  police cir 2000000
  confirm-action drop
  exceed-action drop
  exit
  exit
  exit
  int gig 0/1
  ip nbar protocol-discovery
  service-policy input QOS-LIMIT-TOR-POLICY

Where the Interface Gigabit 0/1 is the LAN Interface on the Router.

I noticed nothing changed as I was still able to use Utorrent and I changed the policy map from what i have up there to this;
policy-map QOS-LIMIT-TOR-POLICY
class LIMIT-TOR
exit
And I an still having same issue…. I could still use Utorrent.

I did a show state on the recent configuration and got this
RouterName#show policy-map int gig0/1
GigabitEthernet0/1

    Service-policy input: QOS-LIMIT-TOR-POLICY

      Class-map: LIMIT-TOR (match-any)
        9245 packets, 1103711 bytes
        5 minute offered rate 5000 bps, drop rate 5000 bps
        Match: protocol bittorrent
          9245 packets, 1103711 bytes
          5 minute rate 5000 bps
        Match: protocol gnutella
          0 packets, 0 bytes
          5 minute rate 0 bps
        drop

Class-map: class-default (match-any)
  771180 packets, 134837021 bytes
  5 minute offered rate 875000 bps, drop rate 0 bps
  Match: any

What am I doing wrong please?

Best Answer

Thanks all. It has been rectified.

I changed the code from

  int gig 0/1
  ip nbar protocol-discovery
  service-policy input QOS-LIMIT-TOR-POLICY

to (by adding the additional line of code)

  int gig 0/1
  ip nbar protocol-discovery
  service-policy input QOS-LIMIT-TOR-POLICY
  service-policy output QOS-LIMIT-TOR-POLICY

Related Solutions

Cisco – Output Drops on Serial interface: Better queueing or Output queue size

You're right, you wouldn't really see the burstiness easily on SNMP. 1GE can send 1.48Mpps, so it takes very very little time to congest the the 45Mbps, which can handle less than 75kpps.

If your ingress is 1GE and egress is 45Mbps, then obviously the congestion point of 45Mbps will need to drop packets. This is normal and expected. If you increase buffers you'll introduce more delay.
1GE takes 0.45ms to send 40 1500B IP frames, which is right now the amount of burst you can handle. However dequeueing them on the 45Mbps already takes 10ms.

If you don't have any acute problem, I would probably not do anything about it. But if some traffic is more eligible for dropping than other, then you should replace FIFO with class-based queueing. Say maybe you want to prioritize so that more ftp is dropped and less voip.
Then it'll also make more sense to add more buffering on the ftp traffic, as it's not really sensitive to delay.

If you want to try your luck with deeper buffers, something like this should suffice:

policy-map WAN-OUT
 class class-default
    fair-queue
    queue-limit 200 packets
!
interface Serial1/0
  service-policy output WAN-OUT

This would cause 50ms buffers on the Serial1 and would allow you to handle up-to 2.25ms burst from single Gige interface.

Cisco – How to reasonably verify the QoS configuration is working

Your question's pretty broad. There's a lot of different commands you can use to troubleshoot and monitor QoS, so I'll focus on the primary question you have, which is how to reasonably verify your QoS configuration is working and how to read the policy-map interface output.

The only true way to verify that QoS is working is to hook up a traffic generator and monitor your drop rate in various queues. Since that isn't typically feasible, particularly in a production environment, all you can really do is verify that the traffic is being marked and classified properly.

What you're really looking for, when it comes to verifying if your QoS configuration is working, is for the counters in the policy-map interface command to increment.

So, for example, in the output your provided:

Class-map: VOICE (match-any)
  3860628 packets, 1070196895 bytes
  5 minute offered rate 0 bps, drop rate 0 bps
  Match: protocol sip
    97348 packets, 49867304 bytes
    5 minute rate 0 bps
  Match: protocol rtp
    3763280 packets, 1020329591 bytes
    5 minute rate 0 bps
  Match: access-group name NEC-PBX
    0 packets, 0 bytes
    5 minute rate 0 bps
  Priority: 40% (340 kbps), burst bytes 8500, b/w exceed drops: 5

You can see that you're seeing packets under SIP and RTP, but not NEC-PBX. If you know you're getting SIP and RTP traffic across a link, you should see the packet counts increment and that's a reasonable way to know that your configuration is basically working.

Best Answer

Related Solutions

Cisco – Output Drops on Serial interface: Better queueing or Output queue size

Cisco – How to reasonably verify the QoS configuration is working

Related Topic