QOS Problems

cmorley
Level 1

I have noticed that one of our WAN links has a great deal of traffic from winmx and edonkey. I tried to add an entry to the existing policy map to police that type of traffic; however, whenever I do this the office on the other side of the WAN link cannot access the internet (all internet access from that office comes through this link to reach the internet). Following is the policy map, etc., that applies to the link. Whenever I put in the hogs statement, the internet is not accessible. I would appreciate someone letting me know what I have done wrong; this is new to me, so I will not take any offense at my stupidity!

class-map match-any hogs
 match protocol winmx
 match protocol edonkey
class-map match-all webapps
 match access-group name webapps
class-map match-all rdp
 match access-group name rdp

policy-map scum
 class hogs
  police cir 8000 bc 1500 be 1500
   conform-action drop
   exceed-action drop
 class webapps
  bandwidth 256
 class rdp
  bandwidth 128
 class class-default
  fair-queue

interface Serial1/0
 bandwidth 768
 ip address 10.19.100.254 255.255.255.0
 ip nbar protocol-discovery
 serial restart-delay 0
 no dce-terminal-timing-enable
 no cdp enable
 service-policy output scum

ip access-list extended rdp
 permit tcp any any eq 3389
 permit tcp any any eq telnet
ip access-list extended webapps
 permit ip host 10.0.9.229 any
 permit ip host 10.0.1.224 any
 permit ip host 10.0.1.79 any
 permit ip host 10.0.1.72 any
 permit ip host 10.0.1.149 any
 permit ip host 10.0.1.239 any
 permit ip host 10.0.1.182 any

4 Replies

Wilson Samuel
Level 7

Hi,

Though it's a bit difficult to conclude precisely at this time without the show policy-map output, the most striking point to me is the ACL webapps.

In fact the ACLs hogs and webapps are contradicting each other, i.e. in hogs you are trying to classify at the transport layer, but in webapps you are classifying at the network layer.

Hence the first step towards troubleshooting must be to bring everything to either L3 or L4, e.g. you may specify:

permit tcp host 10.0.9.229 any eq www
permit tcp host 10.0.9.229 any eq https
permit tcp host 10.0.9.229 any eq ftp
permit tcp host 10.0.9.229 any eq smtp
permit tcp host 10.0.9.229 any eq pop3

I hope that should bring the issue to a halt.

Kind Regards,

Wilson Samuel

RF_IESFAFE
Level 1

Hello,

I see you have configured the policies to drop all "hogs" traffic, which includes the "edonkey" and "winmx" protocols.

I believe those protocols are user-defined protocols, so it seems the problem is in the definition of those protocols; probably they are covering other traffic than just the traffic used by edonkey and winmx.

In my opinion it's very difficult or impossible to identify edonkey traffic, as it uses random ports, unless you have some way to do traffic shaping, but there are already some edonkey clients that use protocol obfuscation to intentionally fool traffic-shaping techniques.

But the problem of dropping legitimate traffic is for sure in the definition of those "hogs" protocols.

My solution for dropping all undesired traffic was to permit only traffic for well-known and legitimate applications like www, smtp, etc. and deny all other traffic, and also to impose the use of an internal proxy for web surfing. That not only optimises the bandwidth usage but also solves the problem of some unusual ports used by some www sites. Then you can also close outgoing tcp port 80 except from your proxy server, as all clients should browse the web using the proxy, because I have already seen some edonkey clients that use tcp port 80 in an attempt to fool the firewall.

Rui

Thanks; I think we just realized that the port Cisco identifies as edonkey may be something entirely different. Probably the same thing for winmx also.

guruprasadr
Level 7

Hi cmorley, [Pls rate if helps]

How to block Skype / P2P and identify the top 10 bandwidth-eating applications:

---------------------------------------------

IOS support: version 12.4(4)T

edonkey can be blocked in a similar way to how we block kazaa, limewire and other p2p applications.

Example (for Skype packets):

NBAR configuration to drop Skype packets

class-map match-any p2p
 match protocol skype

policy-map block-p2p
 class p2p
  drop

int FastEthernet0
 description PIX-facing interface
 service-policy input block-p2p

If you are unsure about the bandwidth-eating applications being used in your organisation, you can go to the interface connected to the Internet and configure the following command:

ip nbar protocol-discovery

This will enable NBAR discovery on your router.

Use the following command:

show ip nbar protocol-discovery stats bit-rate top-n 10

It will show you the top 10 bandwidth-eating applications being used by the users. Now you will be able to block/restrict traffic with an appropriate QoS policy.

We can also use the ip nbar port-map command to make NBAR look for a protocol on port numbers other than the well-known Internet Assigned Numbers Authority (IANA)-assigned port numbers.

Usage as per Cisco:

ip nbar port-map protocol-name [tcp | udp] port-number

Up to 16 ports can be specified with this command. Port number values can range from 0 to 65535.

PLS RATE IF HELPS ! !

Best Regards,

Guru Prasad R
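A staged version of the original policy, added here as an example rather than taken from the thread or from Cisco documentation: the hogs class is first attached with no action so its match counters can be checked against real traffic, and only once the classification is trusted is a policer added. Interface, class and rate values are the ones from the original post; the show commands are the standard IOS verification commands.

```cisco
! Stage 1: classify only. The hogs class carries no action, so
! matches are counted in the policy statistics but nothing is dropped.
class-map match-any hogs
 match protocol winmx
 match protocol edonkey
!
policy-map scum
 class hogs
 class webapps
  bandwidth 256
 class rdp
  bandwidth 128
 class class-default
  fair-queue
!
interface Serial1/0
 ip nbar protocol-discovery
 service-policy output scum
!
! Let real traffic flow for a while, then compare the per-match
! counters with what protocol-discovery reports for the link.
! If "Match: protocol edonkey" climbs while only ordinary web
! browsing is running, NBAR is misclassifying and the class must be
! narrowed (or the port-map corrected) before any drop is attached.
!  show policy-map interface Serial1/0 output class hogs
!  show ip nbar protocol-discovery interface Serial1/0 stats packet-count top-n 10
!
! Stage 2: enforce. conform-action transmit throttles the class to
! cir instead of blackholing it, so a residual misclassification
! degrades service rather than cutting the office off. (The original
! police ... conform-action drop exceed-action drop is equivalent to
! a plain drop, since no packet can ever pass.)
policy-map scum
 class hogs
  police cir 8000 bc 1500 be 1500
   conform-action transmit
   exceed-action drop
```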
