07-11-2007 02:32 PM - edited 03-03-2019 05:49 PM
Hi,
I have never configured QoS.
Currently we have a T1 for Internet access for about 200 people.
The second T1 is on the way (it is a 2xT1 bundle; waiting for a WIC to arrive to complete the migration).
Now I need to allow a good Internet browsing experience for the users.
No downloads (via HTTP or P2P programs), no streaming (like Google Video or YouTube).
Some people are allowed to download or watch streaming (but I want to restrict them to some KB per session).
Can I restrict HTTP downloads to, let's say, 20 kbps per session?
First, I need to know if 3 Mbit is good for my situation or whether I need more bandwidth.
If more, then how much?
Can you help me with the config?
Sorry for my stupidity in QoS.
07-11-2007 08:54 PM
HI, [Pls Rate if HELPS]
Block Google Chat & Meebo in your Network:
------------------------------------------
ip inspect alert-off
ip inspect name URL_FILTER http java-list 2 urlfilter
ip urlfilter allow-mode on
ip urlfilter cache 5
ip urlfilter exclusive-domain deny chatenabled.mail.google.com
ip urlfilter exclusive-domain deny .meebo.com
ip audit notify log
ip audit po max-events 100
!
!
interface FastEthernet0/0
 ip address x.x.x.x x.x.x.x
 ip access-group 101 in
 ip inspect URL_FILTER in
 speed auto
!
access-list 2 permit any
The above config will block the sites I have listed, and all the rest are allowed, because the "ip urlfilter allow-mode on" command is present. If this command is not present, it blocks all Internet traffic, so make sure that you issue this command.
Block Traffic using NBAR:
-------------------------
Block specific web sites?
Block some specific extensions from being downloaded?
Answer:
--------
1st Method:
------------
class-map match-any http
 match protocol http url "*www.google.com*"
 match protocol http url "*.rar*"
! define the policy-map before attaching it to the interface
policy-map drop-http
 class http
  police 1000000 31250 31250 conform-action drop exceed-action drop violate-action drop
interface FastEthernet0/0
 service-policy input drop-http
2nd Method:
-----------
class-map match-any http
 match protocol http url "*www.google.com*"
 match protocol http url "*.rar*"
! mark matching HTTP requests with DSCP 1 as they enter from the LAN
policy-map mark-http
 class http
  set dscp 1
interface FastEthernet0/0
 service-policy input mark-http
! ACL 103 drops anything carrying DSCP 1 on the WAN side
interface Serial1/0.1 point-to-point
 ip access-group 103 in
 ip access-group 103 out
access-list 103 deny ip any any dscp 1
access-list 103 permit ip any any
Regarding Bandwidth:
--------------------
For the initial period, use the 3 Mbit of bandwidth and analyse the usage based on traffic pattern and usage level during business hours and off-business hours.
Also, check whether any of your business is involved in the HTTP traffic. Then, based on the study, you can go for an increase of bandwidth.
Hope I am informative.
Pls RATE if HELPS
Best Regards,
Guru Prasad R
07-12-2007 04:32 AM
Hi,
Thanks for your reply.
How do I address the other issues that I posted, is it possible? Like limiting sessions per user or per session to X Kbps?
I am using NBAR and NetFlow to monitor my traffic. As it seems, most of it is HTTP, like 70%-80%; the rest is other crap, some of which I need to block.
Last week's usage result of traffic coming in to my net:
http 9.01 GB 81%
smtp 1.55 GB 14%
https 322.82 MB 3%
ESP_App 81.46 MB 1%
TCP_App 71.73 MB 1%
domain 57.98 MB 1%
pop3 3.52 MB <1%
UDP_App 2.6 MB <1%
ssh 831.62 KB <1%
icmp 367.75 KB <1%
ms-sql-m 209.67 KB <1%
netmeeting 175.24 KB <1%
isakmp 104.64 KB <1%
epmap 28.45 KB <1%
ftp 19.14 KB <1%
netbios-ssn 16.45 KB <1%
netbios-ns 16.06 KB <1%
ms-sql-s 13.1 KB <1%
hosts2-ns 9.0 KB <1%
microsoft-ds 6.52 KB <1%
imap 5.63 KB <1%
cadlock2 4.5 KB <1%
auth 2.83 KB <1%
X11 2.52 KB <1%
tcpmux 1.9 KB <1%
compressnet 1.52 KB <1%
mysql 1.08 KB <1%
This is the NBAR result:
FastEthernet0/0
                          Input                     Output
                          -----                     ------
Protocol                  30sec Bit Rate (bps)      30sec Bit Rate (bps)
------------------------  ------------------------  ------------------------
http                      154000                    0
smtp                      84000                     0
secure-http               8000                      0
dns                       4000                      0
telnet                    2000                      0
ssh                       1000                      0
snmp                      0                         0
ipsec                     0                         0
h323                      0                         0
pop3                      0                         0
unknown                   28000                     0
Total                     281000                    0
Now I want to:
1. Block some traffic that I do not need.
2. Give some traffic more priority than other traffic.
3. Limit some traffic to, let's say, 10 Kbps.
4. Limit some of the users' sessions to, let's say, 20 Kbps per session.
5. How can I analyze my HTTP traffic to implement steps 1-4 on my HTTP traffic?
Thanks.
07-15-2007 03:09 PM
Hi,
Use the same NBAR for blocking these protocols, e.g.:
In global config mode:
class-map http
 match protocol http
! there are other NBAR matches for specific protocols
policy-map limiting
 class http
  bandwidth 80
In WAN interface mode:
bandwidth <your exact interface bandwidth>
service-policy output limiting
:-)
Please rate this if you like.
Regards
07-16-2007 04:43 AM
Hi, can you give a more detailed example?
"policy map limiting
class http
bandwidth 80
"
Does that limit all my HTTP traffic to 80 Kbps, or does it limit the HTTP traffic to 80 Kbps per session?
07-19-2007 10:06 AM
That limits the whole traffic to 80 kbps if there is congestion on the outgoing interface; if there is no congestion on the outgoing interface (serial, I suppose), it can take more bandwidth, up to your interface bandwidth.
If you want your HTTP traffic not to go above 80 kbps even though you have no congestion, use "priority 80 kbps".
That limits the bandwidth to 80 kbps max.
Regards
07-19-2007 08:57 PM
If all you have is 2xT1, I would get a Linksys router WRT54g, hack it with OpenWRT and put it between your LAN and your Cisco Router. It does all you want, and cost peanuts. Beware that OpenWRT will have you out of warranty...
07-21-2007 02:33 AM
There is no straight way to limit traffic per session.
You would have to apply QoS on every port of every switch where PCs that access internet connect, and limit it there.
Bandwidth management is PER-CLASS, not PER-FLOW. Whatever falls into the class, will be limited to what you configured.
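Added example, not part of any post in this thread: the per-class behaviour described above written as an IOS MQC policy, with a hard ceiling (police) beside a minimum guarantee (bandwidth) and a ceiling for one group of users selected by ACL. The class and policy names, the rates, the 192.168.10.0/24 subnet and the role of FastEthernet0/0 as the LAN-facing interface are assumptions.

```cisco
! Added example. Names, rates, the subnet and the interface role are assumptions.
! ACL 110 selects download traffic headed to one group of users (constructed subnet).
access-list 110 permit ip any 192.168.10.0 0.0.0.255
!
class-map match-all HTTP-RESTRICTED-USERS
 match protocol http
 match access-group 110
class-map match-any HTTP-ALL
 match protocol http
class-map match-any MAIL
 match protocol smtp
 match protocol pop3
!
policy-map LAN-DOWNLOAD
 ! Classes are evaluated top-down; the first match wins.
 class HTTP-RESTRICTED-USERS
  ! Hard ceiling of 160 kbps, always enforced, shared by every
  ! session and every host in 192.168.10.0/24 (per class, not per flow).
  police 160000 conform-action transmit exceed-action drop
 class HTTP-ALL
  ! Hard ceiling for all remaining HTTP downloads together.
  police 2000000 conform-action transmit exceed-action drop
 class MAIL
  ! Minimum guarantee in kbps, used only while this interface is congested;
  ! it is not a cap, the class may use more when bandwidth is free.
  bandwidth 512
!
interface FastEthernet0/0
 ! Assumed LAN-facing: downloads leave the router through this interface.
 service-policy output LAN-DOWNLOAD
```

Checking the counters with "show policy-map interface FastEthernet0/0" shows how many packets each class conformed or exceeded, which confirms the ceilings apply to the class as a whole.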
07-21-2007 02:35 AM
Also, T1 is not that great for internet since it's symmetric.
Internet traffic is very asymmetric, with around 80-90% download and 10-20% upload. So the rest of UP bandwidth is not being used.
With modern websites being really large, your connection of 3Mbps for 200 users is just enough. But it also depends how much their work relies on Internet.
07-23-2007 08:28 AM
In my opinion, if you want to restrict on a per-session basis, and you're worried about bandwidth used, try a proxy server instead, and block TCP port 80 from going out on all your clients; that way they HAVE to hook up to your proxy. You can specify proxies to use via either DHCP or GPO without having to do TOO much user interaction.
That would be my suggestion. I'm sure you'll watch your bandwidth usage drop a decent amount, too.