Cisco Support Community
Community Member

QOS for Internet Access


I have never configured QoS.

Currently we have a T1 for Internet access for about 200 people.

The second T1 is on the way (it is a 2xT1 bundle, waiting for a WIC to arrive to complete the migration).

Now I need to allow a good Internet browsing experience for the users.

No downloads (via HTTP or P2P programs), no streaming (like Google Video or YouTube).

Some people are allowed to download or watch streaming (but I want to restrict them to some KB per session).

Can I restrict HTTP downloads to, let's say, 20kbp per session?

First I need to know if 3Mbit is good for my situation or if I need more bandwidth.

If more, then how much?

Can you help me with the config?

Sorry for my stupidity in QoS.


Re: QOS for Internet Access

Hi, [Pls rate if helps]

Block Google Chat & Meebo in your Network:


ip inspect alert-off
ip inspect name URL_FILTER http java-list 2 urlfilter
ip urlfilter allow-mode on
ip urlfilter cache 5
ip urlfilter exclusive-domain deny
ip urlfilter exclusive-domain deny
ip audit notify log
ip audit po max-events 100

interface FastEthernet0/0
 ip address x.x.x.x x.x.x.x
 ip access-group 101 in
 ip inspect URL_FILTER in
 speed auto

access-list 2 permit any

The above config will block the sites that I have listed, and all the rest are allowed, because the "ip urlfilter allow-mode on" command is present. If it is not present, then it blocks the entire Internet traffic, so make sure that you issue this command.

Block Traffic using NBAR:


Block specific web sites?

Block some specific extensions from being downloaded?



1st Method:


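class-map match-any http
 match protocol http url "**"
 match protocol http url "*.rar*"
! all three police actions are drop, so every packet matched by class http is dropped
policy-map drop-http
 class http
  police 1000000 31250 31250 conform-action drop exceed-action drop violate-action drop
! attach the policy after the policy-map has been defined
interface FastEthernet0/0
 service-policy input drop-http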

2nd Method:


class-map match-any http
 match protocol http url "**"
 match protocol http url "*.rar*"
policy-map mark-http
 class http
  set dscp 1
interface FastEthernet0/0
 service-policy input mark-http
! ACL 103 drops the packets that mark-http marked with DSCP 1
access-list 103 deny ip any any dscp 1
access-list 103 permit ip any any
interface Serial1/0.1 point-to-point
 ip access-group 103 in
 ip access-group 103 out

Regarding Bandwidth:


For the initial period, avail the 3 Mbits of bandwidth and analyse the usage based on traffic pattern and usage level during business hours and off-business hours.

Also, check whether any of your business is involved in the HTTP traffic. Then, based on the study, you can go for an increase of bandwidth.

Hope I am informative.


Best Regards,

Guru Prasad R

Community Member

Re: QOS for Internet Access


Thanks for your reply.

How do I address the other issues that I posted, is it possible? Like limiting sessions per user or per session to X Kbps?

I am using NBAR and NetFlow to monitor my traffic. As it seems, most of it is HTTP, like 70%-80%; the rest is other crap, and I need to block some of it.

Last week's usage result of traffic coming into my net:

http 9.01 GB 81%

smtp 1.55 GB 14%

https 322.82 MB 3%

ESP_App 81.46 MB 1%

TCP_App 71.73 MB 1%

domain 57.98 MB 1%

pop3 3.52 MB <1%

UDP_App 2.6 MB <1%

ssh 831.62 KB <1%

icmp 367.75 KB <1%

ms-sql-m 209.67 KB <1%

netmeeting 175.24 KB <1%

isakmp 104.64 KB <1%

epmap 28.45 KB <1%

ftp 19.14 KB <1%

netbios-ssn 16.45 KB <1%

netbios-ns 16.06 KB <1%

ms-sql-s 13.1 KB <1%

hosts2-ns 9.0 KB <1%

microsoft-ds 6.52 KB <1%

imap 5.63 KB <1%

cadlock2 4.5 KB <1%

auth 2.83 KB <1%

X11 2.52 KB <1%

tcpmux 1.9 KB <1%

compressnet 1.52 KB <1%

mysql 1.08 KB <1%

This is the NBAR result:


                          Input                     Output
                          -----                     ------
Protocol                  30sec Bit Rate (bps)      30sec Bit Rate (bps)
------------------------  ------------------------  ------------------------
http                      154000                    0
smtp                      84000                     0
secure-http               8000                      0
dns                       4000                      0
telnet                    2000                      0
ssh                       1000                      0
snmp                      0                         0
ipsec                     0                         0
h323                      0                         0
pop3                      0                         0
unknown                   28000                     0
Total                     281000                    0

Now I want to:

1. Block some traffic that I do not need?

2. I want to give some traffic more priority than the other.

3. Limit some traffic to, let's say, 10Kbps.

4. Limit some of the users' sessions to, let's say, 20 KBPS per session. Can I analyze my HTTP traffic to implement steps 1-4 on my HTTP traffic?


Community Member

Re: QOS for Internet Access


Use the same NBAR for blocking these protocols.

in global mode >>>

class-map match-any http
 ! there are other NBAR matches for specific protocols
 match protocol http
policy-map limiting
 class http
  bandwidth 80

in WAN interface mode >>>

 bandwidth <ur exact interface B.w>
 service-policy output limiting

plz rate this if u like


Community Member

Re: QOS for Internet Access

Hi, can you give a more detailed example?

"policy map limiting

class http

bandwidth 80"


Does that limit all my HTTP traffic to 80 Kbp, or does it limit the HTTP traffic to 80 Kbp per session?

Community Member

Re: QOS for Internet Access

That is limiting the whole traffic to 80kbps if there is congestion on the outgoing interface; if there is no congestion on the outgoing interface (serial, I suppose) it can take more B.w, up to ur interface B.w.

If u want that ur http traffic should not go above 80 kbp even though u have no congestion, use "priority 80 kbps".

That limits the b.w to 80 kbps max.


Community Member

Re: QOS for Internet Access

If all you have is 2xT1, I would get a Linksys WRT54G router, hack it with OpenWRT and put it between your LAN and your Cisco router. It does all you want, and costs peanuts. Beware that OpenWRT will put you out of warranty...


Re: QOS for Internet Access

There is no straight way to limit traffic per session.

You would have to apply QoS on every port of every switch where PCs that access internet connect, and limit it there.

Bandwidth management is PER-CLASS, not PER-FLOW. Whatever falls into the class, will be limited to what you configured.
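
To make the per-class point above concrete, here is an added example (not part of any post in this thread): a Python simulation of a single-rate policer using the `police 1000000 31250 31250` numbers from the NBAR reply, with two flows sharing one class. The flow names, packet size, random arrival pattern and the transmit-on-conform action are assumptions made for the illustration.

```python
import random
from collections import Counter

class SingleRatePolicer:
    """Color-blind single-rate, three-color policer (RFC 2697 style)."""

    def __init__(self, cir_bps, bc_bytes, be_bytes):
        self.rate = cir_bps / 8.0               # refill, bytes per second
        self.bc, self.be = bc_bytes, be_bytes   # bucket depths
        self.tc, self.te = bc_bytes, be_bytes   # both buckets start full
        self.last = 0.0

    def classify(self, now, size):
        # Refill the conform bucket first; overflow spills into the excess bucket.
        tokens = (now - self.last) * self.rate
        self.last = now
        spill = max(0.0, self.tc + tokens - self.bc)
        self.tc = min(self.bc, self.tc + tokens)
        self.te = min(self.be, self.te + spill)
        if self.tc >= size:
            self.tc -= size
            return "conform"
        if self.te >= size:
            self.te -= size
            return "exceed"
        return "violate"

def simulate(flows, seconds=10, size=1250, seed=1):
    """flows maps a flow name to packets per second; returns delivered bps per flow."""
    rng = random.Random(seed)                   # constructed, repeatable arrivals
    policer = SingleRatePolicer(1_000_000, 31250, 31250)  # numbers from the post
    events = sorted((rng.uniform(0, seconds), name)
                    for name, pps in flows.items()
                    for _ in range(int(pps * seconds)))
    sent = Counter()
    for when, name in events:
        # Assumption: conform-action transmit, exceed and violate drop.
        if policer.classify(when, size) == "conform":
            sent[name] += size
    return {name: sent[name] * 8 / seconds for name in flows}

if __name__ == "__main__":
    print(simulate({"browse": 50}))               # 0.5 Mbps offered, alone
    print(simulate({"browse": 50, "bulk": 900}))  # same flow beside a 9 Mbps download
```

The policer never looks at which flow a packet belongs to, so the browsing flow that passes untouched on its own keeps only its proportional share of the class once the bulk flow joins it.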


Re: QOS for Internet Access

Also, T1 is not that great for internet since it's symmetric.

Internet traffic is very asymmetric, with around 80-90% download and 10-20% upload. So the rest of UP bandwidth is not being used.

With modern websites being really large, your connection of 3Mbps for 200 users is just enough. But it also depends how much their work relies on Internet.


Re: QOS for Internet Access

In my opinion, if you want to restrict on a per-session basis, and you're worried about bandwidth used, try a proxy server instead, and block TCP port 80 from going out on all your clients; that way they HAVE to hook up to your proxy. You can specify proxies to use via either DHCP or GPO without having to do TOO much user interaction.

That would be my suggestion. I'm sure you'll watch your bandwidth usage drop a decent amount, too.
