Re: [c-nsp] NBAR + QoS - policing kills class-default traffic

2009-09-23 Thread Jon Simola
On Tue, Sep 22, 2009 at 2:07 PM, Matthew White ma...@vestas.com wrote:

> The policy polices HULU and PANDORA, counters don't increment for YOUTUBE
> (and doesn't get policed) and after 3 or 4 minutes ALL web traffic is
> policed. Has anyone seen this behavior before?

Counters not incrementing for Youtube might be easy, browsers are
redirected to a different site and end up streaming from s.ytimg.com
as an example.

As for the rest, Petr Lapukhov posted a brief article at
http://blog.internetworkexpert.com/2008/11/04/using-nbar-for-http-url-filtering/
and one of the last things he mentions is NBAR engine is buggy :)
Sometimes you may find your class matches much more traffic than you
wanted and drops really important packets. Ooops! This happens all the
time.

-- 
Jon
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
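To make Jon's point about hosts the class-maps never see (s.ytimg.com) concrete, here is an added example, not part of either post: it parses the class-map section from Matthew's config and replays a constructed list of observed HTTP Host headers against it, reporting which class each one lands in. The host-matching rule (exact host or a subdomain of the configured name) is a simplifying assumption, not NBAR's actual regex semantics, and the PANDORA ACL-based class is left out because it does not match on hostnames.

```python
import re

# Constructed copy of the class-map section from the original post (PANDORA omitted:
# it matches an ACL, not an HTTP host, so this hostname-only model cannot evaluate it).
CLASS_MAP_CONFIG = """\
class-map match-any HULU
 match protocol http host t2.hulu.com
 match protocol http host t.hulu.com
 match protocol http host hulu.com
class-map match-any YOUTUBE
 match protocol http host youtube.com
class-map match-any WEB_ENTERTAINMENT
 match class-map HULU
 match class-map YOUTUBE
"""

def parse_class_maps(text):
    """Return {name: {"mode": "match-any"|"match-all", "hosts": [...], "classes": [...]}}."""
    maps, cur = {}, None
    for line in text.splitlines():
        if m := re.match(r"class-map (match-any|match-all) (\S+)", line):
            cur = maps[m.group(2)] = {"mode": m.group(1), "hosts": [], "classes": []}
        elif (m := re.match(r"\s*match protocol http host (\S+)", line)) and cur:
            cur["hosts"].append(m.group(1))
        elif (m := re.match(r"\s*match class-map (\S+)", line)) and cur:
            cur["classes"].append(m.group(1))
    return maps

def host_matches(pattern, host):
    # Assumption: the configured name matches the Host header exactly or as a parent domain.
    return host == pattern or host.endswith("." + pattern)

def class_matches(maps, name, host):
    """Evaluate a (possibly nested) class-map honouring match-any vs match-all."""
    cm = maps[name]
    results = [host_matches(p, host) for p in cm["hosts"]]
    results += [class_matches(maps, c, host) for c in cm["classes"]]
    if not results:
        return False
    return any(results) if cm["mode"] == "match-any" else all(results)

def classify(maps, policy_classes, hosts):
    """Map each observed Host header to the first policy-map class it hits, else class-default."""
    return {h: next((c for c in policy_classes if class_matches(maps, c, h)), "class-default")
            for h in hosts}

# Constructed sample of Host headers seen on the interface, including the CDN host Jon mentions.
OBSERVED_HOSTS = ["www.hulu.com", "t2.hulu.com", "www.youtube.com", "s.ytimg.com", "intranet.example.com"]

if __name__ == "__main__":
    for host, cls in classify(parse_class_maps(CLASS_MAP_CONFIG), ["WEB_ENTERTAINMENT"], OBSERVED_HOSTS).items():
        print(f"{host:24} -> {cls}")
```

Any video host that ends up in class-default here is traffic the policer was never going to see, which is a useful cross-check before trusting NBAR counters.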


[c-nsp] NBAR + QoS - policing kills class-default traffic

2009-09-22 Thread Matthew White
Greetings,

I've got the following kit:

  Cisco 7204VXR (NPE-G1) processor
  Cisco IOS Software, 7200 Software (C7200-ADVIPSERVICESK9-M), Version 12.4(24)T1

and the following NBAR + QoS config:

class-map match-any HULU
 match protocol http host t2.hulu.com
 match protocol http host t.hulu.com
 match protocol http host hulu.com
class-map match-any YOUTUBE
 match protocol http host youtube.com
class-map match-all PANDORA
 match access-group name PANDORA_SERVERS
class-map match-any WEB_ENTERTAINMENT
 match class-map PANDORA
 match class-map HULU
 match class-map YOUTUBE

policy-map LIMIT_INTERNET_TRAFFIC
 class WEB_ENTERTAINMENT
  police 8000 conform-action transmit exceed-action drop

interface GigabitEthernet0/1
 ip address x.x.x.x 255.255.255.192
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 no ip mroute-cache
 duplex full
 speed 100
 media-type rj45
 no negotiation auto
 service-policy output LIMIT_INTERNET_TRAFFIC

The policy polices HULU and PANDORA, counters don't increment for YOUTUBE (and 
doesn't get policed) and after 3 or 4 minutes ALL web traffic is policed. Has 
anyone seen this behavior before?

Yours Sincerely,

Matthew White
Sr. Network Engineer
Group IT, Operations, Network

Vestas Wind Systems A/S
T: +1 503 327 2320
M: +1 503 927 5728
ma...@vestas.com


