Suggested prerequisite reading
»Cisco Forum FAQ »How do I configure QoS for VoIP?
»Cisco Forum FAQ »Improving Performance of Cable/DSL Internet using QoS

The biggest challenge in running a BitTorrent application is that it is very bandwidth hungry. If your Internet router is doing NAT/PAT, you can also see how heavily BitTorrent uses the NAT/PAT process and how quickly it fills up the NAT/PAT table. In the end, your router might not be able to keep up and stops working.

Since BitTorrent is such a bandwidth-hungry application, the key to a manageable network connection is to apply Quality of Service (QoS). QoS becomes especially significant when you also run high-priority applications such as Voice over IP (VoIP) and public servers that provide, for example, web and mail services.

Following is a sample configuration using CBWFQ (Class-Based Weighted Fair Queueing) QoS that keeps the network connection manageable when the network runs BitTorrent, VoIP and other applications such as online gaming. The sample configuration should work on any Cisco router platform that meets the following pre-requisites. This configuration has been applied to a cheap Cisco 827 router and works fine.

Pre-requisites:
* The router runs an IOS image supporting CBWFQ QoS
* The router supports named ACLs
* The router runs IOS 12.4 (not sure about other versions, feel free to try and let me know)

The configuration assumes you assign the IP range 192.168.254.0/24 to the LAN:
* 192.168.254.129 to 192.168.254.191 are assigned by DHCP to machines without a static IP
* 192.168.254.11 is assigned to the VoIP ATA (in the example below, a Wengo ATA called Wenbox)
* 192.168.254.1 is my server for DNS, WINS, NTP and TFTP. Replace these with the correct IPs (local LAN or your ISP's addresses)

Notes on Outbound Policy Shaping Implementation:
* Ethernet0 is the physical interface on the LAN side that receives the traffic
* ATM0 is the physical interface on the WAN side that sends the traffic out to the ISP
* Dialer1 is the logical interface on the WAN side that controls the Layer-2/3 (PPP and IP) management of the ATM0 interface
* You need to implement outbound policy shaping on the physical interface to actually execute the queueing/shaping/policing functions. In this sample configuration, outbound policy shaping is on the ATM0 interface
* Since the physical interface has a specific PVC setting, the outbound policy shaping configuration is available under the PVC configuration
* Should your router have the PVC configuration under a sub-interface, then you have to configure the outbound policy shaping on that sub-interface
* In some IOS versions, you need to specify the cbr value to make the outbound policy shaping configuration visible, as noted in this sample configuration
* Implementing outbound policy shaping on the Dialer1 interface (or any logical WAN interface) makes no difference. The issue is that once the data has been encapsulated into PPPoX (PPPoA or PPPoE) there is no proper identification as the traffic goes out the Dialer interface. Tagging the packets as they come into the inside interface with a unique precedence or DSCP value prior to encapsulation gives the router what it needs for proper decision making as the packets exit the outside interface.

Sample Configuration

service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
!
hostname XXXXXXX
!
logging buffered 64000 debugging
no logging console
enable secret ENABLESECRET
enable password ENABLEPASSWORD
!
clock timezone CET 1
clock summer-time CEDT recurring 1 Sun Apr 3:00 last Sun Oct 3:00
!
no ip source-route
no ip dhcp use vrf connected
no ip dhcp conflict logging
ip dhcp excluded-address 192.168.254.1 192.168.254.128
ip dhcp excluded-address 192.168.254.192 192.168.254.254
!
ip dhcp pool Local-LAN
network 192.168.254.0 255.255.255.0
! Assign 192.168.254.1 as DNS Server
dns-server 192.168.254.1
! Assign 192.168.254.1 as WINS Server
netbios-name-server 192.168.254.1
default-router 192.168.254.254
domain-name chezmoi.com
netbios-node-type h-node
! Assign 192.168.254.1 as NTP Server
option 42 ip 192.168.254.1
! Assign 192.168.254.1 as Boot/TFTP Server
option 66 ascii "192.168.254.1"
!
ip dhcp pool Wengo-ATA
host 192.168.254.11 255.255.255.0
! Replace with 01 followed by the ATA's MAC address (Ethernet client identifier)
client-identifier 0100.0cc3.3221.17
! WARNING SOME ATAs request the DHCP address with their MAC directly.
! In that case use line below and replace by your ATA MAC address
hardware-address 000c.c332.2117
! Replace the second and third addresses with your ISP's DNS servers
dns-server 192.168.254.1 212.94.174.85 212.94.174.86
!
ip cef
!
ip domain name chezmoi.com
ip name-server 192.168.254.1
no ip bootp server
ip ftp source-interface Ethernet0
!
ip ddns update method DynDNS-Eric
HTTP
! Press Ctrl-V before typing the "?" so IOS inserts it instead of showing context help
add http://dyndnslogin:dyndnspassword@<s>/nic/update?system=dyndns&hostname=<h>&myip=<a>
interval maximum 28 0 0 0
!
vpdn enable
!
ip access-list extended BitTorrent
remark --- BitTorrent default ports
permit tcp any range 6881 6889 any
permit udp any range 6881 6889 any
permit tcp any any range 6881 6889
permit udp any any range 6881 6889
!
ip access-list extended CityOfHeroes
permit ip 192.168.254.0 0.0.0.255 216.107.254.0 0.0.0.255
permit ip 192.168.254.0 0.0.0.255 216.107.240.0 0.0.15.255
!
ip access-list extended FTP
remark --- FTP traffic from LAN to FTP servers
permit tcp 192.168.254.0 0.0.0.255 any range ftp-data ftp
!
ip access-list extended ICMP
remark --- ICMP from LAN
permit icmp 192.168.254.0 0.0.0.255 any
!
ip access-list extended LAN-IPsec
remark --- IPSec traffic from LAN
permit udp 192.168.254.0 0.0.0.255 any eq 10001
permit udp 192.168.254.0 0.0.0.255 any eq isakmp
!
ip access-list extended Local-LANs
remark --- permit DHCP
permit udp any eq bootpc any
permit udp any any eq bootps
remark --- permit local LAN
permit ip 192.168.254.0 0.0.0.255 any
remark --- deny the rest and log
deny ip any any log
!
ip access-list extended Outbound-DNS
remark --- outbound DNS queries
permit udp 192.168.254.0 0.0.0.255 any eq domain
!
ip access-list extended Skype
remark --- Skype traffic
permit udp any eq 44330 any
!
ip access-list extended Telnet-Traffic
remark --- any telnet traffic
permit tcp any any eq telnet
permit tcp any eq telnet any
!
ip access-list extended WWW-and-SSL
remark --- deny eMule traffic
deny udp any eq 4672 any
deny tcp any eq 4662 any
remark --- deny BitTorrent traffic
deny tcp any range 6881 6889 any
deny udp any range 6881 6889 any
remark --- permit http and https traffic
permit tcp any any eq www
permit tcp any any eq 443
!
ip access-list extended Wengo-ATA
remark --- traffic from Wengo's ATA box
permit ip host 192.168.254.11 any
!
ip access-list extended eMule
remark --- eMule default ports
permit udp any eq 4672 any
permit tcp any eq 4662 any
permit udp any any eq 4672
permit tcp any any eq 4662
!
ip access-list extended to-SIP-servers
remark --- traffic to any SIP server
permit udp 192.168.254.0 0.0.0.255 any eq 5060
!
class-map match-any VoIP-Class-Inbound
match access-group name Wengo-ATA
match access-group name Skype
match access-group name to-SIP-servers
!
class-map match-any Hi-Class-Inbound
match access-group name Outbound-DNS
match access-group name Telnet-Traffic
match access-group name CityOfHeroes
!
class-map match-any Med-Class-Inbound
match access-group name WWW-and-SSL
match access-group name ICMP
match access-group name FTP
!
class-map match-any Lo-Class-Inbound
match access-group name eMule
match access-group name BitTorrent
!
policy-map Packet-Tagging
class VoIP-Class-Inbound
set precedence 5
class Hi-Class-Inbound
set precedence 4
class Med-Class-Inbound
set precedence 3
class Lo-Class-Inbound
police 10000 2000 2000 conform-action set-prec-transmit 2 exceed-action set-prec-transmit 1
class class-default
set ip precedence 1
!
interface Ethernet0
description --- Internal LAN
ip address 192.168.254.254 255.255.255.0
ip access-group Local-LANs in
no ip redirects
ip nat inside
ip virtual-reassembly
load-interval 30
fair-queue
service-policy input Packet-Tagging
hold-queue 100 out
!
class-map match-any VoIP-Class-Outbound
match ip precedence 5
!
class-map match-any Hi-Class-Outbound
match ip precedence 4
!
class-map match-any Med-Class-Outbound
match ip precedence 3
!
class-map match-any Lo-Class-Outbound
match ip precedence 2
match ip precedence 1
!
policy-map Packet-Queueing
class VoIP-Class-Outbound
priority 64
class Hi-Class-Outbound
bandwidth remaining percent 50
random-detect
random-detect exponential-weighting-constant 8
random-detect precedence 4 20 60 20
class Med-Class-Outbound
bandwidth remaining percent 25
random-detect
random-detect exponential-weighting-constant 8
random-detect precedence 3 15 30 15
class Lo-Class-Outbound
bandwidth remaining percent 25
random-detect
random-detect exponential-weighting-constant 3
random-detect precedence 1 1 15 3
random-detect precedence 2 10 20 10
!
interface ATM0
no ip address
load-interval 30
no atm ilmi-keepalive
bundle-enable
dsl operating-mode auto
pvc Cegetel 8/35
cbr 160
encapsulation aal5mux ppp dialer
dialer pool-member 1
service-policy output Packet-Queueing
!
!
interface Dialer1
bandwidth 160
ip ddns update hostname YouDynDNSHostName
ip ddns update DynDNS-Eric host members.dyndns.org
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
ppp authentication chap callin
ppp chap hostname YourPPPoA_Username
ppp chap password YourPPPoA_password
max-reserved-bandwidth 100
!
ip local policy route-map Local-Tagging
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
!
ip nat translation port-timeout udp 40080 60
ip nat translation port-timeout udp 4672 180
ip nat translation port-timeout tcp 4662 180
ip nat inside source list Networks_2B_NATed interface Dialer1 overload
ip nat inside source static udp 192.168.254.11 5070 interface Dialer1 5070
ip nat inside source static udp 192.168.254.11 10000 interface Dialer1 10000
ip nat inside source static udp 192.168.254.11 10001 interface Dialer1 10001
!
ip access-list standard Allowed-Telnet-Clients
permit 192.168.254.0 0.0.0.255
deny any log
ip access-list standard DenyAll
deny any log
ip access-list standard Networks_2B_NATed
permit 192.168.254.0 0.0.0.255
!
snmp-server community public RO DenyAll
snmp-server enable traps tty
!
route-map Local-Tagging permit 20
description --- Telnet traffic goes in High Class
match ip address Telnet-Traffic
set ip precedence 4
!
route-map Local-Tagging permit 40
description --- The rest goes in Medium class
set ip precedence 3
!
alias exec voipnat sh ip nat tra | inc 192.168.254.11
!
line con 0
access-class DenyAll in
access-class DenyAll out
password LinePassword
login
transport output none
stopbits 1
speed 115200
line vty 0 4
access-class Allowed-Telnet-Clients in
access-class DenyAll out
password LinePassword
login
transport input telnet
transport output none
!
sntp server 192.168.254.1
 

Following is the relevant part of the sample configuration for routers with WAN sub-interfaces; the rest of the configuration is the same as above.

interface ATM0
no ip address
load-interval 30
no atm ilmi-keepalive
bundle-enable
dsl operating-mode auto
!
interface ATM0.35 point-to-point
pvc Cegetel 8/35
cbr 384
dialer pool-member 1
service-policy output Packet-Queueing
 

Note:
Peer-to-Peer (P2P) protocols such as BitTorrent and eMule/eDonkey can use any TCP/UDP port, not only ports 6881 to 6889 for BitTorrent or ports 4662/4672 for eMule/eDonkey. Therefore you might need to implement NBAR (Network Based Application Recognition) for a better way of controlling P2P traffic. Check out the following FAQ for more info.

»Cisco Forum FAQ »Restrict Traffic Flow including P2P (Peer to Peer) using NBAR: An Overview
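To see what the Packet-Tagging policy above actually does to a packet, and why the Note matters, here is a small Python model added to this FAQ (it is not part of the original configuration or of any Cisco tool). The ACL entries and class order are copied from the sample config; the packets and peer addresses (203.0.113.x) are constructed, and the CityOfHeroes, ICMP and FTP classes are left out.

```python
# Added example, not part of the FAQ: a small model of the Packet-Tagging policy-map
# to check which IP precedence a LAN packet would be marked with. ACL entries and class
# order are copied from the sample config; packets and peer addresses (203.0.113.x) are constructed.
from ipaddress import ip_address, ip_network
LAN = ip_network("192.168.254.0/24")
ANY = ip_network("0.0.0.0/0")
BT = range(6881, 6890)                    # "range 6881 6889"

def port_ok(port, spec):                  # spec: None (any), int (eq) or range
    return spec is None or (port == spec if isinstance(spec, int) else port in spec)

# ACE = (action, proto, src net, src port, dst net, dst port); first match wins and
# every list ends with an implicit deny, as on IOS.
ACLS = {
    "Wengo-ATA":      [("permit", "ip",  ip_network("192.168.254.11/32"), None, ANY, None)],
    "Skype":          [("permit", "udp", ANY, 44330, ANY, None)],
    "to-SIP-servers": [("permit", "udp", LAN, None, ANY, 5060)],
    "Outbound-DNS":   [("permit", "udp", LAN, None, ANY, 53)],
    "Telnet-Traffic": [("permit", "tcp", ANY, None, ANY, 23), ("permit", "tcp", ANY, 23, ANY, None)],
    "WWW-and-SSL":    [("deny", "udp", ANY, 4672, ANY, None), ("deny", "tcp", ANY, 4662, ANY, None),
                       ("deny", "tcp", ANY, BT, ANY, None),   ("deny", "udp", ANY, BT, ANY, None),
                       ("permit", "tcp", ANY, None, ANY, 80), ("permit", "tcp", ANY, None, ANY, 443)],
    "eMule":          [("permit", "udp", ANY, 4672, ANY, None), ("permit", "tcp", ANY, 4662, ANY, None),
                       ("permit", "udp", ANY, None, ANY, 4672), ("permit", "tcp", ANY, None, ANY, 4662)],
    "BitTorrent":     [("permit", "tcp", ANY, BT, ANY, None), ("permit", "udp", ANY, BT, ANY, None),
                       ("permit", "tcp", ANY, None, ANY, BT), ("permit", "udp", ANY, None, ANY, BT)],
}

# policy-map Packet-Tagging: classes are tried in order, each is match-any. CityOfHeroes,
# ICMP and FTP are left out to keep the example short; class-default marks precedence 1.
CLASSES = [("VoIP-Class-Inbound", 5, ["Wengo-ATA", "Skype", "to-SIP-servers"]),
           ("Hi-Class-Inbound",   4, ["Outbound-DNS", "Telnet-Traffic"]),
           ("Med-Class-Inbound",  3, ["WWW-and-SSL"]),
           ("Lo-Class-Inbound",   2, ["eMule", "BitTorrent"])]   # policer conform rate

def pkt(proto, src, sport, dst, dport):
    return proto, ip_address(src), sport, ip_address(dst), dport

def acl_permits(name, p):
    proto, src, sport, dst, dport = p
    for action, ap, snet, sp, dnet, dp in ACLS[name]:
        if ap in ("ip", proto) and src in snet and dst in dnet and port_ok(sport, sp) and port_ok(dport, dp):
            return action == "permit"     # a deny only means "this ACL does not match"
    return False

def classify(p):
    """Return (class, IP precedence) that Packet-Tagging would set on an inbound LAN packet."""
    for name, prec, acls in CLASSES:
        if any(acl_permits(a, p) for a in acls):
            return name, prec
    return "class-default", 1
```

Running classify() on a torrent connection to a peer listening on port 443 returns Med-Class-Inbound, precedence 3, the same as a web page, which is exactly the limitation of port-based matching that the Note describes; a torrent on a random high port lands in class-default with precedence 1.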

More sample configurations and discussions

»[Config] Question about Cisco 1812 optimization
»[HELP] Cisco 877 VOIP QoS & ASA5505
»[Config] Question about QoS Priority and Policing
»Priority Queue - Threshold other traffic denied service..
»[Config] Setting up QOS/prioritisation on an 877
»[Config] QoS+VoIP on a Cisco - sample config
»VoIP issues with my Cisco 831. (torrents & pulsing voice)
»Can you configure LLQ on 871 with Web Interface
»Getting an Internet 10Meg Ethernet from ATT
»[PBX] Finally!!! (Good Incoming/Outgoing Calls w/o Dropouts)


by LilYoda See Profile edited by aryoba See Profile
last modified: 2012-04-04 12:37:08
