Using Cisco’s NBAR2 to Rate Limit Streaming Media on Your ISR Router

What do Netflix, Windows Updates, YouTube, Facebook, Instagram, and the Apple App Store have in common? They are all major drains on your business’ internet connection. While the knee-jerk reaction is to simply ban any site that drains your bandwidth, that is sometimes just not feasible depending on your offices corporate culture. Plus, how do you even figure out what is draining your connection in the first place. Fortunately for us Cisco has quietly created something they call Application Visibility and Control (AVC) which allows for the identification 1000+ unique web apps. Additionally, AVC lets us take things a step past identification and allows us to apply QoS to any of the traffic identified. This means we can control those pesky bandwidth drains restrict them down to a faction of the bandwidth they would normally consume.

The Requirements:
Let’s take a look at how we can pull this off some web application shaping via our router. First we will need a few things to get started. I will include the general requirements to implement AVC via NBAR2 but also include the specific items I used to implemented this solution.

Any ASR 1000 or ISR G2 (and newer) Cisco router. I opted for a 2900 series router.

IOS 15.2(4)M2 or newer. I choose 15.5(3)M4a as it supports the latest protocol pack and fixed a bug to specifically remedy an NBAR2 problem.
DataK9 package licensed and activated (more on this later). The latest NBAR2 protocol pack. 27.0.0 in my case.

The Steps:
The whole process is a convoluted and does require at least one router reboot, but is fairly easy to understand.

First you will need to upload a version of IOS that is new enough to handle the most recent NBAR2 protocol pack, 15.5(3)M4a in my case, and the NBAR2 protocol pack, 27.0.0 in this setup.

Once you have the file uploaded clear your old boot command and add the new one in.

boot system flash:c2900-universalk9_npe-mz.SPA.155-3.M4a.bin

Then reload the router.

Next we need to enable the datak9 package in order to leverage NBAR2.

license boot module c2900 technology-package datak9

Once again reload the router. You might be able to set the new IOS version and also enable the datak9 pack in one reload, but I don’t like to tempt the rommon devil like that.

Next up we need to enable the protocol pack that we uploaded earlier. The protocol pack contains the signatures that match the web applications that we can shape. For a full list of applications matched in the .pack file see the NBAR2 Protocol Library site.

ip nbar protocol-pack flash:pp-adv-isrg2-155-3.M2-23-27.0.0.pack

Now we need to create the class-maps that match the applications that we want to shape. Each class-map will get its own specific bandwidth restriction so take that into consideration as you build out each class. Each match protocol statement is named in the NBAR2 protocol library and should be entered verbatim to match exactly.

Our first class-map here will match streaming media services.

class-map match-any streaming-media-class
 match protocol netflix
 match protocol amazon-instant-video
 match protocol youtube
 match protocol internet-video-streaming

Followed up by a class-map for software updates.

class-map match-any software-updates-class
 match windows-update
 match protocol apple-ios-updates

And finally a class-map to match applications with low business relevance.

class-map match-any low-relevance-class
 match protocol itunes
 match protocol apple-services
 match protocol instagram
 match protocol facebook

Now that we have all of our class-maps we can toss them into a policy-map where we tell the router how much bandwidth we want each class to have. In my example I chose to actually police the traffic, but you can also shape the traffic if you wish as well.

policy-map traffic-control-policy
 class streaming-media-class
  police 4000000 conform-action transmit  exceed-action drop
class software-updates-class
 police 5000000 conform-action transmit  exceed-action drop
class low-relevance-class
 police 3000000 conform-action transmit  exceed-action drop

The last configuration step is to apply the service-policy to the router interface (or even a sub-interface!)

interface GigabitEthernet0/1
 service-policy input traffic-control-policy

That’s it, you’re done with your web application shaping. The only thing left to do it to prove out your configuration, which can be easily done with one simple command.

show policy-map int gi0/1

This will show you when traffic in each class is matched and how much is allowed (conformed) and how much exceeds your rules, and is dropped.


  1. William

    Excellent tutorial! It works like a charm on a 1941, having latest IOS – 15.6(3)M2, and version 30.0.0 of protocol pack. Probably the best and simplest way to limit (or even drop) YouTube traffic.
    Great job!

    1. Philip Straatsma (Post author)

      Glad to hear it, this shaping concept was an unexpected pot of gold at the end of what was a long road for me and am happy that someone else could put it to use!

  2. Kristaps

    It doesn’t work with Android Facebook app and iOS Facebook app, same for youtube app. It works only with browser.


Leave a Comment

Your email address will not be published. Required fields are marked *