Hour 157: Leveraging QoS DPI features with PBR

One of the most powerful features that the MQC (Modular QoS CLI) offers is NBAR (Network Based Application Recognition), also called DPI (Deep Packet Inspection). Today, I will be showing you how to manipulate routing based on the upper-layer contents of a data packet.

What's so powerful about the MQC is that by using NBAR, you can inspect any part of a L4+ data packet and do whatever you like with it. In this example, I will be using the MQC to classify and mark web traffic to sites such as youtube.com or facebook.com and then route it to Null0 (the bit bucket). This will result in black-holing the traffic of anyone trying to reach those webpages.

1. Let's start by identifying our traffic using the class-map feature of the MQC:

class-map match-any http-bad-traffic
 match protocol http host "*youtube.com*"
 match protocol http host "*myspace*"
 match protocol http host "*facebook*"

This will put any HTTP packet whose host string matches "*youtube.com*" OR "*myspace*" OR "*facebook*" in our first logical queue.

2. Let's mark this class by creating a policy-map and setting the DSCP value to 1:

policy-map mark-denied-traffic
 class http-bad-traffic
  set ip dscp 1

3. Now that we have used the packet inspection feature of NBAR and marked our traffic with a DSCP value, we can match that marking in an access-list:

ip access-list extended drop-traffic
 permit ip any any dscp 1

This creates a named access-list called "drop-traffic" that matches any packet carrying DSCP value 1. Using the rule "if a = b and b = c then a = c", we have chained the packet inspection (a) to the DSCP value (b) to the access-list (c).

4. Let's apply this policy inbound on the interface where our web traffic enters:

interface GigabitEthernet0/0
 service-policy input mark-denied-traffic

5. Now that we have an access-list tied to our class, we can do whatever we want with this traffic using PBR. In this case, we drop the traffic by setting the outgoing interface to Null0 (the bit bucket):

route-map nulltraffic permit 10
 match ip address drop-traffic
 set interface Null0

6. Let's not forget to apply the PBR route-map to the same interface:

interface GigabitEthernet0/0
 ip policy route-map nulltraffic

Since we have both a QoS service-policy and PBR applied to that interface, you might be wondering which one is applied first. Let's have a look:


We can see that QoS marking comes before policy routing, which is what we want: packets entering the interface must be marked first for the route-map to act on them.
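To see why that order matters, here is an added Python model (not from the original post, and not IOS code) of the classify, mark, ACL and PBR chain built above; Packet, ingress and the other names are assumed helpers, and the marking_first flag exists only to show what would happen if PBR ran before marking. It also shows why the NBAR host match only sees cleartext HTTP, since a TLS flow exposes no Host header.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Added example, not from the original post: a minimal model of the IOS
# classify -> mark -> ACL -> PBR pipeline. All names here are assumptions.

@dataclass
class Packet:
    proto: str              # "http" (cleartext) or "tls"
    host: Optional[str]     # HTTP Host header; None when not visible (e.g. TLS)
    dscp: int = 0           # packets arrive unmarked

# class-map match-any http-bad-traffic (patterns from the post; * = wildcard)
BAD_HOST_PATTERNS = ["*youtube.com*", "*myspace*", "*facebook*"]

def nbar_host_match(pkt: Packet, pattern: str) -> bool:
    """'match protocol http host <pattern>': only cleartext HTTP exposes Host."""
    if pkt.proto != "http" or pkt.host is None:
        return False
    regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return re.match(regex, pkt.host) is not None

def apply_service_policy(pkt: Packet) -> Packet:
    """policy-map mark-denied-traffic: set ip dscp 1 on the matched class."""
    if any(nbar_host_match(pkt, p) for p in BAD_HOST_PATTERNS):
        pkt.dscp = 1
    return pkt

def acl_drop_traffic(pkt: Packet) -> bool:
    """ip access-list extended drop-traffic: permit ip any any dscp 1"""
    return pkt.dscp == 1

def policy_route(pkt: Packet) -> str:
    """route-map nulltraffic: ACL hits go to Null0, everything else routes normally."""
    return "Null0" if acl_drop_traffic(pkt) else "normal-routing"

def ingress(pkt: Packet, marking_first: bool = True) -> str:
    """Interface order of operations; IOS applies QoS marking before PBR."""
    if marking_first:
        apply_service_policy(pkt)
        return policy_route(pkt)
    decision = policy_route(pkt)   # PBR would see dscp 0 and match nothing
    apply_service_policy(pkt)
    return decision

if __name__ == "__main__":
    for p in (Packet("http", "www.youtube.com"), Packet("tls", None)):
        print(p.proto, p.host, "->", ingress(p))
```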

There it is: six easy steps to route any traffic you choose however you like. In this example my next hop was Null0, but you could use any of the PBR set commands.

Hope this was helpful.


1. Hello,

    Does it really work with match http "youtube.com"? I think youtube uses the https protocol etc ... so how does it work if I want to route this traffic along another path instead of dropping it? Can you use a policy map and do set ip next hop?

    Thanks in advance for your response


    1. I believe youtube only served as an example of an HTTP-enabled website. If you would like to inspect HTTPS you can set up an SSL decryption gateway, mark DSCP for specific traffic flows (like youtube) and do PBR based on that. Yes, you could apply different routing policies instead of dropping, or you could even rate-limit/police/shape traffic to a certain threshold. Hope this helped 🙂
