If you strictly want the traffic dropped, NBAR probably would not be the
solution (although you could). I was just mentioning that in case you
really just wanted to keep the traffic from disrupting normal network
operation. In which case, you would use NBAR to recognize the traffic and
classify it into a profile that only gets .001% of your bandwidth, thus
making the program virtually useless for file sharing. See below:
class-map match-any p2p
 match protocol napster
 match protocol fasttrack
 match protocol gnutella
 match protocol kazaa2
 match protocol http url "\.hash=*"
policy-map limit-p2p
 class p2p
  police cir XXXX bc XXXX be XXXX conform-action transmit exceed-action drop violate-action drop
interface Serial0/0
 ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
 ip nat outside
 ip nbar protocol-discovery
 service-policy input limit-p2p
 service-policy output limit-p2p
 load-interval 30

Hope this helps,
Aaron

----- Original Message -----
From: "john parker"
To:
Sent: Monday, June 26, 2006 4:03 PM
Subject: Re: Block P2P and other traffic at edge [7:111237]
>
> How would you go about configuring NBAR? I strictly want to drop the
> traffic.
>
> Thanks
>
>
>>From: "Aaron Rohyans"
>>To: "john parker" ,
>>Subject: Re: Block P2P and other traffic at edge [7:111237]
>>Date: Mon, 26 Jun 2006 15:39:59 -0400
>>
>>What IOS is running on the edge routers? With Firewall IOS (IP/FW), you
>>can put a very restrictive (i.e. block everything) ACL on the outside
>>interface for inbound traffic, then use CBAC to open pinholes through it
>>for legitimate traffic. As long as you aren't using CBAC to inspect P2P
>>traffic, that traffic won't make it back through the firewall. Basically,
>>it will go out, but won't make it back in due to its dynamic port usage.
>>
>>Another option would be to configure NBAR on the router and give P2P
>>traffic an unusable low amount of bw.
>>
>>My two cents,
>>Aaron
>>
>>
>>----- Original Message ----- From: "john parker"
>>To:
>>Sent: Monday, June 26, 2006 3:26 PM
>>Subject: Block P2P and other traffic at edge [7:111237]
>>
>>
>>>What is the best way to block traffic on an edge router? I have five
>>>remote sites that I want to deny napster and edonkey traffic on the LAN
>>>interface. Would just an extended ACL work? What about for bittorrent
>>>traffic?
>>>
>>>Thanks
>>>______________________________________________________________________
>>>This email has been scanned by the MessageLabs Email Security System.
>>>For more information please visit http://www.messagelabs.com/email
>>>______________________________________________________________________
>>>
>>
>
>
>
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=111253&t=111237
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
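What the posted `police cir XXXX bc XXXX be XXXX conform-action transmit exceed-action drop violate-action drop` line does to a burst of P2P frames, as an added example that is not from the thread: a Python simulation of the single-rate three-colour token-bucket policer IOS `police` implements. The cir, bc, be values and the packet trace are constructed, not taken from anyone's router.

```python
# Simulate the single-rate three-colour policer behind `police cir bc be`.
# Added example, not the thread's own code; all numbers are constructed.
from dataclasses import dataclass

# Actions from the posted policy-map: only conforming packets are forwarded.
ACTIONS = {"conform": "transmit", "exceed": "drop", "violate": "drop"}


@dataclass
class Policer:
    cir: int            # committed information rate, bits per second
    bc: int             # committed burst, bytes (depth of bucket C)
    be: int             # excess burst, bytes (depth of bucket E)
    tc: float = 0.0     # tokens currently in C
    te: float = 0.0     # tokens currently in E
    last: float = 0.0   # arrival time of the previous packet (seconds)

    def __post_init__(self):
        # Both buckets start full, as a freshly applied policy would.
        self.tc, self.te = float(self.bc), float(self.be)

    def colour(self, now: float, size: int) -> str:
        """Classify one packet of `size` bytes arriving at time `now`."""
        # Refill C at cir/8 bytes per second; overflow spills into E.
        self.tc += (now - self.last) * self.cir / 8
        self.last = now
        if self.tc > self.bc:
            self.te = min(self.be, self.te + self.tc - self.bc)
            self.tc = self.bc
        if size <= self.tc:          # fits the committed burst
            self.tc -= size
            return "conform"
        if size <= self.te:          # fits the excess burst only
            self.te -= size
            return "exceed"
        return "violate"             # neither bucket can pay for it


def run_trace(policer: Policer, packets):
    """Return [(colour, action)] for a list of (arrival_time_s, size_bytes)."""
    return [(c, ACTIONS[c]) for c in (policer.colour(t, n) for t, n in packets)]


if __name__ == "__main__":
    # Constructed trace: three back-to-back 1500-byte frames, one more a second later.
    trace = [(0.0, 1500), (0.0, 1500), (0.0, 1500), (1.0, 1500)]
    for pkt, res in zip(trace, run_trace(Policer(cir=64000, bc=2000, be=2000), trace)):
        print(pkt, "->", res)
```

With a cir as small as the thread suggests, the second and third frames of any burst are dropped and the bucket needs minutes to refill, which is why the share is unusable rather than merely slow.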