Re: Block P2P and other traffic at edge [7:111237] posted 06/27/2006


If you strictly want the traffic dropped, NBAR probably would not be the 
solution (although you could).  I was just mentioning that in case you 
really just wanted to keep the traffic from disrupting normal network 
operation.  In which case, you would use NBAR to recognize the traffic and 
classify it into a profile that only gets .001% of your bandwidth, thus 
making the program virtually useless for file sharing.  See below:

class-map match-any p2p
  match protocol napster
  match protocol fasttrack
  match protocol gnutella
  match protocol kazaa2
  match protocol http url "\.hash=*"

policy-map limit-p2p
  class p2p
    police cir XXXX bc XXXX be XXXX conform-action transmit exceed-action drop violate-action drop

interface Serial0/0
  ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
  ip nat outside
  ip nbar protocol-discovery
  service-policy input limit-p2p
  service-policy output limit-p2p
  load-interval 30

Hope this helps,
Aaron

----- Original Message ----- 
From: "john parker" 
To: 
Sent: Monday, June 26, 2006 4:03 PM
Subject: Re: Block P2P and other traffic at edge [7:111237]


>
> How would you go about configuring NBAR?  I strictly want to drop the 
> traffic.
>
> Thanks
>
>
>>From: "Aaron Rohyans" 
>>To: "john parker" ,
>>Subject: Re: Block P2P and other traffic at edge [7:111237]
>>Date: Mon, 26 Jun 2006 15:39:59 -0400
>>
>>What IOS is running on the edge routers?  With Firewall IOS (IP/FW), you 
>>can put a very restrictive (ie...block everything) ACL on the outside 
>>interface for inbound traffic, then use CBAC to open pinholes through it 
>>for legitimate traffic.  As long as you aren't using CBAC to inspect P2P 
>>traffic, ....that traffic won't make it back through the 
>>firewall......basically, it will go out, but won't make it back in due to 
>>its dynamic port usage.
>>
>>Another option would be to configure NBAR on the router and give P2P 
>>traffic an unusable low amount of bw.
>>
>>My two cents,
>>Aaron
>>
>>
>>----- Original Message ----- From: "john parker" 
>>To: 
>>Sent: Monday, June 26, 2006 3:26 PM
>>Subject: Block P2P and other traffic at edge [7:111237]
>>
>>
>>>What is the best way to block traffic on an edge router?  I have five
>>>remote sites that I want to deny napster and edonkey traffic on the lan
>>>interface.  Would just an extended ACL work?  What about for bittorrent
>>>traffic?
>>>
>>>Thanks
>>
>
>
>
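The two approaches discussed in this thread (a default-deny inbound ACL with CBAC pinholes, and NBAR classification feeding either a hard drop or a near-zero policer) written out side by side as one edge-router configuration. This is an added illustration, not Aaron's or the list's configuration; the inspect/ACL/policy names, interface names, RFC 5737 documentation addresses and policer values are assumed placeholders, and the NBAR protocol names available depend on the IOS release and loaded PDLMs.

```cisco
! --- Approach 1: block everything inbound, let CBAC open return-path holes
! Sessions that leave through Serial0/0 and are inspected get a dynamic
! inbound entry; P2P return traffic on dynamic ports is never inspected,
! so it is caught by the deny at the end of OUTSIDE-IN.
ip inspect name FW-OUT tcp
ip inspect name FW-OUT udp
ip inspect name FW-OUT http
!
ip access-list extended OUTSIDE-IN
 remark default-deny: only CBAC-opened pinholes and ICMP replies get in
 permit icmp any any echo-reply
 deny   ip any any log
!
! --- Approach 2: recognise P2P with NBAR, then drop it or starve it
class-map match-any P2P
 match protocol napster
 match protocol edonkey
 match protocol bittorrent
 match protocol fasttrack
 match protocol gnutella
 match protocol kazaa2
!
! Hard drop, for the "I strictly want to drop the traffic" case
policy-map DROP-P2P
 class P2P
  drop
!
! Alternative: keep the class but police it down to an unusable rate
! (8000 bps is the smallest CIR the policer accepts)
policy-map LIMIT-P2P
 class P2P
  police cir 8000 bc 1500 be 1500 conform-action transmit exceed-action drop violate-action drop
!
interface Serial0/0
 description WAN edge (placeholder addressing)
 ip address 192.0.2.1 255.255.255.252
 ip access-group OUTSIDE-IN in
 ip inspect FW-OUT out
 ip nbar protocol-discovery
 service-policy input DROP-P2P
 service-policy output DROP-P2P
!
interface FastEthernet0/0
 description LAN side: drop P2P before it reaches the WAN at all
 ip address 192.0.2.129 255.255.255.128
 service-policy input DROP-P2P
```

Clients that encrypt or obfuscate their P2P traffic will not match these NBAR signatures, so check `show ip nbar protocol-discovery` on the interface to see what the router is actually classifying before trusting the drop counters.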




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=111253&t=111237