NBAR for 3845 router

Unanswered Question
Sep 1st, 2008

hi,

I have a 3845 router and I want to block peer-to-peer applications. I have downloaded PDLM files for Kazaa and BitTorrent. I have heard that the PDLM for Kazaa2 seems to cause some problems. Please help me configure how to block all peer-to-peer applications.

Regards

Danilo Dy Tue, 09/02/2008 - 00:02

Use Cisco IOS Flexible Packet Matching (FPM) to block P2P applications. Here's a link to a sample configuration: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6723/prod_white_paper0900aecd80633b0a.html

...it's in the "Example" below item 5

...do take note of the prerequisites

• A Cisco ISR router in one of the following models (87x, 18xx, 28xx, 38xx, and 72xx)

• Console or telnet connectivity to the router

• IOS Release 12.4(4)T or later

• An 'Advanced Security' image loaded on the router

Danilo Dy Tue, 09/02/2008 - 00:17

About NBAR: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6558/ps6612/ps6653/prod_qas09186a00800a3ded_ps6616_Products_Q_and_A_Item.html

This example was posted by Mujeeb Ahmed, Sysnet, Karachi, Sindh, Pakistan, and can be extracted from http://www.cisco.com/public/news_training/itsnews/200711.html

Cisco IOS version 12.4(4)T introduced the much-awaited Skype classification in NBAR. Now, with a simple policy, you can block Skype in much the same way as you used to block Kazaa, LimeWire, and other P2P applications.

Example:

NBAR configuration to drop Skype packets (the hyphens in the command names were lost in the original posting; this is the working form):

class-map match-any p2p
 match protocol skype
!
policy-map block-p2p
 class p2p
  drop
!
interface FastEthernet0
 description PIX-facing interface
 service-policy input block-p2p

If you are unsure about the bandwidth-eating applications being used in your organization, you can go to the interface connected to the Internet and configure the following command:

"ip nbar protocol-discovery"

This will enable NBAR protocol discovery on your router.

If you use the following command:

"show ip nbar protocol-discovery stats bit-rate top-n 10"

It will show you the top 10 bandwidth-eating applications being used by the users. Now, you will be able to block/restrict traffic with appropriate QoS policy.

You can also use the "ip nbar port-map" command to have NBAR look for a protocol on a port number or numbers other than the well-known Internet Assigned Numbers Authority (IANA)-assigned port numbers.

Usage as per Cisco:

"ip nbar port-map protocol-name [tcp | udp] port-number"

Up to 16 ports can be specified with the above command. Port number values can range from 0 to 65535.

- Mujeeb Ahmed, Sysnet, Karachi, Sindh, Pakistan
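The example above classifies a single protocol and applies the policy on one interface only. As an added example, not taken from the reply above or from Cisco's documentation, here is a fuller configuration in the same style that addresses the original question: it loads the downloaded PDLMs, puts several P2P protocols into one match-any class, drops them inbound on both the LAN and the Internet interface (NBAR classifies on ingress, so a policy on only one side misses sessions started from the other direction), adds a port-map so BitTorrent on non-default ports is still recognised, and turns on protocol discovery for verification. The interface names, the flash: paths, and the port numbers are assumptions.

```ios
! NBAR depends on CEF switching
ip cef
!
! Load the downloaded PDLMs (paths on flash: are assumed)
ip nbar pdlm flash:bittorrent.pdlm
ip nbar pdlm flash:kazaa2.pdlm
!
! Also classify BitTorrent on ports other than its defaults
! (assumed port range; at most 16 ports per command)
ip nbar port-map bittorrent tcp 6881 6882 6883 6884 6885 6886 6887 6888 6889
!
! One class that matches any of the listed P2P protocols
class-map match-any P2P-APPS
 match protocol kazaa2
 match protocol bittorrent
 match protocol gnutella
 match protocol edonkey
 match protocol fasttrack
 match protocol skype
!
policy-map BLOCK-P2P
 class P2P-APPS
  drop
!
! Apply inbound on both interfaces so both directions are caught
interface GigabitEthernet0/0
 description LAN
 ip nbar protocol-discovery
 service-policy input BLOCK-P2P
!
interface GigabitEthernet0/1
 description Internet
 ip nbar protocol-discovery
 service-policy input BLOCK-P2P
!
! Verification commands:
! show ip nbar pdlm
! show ip nbar port-map bittorrent
! show ip nbar protocol-discovery stats bit-rate top-n 10
! show policy-map interface GigabitEthernet0/1 input
```

The "show policy-map interface" counters are the check that matters: if the P2P-APPS class shows no matched packets while protocol discovery reports the protocol, the policy is on the wrong interface or direction. Note that NBAR only drops what it can classify; traffic it cannot recognise (for example an obfuscated or encrypted BitTorrent session) falls into class-default and is forwarded.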

satish_zanjurne Tue, 09/02/2008 - 00:22

Maybe the config below would be useful...

1. Classify and mark the traffic on the LAN interface.

2. Block the marked traffic on the WAN interface.

----------------------------------------

class-map match-any peer-to-peer-traffic
 match protocol kazaa2
!
policy-map mark-peer-to-peer-traffic
 class peer-to-peer-traffic
  set ip dscp 1
!
interface FastEthernet0/0
 description ***LAN Interface***
 service-policy input mark-peer-to-peer-traffic
!
access-list 101 deny ip any any dscp 1
access-list 101 permit ip any any
!
interface Serial0/0
 description ***WAN Interface***
 ip access-group 101 out

HTH.. rate if useful
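The mark-then-filter approach above only stops sessions started from the LAN: marking happens on LAN ingress and the ACL sits on WAN egress, so P2P traffic arriving from the Internet is never tagged. As an added example, not part of the reply above, the same pattern applied symmetrically: mark on ingress of both interfaces and filter on egress of both. Interface names are assumptions, and BitTorrent is added to the class as an illustration.

```ios
class-map match-any PEER-TO-PEER
 match protocol kazaa2
 match protocol bittorrent
!
! DSCP 1 is not used by any standard PHB, so it works as a private tag here.
! Anything arriving from outside already carrying DSCP 1 will also be dropped,
! which is acceptable on an Internet edge but worth knowing.
policy-map MARK-P2P
 class PEER-TO-PEER
  set ip dscp 1
!
! Drop anything tagged DSCP 1 on egress, forward the rest
access-list 101 deny ip any any dscp 1
access-list 101 permit ip any any
!
interface FastEthernet0/0
 description LAN
 service-policy input MARK-P2P
 ip access-group 101 out
!
interface Serial0/0
 description WAN
 service-policy input MARK-P2P
 ip access-group 101 out
!
! Verification commands:
! show policy-map interface FastEthernet0/0 input
! show access-lists 101
```

A rising hit count on the deny line of access-list 101 confirms that marking and filtering are both in effect; if the class counters in "show policy-map interface" increase but the ACL hit count does not, the ACL is applied in the wrong direction.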
