Cisco Support Community

Allow Only Normal Traffic

I have one site where the speed of the internet is very slow considering the high number of users that need to access it.

Moreover, some people make the problem even worse by using programs like uTorrent.

Now in such a situation, the best option would be to permit the traffic that is allowed, as opposed to denying the traffic that's not allowed.

Can anyone let me know what services are normally accessed in general internet connectivity. Examples would be:

HTTP (TCP 80)
HTTPS (TCP 443)
FTP (TCP 21)
POP (TCP 110)

There is one thing that comes to my mind:

Can I deny all destination ports except those which are well-known TCP and UDP ports [0-1023]? Please provide me the extended ACL working in the out direction on the internet-facing interface.


Re: Allow Only Normal Traffic

You can do this with ACLs, ZBFW, etc. I wouldn't recommend trying to figure out what ports you want to allow out, because there are a lot of non-standard valid ports that you could be blocking. For example, there could be redirects from a site to another site on a different port (think 80 vs 8080).

You could use QoS to throttle back all of the non-standard traffic but still allow all of your other traffic. For example, create an ACL that matches everything to port 1024 and put that in a queue, and then anything that doesn't match this goes in the class default. That way nothing will be blocked, but you'll still allow your higher-priority traffic out. If this is connected to the internet directly, you wouldn't be able to control the inbound traffic unless you created a policy map that matched on your public address and policed traffic inbound, but that would affect all legitimate traffic as well. (I can clarify this in a minute.)

So I would recommend a class map, so that you don't deny all traffic. An example would be something like:

! ACL 100 matches well-known destination ports for TCP and UDP
access-list 100 permit tcp any any range 1 1024
access-list 100 permit udp any any range 1 1024
!
! class-map selects the traffic that matches ACL 100
class-map match-any AllowTraffic
 match access-group 100
!
! policy-map guarantees bandwidth to that class; everything else lands in class-default
policy-map AllowTraffic
 class AllowTraffic
  bandwidth percent 90
 class class-default
  bandwidth percent 2

You'll need to modify the policy to reflect your bandwidth. Whether you specify the bandwidth under the policy or on the interface depends on the OS version you have. On the WAN interface, put "max-reserved-bandwidth 100" and you should be able to use this policy as is. It will guarantee 90% of the bandwidth of the interface speed, and whatever doesn't match the ACL in your class will hit the class-default, but would only be guaranteed 2 percent.


! under the WAN interface
 max-reserved-bandwidth 100
 service-policy output AllowTraffic

Otherwise, if you're dead set on blocking the traffic, you can do this with an ACL and apply the ACL to the interface directly.


I also wanted to add that you can use NBAR to match on BitTorrent traffic and drop that, if you're needing that as well. I guess there are quite a few ways to do what you're wanting to do.



HTH, John *** Please rate all useful posts ***
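The asker ended by requesting an outbound extended ACL on the internet-facing interface that permits only well-known destination ports, and the reply above closes by saying that blocking can be done with an ACL applied to the interface, or with NBAR for BitTorrent. The configuration below is an added example written for this page; it is not the original poster's or Cisco's configuration, and the interface name GigabitEthernet0/0 and the names INTERNET-OUT, P2P-BITTORRENT and BLOCK-P2P are assumptions. It adds the two lines a practitioner would want with such an allowlist: an `established` permit so replies from any internal server or NAT port-forward (source port low, destination port high) are not cut off by the outbound filter, and a logged deny so the log shows what the policy breaks before anyone trusts it. Keep the reply's warning in mind: a 0-1023 destination allowlist blocks legitimate traffic such as web servers on 8080 and 8443, SMTP submission on 587, IMAPS on 993 and POP3S on 995, passive FTP data connections, and VPNs such as OpenVPN on 1194 or IPsec NAT-T on UDP 4500.

```cisco
! Added example, not from the original post. Names and the interface are assumptions.
!
! 1. Allowlist: only well-known destination ports (0-1023) may leave the site.
ip access-list extended INTERNET-OUT
 remark Replies from internal servers or port-forwards carry ACK/RST; keep them working
 permit tcp any any established
 remark Well-known TCP and UDP destination ports 0-1023, as the asker requested
 permit tcp any any lt 1024
 permit udp any any lt 1024
 remark ICMP so ping and path-MTU discovery keep working
 permit icmp any any
 remark Everything else is dropped and logged; review the log before trusting this
 deny ip any any log
!
! 2. NBAR classification of BitTorrent, dropped by a policy map (NBAR needs CEF)
ip cef
class-map match-any P2P-BITTORRENT
 match protocol bittorrent
!
policy-map BLOCK-P2P
 class P2P-BITTORRENT
  drop
 class class-default
!
! 3. Apply both in the outbound direction on the internet-facing interface
interface GigabitEthernet0/0
 description Internet-facing WAN (name is an assumption)
 ip access-group INTERNET-OUT out
 service-policy output BLOCK-P2P
```

Two caveats before deploying this. First, the `established` line only helps TCP; an internal UDP service answering external clients would still be dropped by the allowlist, so add explicit permits for it. Second, NBAR recognises BitTorrent by protocol signatures, so clients that enable protocol encryption or obfuscation can slip past `match protocol bittorrent`; the allowlist ACL catches most of that anyway, since peer traffic almost always goes to high ports, but a port-1023 peer is still permitted.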