Cisco Support Community
New Member

Blocking p2p applications from a cisco 3550 switch

Hi everybody,

I have a high-speed internet connection which is distributed to four users of the IT department. As all of us are from the IT department, I can't force them to have a connection from ISA; they are connected directly from the 3550 series switch with real IPs. Some of them are using software like Kazaa, BitTorrent and BearShare for their downloads, which is consuming more bandwidth and limits the browsing and download speed. I did try to limit their bandwidth from their respective interfaces with the following command:

interface FastEthernet 0/1
 bandwidth 1

But it was no use. Is there any way to block that software and to limit the bandwidth usage for individual users, as I can use any bandwidth limiting software. The only option I have is to control them from the switch. So please let me know the solution.

Thanks

Yasir

5 REPLIES
Purple

Re: Blocking p2p applications from a cisco 3550 switch

Hi Yasir,

You can use QoS features on your 3550 to limit the outbound traffic to these users. You can use Network Based Application Recognition (NBAR) technology to completely block p2p traffic to these users - however, that is not supported on the 3550s...

Here's an example of how to limit bandwidth to each user:

policy-map PolicyOut
 class class-default
  police 64000
!
interface fastethernet1/0
 service-policy output PolicyOut

Here's what the above policy will do:

- it will limit outbound traffic on interface fastethernet 1/0 to 64k

You can apply that same service-policy to multiple interfaces and tune the bandwidth as per your requirements...

Hope that helps - pls rate the post if it does.

Regards,

Paresh.

New Member

Re: Blocking p2p applications from a cisco 3550 switch

Dear Paresh

Thanks a lot for this. I am already limiting the bandwidth from the Cisco switch, but my main concern is to block P2P applications from the switch, not from the router.

Purple

Re: Blocking p2p applications from a cisco 3550 switch

Hi Yasir,

As I indicated in my last post, your best bet for blocking these apps is to use NBAR, which I don't believe is available on the 3550s. If you have access to your internet-facing router, it can be very easily implemented on that one router...

Regards,

Paresh

VIP Purple

Re: Blocking p2p applications from a cisco 3550 switch

Hello Yasir,

How exactly is the 3550 connected to the Internet? If you have a routed (Layer 3) port on the switch, that is, a port with an IP address, you could try NBAR to completely block those applications. The configuration would look like this:

ip cef
!
class-map match-any BLOCK_P2P
 match protocol kazaa2
 match protocol winmx
 match protocol edonkey
 match protocol gnutella
 match protocol napster
 match protocol fasttrack
 match protocol bittorrent
!
policy-map DROP_P2P
 class BLOCK_P2P
  drop
 class class-default
!
interface FastEthernet0/12
 service-policy output DROP_P2P

FastEthernet0/12 would be the routed port in this case.

If that doesn't apply to you, you can limit individual port bandwidth with the interface command 'storm-control', such as in the example below:

interface FastEthernet0/2
 storm-control unicast level 2.00

This would limit the user's bandwidth on that port to 2MB (since this is a 100MB interface)...

Regards,

GP

Re: Blocking p2p applications from a cisco 3550 switch

I am not sure if you think you are already limiting bandwidth, but the command:

interface FastEthernet0/1
 bandwidth 1

Has absolutely nothing to do with limiting bandwidth, it is used as a variable when calculating routing protocols and generating statistics.

I agree with the other posters: NBAR is the way to go if you have access to the upstream router. Otherwise, use QoS on the 3550 to limit the amount of bandwidth they can access. Ingress policers will do the trick.

HTH

Andy
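
The ingress policers suggested in the replies above could look like the following on a 3550, shown next to the `bandwidth` command that has no limiting effect. This is an added example, not configuration posted by anyone in the thread; the interface roles, ACL numbers, class and policy names, the 192.0.2.x placeholder addresses and the rates are all assumptions.

```cisco
! Added example; interface numbers, addresses and rates are assumptions.
mls qos
!
! "bandwidth 1" under an interface only changes the value used for routing
! metrics and statistics; it does not rate-limit anything.
!
! Upload limit: police what the host on Fa0/1 sends into the switch.
access-list 110 permit ip any any
class-map match-all USER1_UP
 match access-group 110
policy-map USER1_IN
 class USER1_UP
  police 1000000 16000 exceed-action drop
!
interface FastEthernet0/1
 description user 1 access port (assumed)
 service-policy input USER1_IN
!
! Download limit: police traffic arriving on the uplink, one class per
! destination host. 192.0.2.11 and 192.0.2.12 are placeholder addresses.
access-list 111 permit ip any host 192.0.2.11
access-list 112 permit ip any host 192.0.2.12
class-map match-all TO_USER1
 match access-group 111
class-map match-all TO_USER2
 match access-group 112
policy-map UPLINK_IN
 class TO_USER1
  police 2000000 16000 exceed-action drop
 class TO_USER2
  police 2000000 16000 exceed-action drop
!
interface FastEthernet0/12
 description uplink toward the Internet (assumed)
 service-policy input UPLINK_IN
```

An ingress policer on an access port only limits what that host sends, so the per-destination classes on the uplink are what cap each user's download rate.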
