New Member

Blocking P2p using Cisco IOS

Hi,

We are trying to block p2p (Kazaa) traffic using our perimeter router (as it can't be done through PIX).

Following the below config example

+++++++++++++++++++++

class-map match-any p2p
   match protocol fasttrack file-transfer *

policy-map block-p2p
   class p2p
      drop

++++++++++++++++++++++++++++++++

I can proceed with the initial part, but I cannot find the "drop" command under the "class p2p" section. We are running 12.2(17a) and the c2600-i-mz image.

Is this feature not present in the basic IOS?

Regards,

Naman

2 REPLIES
Cisco Employee

Re: Blocking P2p using Cisco IOS

I wrote the sample config you're referring to, and my apologies, the "drop" command is not available in all IOS versions. I'll look into updating the sample config with another way to do it.

Basically you can use the procedures outlined in the "Dropping Code Red packets with NBAR" in the sample config here:

http://www.cisco.com/warp/public/63/nbar_acl_codered.shtml

To drop the packets, you would do something like the following (assuming e0 is your inside interface and s0 is your outside):

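! Mark traffic that matches class p2p
policy-map block-p2p
   class p2p
      set ip dscp 1

! Apply the marking policy inbound on the inside interface
int e0
   service-policy input block-p2p

! Drop marked packets outbound on the outside interface
int s0
   ip access-group 100 out

access-list 100 deny ip any any dscp 1
access-list 100 permit ip any any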

Basically you set the DSCP bit in the IP header on all packets that match the policy-map as they come in on e0, then use an outbound access-list on s0 to drop all packets with the DSCP bit set. Nothing uses the DSCP bit in normal circumstances.

You can check Method B and C on the above URL as these might suit you better. Method C actually allows the traffic through but applies rate-limiting to it.
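As an added example (not part of the thread or of Cisco's sample config), the Python model below walks a packet through the mark-then-drop path from the reply above: the inbound policy rewrites the DSCP field and the outbound ACL filters on it. NBAR classification is represented by a boolean flag and the addresses are constructed sample values; the model also shows that a packet arriving already marked DSCP 1 is denied by the same ACL even though the class never matched it.

```python
import struct

MARK_DSCP = 1  # value from "set ip dscp 1" / "deny ip any any dscp 1" in the thread


def ip_checksum(header: bytes) -> int:
    """RFC 1071 ones'-complement checksum; returns 0 for a valid header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_header(src: str, dst: str, dscp: int = 0) -> bytes:
    """Build a minimal 20-byte IPv4 header (constructed sample, not a capture)."""
    tos = dscp << 2  # DSCP is the upper six bits of the ToS byte, ECN the lower two
    addr = bytes(int(o) for o in (src + "." + dst).split("."))
    hdr = struct.pack("!BBHHHBBH", 0x45, tos, 40, 0, 0, 64, 6, 0) + addr
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def get_dscp(header: bytes) -> int:
    return header[1] >> 2


def set_dscp(header: bytes, dscp: int) -> bytes:
    """Rewrite DSCP as the marking policy would: keep ECN bits, redo the checksum."""
    tos = (dscp << 2) | (header[1] & 0x03)
    hdr = header[:1] + bytes([tos]) + header[2:10] + b"\x00\x00" + header[12:]
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def acl_100_permits(header: bytes) -> bool:
    """Model of ACL 100: deny ip any any dscp 1, then permit ip any any."""
    return get_dscp(header) != MARK_DSCP


def forward(header: bytes, nbar_match: bool) -> bool:
    """Inside interface marks classified packets; outside interface filters on the mark."""
    if nbar_match:  # assumption: stands in for the router's NBAR class match
        header = set_dscp(header, MARK_DSCP)
    return acl_100_permits(header)


if __name__ == "__main__":
    pkt = build_header("192.0.2.10", "198.51.100.7")  # constructed sample addresses
    print("matched by NBAR, forwarded:", forward(pkt, True))
    print("not matched, forwarded:", forward(pkt, False))
```

On the wire, DSCP 1 appears as ToS byte 0x04, which is the value to look for in a capture when checking that the marking policy is taking effect.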

New Member

Re: Blocking P2p using Cisco IOS

OK Glenn, but do you know how to evaluate the impact on overall performance that applying NBAR has on the routers?
