03-05-2004 09:50 AM - edited 03-09-2019 06:39 AM
Hi,
We are trying to block p2p (Kazaa) traffic using our perimeter router (as it can't be done through the PIX), following the config example below:
+++++++++++++++++++++
class-map match-any p2p
 match protocol fasttrack file-transfer *
policy-map block-p2p
 class p2p
  drop
++++++++++++++++++++++++++++++++
I can proceed with the initial part, but I cannot find the "drop" command under the "class p2p" section. We are running 12.2(17a) and the c2600-i-mz image.
Is this feature not present in the basic IOS?
Regards,
Naman
03-06-2004 04:03 PM
I wrote the sample config you're referring to, and my apologies, the "drop" command is not available in all IOS versions. I'll look into updating the sample config with another way to do it.
Basically you can use the procedures outlined in the "Dropping Code Red packets with NBAR" in the sample config here:
http://www.cisco.com/warp/public/63/nbar_acl_codered.shtml
To drop the packets, you would do something like the following (assuming e0 is your inside interface and s0 is your outside):
policy-map block-p2p
 class p2p
  set ip dscp 1
int e0
 service-policy input block-p2p
int s0
 ip access-group 100 out
access-list 100 deny ip any any dscp 1
access-list 100 permit ip any any
Basically you set the DSCP bit in the IP header on all packets that match the policy-map as they come in on e0, then use an outbound access-list on s0 to drop all packets with the DSCP bit set. Nothing uses the DSCP bit in normal circumstances.
You can check Method B and C on the above URL as these might suit you better. Method C actually allows the traffic through but applies rate-limiting to it.
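The mark-then-filter mechanism described above, modelled at the packet level as an added example (not code from the thread or from Cisco): the inbound policy rewrites the DSCP field of a classified packet, the outbound ACL drops anything carrying that value. The IPv4 headers are constructed for the demonstration; the NBAR match decision is passed in as a flag. It also shows the assumption the ACL step rests on: a packet that already arrives with DSCP 1 is dropped even if it is not p2p.

```python
"""Two-stage drop: 'set ip dscp 1' on e0 in, 'deny ip any any dscp 1' on s0 out.
Added example; packet bytes below are constructed, not captured traffic."""
import struct

DSCP_MARK = 1  # the value used by "set ip dscp 1" in the policy-map

def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over the 20-byte IPv4 header (0 if already valid)."""
    total = sum(struct.unpack("!10H", header[:20]))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def dscp_of(packet: bytes) -> int:
    """DSCP is the upper six bits of the second header byte (old ToS byte)."""
    return packet[1] >> 2

def mark_dscp(packet: bytes, dscp: int) -> bytes:
    """'set ip dscp': rewrite DSCP, keep the two ECN bits, refresh the checksum."""
    hdr = bytearray(packet[:20])
    hdr[1] = (dscp << 2) | (hdr[1] & 0x03)
    hdr[10:12] = b"\x00\x00"  # checksum field is zero while recomputing
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + packet[20:]

def acl_100_permits(packet: bytes) -> bool:
    """Outbound ACL on s0: deny anything with DSCP 1, then permit ip any any."""
    return dscp_of(packet) != DSCP_MARK

def service_policy_input(packet: bytes, matches_p2p: bool) -> bytes:
    """Inbound policy on e0: NBAR supplies matches_p2p; class p2p gets marked."""
    return mark_dscp(packet, DSCP_MARK) if matches_p2p else packet

def build_ipv4(tos: int, src: bytes, dst: bytes) -> bytes:
    """Constructed minimal IPv4 header (no payload), TCP, TTL 64, DF set."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20, 0, 0x4000,
                                64, 6, 0, src, dst))
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr)

def forward(packet: bytes, matches_p2p: bool) -> bool:
    """Run one packet e0 in, s0 out; True if the router lets it leave."""
    return acl_100_permits(service_policy_input(packet, matches_p2p))

if __name__ == "__main__":
    pkt = build_ipv4(0x00, b"\x0a\x00\x00\x01", b"\xc0\xa8\x01\x01")
    print("p2p forwarded:", forward(pkt, True))        # False
    print("other forwarded:", forward(pkt, False))     # True
    pre = build_ipv4(0x04, b"\x0a\x00\x00\x02", b"\xc0\xa8\x01\x01")
    print("pre-marked DSCP 1, not p2p:", forward(pre, False))  # False
```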
04-06-2004 06:03 AM
OK Glenn, but do you know how to evaluate the impact on overall performance that applying NBAR has on the routers?