Blocking P2p using Cisco IOS

mnlatif
Level 3

Hi,

We are trying to block p2p (Kazaa) traffic using our perimeter router (as it can't be done through the PIX).

Following the config example below:

+++++++++++++++++++++
class-map match-any p2p
 match protocol fasttrack file-transfer *
policy-map block-p2p
 class p2p
  drop
++++++++++++++++++++++++++++++++

I can proceed with the initial part, but I cannot find the "drop" command under the "class p2p" section. We are running 12.2(17a) and the c2600-i-mz image.

Is this feature not present in the basic IOS?

Regards,

Naman

2 Replies

gfullage
Cisco Employee

I wrote the sample config you're referring to, and my apologies, the "drop" command is not available in all IOS versions. I'll look into updating the sample config with another way to do it.

Basically you can use the procedures outlined in the "Dropping Code Red packets with NBAR" in the sample config here:

http://www.cisco.com/warp/public/63/nbar_acl_codered.shtml

To drop the packets, you would do something like the following (assuming e0 is your inside interface and s0 is your outside):

policy-map block-p2p
 class p2p
  set ip dscp 1

int e0
 service-policy input block-p2p

int s0
 ip access-group 100 out

access-list 100 deny ip any any dscp 1
access-list 100 permit ip any any

Basically you set the DSCP bit in the IP header on all packets that match the policy-map as they come in on e0, then use an outbound access-list on s0 to drop all packets with the DSCP bit set. Nothing uses the DSCP bit in normal circumstances.

You can check Methods B and C on the above URL as these might suit you better. Method C actually allows the traffic through but applies rate-limiting to it.

OK Glenn, but do you know how to evaluate the impact on overall performance that applying NBAR has on the routers?
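As an added example (not posted by either participant), the mark-then-drop approach from the reply above written out as one complete IOS configuration, followed by the show commands a practitioner would use to confirm the classification is matching and to get a rough read on NBAR's CPU cost. The interface names Ethernet0 (inside) and Serial0 (outside), the ACL number 100 and the DSCP value 1 are assumed from the reply.

```cisco
! Added example: classify P2P inbound with NBAR, mark it, drop it outbound.
! Assumes Ethernet0 = inside and Serial0 = outside, as in the reply above.
! NBAR classification requires CEF switching to be enabled.
ip cef
!
class-map match-any p2p
 match protocol fasttrack file-transfer *
!
policy-map block-p2p
 class p2p
  set ip dscp 1
!
interface Ethernet0
 service-policy input block-p2p
!
interface Serial0
 ip access-group 100 out
!
! Note: any packet that already arrives with DSCP 1 set by an inside host is
! also dropped by this line, not only packets marked by the policy-map.
access-list 100 deny   ip any any dscp 1
access-list 100 permit ip any any
!
! Verification and impact assessment (exec mode):
!   show policy-map interface Ethernet0   - per-class matched packet counters;
!                                           a non-zero count under class p2p
!                                           confirms NBAR is classifying.
!   show access-lists 100                 - match count on the deny line shows
!                                           marked packets being discarded.
!   show processes cpu | include CPU      - compare 5-sec/1-min/5-min CPU
!                                           before and after attaching the
!                                           service-policy to gauge NBAR cost.
```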