nbar on 892w

dhalevi
Level 1

hi,

I am trying to configure NBAR to restrict P2P traffic through a cisco892w wireless router.

I am using this config example,

http://www.cisco.com/en/US/products/ps5855/products_configuration_example09186a0080ac3082.shtml?referring_site=smartnav

but it looks like all traffic is being blocked. My config is a little bit different since I want to restrict access to wireless users. So I am applying the "ip nbar protocol-discovery" and "service-policy output" commands on the WAN interface, GigabitEthernet0. Is this the right way to do it?

Why is all traffic being dropped?


class-map match-any p2p
match protocol edonkey
match protocol fasttrack
match protocol gnutella
match protocol kazaa2
match protocol winmx
match protocol skype
match access-group 102
!
!
policy-map nop2p
class p2p
   drop

interface GigabitEthernet0
ip address x.x.x.x 255.255.255.192
ip nbar protocol-discovery
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
service-policy output nop2p

access-list 102 permit ip any any

sho policy-map interface gi 0
GigabitEthernet0

  Service-policy output: nop2p

    Class-map: p2p (match-any)
      4255 packets, 363569 bytes
      5 minute offered rate 3000 bps, drop rate 3000 bps
      Match: protocol edonkey
        359 packets, 58471 bytes
        5 minute rate 0 bps
      Match: protocol fasttrack
        3 packets, 186 bytes
        5 minute rate 0 bps
      Match: protocol gnutella
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol kazaa2
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol winmx
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol skype
        38 packets, 3497 bytes
        5 minute rate 0 bps
      Match: access-group 102
        3616 packets, 280672 bytes
        5 minute rate 3000 bps
      drop

    Class-map: class-default (match-any)
      8639 packets, 885134 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any

thanks in advance!

4 Replies

Panos Kampanakis
Cisco Employee

Your "match access-group 102" should not be in the class-map. That is going to drop everything. The rest looks ok.

Keep in mind that an alternative to block P2P is Flexible Packet Matching.

I hope it helps.

PK
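As an added illustration of PK's point (example code, not from the thread or from Cisco): a small Python lint that parses an IOS snippet like the one posted and flags any drop class whose match-any class-map also matches an ACL permitting "ip any any", which is what made the poster's policy drop all traffic. The configuration text embedded below is a constructed copy of the poster's config, trimmed to the relevant lines.

```python
"""Added example (not from the thread or from Cisco): lint a Cisco IOS
NBAR drop policy for the mistake discussed above, a match-any class-map
that also matches an ACL permitting 'ip any any', so every packet hits
the drop class."""
import re

# Constructed copy of the configuration posted in the thread.
SAMPLE_CONFIG = """\
class-map match-any p2p
 match protocol edonkey
 match protocol fasttrack
 match access-group 102
policy-map nop2p
 class p2p
   drop
access-list 102 permit ip any any
"""
# Same config with the catch-all ACL removed from the class-map.
FIXED_CONFIG = SAMPLE_CONFIG.replace(" match access-group 102\n", "")

def parse_config(text):
    """Return (class_maps, drop_classes, catch_all_acls) from IOS config text."""
    class_maps, drop_classes, catch_all = {}, set(), set()
    current = pending = None  # class-map being read / class inside policy-map
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"class-map (match-any|match-all) (\S+)$", line)
        if m:
            current = m.group(2)
            class_maps[current] = {"mode": m.group(1), "acls": []}
        elif line.startswith("policy-map"):
            current = None  # leaving class-map definitions
        elif current and line.startswith("match access-group "):
            class_maps[current]["acls"].append(line.split()[-1])
        elif line.startswith("class "):
            pending = line.split()[1]
        elif line == "drop" and pending:
            drop_classes.add(pending)
        elif re.match(r"access-list (\S+) permit ip any any$", line):
            catch_all.add(line.split()[1])
    return class_maps, drop_classes, catch_all

def find_catch_all_drops(text):
    """Drop classes matching all traffic via a permit-any ACL (match-all needs every criterion, so only match-any is flagged)."""
    class_maps, drop_classes, catch_all = parse_config(text)
    return sorted(
        name for name in drop_classes
        if class_maps.get(name, {}).get("mode") == "match-any"
        and set(class_maps[name]["acls"]) & catch_all
    )
```

Running `find_catch_all_drops(SAMPLE_CONFIG)` returns `['p2p']`, while the same config without the `match access-group 102` line returns an empty list.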

hi PK,

Thanks for replying.  So traffic is getting through now.  I am testing the NBAR config with emule.  The problem is that now emule is able to download files.

It looks like NBAR is recognizing emule but it doesn't fully stop it.

Is NBAR supposed to completely block emule/edonkey?

#show ip nbar protocol-discovery

GigabitEthernet0

Last clearing of "show ip nbar protocol-discovery" counters 01:18:10


                            Input                    Output
                            -----                    ------
   Protocol                 Packet Count             Packet Count
                            Byte Count               Byte Count
                            5min Bit Rate (bps)      5min Bit Rate (bps)
                            5min Max Bit Rate (bps)  5min Max Bit Rate (bps)
   ------------------------ ------------------------ ------------------------
   icmp                     6987                     6998
                            499255                   309110
                            4000                     2000
                            5000                     3000
   ssh                      133                      132
                            16198                    22332
                            1000                     1000
                            2000                     2000
   edonkey                  10                       1615
                            13614                    283580
                            0                        0
                            1000                     3000
   secure-http              94                       139
                            27417                    14651
                            0                        0
                            3000                     0

#sho policy-map  interface
GigabitEthernet0

  Service-policy output: nop2p

    Class-map: p2p (match-any)
      1630 packets, 286265 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol edonkey
        1630 packets, 286265 bytes
        5 minute rate 0 bps
      Match: protocol fasttrack
        0 packets, 0 bytes
        5 minute rate 0 bps

Service-policy output: nop2p

    Class-map: p2p (match-any)
      1856 packets, 324964 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol edonkey
        1856 packets, 324964 bytes
        5 minute rate 0 bps
      Match: protocol fasttrack
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol gnutella

I am thinking that these file sharing SW keep changing their patterns and ports etc, so depending on IOS version and NBAR you might not catch everything. I am guessing that is what is happening in your case.

I would investigate Flexible Packet Matching to see if that will serve the purpose.

I hope it helps.

PK

hi PK,

Thanks for your answer.

Can anyone else weigh in on this?  Is NBAR useless for blocking peer to peer file sharing?