I'd like to know if NBAR can detect BitTorrent traffic if a client like uTorrent enables protocol encryption. (http://www.utorrent.com/faq.php#Does_.C2B5Torrent_support_Protocol_Encryption.3F)
If it can't, is there any way to still be able to shape this p2p traffic to a limited rate?
If you know the source/destination port that it is using, sure. You can either create an ACL matching those values or a custom NBAR.
If I knew the port numbers I would use ACLs and wouldn't need NBAR in the first place.
Unfortunately nowadays trackers use random port numbers, obviously to make filtering harder. I can't track down every tracker my local users use, and even if I do, they just search for another one.
So, basically you are saying that NBAR only classifies p2p traffic based on "known" port numbers? If so, then it's useless.
Well, good to know, but with this we are back to square one.
I still don't know if the bittorrent NBAR can match encrypted torrent packets (like the ones uTorrent, the MOST POPULAR client, generates) or not?
HI, [PLS RATE if HELPS]
Cisco IOS version 12.4(4)T introduced the much awaited Skype classification in NBAR. Now, with a simple policy you can block Skype in much the same way as you used to block Kazaa, LimeWire, and other p2p applications.
NBAR configuration to drop Skype packets:
class-map match-any p2p
 match protocol skype
policy-map block-p2p
 class p2p
  drop
interface <PIX-facing interface>
 description PIX facing interface
 service-policy input block-p2p
If you are unsure about the bandwidth-eating applications being used in your organization, you can access the interface connected to the Internet and configure using the following command:
"ip nbar protocol-discovery"
This will enable NBAR protocol discovery on your router.
If you use the following command:
"show ip nbar protocol-discovery stats bit-rate top-n 10"
It will show you the top 10 bandwidth-eating applications being used by the users. Now, you will be able to block/restrict traffic with appropriate QoS policy.
You can also use "ip nbar port-map" command to look for the protocol or protocol name using a port number or numbers other than the well-known Internet Assigned Numbers Authority (IANA)-assigned port numbers.
Usage as per Cisco:
"ip nbar port-map protocol-name [tcp | udp] port-number"
Up to 16 ports can be specified with the above command. Port number values can range from 0 to 65535.
Here is another way to go:
Download the PDLMs from Cisco to your flash, then configure:
ip nbar pdlm flash:bittorrent.pdlm
ip nbar pdlm flash:eDonkey.pdlm
ip nbar pdlm flash:gnutella.pdlm
ip nbar pdlm flash:kazaa2.pdlm
ip nbar pdlm flash:WinMX.pdlm
ip nbar pdlm flash:printer.pdlm
!
class-map match-any nbar-discovery
 match protocol gnutella
 match protocol kazaa2
 match protocol napster
 match protocol printer
 match protocol http url "*cmd.exe*"
 match protocol fasttrack
 match protocol novadigm
 match protocol edonkey
 match protocol bittorrent
!
! Apply on the Internet-facing interface (interface name not given in the original post)
interface <Internet-facing interface>
 ip nbar protocol-discovery
 service-policy input ip-prec-marked
HOPE I am Informative.
PLS RATE if HELPS !!!!
Guru Prasad R
I have the same problem; however, although I have every other command to block protocols, I have no Skype.
Using the latest IOS on advanced security on a 2851, can you offer any thoughts?
The 12.4(4)T notes say: "supports only Skype version 1. Version 2 is not yet supported."
Yes, I'm aware of that one.
Answered my own question incidentally, in that the NBAR Skype blocking is only in very specific versions of the IOS.
Feature Navigator seems to list these, so I'm going to try one of those next week.
The latest NBAR PDLM for BitTorrent is version 3.0, datestamped 8/22/2007. The release notes don't mention encryption, so that might be a problem, but they do note (for non-encrypted?) "The BitTorrent PDL module identifies and classifies most BitTorrent traffic regardless of port." Try it and see if it helps.
Some NBAR protocol matching is just a pretty face on port matching, other NBAR protocol matching does deeper and/or stateful analysis. See http://www.cisco.com/en/US/customer/prod/collateral/iosswrel/ps6537/ps6558/ps6612/ps6653/prod_qas09186a00800a3ded.html for more information.
I'm sure this is a case of too little too late, but I can tell you from personal experience that NBAR does not detect encrypted BitTorrent traffic.
Yes I can confirm that it does not detect encrypted traffic. With encryption off my policy works and the client gets no download. As soon as the client turns on encryption the download will start.
I have heard people have had some success blocking access to the info_hash file from the tracker using http url filtering with a regex. This effectively starves the client of peers.
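Putting the pieces from this thread together (the NBAR p2p classes and QoS policy from Guru Prasad's post, and the tracker info_hash URL filtering mentioned in the last reply) into one rate-limiting policy, as an added example that is not from any post here. The interface name, the extra port range, and the 512 kbit/s rate are assumptions; adjust them to your network.

```ios
! Added example, not from the original thread.
! Let NBAR also treat a non-IANA port range as BitTorrent (up to 16 ports per command).
ip nbar port-map bittorrent tcp 6881 6882 6883 6884 6885 6886 6887 6888 6889
!
class-map match-any P2P
 match protocol bittorrent
 match protocol edonkey
 match protocol gnutella
!
! Unencrypted tracker announces are HTTP GETs carrying the torrent's info_hash in the URL.
class-map match-all TRACKER-ANNOUNCE
 match protocol http url "*info_hash*"
!
policy-map LIMIT-P2P
 class TRACKER-ANNOUNCE
  drop
 class P2P
  ! Police classified p2p to 512 kbit/s (rate is an assumption); excess is dropped.
  police cir 512000 conform-action transmit exceed-action drop
!
interface GigabitEthernet0/0
 description LAN-facing interface (assumed name)
 ip nbar protocol-discovery
 service-policy input LIMIT-P2P
 service-policy output LIMIT-P2P
!
! Verify what NBAR is actually classifying and how much the policy is dropping:
! show ip nbar protocol-discovery stats bit-rate top-n 10
! show policy-map interface GigabitEthernet0/0
```

As the last replies in the thread confirm, sessions with protocol encryption enabled will not match the bittorrent class, so expect that traffic to appear as unclassified in protocol-discovery rather than under P2P.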