
Bronze

NBAR Problems

Hello all.

I have a simple NBAR configuration.

class-map match-any p2p_match
 match protocol kazaa2
 match protocol winmx
 match protocol edonkey
 match protocol gnutella
 match protocol napster
 match protocol fasttrack
 match protocol bittorrent
!
policy-map p2p_drop
 class p2p_match
  drop
 class class-default
!
interface gi 0/1.1
 service-policy output p2p_drop
!

The problem I am having is that we have some internal applications that traverse this router which happen to use ports that the NBAR signatures have defined.

Does anyone know how to bypass NBAR using source/destination IPs and/or ports and still block P2P file sharing with NBAR?

I have been digging around and I can't seem to find a way to do this.

Daniel

Accepted Solution
New Member

Re: NBAR Problems

Hello Daniel,

How about creating another class-map that filters your internal applications via an access-list on source/destination IPs or ports, and putting that class in your policy-map before your class p2p_match?

Something like this:

class-map match-all INTERNAL-APPS
 match access-group name ALLOW-INTERNAL-APPS
class-map match-any p2p_match
 match protocol kazaa2
 match protocol winmx
 match protocol edonkey
 match protocol gnutella
 match protocol napster
 match protocol fasttrack
 match protocol bittorrent
!
policy-map p2p_drop
 ! no action here: traffic matching this class is exempted before p2p_match is tested
 ! (the class-map is named INTERNAL-APPS; ALLOW-INTERNAL-APPS is the ACL)
 class INTERNAL-APPS
 class p2p_match
  drop
 class class-default
!
ip access-list extended ALLOW-INTERNAL-APPS
 ! extended ACLs take wildcard masks (0.0.0.255 for a /24), not subnet masks
 permit ip x.x.x.x 0.0.0.255 x.x.x.x 0.0.0.255

Regards, Dirk.

4 REPLIES

Bronze

Re: NBAR Problems

Actually, I did try that, thinking that would be the easiest way. But it didn't work. I didn't even see any hits on the class allowing my internal apps.

I don't know if an action needs to be applied to the class in the policy-map for it to take effect?

Daniel

Silver

Re: NBAR Problems

I think you should use nested match classes. This allows you to combine match-any and match-all. The idea is that the P2P application should be matched only if the internal IP addresses are not matched. Consider the following:

class-map match-any p2p_protocol
 match protocol kazaa2
 match protocol winmx
 match protocol edonkey
 match protocol gnutella
 match protocol napster
 match protocol fasttrack
 match protocol bittorrent
!
! Internal_IP_ACL must exist as a named extended ACL permitting the internal flows
class-map match-all P2P
 match class-map p2p_protocol
 match not access-group name Internal_IP_ACL
!
policy-map Peer2Peer
 class P2P
  ! drop, as in the p2p_drop policy above
  drop
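Both fixes in this thread rest on the same MQC behaviour: classes in a policy-map are tested in configured order, the first match wins, and a class with no action simply forwards what it matches. The following Python model is an added example, not code from the thread or from Cisco; the /24 prefixes, addresses and packet list are constructed assumptions, and ACL matching is reduced to a prefix check.

```python
from ipaddress import ip_address, ip_network

# NBAR protocols from the thread's p2p_match class-map.
P2P_APPS = {"kazaa2", "winmx", "edonkey", "gnutella", "napster",
            "fasttrack", "bittorrent"}
# Stand-in for the extended ACL: one 'permit ip <src net> <dst net>' entry
# with constructed /24 prefixes (implicit deny for everything else).
INTERNAL_ACL = [(ip_network("10.1.1.0/24"), ip_network("10.2.2.0/24"))]

def acl_permits(pkt, acl):
    src, dst = ip_address(pkt["src"]), ip_address(pkt["dst"])
    return any(src in s and dst in d for s, d in acl)
def match_protocol(app):                          # match protocol <app>
    return lambda pkt: pkt["app"] == app
def match_access_group(acl, negate=False):        # match [not] access-group
    return lambda pkt: acl_permits(pkt, acl) != negate
def class_matches(cmap, pkt):
    """match-any needs one true term, match-all needs every term true."""
    hits = (term(pkt) for term in cmap["terms"])
    return any(hits) if cmap["mode"] == "match-any" else all(hits)

def apply_policy(policy, pkt):
    """Classes are tested in configured order and the first match wins; a
    class with no action, like class-default, just forwards the packet."""
    for cmap, action in policy:
        if class_matches(cmap, pkt):
            return action
    return "transmit"

P2P_MATCH = {"mode": "match-any", "terms": [match_protocol(a) for a in P2P_APPS]}
INTERNAL_APPS = {"mode": "match-all", "terms": [match_access_group(INTERNAL_ACL)]}
# match-all class that nests the match-any one and adds 'match not access-group'.
P2P_NESTED = {"mode": "match-all",
              "terms": [lambda pkt: class_matches(P2P_MATCH, pkt),
                        match_access_group(INTERNAL_ACL, negate=True)]}

POLICY_ORIGINAL = [(P2P_MATCH, "drop")]                              # the question
POLICY_ORDERED = [(INTERNAL_APPS, "transmit"), (P2P_MATCH, "drop")]  # exempt class first
POLICY_NESTED = [(P2P_NESTED, "drop")]                               # nested class-maps
# Constructed packets; "app" is what NBAR classified the flow as.
SAMPLE = [
    {"src": "10.1.1.5", "dst": "10.2.2.9", "app": "bittorrent"},      # internal app on a P2P port
    {"src": "10.1.1.5", "dst": "198.51.100.7", "app": "bittorrent"},  # real P2P leaving the site
    {"src": "192.0.2.4", "dst": "10.2.2.9", "app": "gnutella"},       # P2P from outside
    {"src": "10.1.1.5", "dst": "198.51.100.7", "app": "http"},        # ordinary web traffic
]

def classify_all(policy):
    return [apply_policy(policy, pkt) for pkt in SAMPLE]
```

Running classify_all on the three policies shows the original policy dropping the internal application while the ordered and nested policies agree on every packet. On the router, show policy-map interface gives the per-class packet counters Daniel was looking for.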

Bronze

Re: NBAR Problems

Dirk,

I tried it again and it worked. Not sure why it didn't the first time. Maybe I just mistyped something.

Daniel
