Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

ken
New Member

Using NBAR to filter Peer-to-Peer P2P Traffic

I am using a 3925 router running 15.1(1)T software.  The router has four interfaces:

GBE0/0     WAN/Internet

GBE0/1     LAN1

GBE0/2     LAN2

GBE0/3     LAN3

LAN1, LAN2 and LAN3 are seperate networks addressed with public addresses in a single /22 block.  LAN1 is a /23 and LAN2 & LAN3 are /24.

I am attempting to block users on the internal networks from using Peer-to-Peer software to download copyrighted content.  To do so, I followed the instructions in the CLI portion (top half) of http://www.cisco.com/en/US/products/ps5855/products_configuration_example09186a0080ac3082.shtml

The configuration example above details loading PDLM files for each of the protocols NBAR should classify.  But I couldn't locate any PDLM files for the 3925 and it seems to be working without them.  #show ip nbar pdlm returns nothing, but #show policy-map interface GigabitEther0/1 returns:

  Service-policy input: P2P-QoS-Policy

    Class-map: p2p (match-any)
      316994 packets, 39602624 bytes
      5 minute offered rate 41000 bps, drop rate 41000 bps
      Match: protocol fasttrack
        3 packets, 180 bytes
        5 minute rate 0 bps
      Match: protocol gnutella
        71 packets, 9817 bytes
        5 minute rate 0 bps
      Match: protocol kazaa2
        7 packets, 1106 bytes
        5 minute rate 0 bps
      Match: protocol edonkey
        53 packets, 6220 bytes
        5 minute rate 0 bps
      Match: protocol winmx
        32 packets, 3451 bytes
        5 minute rate 0 bps
      Match: protocol bittorrent
        123988 packets, 14638612 bytes
        5 minute rate 41000 bps
      Match: protocol directconnect
        922 packets, 297410 bytes
        5 minute rate 0 bps
      Match: access-group 109
        4 packets, 333 bytes
        5 minute rate 0 bps
      drop

Am I interpretting this correctly?  Does this show that it's classifying the traffic despite no PDLM files being loaded?

Here's the pertinent parts of my actual configuration.  I would appreciate any critique or suggestions for improving it:

!

ip cef

!

policy-map P2P-QoS-Policy

class p2p

   drop

!

interface GigabitEthernet0/0

description WAN_Internet

ip address ###.###.###.### 255.255.255.252

duplex full

speed 100

no cdp enable

!

!

interface GigabitEthernet0/1

description LAN1

ip address XXX.XXX.XXX.XXX 255.255.254.0

ip nbar protocol-discovery

duplex auto

speed auto

no snmp trap link-status

no cdp enable

no mop enabled

service-policy input P2P-QoS-Policy

!

!

interface GigabitEthernet0/2

description LAN2

ip address YYY.YYY.YYY.YYY 255.255.255.0

ip nbar protocol-discovery

duplex auto

speed auto

no snmp trap link-status

no cdp enable

no mop enabled

service-policy input P2P-QoS-Policy

!

!

interface FastEthernet0/0/0

description LAN3

ip address ZZZ.ZZZ.ZZZ.ZZZ 255.255.255.0

ip nbar protocol-discovery

duplex auto

speed auto

service-policy input P2P-QoS-Policy

!
!

class-map match-any p2p
match protocol fasttrack
match protocol gnutella
match protocol kazaa2
match protocol edonkey
match protocol winmx
match protocol bittorrent
match protocol directconnect
match access-group 109
!

!        
policy-map P2P-QoS-Policy
class p2p
   drop
!
!

access-list 109 remark P2P-Qos Category=256

access-list 109 remark Outgoing Traffic

access-list 109 permit ip XYZ.XYZ.XYZ.XYZ 0.0.3.255 ###.###.###.### 0.0.0.3

access-list 109 remark Incoming Traffic

access-list 109 permit ip ###.###.###.### 0.0.0.3 XYZ.XYZ.XYZ.XYZ 0.0.3.255

!

Thanks for having a look.  I appreciate any suggestions!

Everyone's tags (6)
1 REPLY

Re: Using NBAR to filter Peer-to-Peer P2P Traffic

Hi !

I tested this and this is what I found.

I believe that pdlms which are bundled in the ios dont show up with command "show ip nbar pdlm". Once you download and install the pdlm with the command "ip nbar pdlm" then you will get output for the specific pdlm only.

Nandan Mathure

1997
Views
0
Helpful
1
Replies