From: Chuck Church (cchurch@MAGNACOM.com)
Date: Wed Oct 30 2002 - 17:33:48 GMT-3
Philip,
I was under the impression that NBAR didn't care about ports, and
actually looked at the payload to see what kind of packet it was. If what
you're saying is NBAR only looks at a certain port for a certain kind of
traffic, doesn't that make it only about as useful as an extended ACL? Or
is NBAR really intended as a safety net, where it looks at traffic using say
TCP port 1214 (one of Kazaa's ports) and verifying it's really Fasttrack,
and not something else that randomly chose that high port?
Thanks,
Chuck Church
CCIE #8776, MCNE, MCSE
Sr. Network Engineer
Magnacom Technologies
140 N. Rt. 303
Valley Cottage, NY 10989
845-267-4000
-----Original Message-----
From: Philip Neeson [mailto:Philip.Neeson@uk.didata.com]
Sent: Wednesday, October 30, 2002 11:46 AM
To: Chuck Church; Kurt Kruegel
Cc: Groupstudy ccielab list
Subject: RE: dealing with fastrack (Kazaa et.al.)
I did a lot of work with this and NBAR on both a 7200 and MSFC. Works very
well, we currently filter out fasttrack, guntella and napster on a 7200
attached to the Internet via 10MB. It works a treat, no performance hit,
fantastic.
Watch-out there are new variants of fasttrack out there that use random
source and destination ports.. In this case NBAR woun't work..
Cisco are working on this but woun't say any more..
Philip.
-----Original Message-----
From: Chuck Church [mailto:cchurch@MAGNACOM.com]
Sent: Wed 30/10/2002 15:05
To: 'Kurt Kruegel'
Cc: 'Groupstudy ccielab list'
Subject: RE: dealing with fastrack (Kazaa et.al.)
Kurt,
Interesting you should mention that. The customer did ask about using
that, as many of the other SUNY schools us it for just that purpose. But
since they've got some heavy duty equipment (6509 with dual MSFC2 serving
2000 workstations), I figure I'd try the Cisco way first. How are the
routers working out for you?
Chuck Church
CCIE #8776, MCNE, MCSE
Sr. Network Engineer
Magnacom Technologies
140 N. Rt. 303
Valley Cottage, NY 10989
845-267-4000
-----Original Message-----
From: Kurt Kruegel [mailto:kurt@cybernex.net]
Sent: Tuesday, October 29, 2002 11:16 PM
To: Chuck Church
Cc: 'Groupstudy ccielab list'
Subject: Re: dealing with fastrack (Kazaa et.al.)
look up packeteer it's not a cisco product, but i've heard good things about
it
from
somone who manages a division 1 school's network.
Chuck Church wrote:
> All,
>
> Just as a followup, I've been messing around with this a bunch the
> last week or so as I've got a customer (a community college) looking to
> block this stuff. The mainline 12.2 versions seem to be able to do this,
> and even some newer 12.1 versions. They've modularized it, so you can add
a
> protocol definition file (search CCO for PDLM files) to cover new apps
> without a fullblown IOS upgrade or even a reload of the router. It seems
> that Cisco is really going nuts with the QOS options available these days.
> Cool stuff to learn...
>
> Chuck Church
> CCIE #8776, MCNE, MCSE
> Sr. Network Engineer
> Magnacom Technologies
> 140 N. Rt. 303
> Valley Cottage, NY 10989
> 845-267-4000
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
> Frank Jimenez
> Sent: Thursday, September 26, 2002 4:16 AM
> To: Chuck Church; 'McClure, Allen'; 'Carlos G Mendioroz'; 'Groupstudy
> ccielab list'
> Subject: RE: dealing with fastrack (Kazaa et.al.)
>
> IIRC, You need to use a fairly new IOS load to make that work. 12.2(8)T
>
> http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft
> /122t/122t8/dtnbarad.htm
>
> Frank Jimenez, CCIE #5738
> franjime@cisco.com
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Chuck Church
> Sent: Wednesday, September 25, 2002 5:42 PM
> To: 'McClure, Allen'; 'Carlos G Mendioroz'; 'Groupstudy ccielab list'
> Subject: RE: dealing with fastrack (Kazaa et.al.)
>
> I tried to get NBAR to work against streaming radio stations using media
> player. I looked at the packet headers with Sniffer, and set the DSCP
> to that. But it never seemed to work correctly. If anyone got it to
> work, I'd like to see how it's done.
>
> Thanks,
>
> Chuck Church
> CCIE #8776, MCNE, MCSE
> Sr. Network Engineer
> Magnacom Technologies
> 140 N. Rt. 303
> Valley Cottage, NY 10989
> 845-267-4000
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
> McClure, Allen
> Sent: Wednesday, September 25, 2002 4:56 PM
> To: Carlos G Mendioroz; Groupstudy ccielab list
> Subject: RE: dealing with fastrack (Kazaa et.al.)
>
> You may wish to look into NBAR. We're thinking about using it for the
> peer-to-peer junk.
>
> Allen McClure
> MCSE, CCNP, CCDP
> YUM! Brands, Inc.
> Sr. Network Analyst
> NEW E-Mail - mailto:allen.mcclure@yum.com
> 972-338-7494
>
> -----Original Message-----
> From: Carlos G Mendioroz [mailto:tron@huapi.ba.ar]
> Sent: Wednesday, September 25, 2002 3:32 PM
> To: Groupstudy ccielab list
> Subject: OT: dealing with fastrack (Kazaa et.al.)
>
> Hi,
> after a long time of chasing local servers on different ports and using
> CAR to make it a pain to use those pesty peer to peer programs, I'm
> trying to automatize the thing.
>
> Basically I want to find who has fasttrack (snort or the like triggering
> on port 1214 activity) and make a list, then dynamically build an ACL to
> CAR all traffic from/to those stations into a small pipe. End result
> would be "if you use it, your network access rate will be poor".
>
> Question: has anybody got a way to program ACLs from a unix box (via a
> script)
> in a secure way ? Is there a way to use SNMP to do this ?
>
> Advise on any solution to the fastrack net hogging problem is
> appreciated.
> Note: My network policy does not allow me to kill port 1214 :-(
>
> TIA
> --
> Carlos G Mendioroz <tron@huapi.ba.ar> LW7 EQI Argentina
>
> This communication is confidential and may be legally privileged. If
> you are not the intended recipient, (i) please do not read or disclose
> to others, (ii) please notify the sender by reply mail, and (iii) please
> delete this communication from your system. Failure to follow this
> process may be unlawful. Thank you for your cooperation.
**********************************************************************
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.
This footnote also confirms that this email message has been swept by
Dimension Data mail system for the presence of computer viruses.
www.uk.didata.com
**********************************************************************
This archive was generated by hypermail 2.1.4 : Tue Nov 05 2002 - 08:36:00 GMT-3