From: Chuck Church (cchurch@optonline.net)
Date: Tue Nov 26 2002 - 15:58:22 GMT-3
I'm really beginning to think that NBAR is a total crock.  I was under the
impression that it would look at the layer 4 data for a signature match, but
that doesn't appear to be the case.  As a test, I assigned HTTP to just TCP
port 100 (to get it out of the way), and then assigned TCP 80 to Citrix.
Opened up a browser and hit a couple web sites.  NBAR is claiming that was
Citrix traffic, when it was plain HTTP.  Clearly doesn't look at the
payload.  If there's something it can do that I can't with an extended
access list, I'd like to know what it is.  Network Computing tested some
dedicated traffic shapers:
http://www.nwc.com/1324/1324f3.html
    Packeteer looks pretty nice, but not for that much.  I'm thinking Cisco
needs to look at the payload, even if there's a performance hit.  They
should leave it up to us whether or not the router can handle it.
Chuck Church
CCIE #8776, MCNE, MCSE
----- Original Message -----
From: "Jay Greenberg" <groupstudylist@execulink.com>
To: "McClure, Allen" <Allen.McClure@Tricon-Yum.Com>
Cc: <ccielab@groupstudy.com>
Sent: Tuesday, November 26, 2002 11:56 AM
Subject: Re: OT: Morpheus, Kazaa, Fasttrack
> I am experimenting with CBWFQ with the following definitions (inbound &
> outbound), but it's not working very well.  I would like to know what
> others are doing.  Keep in mind that on big routers, NBAR is not an
> option.  Any constructive criticism would be helpful.
>
> Extended IP access list p2p
>     permit tcp any eq 1214 any (5 matches)
>     permit tcp any any eq 1214
>     permit tcp any eq 6346 any
>     permit tcp any any eq 6346
>     permit tcp any eq 4662 any (1 match)
>     permit tcp any any eq 4662 (1 match)
>     permit tcp any eq 6257 any
>     permit tcp any any eq 6257
>     permit tcp any eq 6699 any
>     permit tcp any any eq 6699
>
>   Policy Map p2p
>       Description: Provide only 5Mbps for Peer-to-Peer Applications
>     Class p2p
>       police 5000000 156250 156250 conform-action transmit exceed-action drop
>
>  Class Map match-any class-default (id 0)
>    Match any
>
>  Class Map match-any p2p (id 2)
>   Description: Peer to Peer
>    Match access-group name p2p
>
>
> On Tue, 2002-11-26 at 10:34, McClure, Allen wrote:
> > Has anyone figured out how to successfully block or police this junk
> > yet?  I've been messing with NBAR quite a bit and have even gotten a new
> > kazaa2.pdlm from Cisco TAC.  VERY limited success.
> >
> > This is killing me.  Can anyone shed light on a Cisco way of doing this?
> > I'm not concerned with old versions of the software or the 1214 port
> > (doesn't work).
> >
> > Thanks in advance for any help!
> >
> > Allen McClure
> > MCSE, CCNP, CCDP
> >
> >
> >
> > This communication is confidential and may be legally privileged.  If you are
> > not the intended recipient, (i) please do not read or disclose to others, (ii)
> > please notify the sender by reply mail, and (iii) please delete this
> > communication from your system.  Failure to follow this process may be
> > unlawful.  Thank you for your cooperation.
> --
> Jay Greenberg <groupstudylist@execulink.com>
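Added example, not code from this thread, from Cisco or from any product: a toy model of the two classification methods the thread argues about (a port-map lookup of the kind Chuck tested, versus a payload signature check) feeding a single-rate token-bucket policer that uses the numbers from Jay's quoted policy map (5 Mbps, Bc 156250 bytes). The port map mirrors Chuck's test (HTTP on tcp/100, Citrix on tcp/80); the "X-Kazaa-" header signature, the HTTP method prefixes, the packets and the tcp/8080 evasion port are all assumptions constructed for the demonstration, and the excess burst (Be) from the config is not modelled.

```python
"""Added example, not code from this thread or from Cisco: a toy model of
the two classification methods argued about above (port-map lookup versus
payload signature) feeding a single-rate token-bucket policer that uses the
numbers from the quoted policy map (5 Mbps, Bc 156250 bytes).  Port map,
signatures and packets are all constructed for the demonstration."""
from dataclasses import dataclass
from fractions import Fraction


@dataclass
class Packet:
    t_ms: int       # arrival time in milliseconds
    proto: str      # "tcp" or "udp"
    dport: int      # destination port
    length: int     # bytes on the wire
    payload: bytes  # first bytes of application data


# Port map mirroring Chuck's test: HTTP moved to tcp/100, Citrix put on
# tcp/80.  tcp/1214 is the FastTrack port from Jay's ACL.
PORT_MAP = {("tcp", 100): "http", ("tcp", 80): "citrix", ("tcp", 1214): "fasttrack"}

# Assumed signatures standing in for a PDLM (not Cisco's).  A Kazaa transfer
# is HTTP-shaped, so its header is tested before the generic HTTP check.
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"HTTP/1.")
SIGNATURES = [
    ("fasttrack", lambda p: b"X-Kazaa-" in p),
    ("http", lambda p: p.startswith(HTTP_METHODS)),
]


def classify_by_port(pkt: Packet) -> str:
    """Port-map-only classifier: the port decides, the payload is never read."""
    return PORT_MAP.get((pkt.proto, pkt.dport), "unclassified")


def classify_by_payload(pkt: Packet) -> str:
    """Signature classifier; falls back to the port map when nothing fires."""
    for name, matcher in SIGNATURES:
        if matcher(pkt.payload):
            return name
    return classify_by_port(pkt)


class SingleRatePolicer:
    """Single-rate, two-colour token bucket: CIR in bit/s, Bc in bytes.
    Conforming packets are transmitted, exceeding ones dropped.  Be from
    the quoted config is not modelled (it has no violate-action either).
    Fractions keep the arithmetic exact for any CIR."""

    def __init__(self, cir_bps: int, bc_bytes: int):
        self.rate = Fraction(cir_bps, 8000)   # bytes per millisecond
        self.bc = Fraction(bc_bytes)
        self.tokens = self.bc                 # bucket starts full
        self.last_ms = 0

    def police(self, pkt: Packet) -> str:
        elapsed = max(0, pkt.t_ms - self.last_ms)
        self.last_ms = max(self.last_ms, pkt.t_ms)
        self.tokens = min(self.bc, self.tokens + elapsed * self.rate)
        if pkt.length <= self.tokens:
            self.tokens -= pkt.length
            return "transmit"
        return "drop"


def run_policy(packets, classifier, policed_class="fasttrack",
               cir_bps=5_000_000, bc_bytes=156_250):
    """Classify each packet; police only policed_class, transmit the rest.
    Returns (class, action) per packet, in order."""
    policer = SingleRatePolicer(cir_bps, bc_bytes)
    result = []
    for pkt in packets:
        cls = classifier(pkt)
        action = policer.police(pkt) if cls == policed_class else "transmit"
        result.append((cls, action))
    return result


def count_actions(results):
    """Number of transmitted and dropped packets in a run_policy result."""
    actions = [a for _, a in results]
    return {"transmit": actions.count("transmit"), "drop": actions.count("drop")}


# Constructed traffic.  Plain web traffic on tcp/80, then a 200 ms burst of
# 1500-byte Kazaa-style packets on tcp/8080, a port neither the ACL in the
# thread nor the port map knows about.
WEB_ON_80 = Packet(0, "tcp", 80, 600,
                   b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n")
KAZAA_PAYLOAD = b"GET /somefile.mp3 HTTP/1.1\r\nX-Kazaa-Network: KaZaA\r\n"
BURST_ON_8080 = [Packet(i, "tcp", 8080, 1500, KAZAA_PAYLOAD) for i in range(200)]

if __name__ == "__main__":
    print("port map :", classify_by_port(WEB_ON_80), "/",
          classify_by_port(BURST_ON_8080[0]))
    print("signature:", classify_by_payload(WEB_ON_80), "/",
          classify_by_payload(BURST_ON_8080[0]))
    print("port-map policing :", count_actions(run_policy(BURST_ON_8080, classify_by_port)))
    print("signature policing:", count_actions(run_policy(BURST_ON_8080, classify_by_payload)))
```

With the port map alone, the web request on tcp/80 comes back as "citrix" (Chuck's observation) and the Kazaa burst on tcp/8080 is "unclassified", so the policer never sees it and all 200 packets pass. With the signature check the burst is classed "fasttrack" and policed: the bucket holds 156250 bytes and refills at 625 bytes per millisecond, so of the 300000 bytes offered in 200 ms about 280500 fit (187 packets) and 13 packets are dropped. The same arithmetic explains why a burst of back-to-back 1500-byte packets at one instant gets exactly 104 through before the first drop.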
This archive was generated by hypermail 2.1.4 : Tue Dec 03 2002 - 07:23:11 GMT-3