Re: NBAR and Fastrack

From: Chuck Church (ccie8776@rochester.rr.com)
Date: Thu Feb 13 2003 - 16:34:13 GMT-3


Check out:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t8/dtnbarad.htm

Once you've got a feel for how it works, you'll need a version that supports
the kazaa2.pdlm. I think that means 12.2.8T to 12.2.11Tx. But not
12.2.13T. Once you've got that, download the kazaa2.pdlm file. With that
done, figure out if you want to block it all, or just rate limit it. Here's
a config with important stuff I did for a small business:

! adds support for kazaa 2 protocol
ip nbar pdlm flash:kazaa2.pdlm
!
! needed for NBAR
ip cef
!
! 2 class maps are needed because it won't let you put PROTOCOL and
! PROTOCOL file-transfer "*" on same class-map.
class-map match-any fileshare2
  match protocol kazaa2 file-transfer "*"
  match protocol gnutella file-transfer "*"
  match protocol fasttrack file-transfer "*"
class-map match-any fileshare1
  match protocol fasttrack
  match protocol kazaa2
  match protocol napster
  match protocol gnutella
  ! This one is in case Kazaa uses port 80. This URL matches kazaa2
  match protocol http url "\.hash=*"
!
! These policies set the IP DSCP field with a 3 for packets matching the
! class maps above. Once a packet is flagged, it's easy to block it with an
! ACL or rate limit it
policy-map mark
  class fileshare1
   set ip dscp 3
  class fileshare2
   set ip dscp 3
!
interface FastEthernet0
 ip address 192.168.0.5 255.255.255.0
 ! blocks DSCP 3 packets from getting to workstations
 ip access-group 120 out
 ! applies the policy called 'mark' to packets coming into the interface
 service-policy input mark
!
interface Serial1.40 point-to-point
 ip address x.x.x.x 255.255.255.248
 ip access-group ser-in in
 ! blocks DSCP 3 packets from getting to internet, so local PCs can't
 ! share files
 ip access-group eth-in out
 ! applies the policy called 'mark' to packets coming into the interface
 service-policy input mark
 frame-relay interface-dlci 40 IETF
!
ip access-list extended eth-in
 deny ip any any dscp 3
 permit ip any any reflect ether
ip access-list extended ser-in
 evaluate ether
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 120 deny ip any any dscp 3
access-list 120 permit ip any any

Hope this makes sense.

Chuck Church
CCIE #8776, MCNE, MCSE

----- Original Message -----
From: "george gittins" <g.gittins@edinburg.esc1.net>
To: <ccielab@groupstudy.com>
Sent: Thursday, February 13, 2003 11:34 AM
Subject: FW: NBAR and Fastrack

> How do you add kazaa2.pdlm? Any set of instructions?
>
> George Gittins
> Network and Computer Maintenance Supervisor
>
> -----Original Message-----
> From: Chuck Church [mailto:ccie8776@rochester.rr.com]
> Sent: Thursday, February 13, 2003 10:11 AM
> To: george gittins; ccielab@groupstudy.com
> Subject: Re: NBAR and Fastrack
>
> I think you need something newer to do fastrack. If you're trying to
> block Kazaa, I think your best bet is to get 12.2.11Tx, and then add the
> kazaa2.pdlm. Seems to catch most of it.
>
> Chuck Church
> CCIE #8776, MCNE, MCSE
>
>
> ----- Original Message -----
> From: "george gittins" <g.gittins@edinburg.esc1.net>
> To: <ccielab@groupstudy.com>
> Sent: Thursday, February 13, 2003 10:15 AM
> Subject: NBAR and Fastrack
>
>
> > I was trying to enable or configure NBAR with fastrack and it does
> > not show me the protocol fastrack, any reason why? I'm using IOS
> > 12.2(4)T3. Something else I'm missing?
> >
> >
> >
> > George Gittins
> >
> > Network and Computer Maintenance Supervisor
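The thread stops short of two things a practitioner would want: how the PDLM actually gets onto the router (George's question), and what the "rate limit it instead of blocking it" branch Chuck mentions looks like. The fragment below is an added example, not part of Chuck's or George's posts. It assumes the class-maps fileshare1 and fileshare2 from Chuck's config already exist, assumes an IOS 12.2T-era MQC `police` syntax, and uses 192.168.0.10 as a hypothetical TFTP server and 128 kbps / 16000 bytes as illustrative policer values; the `Router#` lines in comments are exec commands to type, not configuration.

```cisco
! --- Added example; not from the original posts. Assumes class-maps
! --- fileshare1 and fileshare2 from the config above are already defined.
!
! Step 1: get the PDLM onto flash, load it, and confirm NBAR knows the
!         protocols before writing any class-map that matches them.
!         192.168.0.10 is an assumed TFTP server, not from the thread.
! Router# copy tftp://192.168.0.10/kazaa2.pdlm flash:kazaa2.pdlm
ip nbar pdlm flash:kazaa2.pdlm
! Router# show ip nbar pdlm
! Router# show ip nbar version
! (kazaa2 and fasttrack must be listed; if they are not, the IOS image
!  does not support the PDLM and 'match protocol kazaa2' will be rejected)
!
! Step 2 (alternative to marking DSCP 3 and dropping it with an ACL):
!         police the matched traffic so P2P still works but cannot
!         starve the Frame Relay link. Values are illustrative.
policy-map limit-p2p
 class fileshare1
  police 128000 16000 conform-action transmit exceed-action drop
 class fileshare2
  police 128000 16000 conform-action transmit exceed-action drop
!
! Inbound on the LAN side limits uploads leaving the site; inbound on
! the WAN side limits downloads coming in. Caveat: IOS allows only one
! service-policy per direction on an interface, so on each interface this
! replaces 'service-policy input mark' from the original config rather
! than coexisting with it.
interface FastEthernet0
 service-policy input limit-p2p
interface Serial1.40 point-to-point
 service-policy input limit-p2p
!
! Step 3: verify the classes really match and the drop counters move
!         while a P2P client is running. Zero matches usually means the
!         PDLM is not loaded or ip cef is off.
! Router# show policy-map interface FastEthernet0
! Router# show policy-map interface Serial1.40
!
! For the original mark-then-ACL design, the equivalent checks are the
! per-entry hit counters on the ACLs that deny dscp 3:
! Router# show access-lists 120
! Router# show ip access-lists eth-in
!
! Optional: turn on protocol discovery on the LAN interface to see what
! NBAR classifies before choosing between block and rate-limit.
interface FastEthernet0
 ip nbar protocol-discovery
! Router# show ip nbar protocol-discovery interface FastEthernet0
```

Either design keeps NBAR's limits: classification is per flow on the router where the policy is applied, so a client that tunnels over an unrecognized port or encrypts the payload will not hit fileshare1/fileshare2, and the `http url "\.hash=*"` match only helps for the plain-HTTP case Chuck describes. Check the counters after enabling rather than assuming the match is working.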



This archive was generated by hypermail 2.1.4 : Sat Mar 01 2003 - 11:06:21 GMT-3