RE: using nbar to block p2p real world examples ?

From: Church, Chuck (cchurch@netcogov.com)
Date: Tue Nov 23 2004 - 13:57:07 GMT-3


Kurt,

        Give this a shot. This is from a 2600. On the MSFC, you've got
to trick the switch into not letting the PFC ASIC-switch the frames to
the firewall. Putting ip nbar protocol-discovery on the VLAN ints I
think will do it.

Chuck Church
Lead Design Engineer
CCIE #8776, MCNE, MCSE
Netco Government Services - Design & Implementation
1210 N. Parker Rd.
Greenville, SC 29609
Home office: 864-335-9473
Cell: 703-819-3495
cchurch@netcogov.com
PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4371A48D

------------------------------------------------------------------------------
version 12.3
!
ip nbar pdlm flash:edonkey.pdlm
ip nbar pdlm flash:WinMX.pdlm
ip nbar pdlm flash:bittorrent.pdlm
!
!
class-map match-any fileshare2
  match protocol kazaa2 file-transfer "*"
  match protocol napster non-std
  match protocol fasttrack file-transfer "*"
  match protocol gnutella file-transfer "*"
  match protocol http url "\.hash=*"
  match protocol http url "/.hash=*"
  match protocol edonkey
  match protocol winmx
  match protocol bittorrent
class-map match-any fileshare1
  match protocol fasttrack
  match protocol kazaa2
  match protocol napster
  match protocol gnutella
class-map match-any DOS-MS-Worm
  match protocol netbios
  match protocol exchange
class-map match-any DOS-ICMP
  match protocol icmp
!
!
policy-map mark
  class fileshare1
   set dscp 3
  class fileshare2
   set dscp 3
  class DOS-MS-Worm
   set dscp 5
  class DOS-ICMP
   set dscp 6
!
interface FastEthernet0/0
 ip address xxx.yyy.xxx.33 255.255.255.240
 service-policy input mark
 rate-limit output dscp 3 256000 1500 3000 conform-action transmit exceed-action drop
 rate-limit output dscp 5 8000 1500 3000 conform-action transmit exceed-action drop
 rate-limit output dscp 6 24000 1500 3000 conform-action transmit exceed-action drop
!
interface Serial0/0.1 point-to-point
 bandwidth 1536
 ip unnumbered FastEthernet0/0
 service-policy input mark
 rate-limit output dscp 3 128000 1500 3000 conform-action transmit exceed-action drop
 rate-limit output dscp 6 24000 1500 3000 conform-action transmit exceed-action drop
 rate-limit output dscp 5 8000 1500 3000 conform-action drop exceed-action drop

---------------------------------------------------------------------------------------

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Kurt Kruegel
Sent: Tuesday, November 23, 2004 11:24 AM
To: ccielab@groupstudy.com
Subject: using nbar to block p2p real world examples ?

hi guys,

I'd like to use NBAR to block p2p, preferably on my MSFC interface facing my
firewall inside interface.
Anyone have any canned configs, suggestions, experience?

I've seen Cisco's examples and I'd like to see what people are currently using.

thanks
kurt

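Chuck's config marks p2p traffic and rate-limits it with CAR, whereas Kurt asked about blocking it outright. The following is an added example, not part of either post, showing the drop-based variant on the firewall-facing VLAN of the MSFC. The interface (Vlan10), the class name, the policy names and ACL number 105 are assumptions chosen for illustration; the PDLM list is the one from Chuck's config.

```ios
! Added example: drop p2p with NBAR on the MSFC VLAN facing the firewall.
! Vlan10, the class/policy names and ACL 105 are assumptions.
!
! Add-on PDLMs must already be on flash; "show ip nbar pdlm" lists what is loaded
ip nbar pdlm flash:edonkey.pdlm
ip nbar pdlm flash:WinMX.pdlm
ip nbar pdlm flash:bittorrent.pdlm
!
! One match-any class for every p2p protocol NBAR knows about here
class-map match-any P2P
  match protocol fasttrack
  match protocol kazaa2
  match protocol gnutella
  match protocol napster
  match protocol edonkey
  match protocol winmx
  match protocol bittorrent
!
! Drop the class outright (MQC "drop" class action, 12.2T/12.3 images)
policy-map BLOCK-P2P
  class P2P
    drop
!
! Older images without the "drop" action: mark the class, then deny the
! marking with an outbound ACL on the next-hop interface
policy-map MARK-P2P
  class P2P
    set ip dscp 1
access-list 105 deny   ip any any dscp 1
access-list 105 permit ip any any
!
! Vlan10 is assumed to be the MSFC interface toward the firewall inside leg.
! Client-to-Internet traffic leaves this interface; return traffic enters it,
! so the policy is applied in both directions. Protocol discovery keeps
! per-interface NBAR counters and, as Chuck notes, is what keeps the PFC
! from hardware-switching these frames past the MSFC.
interface Vlan10
  ip nbar protocol-discovery
  service-policy input BLOCK-P2P
  service-policy output BLOCK-P2P
!
! Verification
! show ip nbar pdlm
! show ip nbar protocol-discovery interface Vlan10 top-n 10
! show policy-map interface Vlan10
```

Two caveats before deploying this on a 6500: NBAR classification is done in software on the MSFC, so every packet crossing an interface with an NBAR policy is handled by the route processor rather than the PFC, and the `show processes cpu` baseline should be checked before and after enabling it. Second, NBAR only recognises what its PDLMs describe, so `show ip nbar protocol-discovery` on the VLAN is the quickest way to confirm that the p2p protocols actually in use on the network are being classified at all before a `drop` policy is trusted to block them.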


This archive was generated by hypermail 2.1.4 : Thu Dec 02 2004 - 06:57:49 GMT-3