RE: using nbar to block p2p real world examples ?

From: Brian McGahan (bmcgahan@internetworkexpert.com)
Date: Tue Nov 23 2004 - 14:20:54 GMT-3


Kurt,

        In Chuck's case he is rate-limiting the traffic. If you want to
just drop the traffic completely use the "drop" keyword in the
policy-map if your IOS supports it. This saves the router the step of
having to do a routing table lookup, switch the packet, and then drop it
at the interface level.

http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080110b81.html

HTH,

Brian McGahan, CCIE #8593
bmcgahan@internetworkexpert.com

Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987 x 705
Outside US: 775-826-4344 x 705
24/7 Support: http://forum.internetworkexpert.com
Live Chat: http://www.internetworkexpert.com/chat/

> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Church, Chuck
> Sent: Tuesday, November 23, 2004 10:57 AM
> To: Kurt Kruegel; ccielab@groupstudy.com
> Subject: RE: using nbar to block p2p real world examples ?
>
> Kurt,
>
> Give this a shot. This is from a 2600. On the MSFC, you've got
> to trick the switch into not letting the PFC ASIC-switch the frames to
> the firewall. Putting ip nbar protocol-discovery on the VLAN ints I
> think will do it.
>
>
> Chuck Church
> Lead Design Engineer
> CCIE #8776, MCNE, MCSE
> Netco Government Services - Design & Implementation
> 1210 N. Parker Rd.
> Greenville, SC 29609
> Home office: 864-335-9473
> Cell: 703-819-3495
> cchurch@netcogov.com
> PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4371A48D
>
>
> ------------------------------------------------------------------------------
> version 12.3
> !
> ip nbar pdlm flash:edonkey.pdlm
> ip nbar pdlm flash:WinMX.pdlm
> ip nbar pdlm flash:bittorrent.pdlm
> !
> !
> class-map match-any fileshare2
>  match protocol kazaa2 file-transfer "*"
>  match protocol napster non-std
>  match protocol fasttrack file-transfer "*"
>  match protocol gnutella file-transfer "*"
>  match protocol http url "\.hash=*"
>  match protocol http url "/.hash=*"
>  match protocol edonkey
>  match protocol winmx
>  match protocol bittorrent
> class-map match-any fileshare1
>  match protocol fasttrack
>  match protocol kazaa2
>  match protocol napster
>  match protocol gnutella
> class-map match-any DOS-MS-Worm
>  match protocol netbios
>  match protocol exchange
> class-map match-any DOS-ICMP
>  match protocol icmp
> !
> !
> policy-map mark
>  class fileshare1
>   set dscp 3
>  class fileshare2
>   set dscp 3
>  class DOS-MS-Worm
>   set dscp 5
>  class DOS-ICMP
>   set dscp 6
> !
> interface FastEthernet0/0
>  ip address xxx.yyy.xxx.33 255.255.255.240
>  service-policy input mark
>  rate-limit output dscp 3 256000 1500 3000 conform-action transmit exceed-action drop
>  rate-limit output dscp 5 8000 1500 3000 conform-action transmit exceed-action drop
>  rate-limit output dscp 6 24000 1500 3000 conform-action transmit exceed-action drop
>
> !
> interface Serial0/0.1 point-to-point
>  bandwidth 1536
>  ip unnumbered FastEthernet0/0
>  service-policy input mark
>  rate-limit output dscp 3 128000 1500 3000 conform-action transmit exceed-action drop
>  rate-limit output dscp 6 24000 1500 3000 conform-action transmit exceed-action drop
>  rate-limit output dscp 5 8000 1500 3000 conform-action drop exceed-action drop
>
>
> ---------------------------------------------------------------------------------------
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Kurt Kruegel
> Sent: Tuesday, November 23, 2004 11:24 AM
> To: ccielab@groupstudy.com
> Subject: using nbar to block p2p real world examples ?
>
> hi guys,
>
> I'd like to use NBAR to block P2P, preferably on my MSFC interface facing my
> firewall inside interface.
> Anyone have any canned configs, suggestions, experience?
>
> I've seen Cisco's examples and I'd like to see what people are currently using.
>
> thanks
> kurt
>
>
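Brian's drop-keyword alternative written out as a configuration, added here as an example and not taken from any of the posters: it reuses the NBAR classes from Chuck's fileshare1 class-map (the ones that need no extra PDLM), assumes an IOS release whose policy-map class mode accepts the drop action, and pairs it with the protocol-discovery counters Chuck mentions so the operator can see what NBAR actually matched.

```text
! Added example, not from the thread. Drops NBAR-classified P2P on ingress
! instead of marking it and rate-limiting it at the egress interface.
! Assumes an IOS release that supports the "drop" class action.
!
! Same NBAR protocols as Chuck's fileshare1 class; no PDLM downloads needed.
class-map match-any P2P
 match protocol fasttrack
 match protocol kazaa2
 match protocol gnutella
 match protocol napster
!
! Drop the class where the packet enters; class-default is forwarded as usual.
policy-map DROP-P2P
 class P2P
  drop
 class class-default
!
! Apply inbound on the interface facing the firewall's inside interface.
! protocol-discovery keeps per-protocol counters for verifying what NBAR sees.
interface FastEthernet0/0
 ip nbar protocol-discovery
 service-policy input DROP-P2P
!
! Verification (exec mode): per-class packet counts, including the dropped
! class, and the per-protocol totals NBAR has observed on the interface.
! show policy-map interface FastEthernet0/0
! show ip nbar protocol-discovery interface FastEthernet0/0
```

Compare the class counters against the protocol-discovery totals before trusting the policy in production; a class that drops nothing while protocol-discovery reports the protocol usually means the classification is happening on the wrong interface or direction.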



This archive was generated by hypermail 2.1.4 : Thu Dec 02 2004 - 06:57:49 GMT-3