RE: using nbar to block p2p real world examples ?

From: Church, Chuck (cchurch@netcogov.com)
Date: Tue Nov 23 2004 - 15:35:11 GMT-3


Good point, Brian. Here's a config from a 1700 that does it that way.

----------------------------------------------------------------------------------
version 12.2
!
ip nbar pdlm flash:kazaa2.pdlm
ip nbar pdlm flash:edonkey.pdlm
ip nbar pdlm flash:WinMX.pdlm
ip nbar pdlm flash:bittorrent.pdlm
!
ip nbar port-map netbios udp 137 138 445
ip nbar port-map netbios tcp 137 139 445
!
ip cef
!
class-map match-any fileshare2
  match protocol kazaa2 file-transfer "*"
  match protocol napster non-std
  match protocol fasttrack file-transfer "*"
  match protocol gnutella file-transfer "*"
  match protocol http url "\.hash=*"
  match protocol http url "/.hash=*"
class-map match-any fileshare1
  match protocol fasttrack
  match protocol kazaa2
  match protocol napster
  match protocol gnutella
  match protocol edonkey
  match protocol winmx
  match protocol bittorrent
class-map match-any DOS-MS-Worm
  match protocol netbios
  match protocol exchange
class-map match-any DOS-ICMP
  match protocol icmp
!
policy-map limit-ether-in
  class fileshare1
   police cir 16000 bc 1000 be 2000
     conform-action transmit
     exceed-action drop
  class fileshare2
   police cir 16000 bc 1000 be 2000
     conform-action transmit
     exceed-action drop
  class DOS-MS-Worm
   police cir 8000
     conform-action drop
     exceed-action drop
  class DOS-ICMP
   police cir 16000 bc 1000 be 2000
     conform-action transmit
     exceed-action drop
!
policy-map limit-ether-out
  class fileshare1
   shape average 42000
  class fileshare2
   shape average 42000
  class DOS-MS-Worm
   police cir 8000
     conform-action drop
     exceed-action drop
  class DOS-ICMP
   police cir 16000 bc 1000 be 2000
     conform-action transmit
     exceed-action drop
!
!
interface FastEthernet0
 ip address 192.168.0.5 255.255.255.0
 service-policy input limit-ether-in
 service-policy output limit-ether-out
!

---------------------------------------------------------------------------------------------

Chuck Church
Lead Design Engineer
CCIE #8776, MCNE, MCSE
Netco Government Services - Design & Implementation
1210 N. Parker Rd.
Greenville, SC 29609
Home office: 864-335-9473
Cell: 703-819-3495
cchurch@netcogov.com
PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4371A48D

-----Original Message-----
From: Brian McGahan [mailto:bmcgahan@internetworkexpert.com]
Sent: Tuesday, November 23, 2004 12:21 PM
To: Church, Chuck; Kurt Kruegel; ccielab@groupstudy.com
Subject: RE: using nbar to block p2p real world examples ?

Kurt,

        In Chuck's case he is rate-limiting the traffic. If you want to
just drop the traffic completely use the "drop" keyword in the
policy-map if your IOS supports it. This saves the router the step of
having to do a routing table lookup, switch the packet, and then drop it
at the interface level.

http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080110b81.html

HTH,

Brian McGahan, CCIE #8593
bmcgahan@internetworkexpert.com

Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987 x 705
Outside US: 775-826-4344 x 705
24/7 Support: http://forum.internetworkexpert.com
Live Chat: http://www.internetworkexpert.com/chat/
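Brian's suggestion applied to Chuck's class-maps, as an added illustration that comes from neither post: an input policy-map that drops the matched P2P and worm classes outright instead of policing them, while ICMP stays rate-limited rather than blocked so reachability testing keeps working. It assumes the class-maps from Chuck's config above and an IOS release that supports the `drop` class action; the policy-map name is made up.

```text
! Added example, not from the original posts: drop matched classes instead of
! rate-limiting them. Reuses class-maps fileshare1 / fileshare2 / DOS-MS-Worm /
! DOS-ICMP from the config above; the policy-map name block-p2p-in is invented.
policy-map block-p2p-in
  class fileshare1
   drop
  class fileshare2
   drop
  class DOS-MS-Worm
   drop
  class DOS-ICMP
   police cir 16000 bc 1000 be 2000
     conform-action transmit
     exceed-action drop
!
interface FastEthernet0
 ip address 192.168.0.5 255.255.255.0
 service-policy input block-p2p-in
 service-policy output limit-ether-out
```

Check the classification before trusting the drop action: `show policy-map interface FastEthernet0` lists per-class packet and drop counters, which shows whether the NBAR matches are catching the intended traffic.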



This archive was generated by hypermail 2.1.4 : Thu Dec 02 2004 - 06:57:49 GMT-3