RE: using nbar to block p2p real world examples ?

From: Church, Chuck (cchurch@netcogov.com)
Date: Tue Nov 23 2004 - 16:30:24 GMT-3


You nailed that right on the head. These examples were from businesses
that didn't want to go through the hassle of changing their corporate
internet policy. If all of a sudden the P2P apps stopped working
totally, IT gets blamed. But slow downloads are just an internet issue
;)

Chuck Church
Lead Design Engineer
CCIE #8776, MCNE, MCSE
Netco Government Services - Design & Implementation
1210 N. Parker Rd.
Greenville, SC 29609
Home office: 864-335-9473
Cell: 703-819-3495
cchurch@netcogov.com
PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4371A48D

-----Original Message-----
From: Brian McGahan [mailto:bmcgahan@internetworkexpert.com]
Sent: Tuesday, November 23, 2004 2:24 PM
To: Church, Chuck; Kurt Kruegel; ccielab@groupstudy.com
Subject: RE: using nbar to block p2p real world examples ?

Chuck,

        Like this:

class-map match-any fileshare1
  match protocol fasttrack
  match protocol kazaa2
  match protocol napster
  match protocol gnutella
  match protocol edonkey
  match protocol winmx
  match protocol bittorrent
!
policy-map drop-fileshare
  class fileshare1
   drop

        It null routes the traffic without having to use policing to do
so. This of course is assuming you want none of the above traffic
transiting the router.

        It may actually be more fun to police them all to 8Kbps and
frustrate the users into stopping using the apps ;)

Brian McGahan, CCIE #8593
bmcgahan@internetworkexpert.com

Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987 x 705
Outside US: 775-826-4344 x 705
24/7 Support: http://forum.internetworkexpert.com
Live Chat: http://www.internetworkexpert.com/chat/

> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Church, Chuck
> Sent: Tuesday, November 23, 2004 12:35 PM
> To: Brian McGahan; Kurt Kruegel; ccielab@groupstudy.com
> Subject: RE: using nbar to block p2p real world examples ?
>
> Good point Brian. Here's a config from a 1700 that does it that way.
>
>
> ------------------------------------------------------------------------
> version 12.2
> !
> ip nbar pdlm flash:kazaa2.pdlm
> ip nbar pdlm flash:edonkey.pdlm
> ip nbar pdlm flash:WinMX.pdlm
> ip nbar pdlm flash:bittorrent.pdlm
> !
> ip nbar port-map netbios udp 137 138 445
> ip nbar port-map netbios tcp 137 139 445
> !
> ip cef
> !
> ! fileshare2: sub-protocol matches (file transfers, non-standard napster ports,
> ! HTTP URLs carrying a .hash= parameter)
> class-map match-any fileshare2
>  match protocol kazaa2 file-transfer "*"
>  match protocol napster non-std
>  match protocol fasttrack file-transfer "*"
>  match protocol gnutella file-transfer "*"
>  match protocol http url "\.hash=*"
>  match protocol http url "/.hash=*"
> ! fileshare1: whole-protocol matches for the P2P applications
> class-map match-any fileshare1
>  match protocol fasttrack
>  match protocol kazaa2
>  match protocol napster
>  match protocol gnutella
>  match protocol edonkey
>  match protocol winmx
>  match protocol bittorrent
> class-map match-any DOS-MS-Worm
>  match protocol netbios
>  match protocol exchange
> class-map match-any DOS-ICMP
>  match protocol icmp
> !
> ! inbound: P2P policed to 16 kbps, netbios/exchange dropped on both
> ! conform and exceed (i.e. always), ICMP capped at 16 kbps
> policy-map limit-ether-in
>  class fileshare1
>   police cir 16000 bc 1000 be 2000
>    conform-action transmit
>    exceed-action drop
>  class fileshare2
>   police cir 16000 bc 1000 be 2000
>    conform-action transmit
>    exceed-action drop
>  class DOS-MS-Worm
>   police cir 8000
>    conform-action drop
>    exceed-action drop
>  class DOS-ICMP
>   police cir 16000 bc 1000 be 2000
>    conform-action transmit
>    exceed-action drop
> !
> ! outbound: P2P shaped (queued) to 42 kbps rather than policed
> policy-map limit-ether-out
>  class fileshare1
>   shape average 42000
>  class fileshare2
>   shape average 42000
>  class DOS-MS-Worm
>   police cir 8000
>    conform-action drop
>    exceed-action drop
>  class DOS-ICMP
>   police cir 16000 bc 1000 be 2000
>    conform-action transmit
>    exceed-action drop
> !
> !
> interface FastEthernet0
>  ip address 192.168.0.5 255.255.255.0
>  service-policy input limit-ether-in
>  service-policy output limit-ether-out
> !
>
>
> ------------------------------------------------------------------------
>
> Chuck Church
> Lead Design Engineer
> CCIE #8776, MCNE, MCSE
> Netco Government Services - Design & Implementation
> 1210 N. Parker Rd.
> Greenville, SC 29609
> Home office: 864-335-9473
> Cell: 703-819-3495
> cchurch@netcogov.com
> PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4371A48D
>
>
> -----Original Message-----
> From: Brian McGahan [mailto:bmcgahan@internetworkexpert.com]
> Sent: Tuesday, November 23, 2004 12:21 PM
> To: Church, Chuck; Kurt Kruegel; ccielab@groupstudy.com
> Subject: RE: using nbar to block p2p real world examples ?
>
> Kurt,
>
> In Chuck's case he is rate-limiting the traffic. If you want to
> just drop the traffic completely use the "drop" keyword in the
> policy-map if your IOS supports it. This saves the router the step of
> having to do a routing table lookup, switch the packet, and then drop it
> at the interface level.
>
>
> http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080110b81.html
>
>
> HTH,
>
> Brian McGahan, CCIE #8593
> bmcgahan@internetworkexpert.com
>
> Internetwork Expert, Inc.
> http://www.InternetworkExpert.com
> Toll Free: 877-224-8987 x 705
> Outside US: 775-826-4344 x 705
> 24/7 Support: http://forum.internetworkexpert.com
> Live Chat: http://www.internetworkexpert.com/chat/
>
>
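An added check that is not part of the thread above: whether you police the classes as Chuck does or use the policy-map `drop` action as Brian suggests, the only evidence that NBAR is actually classifying the traffic is the per-class counters in `show policy-map interface`. The Python below (an added example, not the posters' code) parses that output and flags classes that never classify a packet, which is what you see when a PDLM is not loaded or the application has moved to a signature NBAR does not know, lists match lines that never hit, and reports what the policer really dropped. The `show` output it reads is constructed for the example and shortened to the fields used; the layout follows the 12.x format, so compare it with your own router's output before trusting the regexes.

```python
import re
from dataclasses import dataclass, field

# Constructed, shortened "show policy-map interface FastEthernet0" output for the
# limit-ether-in policy from the thread (sample data, not a real capture).
SAMPLE_OUTPUT = """\
  Service-policy input: limit-ether-in

    Class-map: fileshare1 (match-any)
      48211 packets, 36158250 bytes
      Match: protocol fasttrack
        0 packets, 0 bytes
      Match: protocol bittorrent
        48211 packets, 36158250 bytes
      police:
          cir 16000 bps, bc 1000 bytes
        conformed 10120 packets, 7590000 bytes; actions:
          transmit
        exceeded 38091 packets, 28568250 bytes; actions:
          drop

    Class-map: DOS-MS-Worm (match-any)
      0 packets, 0 bytes
      Match: protocol netbios
        0 packets, 0 bytes
      police:
          cir 8000 bps, bc 1500 bytes
        conformed 0 packets, 0 bytes; actions:
          drop
        exceeded 0 packets, 0 bytes; actions:
          drop

    Class-map: class-default (match-any)
      912345 packets, 700000000 bytes
      Match: any
"""

POLICY_RE = re.compile(r"^\s*Service-policy (input|output): (\S+)")
CLASS_RE = re.compile(r"^\s*Class-map: (\S+) \(match-(?:any|all)\)")
COUNT_RE = re.compile(r"^\s*(\d+) packets, (\d+) bytes\s*$")
MATCH_RE = re.compile(r"^\s*Match: (.+?)\s*$")
POLICE_RE = re.compile(r"^\s*(conformed|exceeded|violated) (\d+) packets, (\d+) bytes; actions:")
ACTION_RE = re.compile(r"^\s*(transmit|drop|set-\S+)")


@dataclass
class ClassStats:
    direction: str
    policy: str
    name: str
    packets: int = 0
    matches: dict = field(default_factory=dict)  # "protocol bittorrent" -> packets
    police: dict = field(default_factory=dict)   # "exceeded" -> {"packets": n, "action": "drop"}


def parse_policy_map(text):
    """Walk the show output line by line and collect per-class counters."""
    records, cur = [], None
    direction = policy = match = bucket = None
    for line in text.splitlines():
        if m := POLICY_RE.match(line):
            direction, policy, cur = m.group(1), m.group(2), None
        elif m := CLASS_RE.match(line):
            cur = ClassStats(direction, policy, m.group(1))
            records.append(cur)
            match = bucket = None
        elif cur is None:
            continue
        elif m := MATCH_RE.match(line):
            match = m.group(1)                  # next counter line belongs to this match
            cur.matches.setdefault(match, 0)
        elif m := COUNT_RE.match(line):
            if match is not None:
                cur.matches[match], match = int(m.group(1)), None
            else:
                cur.packets = int(m.group(1))   # class-level counter precedes the matches
        elif m := POLICE_RE.match(line):
            bucket = m.group(1)
            cur.police[bucket] = {"packets": int(m.group(2)), "action": None}
        elif bucket is not None and (m := ACTION_RE.match(line)):
            cur.police[bucket]["action"], bucket = m.group(1), None
    return records


def dropped_packets(stats):
    """Packets the policer dropped in this class (any bucket whose action is drop)."""
    return sum(b["packets"] for b in stats.police.values() if b["action"] == "drop")


def audit(records):
    """Findings a practitioner acts on: dead classes, dead matches, real drop counts."""
    findings = []
    for r in records:
        key = f"{r.direction}/{r.name}"
        if r.name == "class-default":
            continue
        if r.packets == 0:
            findings.append((key, "no packets classified: check the PDLM is loaded "
                                  "and that the application still matches the signature"))
            continue
        dead = [m for m, n in r.matches.items() if n == 0]
        if dead:
            findings.append((key, "matches never hit: " + ", ".join(dead)))
        if d := dropped_packets(r):
            findings.append((key, f"{d} packets dropped ({100 * d / r.packets:.0f}% of class)"))
    return findings
```

Run `audit(parse_policy_map(text))` on the saved output of `show policy-map interface FastEthernet0`; a class that shows zero packets after a day of normal use is the signal that the blocking is not doing what the config suggests, regardless of whether the action is police or drop.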



This archive was generated by hypermail 2.1.4 : Thu Dec 02 2004 - 06:57:49 GMT-3