RE: NBAR for Security Filtering

From: Church, Chuck (cchurch@netcogov.com)
Date: Thu Dec 16 2004 - 11:43:30 GMT-3


It's being dropped as listed by this section:

police:
          cir 1000000 bps, bc 31250 bytes, be 31250 bytes
        conformed 3124 packets, 1050110 bytes; actions:
          drop
        exceeded 0 packets, 0 bytes; actions:
          drop
        violated 0 packets, 0 bytes; actions:
          drop
        conformed 0 bps, exceed 0 bps, violate 0 bps

You might want to put 'ip nbar protocol-discovery' on your busiest
interfaces to see what's actually crossing the interfaces. If you're
seeing a huge amount of 'unknown' traffic, it might be a protocol like
bittorrent or winmx. The PDLMs will help with those.
 

Chuck Church
Lead Design Engineer
CCIE #8776, MCNE, MCSE
Netco Government Services - Design & Implementation
1210 N. Parker Rd.
Greenville, SC 29609
Home office: 864-335-9473
Cell: 703-819-3495
cchurch@netcogov.com
PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4371A48D

-----Original Message-----
From: Martin, David (Contractor) [mailto:David.Martin@eu.dodea.edu]
Sent: Thursday, December 16, 2004 9:37 AM
To: Church, Chuck; Martin, David (Contractor); Group Study
Subject: RE: NBAR for Security Filtering

Hi Chuck and Chris,

Thank you both. How will I know when it's being dropped? I assume the
output q count will be zero?

See both I and O below:

Scott, CPU is around 4%, not too bad.

Here is input q:
UK-DSO#sh policy-map interface input
 FastEthernet0/0

  Service-policy input: drop_p2p

    Class-map: p2p (match-any)
      3125 packets, 1050172 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol fasttrack
        312 packets, 20720 bytes
        5 minute rate 0 bps
      Match: protocol gnutella
        1840 packets, 594172 bytes
        5 minute rate 0 bps
      Match: protocol edonkey
        451 packets, 402042 bytes
        5 minute rate 0 bps
      Match: protocol kazaa2
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol napster
        494 packets, 31004 bytes
        5 minute rate 0 bps
      Match: protocol irc
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol cuseeme
        0 packets, 0 bytes
        5 minute rate 0 bps
      police:
          cir 1000000 bps, bc 31250 bytes, be 31250 bytes
        conformed 3124 packets, 1050110 bytes; actions:
          drop
        exceeded 0 packets, 0 bytes; actions:
          drop
        violated 0 packets, 0 bytes; actions:
          drop
        conformed 0 bps, exceed 0 bps, violate 0 bps

    Class-map: class-default (match-any)
      55326852 packets, 14325915882 bytes
      5 minute offered rate 207000 bps, drop rate 0 bps
      Match: any
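
Added example, not part of the original thread: one way to read the police counters Chuck points to is to parse the 'sh policy-map interface' text and total the packets whose policer action is 'drop'. The sample is a trimmed excerpt of the output quoted above; the function names are assumptions made for this illustration.

```python
import re

# Trimmed excerpt of the 'sh policy-map interface input' output quoted in this thread.
SAMPLE = """\
    Class-map: p2p (match-any)
      3125 packets, 1050172 bytes
      Match: protocol fasttrack
        312 packets, 20720 bytes
      Match: protocol gnutella
        1840 packets, 594172 bytes
      police:
          cir 1000000 bps, bc 31250 bytes, be 31250 bytes
        conformed 3124 packets, 1050110 bytes; actions:
          drop
        exceeded 0 packets, 0 bytes; actions:
          drop
        violated 0 packets, 0 bytes; actions:
          drop
    Class-map: class-default (match-any)
      55326852 packets, 14325915882 bytes
      Match: any
"""

def police_summary(text):
    """Return {class: {"matched": n, "police": {band: (packets, action)}}}."""
    classes, cur, band = {}, None, None
    for line in text.splitlines():
        s = line.strip()
        if m := re.match(r"Class-map: (\S+)", s):
            cur = classes.setdefault(m.group(1), {"matched": None, "police": {}})
            band = None
        elif cur is None:
            continue
        elif m := re.match(r"(conformed|exceeded|violated) (\d+) packets, \d+ bytes; actions:", s):
            band = m.group(1)
            cur["police"][band] = (int(m.group(2)), None)
        elif band and s:
            # The first non-empty line after '...; actions:' names the action.
            cur["police"][band] = (cur["police"][band][0], s)
            band = None
        elif cur["matched"] is None and (m := re.match(r"(\d+) packets, \d+ bytes", s)):
            cur["matched"] = int(m.group(1))  # class total is the first counter line
    return classes

def dropped_by_policer(text, class_name):
    """Packets in class_name whose policer action was 'drop'."""
    police = police_summary(text)[class_name]["police"]
    return sum(n for n, action in police.values() if action == "drop")
```

For the p2p class this returns 3124 dropped packets against 3125 matched; class-default has no policer, so it returns 0.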


