From: Henk de Tombe (henk.de.tombe@qi.nl)
Date: Thu Dec 16 2004 - 11:59:01 GMT-3
Hi,
Class-map: p2p (match-any)
3125 packets, 1050172 bytes
5 minute offered rate 0 bps, drop rate 0 bps
The load-interval is at 300 sec. You could change this to 30 seconds so that
the policy engine gets more accurate interface stats.
Regards,
Henk
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Church, Chuck
Sent: Thursday, December 16, 2004 15:44
To: Martin, David (Contractor); Group Study
Subject: RE: NBAR for Security Filtering
It's being dropped as listed by this section:
police:
cir 1000000 bps, bc 31250 bytes, be 31250 bytes
conformed 3124 packets, 1050110 bytes; actions:
drop
exceeded 0 packets, 0 bytes; actions:
drop
violated 0 packets, 0 bytes; actions:
drop
conformed 0 bps, exceed 0 bps, violate 0 bps
You might want to put 'ip nbar protocol-discovery' on your busiest
interfaces to see what's actually crossing the interfaces. If you're seeing
a huge amount of 'unknown' traffic, it might be a protocol like bittorrent
or winmx. The PDLMs will help with those.
Chuck Church
Lead Design Engineer
CCIE #8776, MCNE, MCSE
Netco Government Services - Design & Implementation 1210 N. Parker Rd.
Greenville, SC 29609
Home office: 864-335-9473
Cell: 703-819-3495
cchurch@netcogov.com
PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4371A48D
-----Original Message-----
From: Martin, David (Contractor) [mailto:David.Martin@eu.dodea.edu]
Sent: Thursday, December 16, 2004 9:37 AM
To: Church, Chuck; Martin, David (Contractor); Group Study
Subject: RE: NBAR for Security Filtering
Hi Chuck and Chris,
Thank you both. How will I know when it's being dropped? I assume the output
q count will be zero?
See both I and O below:
Scott, CPU is around 4%, not too bad.
Here is input q:
UK-DSO#sh policy-map interface input
FastEthernet0/0
Service-policy input: drop_p2p
Class-map: p2p (match-any)
3125 packets, 1050172 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: protocol fasttrack
312 packets, 20720 bytes
5 minute rate 0 bps
Match: protocol gnutella
1840 packets, 594172 bytes
5 minute rate 0 bps
Match: protocol edonkey
451 packets, 402042 bytes
5 minute rate 0 bps
Match: protocol kazaa2
0 packets, 0 bytes
5 minute rate 0 bps
Match: protocol napster
494 packets, 31004 bytes
5 minute rate 0 bps
Match: protocol irc
0 packets, 0 bytes
5 minute rate 0 bps
Match: protocol cuseeme
0 packets, 0 bytes
5 minute rate 0 bps
police:
cir 1000000 bps, bc 31250 bytes, be 31250 bytes
conformed 3124 packets, 1050110 bytes; actions:
drop
exceeded 0 packets, 0 bytes; actions:
drop
violated 0 packets, 0 bytes; actions:
drop
conformed 0 bps, exceed 0 bps, violate 0 bps
Class-map: class-default (match-any)
55326852 packets, 14325915882 bytes
5 minute offered rate 207000 bps, drop rate 0 bps
Match: any
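
Added example, not part of any message in this thread: a small Python parser for the flattened `show policy-map interface` text quoted above, which totals the police buckets whose action is `drop`, the figure Chuck points to as the drop indicator. The function names and the trimmed sample are constructed for illustration.

```python
import re

# Constructed sample: the output quoted in this thread, trimmed to one Match entry.
SAMPLE = """\
Class-map: p2p (match-any)
3125 packets, 1050172 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: protocol gnutella
1840 packets, 594172 bytes
police:
conformed 3124 packets, 1050110 bytes; actions:
drop
exceeded 0 packets, 0 bytes; actions:
drop
violated 0 packets, 0 bytes; actions:
drop
conformed 0 bps, exceed 0 bps, violate 0 bps
Class-map: class-default (match-any)
55326852 packets, 14325915882 bytes
Match: any
"""

COUNT = re.compile(r"(\d+) packets, (\d+) bytes$")
POLICE = re.compile(r"(conformed|exceeded|violated) (\d+) packets, \d+ bytes; actions:")

def parse_policy_map(text):
    """Map class name -> packet counts ("class" = class total) and police buckets."""
    classes, cur, slot, bucket = {}, None, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("Class-map:"):
            cur = {"counts": {}, "police": {}}
            classes[line.split()[1]] = cur
            slot, bucket = "class", None      # next counter line is the class total
        elif cur is None:
            continue                          # ignore anything before the first class
        elif line.startswith("Match:"):
            slot = line[len("Match:"):].strip()
        elif (m := POLICE.match(line)):
            bucket, slot = m.group(1), None
            cur["police"][bucket] = [int(m.group(2)), None]
        elif bucket and line and cur["police"][bucket][1] is None:
            cur["police"][bucket][1] = line   # the action is printed on the next line
        elif (m := COUNT.fullmatch(line)) and slot:
            cur["counts"][slot] = int(m.group(1))
            slot = None
    return classes

def policed_drops(cls):
    """Packets counted in police buckets whose action is drop."""
    return sum(n for n, action in cls["police"].values() if action == "drop")
```

For the sample, `policed_drops` reports 3124 packets for class `p2p` against 3125 matched, and 0 for `class-default`, which has no policer.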
This archive was generated by hypermail 2.1.4 : Mon Jan 03 2005 - 10:31:27 GMT-3