Re: Question about NBAR.. not really related to CCIE lab

From: Héctor Fernández (gnakh@telefonica.net)
Date: Mon Oct 24 2005 - 16:03:56 GMT-3


Hi all,

if you want to monitor traffic of given protocols on non standard ports you
have to tell the router:

ip nbar port-map <protocol> <port>
http://www.cisco.com/en/US/partner/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800c75d0.html

AFAIK, if you want to monitor/identify p2p traffic, like kazaa or emule you
have to add the PDLM for each protocol:
http://www.cisco.com/cgi-bin/tablebuild.pl/pdlm

Regards

Héctor
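
Putting the points of this thread together as an added IOS configuration example (mine, not from any poster and not taken from the Cisco documentation linked above); the interface name, policing rate and PDLM file names are assumptions:

```cisco
! Added example, not from the thread. Interface, rate and PDLM file names
! are assumed for illustration.
!
! Web server moved from TCP 80 to 1025: the default port-map only covers
! 80, so NBAR never inspects the 1025 flows. The port-map REPLACES the
! port list for the protocol, so list 80 again to keep the default.
ip nbar port-map http tcp 80 1025
!
! P2P classifiers ship as PDLMs on older IOS; load them before
! 'match protocol' will accept the protocol name. File names/location assumed.
ip nbar pdlm flash://kazaa2.pdlm
ip nbar pdlm flash://edonkey.pdlm
!
! Cap P2P bandwidth regardless of which port users move the client to.
class-map match-any P2P-SHARING
 match protocol kazaa2
 match protocol edonkey
!
policy-map LIMIT-P2P
 class P2P-SHARING
  police 64000 8000 conform-action transmit exceed-action drop
!
interface FastEthernet0/0
 ip nbar protocol-discovery
 service-policy input LIMIT-P2P
!
! Verification: confirm the port-map took effect and that the class is
! actually seeing packets (the "never get hits" symptom from this thread).
! show ip nbar port-map http
! show ip nbar protocol-discovery interface FastEthernet0/0
! show policy-map interface FastEthernet0/0
```

If the class counters in `show policy-map interface` stay at zero while protocol-discovery shows the traffic, the match is failing in classification rather than in the policy, which is where the IOS version caveat below comes in.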

----- Original Message -----
From: "The Great Ryan" <pv.ryan@gmail.com>
To: "JP" <jenseike@start.no>
Cc: "Tim" <ccie2be@nyc.rr.com>; "Niche" <jackyliu419@gmail.com>;
<ccielab@groupstudy.com>
Sent: Monday, October 24, 2005 2:27 PM
Subject: Re: Question about NBAR.. not really related to CCIE lab

> Yes. I encountered the same problem when I tried to monitor the HTTP
> protocol under a 12.2T version.
>
> When I use the router as a web server on its default port 80, everything
> can be monitored. It doesn't work when I change the web server port to
> 1025. Never get hits.
> I have checked that NBAR supports stateful inspection on HTTP.
> Anyone got it to work in my case?
>
> Link:
>
> http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121newft/121t/121t5/dtnbar.htm#xtocid259510
>
>
>
> Ryan
>
> 2005/10/24, JP <jenseike@start.no>:
> > Hi all,
> >
> > NBAR for matching on file-sharing protocols works very well from 12.3 and up.
> > With 12.2 NBAR has problems matching on those dynamic ports that are used.
> > E.g. I tested kazaa 2 and 3 with 12.2T(15), and I did not have any hits on
> > the policy. Then I upgraded to 12.3, and it worked very well.
> >
> > So you should try to use this on a newer IOS, and I think you will be happy.
> >
> > Jens P
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Tim
> > Sent: 24 October 2005 11:58
> > To: 'Niche'; ccielab@groupstudy.com
> > Subject: RE: Question about NBAR.. not really related to CCIE lab
> >
> > Hi Jacky,
> >
> > NBAR does more than match static protocol and port assignments. For
> > example, when NBAR is used to match FTP traffic, it can determine which port
> > is used for the dynamic data channel.
> >
> > I haven't used NBAR to classify p2p file sharing programs so I can't comment
> > on how well it works for that but I would expect it to work pretty well.
> >
> > Tim
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > Niche
> > Sent: Monday, October 24, 2005 3:40 AM
> > To: ccielab@groupstudy.com
> > Subject: Question about NBAR.. not really related to CCIE lab
> >
> > Hi guys,
> >
> > Is NBAR truly using layer-7 application patterns to classify traffic for
> > bandwidth control, security blocking, etc.?
> > Or does it still just use the protocol type (tcp, udp) with the port number?
> >
> > We may need to consider using it for controlling bandwidth usage of p2p
> > file sharing traffic. So I am concerned about the effectiveness of NBAR on
> > this issue (e.g. users can change the application's usual port number to a
> > new one in order to avoid the traditional port-number tracking method).
> >
> > Cheers~
> > Jacky
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html



This archive was generated by hypermail 2.1.4 : Sun Nov 06 2005 - 22:00:52 GMT-3