Re: NBAR

From: Sarfaraz Munir (sarfaraz.munir@gmail.com)
Date: Tue Feb 26 2008 - 16:44:39 ARST


Dear Joseph,

It would be great if you can share your NBAR configuration with comments and
the complex policy map through which you are allowing people to bypass it,
because I was also thinking of deploying it, keeping in mind the financial
reason for most of my clients.

With regards,

Sarfaraz Muneer

On Tue, Feb 26, 2008 at 8:40 PM, Joseph Brunner <joe@affirmedsystems.com>
wrote:

> Sure let me know if I can help you with the config.
>
> I have lots of clients who won't pony up any more money than the 2800 router,
> so it HAS to do all this.
>
> In particular I even made a complex policy map that allowed several people
> to bypass the filters, etc.
>
> -Joe
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Rik Guyler
> Sent: Tuesday, February 26, 2008 11:38 AM
> To: 'Joseph Brunner'; 'Cisco certification'
> Subject: RE: NBAR
>
> Thanks Joe. I thought this was likely the case. In my case it may come
> down to a financial decision but at least now I know it works reasonably
> well.
>
> Rik
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Joseph Brunner
> Sent: Tuesday, February 26, 2008 11:16 AM
> To: 'Rik Guyler'; 'Cisco certification'
> Subject: RE: NBAR
>
> NBAR is a poor substitute for real good devices like Packeteer and Blue Coat
> proxy.
>
> NBAR will detect the obvious things and can block them (gnutella, bear share,
> morpheus, kazaa, edonkey etc).
>
> Most users nowadays though are smart enough to download programs that use
> TCP 80 for file sharing, etc. or just go to YouTube/Facebook.
>
> I haven't had some time to try the latest MPF filters in the ASA, but other
> than the Instant messenger filters, nothing so far looks that promising.
>
> Here is a real sh ip nbar protocol-discovery
>
> From a live router at a client site right now...
>
> As you can see it's detecting fasttrack, bittorrent, edonkey and others. So
> it's obviously able to recognize and detect some basic file sharing P2P
> apps...
>
> SRrouter#sh ip nbar protocol-discovery int f0/0
>
> FastEthernet0/0
>                            Input                      Output
>                            -----                      ------
> Protocol                   Packet Count               Packet Count
>                            Byte Count                 Byte Count
>                            30sec Bit Rate (bps)       30sec Bit Rate (bps)
>                            30sec Max Bit Rate (bps)   30sec Max Bit Rate (bps)
> ------------------------   ------------------------   ------------------------
> ftp 23355352 10244065
> 14161581292 1205691124
> 0 0
> 16886000 585000
> netbios 409458540 505148940
> 48569461812 478814532535
> 135000 1359000
> 1366000 12600000
> http 65119549 56399622
> 22139281720 63477008815
> 23000 136000
> 10398000 945000
> smtp 7644343 8091576
> 5394775554 2888383117
> 0 0
> 1517000 777000
> h323 995898 924739
> 588102019 615130918
> 0 0
> 1387000 749000
> tsrvrdp 26349301 17997409
> 5727943240 1378155745
> 5000 2000
> 1320000 719000
> gnutella 14443247 10265507
> 14400366909 4181962675
> 0 15000
> 1348000 458000
> skinny 346703 173793
> 127191851 70396011
> 0 0
> 991000 742000
> secure-http 21943241 20155211
> 4681916013 9496238851
> 9000 1000
> 960000 741000
> pop3 180882 229431
> 22341825 126467337
> 0 0
> 570000 722000
> nutellaudp 3332776 2845122
> 1831437279 217027572
> 0 0
> 815000 268000
> rtp 1150580 1203771
> 310974614 1326492967
> 0 0
> 231000 802000
> novadigm 387893 218619
> 213317089 116877218
> 0 0
> 324000 690000
> pptp 99920 30127
> 47082277 30688423
> 0 0
> 433000 573000
> nfs 101829 50509
> 90246095 33102067
> 0 0
> 438000 513000
> mgcp 210683 105913
> 110163332 83810979
> 0 0
> 331000 588000
> notes 68236 33995
> 32425427 35201121
> 0 0
> 454000 359000
> netshow 87316 76064
> 34186209 62262956
> 0 0
> 513000 241000
> msnmessenger 307557 225245
> 63599676 61364497
> 0 0
> 122000 589000
> fasttrack 91728 51227
> 49635500 50854658
> 0 0
> 83000 533000
> edonkey 1162870 240950
> 508758540 14159006
> 0 0
> 567000 23000
> socks 87804 40865
> 32490054 24443258
> 0 0
> 80000 463000
> sqlserver 1839080 2341859
> 158292984 232534620
> 0 0
> 183000 322000
> rtsp 79153 53596
> 10256756 68207016
> 0 0
> 20000 443000
> sqlnet 65074 28020
> 30158192 20963473
> 0 0
> 54000 325000
> rtcp 20684 51209
> 2684508 13776242
> 0 0
> 14000 265000
> ldap 194699092 209600175
> 106836308294 48885130573
> 100000 44000
> 174000 83000
> printer 571 560
> 34266 802630
> 0 0
> 8000 167000
> exchange 663063 767842
> 311073646 133922293
> 0 0
> 56000 100000
> vdolive 41110 13386
> 50601006 986168
> 0 0
> 90000 3000
> dns 2426291 1178180
> 192480030 158160902
> 1000 1000
> 46000 45000
> kerberos 508295 506775
> 657065906 696357765
> 0 0
> 26000 29000
> xwindows 2152 838
> 402144 111336
> 0 0
> 43000 5000
> bitttorrent 406 749
> 26340 833329
> 0 0
> 1000 41000
> icmp 608591 642688
> 73946719 48299756
> 0 0
> 16000 4000
> aim 2122 1326
> 311552 312027
> 0 0
> 1000 10000
> winmx 232896 28916
> 15106868 12210093
> 0 0
> 6000 3000
> sip 106 104
> 14686 44854
> 0 0
> 3000 5000
> gre 0 17558
> 0 25036360
> 0 0
> 0 6000
> yahoomessenger 76640 52880
> 7829428 5004672
> 0 0
> 2000 4000
> dhcp 68268 0
> 22705618 0
> 0 0
> 5000 0
> snmp 394149 42733
> 47458028 5393608
> 0 0
> 2000 2000
> cuseeme 435 385
> 72512 147865
> 0 0
> 1000 3000
> pcanywhere 104 98
> 11266 18304
> 0 0
> 0 3000
> rsvp 289 19
> 352297 2635
> 0 0
> 1000 0
> citrix 242 18
> 184053 2236
> 0 0
> 1000 0
> telnet 72 73
> 6178 5285
> 0 0
> 1000 0
> eigrp 0 1514928
> 0 112104672
> 0 0
> 0 0
> ntp 3662 2964
> 359670 296852
> 0 0
> 0 0
> l2tp 143 6
> 181500 724
> 0 0
> 0 0
> streamwork 128 8
> 161749 1067
> 0 0
> 0 0
> ssh 217 230
> 13020 15880
> 0 0
> 0 0
> imap 22 9
> 1776 606
> 0 0
> 0 0
> secure-pop3 15 20
> 910 1120
> 0 0
> 0 0
> nntp 3 3
> 408 1353
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Rik Guyler
> Sent: Tuesday, February 26, 2008 11:07 AM
> To: 'Cisco certification'
> Subject: NBAR
>
> Does anybody have any real-world experience with NBAR detecting peer-to-peer
> traffic? I'm considering using this in place of something like a Packeteer
> box but don't know how the two would compare for this. The only real feel I
> have for NBAR is from a lab environment.
>
> Thanks,
>
> Rik
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html



This archive was generated by hypermail 2.1.4 : Sat Mar 01 2008 - 16:54:50 ARST
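
Added example (not part of the original thread and not Joe's configuration): a small Python parser for `sh ip nbar protocol-discovery` output in the wrapped form quoted in this message, totalling input and output bytes for the P2P protocols NBAR reported. The function names and the P2P name set are assumptions chosen here; the sample rows are copied from the quoted output, including the cut-off `nntp` record.

```python
# Added example: parse "show ip nbar protocol-discovery" text as it appears
# in a quoted e-mail (leading "> ", one input/output pair per line).

# Assumption: P2P protocol names as used in the thread's text and output.
P2P_PROTOCOLS = {"gnutella", "fasttrack", "edonkey", "bittorrent", "winmx"}
# Each protocol has four rows, each an (input, output) pair, in this order.
FIELDS = ("packets", "bytes", "rate_bps", "max_rate_bps")

# Rows copied from the output quoted in the thread; nntp is cut short there.
SAMPLE = """\
> gnutella 14443247 10265507
> 14400366909 4181962675
> 0 15000
> 1348000 458000
> http 65119549 56399622
> 22139281720 63477008815
> 23000 136000
> 10398000 945000
> edonkey 1162870 240950
> 508758540 14159006
> 0 0
> 567000 23000
> nntp 3 3
> 408 1353
"""

def parse_discovery(text):
    """Return {protocol: {field: (input, output)}}; truncated records stay partial."""
    stats, current = {}, None
    for raw in text.splitlines():
        tokens = raw.lstrip("> \t").split()
        numeric = [t.isdigit() for t in tokens]
        if len(tokens) == 3 and numeric == [False, True, True]:
            # "<protocol> <in packets> <out packets>" starts a new record.
            current = stats[tokens[0]] = {}
            current[FIELDS[0]] = (int(tokens[1]), int(tokens[2]))
        elif len(tokens) == 2 and all(numeric) and current is not None:
            # Continuation row: fill the next field this record still lacks.
            missing = [f for f in FIELDS if f not in current]
            if missing:
                current[missing[0]] = (int(tokens[0]), int(tokens[1]))
        else:
            current = None  # header, separator or blank line ends the record
    return stats

def p2p_report(stats):
    """P2P protocols with total (input + output) bytes, largest first."""
    rows = [(name, sum(rec["bytes"])) for name, rec in stats.items()
            if name in P2P_PROTOCOLS and "bytes" in rec]
    return sorted(rows, key=lambda row: row[1], reverse=True)

if __name__ == "__main__":
    for name, total in p2p_report(parse_discovery(SAMPLE)):
        print(f"{name:12s} {total:>15,d} bytes")
```
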