Block P2P traffic

Yadhu Tony
Level 1

Hello,

I have tried the configuration below to block the P2P traffic, but still the users can download using the uTorrent client. How do I effectively block all the P2P traffic? Please help.

Class Map

! Layer 7 matching for the known P2P protocols (match-any: a hit on any one line classifies the flow);
! the 'signature' keyword inspects the payload for the protocol's signature instead of trusting the port
class-map type inspect match-any ALL-P2P-PROTOCOLS
 match protocol edonkey signature
 match protocol gnutella signature
 match protocol kazaa2 signature
 match protocol fasttrack signature
 match protocol bittorrent signature

! match-all: the flow must be P2P AND be permitted by INTERNET-ACL;
! P2P from a host not listed in the ACL does not hit this class and falls through to class-default
class-map type inspect match-all P2P-PROTOCOL
 match class-map ALL-P2P-PROTOCOLS
 match access-group name INTERNET-ACL

! HTTP application inspection: IM, P2P and tunnelling traffic riding on the HTTP port
class-map type inspect http match-any HTTP-PORT-MISUSE
 match request port-misuse im
 match request port-misuse p2p
 match request port-misuse tunneling

Policy Map

policy-map type inspect http HTTP-PORT-MISUSE-POLICY
 class type inspect http HTTP-PORT-MISUSE
  reset
  log

! The class-map HTTP-ACCESS is referenced here but was not posted in the thread.
! Net effect of this policy: only traffic matching HTTP-ACCESS is allowed through the zone pair,
! so anything that still gets through is either matching that class or not crossing this zone pair.
policy-map type inspect IN-TO-OUT-POLICY
 class type inspect P2P-PROTOCOL
  drop log
 class type inspect HTTP-ACCESS
  inspect
  service-policy http HTTP-PORT-MISUSE-POLICY
 ! class-default is always evaluated last, whatever order it was entered in
 class class-default
  drop log

Also I am attaching the logs and 'show policy-map type inspect zone-pair IN-TO-OUT' output.

Please help me out.

Regards,

Tony

http://yadhutony.blogspot.com

14 Replies

Julio Carvajal
VIP Alumni

Hello,

Can you share the ACL INTERNET-ACL

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hello Julio,

Please see the ACL INTERNET-ACL

ip access-list extended INTERNET-ACL
 ! these five hosts may reach any destination
 permit ip host 172.17.0.81 any
 permit ip host 172.17.0.82 any
 permit ip host 172.17.0.83 any
 permit ip host 172.17.0.84 any
 permit ip host 172.17.0.111 any
 ! 172.17.1.53 may reach only these external blocks
 ! (wildcard 0.0.31.255 = /19, 0.0.63.255 = /18, 0.0.127.255 = /17, 0.0.15.255 = /20, 0.0.255.255 = /16)
 permit ip host 172.17.1.53 216.239.32.0 0.0.31.255
 permit ip host 172.17.1.53 64.233.160.0 0.0.31.255
 permit ip host 172.17.1.53 66.249.64.0 0.0.31.255
 permit ip host 172.17.1.53 72.14.192.0 0.0.63.255
 permit ip host 172.17.1.53 209.85.128.0 0.0.127.255
 permit ip host 172.17.1.53 66.102.0.0 0.0.15.255
 permit ip host 172.17.1.53 74.125.0.0 0.0.255.255
 permit ip host 172.17.1.53 64.18.0.0 0.0.15.255
 permit ip host 172.17.1.53 207.126.144.0 0.0.15.255
 permit ip host 172.17.1.53 173.194.0.0 0.0.255.255
 ! 172.17.1.103 gets the same list except 173.194.0.0/16
 permit ip host 172.17.1.103 216.239.32.0 0.0.31.255
 permit ip host 172.17.1.103 64.233.160.0 0.0.31.255
 permit ip host 172.17.1.103 66.249.64.0 0.0.31.255
 permit ip host 172.17.1.103 72.14.192.0 0.0.63.255
 permit ip host 172.17.1.103 209.85.128.0 0.0.127.255
 permit ip host 172.17.1.103 66.102.0.0 0.0.15.255
 permit ip host 172.17.1.103 74.125.0.0 0.0.255.255
 permit ip host 172.17.1.103 64.18.0.0 0.0.15.255
 permit ip host 172.17.1.103 207.126.144.0 0.0.15.255
 ! every other source/destination pair hits the implicit deny at the end of the ACL

Regards,

Tony

http://yadhutony.blogspot.com

Hello Tony,

Hope you are doing great

What happens if you take the ACL out of the class-map? Does it make a difference?

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hello Julio,

I removed 'INTERNET-ACL' from 'class-map type inspect match-all P2P-PROTOCOL', but still P2P traffic is allowed. Could you please tell me what I am doing wrong?

Regards,

Tony

http://yadhutony.blogspot.com

Hello Yadhu,

Actually the configuration looks good, but blocking BitTorrent traffic and P2P connections nowadays is not so simple.

There are several ways these connections can try to bypass our security policies, but I think we can add more stuff to our configuration.

Please read the following document and follow the configuration they have applied:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5710/ps1018/white_paper_c27_543585.html

Let me know if there is something you do not understand in that config.

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hello Julio,

Thank you for your reply and link. The configuration seems to be very refined. Let me try it out and inform you of the outcome.

Regards,

Yadhu

http://yadhutony.blogspot.com

Hello Julio,

There is an update from my side. I followed the link and modified the configuration. Unfortunately the result is negative. But I found that more packets are being dropped because of the tight policies. Anyway thank you so much for your help and support. Please let me know if there is any better method available so that we can block the entire traffic that kills our bandwidth.

Regards,

Tony

http://yadhutony.blogspot.com

Hello Tony,

Okay. I have seen over the last couple of days that, because of how these protocols are being tunneled or jumping from one port to another, etc., it's pretty difficult to block them with ZBFW.

So instead of doing that I would like to check if we can block it with NBAR. Can we give it a try? If yes, here is how:

! NBAR classification: match-any, so a hit on any one protocol puts the packet in the class.
! Caveat: ssh and irc are not P2P (and skype, cuseeme and novadigm are not file-sharing);
! listing them here means this policy drops that traffic as well.
! bittorrent itself is not listed here; the output further down in the thread shows it was added.
class-map match-any p2p
 match protocol edonkey
 match protocol fasttrack
 match protocol gnutella
 match protocol kazaa2
 match protocol winmx
 match protocol skype
 match protocol cuseeme
 match protocol novadigm
 match protocol ssh
 match protocol irc

! Drop everything the class matches
policy-map P2P-DROP
 class p2p
  drop

Apply the policy to the user-facing (incoming) interface:

int xxxxx
 service-policy input P2P-DROP

You can verify the status by doing:

sh policy-map int xxx

! protocol-discovery counters are only collected if 'ip nbar protocol-discovery' is enabled on the interface
sh ip nbar protocol-discovery

Let me know the result.

Remember to rate all of the helpful posts.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
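As an added example (not from Julio's post and not Cisco code), here is a minimal Python version of the kind of payload-signature check that NBAR's "match protocol bittorrent" relies on. Everything in it is constructed for the demonstration: the flows, ports and handshake contents are made up, and the names is_bittorrent_handshake, classify_flows and summarize are the example's own. It shows why hopping the client to another port does not get it past a signature match, and why a handshake that carries no plaintext signature does.

```python
# Added example (not from the thread): a payload-signature check of the kind
# NBAR's "match protocol bittorrent" performs, to show what port-independent
# matching catches and what it does not. All flow data below is constructed.

BT_PSTR = b"BitTorrent protocol"          # 19-byte protocol string of the peer-wire handshake
HANDSHAKE_LEN = 1 + 19 + 8 + 20 + 20      # pstrlen + pstr + reserved + info_hash + peer_id


def is_bittorrent_handshake(payload: bytes) -> bool:
    """True if payload starts with a plaintext BitTorrent peer-wire handshake:
    <pstrlen=19><"BitTorrent protocol"><8 reserved><20 info_hash><20 peer_id>."""
    if len(payload) < HANDSHAKE_LEN:
        return False
    return payload[0] == 19 and payload[1:20] == BT_PSTR


def make_handshake(info_hash: bytes, peer_id: bytes) -> bytes:
    """Build a well-formed plaintext handshake (used only to construct samples)."""
    if len(info_hash) != 20 or len(peer_id) != 20:
        raise ValueError("info_hash and peer_id must be 20 bytes each")
    return bytes([19]) + BT_PSTR + b"\x00" * 8 + info_hash + peer_id


def classify_flows(flows):
    """flows: list of (dst_port, first_payload_bytes); returns {index: bool}.
    The port is deliberately ignored: like a signature match, only the payload
    decides, so port hopping does not help the client, but a payload with no
    plaintext signature is invisible to this check."""
    return {i: is_bittorrent_handshake(payload) for i, (_port, payload) in enumerate(flows)}


# Constructed sample flows (hypothetical, not captured traffic):
SAMPLE_FLOWS = [
    # 0: handshake on the classic BitTorrent port
    (6881, make_handshake(b"\x11" * 20, b"-UT3300-" + b"a" * 12)),
    # 1: same handshake port-hopped onto 443; still caught by the payload signature
    (443, make_handshake(b"\x22" * 20, b"-UT3300-" + b"b" * 12)),
    # 2: a TLS ClientHello record header (0x16 0x03 0x01 ...) on 443; no false positive
    (443, b"\x16\x03\x01\x00\x9c\x01\x00\x00\x98\x03\x03" + b"\x00" * 57),
    # 3: 68 bytes with no plaintext handshake, standing in for an encrypted
    #    (MSE / "protocol encryption") handshake, which opens with key-exchange
    #    bytes and carries no recognisable signature: a signature rule misses it
    (6881, bytes(range(68))),
]


def summarize(flows=SAMPLE_FLOWS):
    """Return (flagged_indices, missed_indices) for a list of flows."""
    verdicts = classify_flows(flows)
    flagged = [i for i, v in verdicts.items() if v]
    return flagged, [i for i in verdicts if i not in flagged]


if __name__ == "__main__":
    print(summarize())
```

Flows 0 and 1 are flagged regardless of port; flow 2 shows the check does not fire on ordinary TLS, and flow 3 is the case that matters for this thread: once the client stops sending a plaintext handshake there is nothing for a signature to match, which is the same limit the router hits.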


Hello Julio,

Thanks for your reply. Yeah, the NBAR feature is stronger than ZBFW! More packets are being dropped after I configured NBAR on my router. But still it is not completely blocked. Please see the 'sh policy-map interface gi0/0 input' output:

ISR#sh policy-map interface gi0/0 input
GigabitEthernet0/0

  Service-policy input: P2P-DROP

    Class-map: P2P (match-any)
      108893 packets, 11349383 bytes
      5 minute offered rate 5000 bps, drop rate 5000 bps
      Match: protocol edonkey
        328 packets, 250522 bytes
        5 minute rate 0 bps
      Match: protocol fasttrack
        98 packets, 6066 bytes
        5 minute rate 0 bps
      Match: protocol gnutella
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol winmx
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol cuseeme
        2 packets, 290 bytes
        5 minute rate 0 bps
      Match: protocol kazaa2
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol irc
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol bittorrent
        108298 packets, 11050790 bytes
        5 minute rate 5000 bps
      drop

    Class-map: class-default (match-any)
      3329777 packets, 1295326162 bytes
      5 minute offered rate 209000 bps, drop rate 0 bps
      Match: any

Regards,

Tony

http://yadhutony.blogspot.com
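An added example, not part of Tony's post: a small Python parser for the 'sh policy-map interface' output above that turns the counters into a per-protocol ranking and checks whether the class drops at the same rate it is offered. If it does, the policy is dropping everything NBAR attributes to the class, and whatever still gets through is traffic that landed in class-default instead. The sample input is Tony's output embedded verbatim; the function names are the example's own.

```python
import re

# Sample input: the 'sh policy-map interface gi0/0 input' output posted above,
# embedded verbatim so the parser runs offline.
SAMPLE_OUTPUT = """\
ISR#sh policy-map interface gi0/0 input
GigabitEthernet0/0

  Service-policy input: P2P-DROP

    Class-map: P2P (match-any)
      108893 packets, 11349383 bytes
      5 minute offered rate 5000 bps, drop rate 5000 bps
      Match: protocol edonkey
        328 packets, 250522 bytes
        5 minute rate 0 bps
      Match: protocol fasttrack
        98 packets, 6066 bytes
        5 minute rate 0 bps
      Match: protocol gnutella
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol winmx
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol cuseeme
        2 packets, 290 bytes
        5 minute rate 0 bps
      Match: protocol kazaa2
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol irc
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol bittorrent
        108298 packets, 11050790 bytes
        5 minute rate 5000 bps
      drop

    Class-map: class-default (match-any)
      3329777 packets, 1295326162 bytes
      5 minute offered rate 209000 bps, drop rate 0 bps
      Match: any
"""

CLASS_RE = re.compile(r"^\s*Class-map: (\S+) \((match-any|match-all)\)")
COUNT_RE = re.compile(r"^\s*(\d+) packets, (\d+) bytes")
RATE_RE = re.compile(r"^\s*5 minute offered rate (\d+) bps, drop rate (\d+) bps")
MATCH_RE = re.compile(r"^\s*Match: (.+?)\s*$")


def parse_policy_map(text):
    """Parse 'show policy-map interface' output into {class_name: info}: class packet
    total, offered/drop rates, packets behind each 'Match:' line, and the drop action."""
    classes, cur, pending = {}, None, None
    for line in text.splitlines():
        if m := CLASS_RE.match(line):
            cur = classes[m.group(1)] = {"packets": None, "offered_bps": None,
                                         "drop_bps": None, "matches": {}, "action": None}
            pending = None
        elif cur is None:
            continue
        elif m := RATE_RE.match(line):
            cur["offered_bps"], cur["drop_bps"] = int(m.group(1)), int(m.group(2))
        elif m := COUNT_RE.match(line):
            if pending is not None:          # counters belong to the preceding Match: line
                cur["matches"][pending] = int(m.group(1))
                pending = None
            elif cur["packets"] is None:     # first counter line is the class total
                cur["packets"] = int(m.group(1))
        elif m := MATCH_RE.match(line):
            pending = m.group(1)             # 'Match: any' has no counters; it stays pending
        elif line.strip() == "drop":
            cur["action"] = "drop"
    return classes


def ranked_matches(classes, name):
    """Per-match packet counts for a class, highest first, with share of the class total."""
    cls = classes[name]
    total = cls["packets"] or 0
    return [(proto, pkts, round(100.0 * pkts / total, 1) if total else 0.0)
            for proto, pkts in sorted(cls["matches"].items(), key=lambda kv: -kv[1])]


def unattributed_packets(classes, name):
    """Class total minus the sum of its Match: counters."""
    cls = classes[name]
    return (cls["packets"] or 0) - sum(cls["matches"].values())


def fully_dropped(classes, name):
    """True when the class has a drop action and drops at the rate it is offered."""
    cls = classes[name]
    return cls["action"] == "drop" and cls["offered_bps"] == cls["drop_bps"]
```

On Tony's output this ranks bittorrent at 108298 of 108893 packets (about 99.5% of the class) and reports the P2P class as fully dropped, so the downloads that still work are not being classified as any of the listed protocols at all; they are part of the 3.3 million packets in class-default.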

Hello Yadhu,

Then I would suggest you use an application to block this, as neither the ZBFW nor NBAR has been able to block it.

At least the ZBFW lets you know who is using P2P applications so you can go and talk to them, but based on the last cases I have seen, P2P applications have not been successfully blocked (100% speaking).

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hello Julio,

Anyway, that was a nice experiment with P2P traffic. I feel it is better to use an application like Symantec Endpoint Protection.

Regards,

Yadhu

http://yadhutony.blogspot.com

Hello Yadhu,

Exactly,

We definitely tried it.

Remember to rate all of the helpful posts

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Yadhu Tony
Level 1

I just summarized the discussion and published it on http://yadhutony.blogspot.in/2012/11/how-to-block-p2p-traffic-on-cisco-router.html

It gives me the best result!

Thanks Julio for your support.

Regards,
Tony

http://yadhutony.blogspot.com

Hello Yadhu,

Good job with the document, really clear.

Yes, I would say an external dedicated server or device will be needed to block this traffic (maybe with deeper application inspection).

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC