11-02-2012 03:48 AM - edited 03-11-2019 05:18 PM
Hello,
I have tried the below configuration to block the P2P traffic. But still the users can download using the uTorrent client. How do I effectively block all the P2P traffic? Please help.
Class Map
class-map type inspect match-any ALL-P2P-PROTOCOLS
 match protocol edonkey signature
 match protocol gnutella signature
 match protocol kazaa2 signature
 match protocol fasttrack signature
 match protocol bittorrent signature
!
class-map type inspect match-all P2P-PROTOCOL
 match class-map ALL-P2P-PROTOCOLS
 match access-group name INTERNET-ACL
!
class-map type inspect http match-any HTTP-PORT-MISUSE
 match request port-misuse im
 match request port-misuse p2p
 match request port-misuse tunneling
Policy Map
policy-map type inspect http HTTP-PORT-MISUSE-POLICY
 class type inspect http HTTP-PORT-MISUSE
  reset
  log
!
policy-map type inspect IN-TO-OUT-POLICY
 class type inspect P2P-PROTOCOL
  drop log
 class type inspect HTTP-ACCESS
  inspect
  service-policy http HTTP-PORT-MISUSE-POLICY
 class class-default
  drop log
Also I am attaching the logs and 'show policy-map type inspect zone-pair IN-TO-OUT' output.
Please help me out.
Regards,
Tony
11-02-2012 10:25 AM
Hello,
Can you share the ACL INTERNET-ACL
Regards,
Julio
11-02-2012 08:27 PM
Hello Julio,
Please see the ACL INTERNET-ACL
ip access-list extended INTERNET-ACL
 permit ip host 172.17.0.81 any
 permit ip host 172.17.0.82 any
 permit ip host 172.17.0.83 any
 permit ip host 172.17.0.84 any
 permit ip host 172.17.0.111 any
 permit ip host 172.17.1.53 216.239.32.0 0.0.31.255
 permit ip host 172.17.1.53 64.233.160.0 0.0.31.255
 permit ip host 172.17.1.53 66.249.64.0 0.0.31.255
 permit ip host 172.17.1.53 72.14.192.0 0.0.63.255
 permit ip host 172.17.1.53 209.85.128.0 0.0.127.255
 permit ip host 172.17.1.53 66.102.0.0 0.0.15.255
 permit ip host 172.17.1.53 74.125.0.0 0.0.255.255
 permit ip host 172.17.1.53 64.18.0.0 0.0.15.255
 permit ip host 172.17.1.53 207.126.144.0 0.0.15.255
 permit ip host 172.17.1.53 173.194.0.0 0.0.255.255
 permit ip host 172.17.1.103 216.239.32.0 0.0.31.255
 permit ip host 172.17.1.103 64.233.160.0 0.0.31.255
 permit ip host 172.17.1.103 66.249.64.0 0.0.31.255
 permit ip host 172.17.1.103 72.14.192.0 0.0.63.255
 permit ip host 172.17.1.103 209.85.128.0 0.0.127.255
 permit ip host 172.17.1.103 66.102.0.0 0.0.15.255
 permit ip host 172.17.1.103 74.125.0.0 0.0.255.255
 permit ip host 172.17.1.103 64.18.0.0 0.0.15.255
 permit ip host 172.17.1.103 207.126.144.0 0.0.15.255
Regards,
Tony
11-02-2012 09:25 PM
Hello Tony,
Hope you are doing great.
What happens if you take out the ACL from the class-map? Does it make a difference?
Regards,
Julio
11-02-2012 10:19 PM
Hello Julio,
I removed 'INTERNET-ACL' from 'class-map type inspect match-all P2P-PROTOCOL' but still P2P traffic is allowed. Could you please tell me what I am doing wrong?
Regards,
Tony
11-02-2012 10:39 PM
Hello Yadhu,
Actually the configuration looks good, but blocking BitTorrent traffic and P2P connections nowadays is not that simple.
There are several ways these connections can try to bypass our security policies, but I think we can add more stuff to our configuration.
Please read the following document and follow the configuration they have applied:
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5710/ps1018/white_paper_c27_543585.html
Let me know if there is something you do not understand in that config.
Regards
11-02-2012 11:04 PM
Hello Julio,
Thank you for your reply and link. The configuration seems to be very refined. Let me try it out and inform you of the outcome.
Regards,
Yadhu
11-05-2012 02:51 AM
Hello Julio,
There is an update from my side. I followed the link and modified the configuration. Unfortunately the result is negative. But I found that more packets are being dropped because of the tight policies. Anyway thank you so much for your help and support. Please let me know if there is any better method available so that we can block the entire traffic that kills our bandwidth.
Regards,
Tony
11-05-2012 09:42 AM
Hello Tony,
Okay. I have seen over the last couple of days that, because of how these protocols are being tunneled or jumping from one port to another, etc., it's pretty difficult to block them with ZBFW.
So instead of doing that I would like to check if we can block it with NBAR. Can we give it a try? If yes, here is how:
class-map match-any p2p
 match protocol edonkey
 match protocol fasttrack
 match protocol gnutella
 match protocol kazaa2
 match protocol winmx
 match protocol skype
 match protocol cuseeme
 match protocol novadigm
 match protocol ssh
 match protocol irc
!
policy-map P2P-DROP
 class p2p
  drop
Apply the policy to the user-facing (incoming) interface:
int xxxxx
 service-policy input P2P-DROP
You can verify the status by doing:
sh policy-map int xxx
sh ip nbar protocol-discovery
Let me know the result,
Remember to rate all of the helpful posts.
11-06-2012 03:23 AM
Hello Julio,
Thanks for your reply. Yeah, the NBAR feature is stronger than ZBFW! More packets are being dropped after I configured NBAR on my router. But still it is not completely blocked. Please see the 'sh policy-map interface gi0/0 input' output:
ISR#sh policy-map interface gi0/0 input
 GigabitEthernet0/0

  Service-policy input: P2P-DROP

    Class-map: P2P (match-any)
      108893 packets, 11349383 bytes
      5 minute offered rate 5000 bps, drop rate 5000 bps
      Match: protocol edonkey
        328 packets, 250522 bytes
        5 minute rate 0 bps
      Match: protocol fasttrack
        98 packets, 6066 bytes
        5 minute rate 0 bps
      Match: protocol gnutella
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol winmx
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol cuseeme
        2 packets, 290 bytes
        5 minute rate 0 bps
      Match: protocol kazaa2
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol irc
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol bittorrent
        108298 packets, 11050790 bytes
        5 minute rate 5000 bps
      drop

    Class-map: class-default (match-any)
      3329777 packets, 1295326162 bytes
      5 minute offered rate 209000 bps, drop rate 0 bps
      Match: any
Regards,
Tony
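The NBAR policy posted by Julio and the 'sh policy-map interface' counters posted by Tony are the only feedback loop in this thread, so it is worth being able to read those counters mechanically. The following is an added example (not part of the original posts, and not a Cisco tool): a small Python parser for 'show policy-map interface' output that reports which 'match protocol' entries under a class with a 'drop' action are actually hitting, and what share of the interface's bytes the dropping classes account for. The sample text is copied from Tony's output above; the regular expressions assume the line layout shown there, which may differ on other IOS releases, and only the bare 'drop' action line is recognised (other actions print parameters and are not parsed here).

```python
"""Parse Cisco IOS 'show policy-map interface' output and report which NBAR
'match protocol' entries under a 'drop' class are firing.

Added example, not from the thread or from Cisco. Line formats are taken from
the output posted in the thread and may differ on other IOS releases.
"""
import re
from dataclasses import dataclass, field

RE_POLICY = re.compile(r"^Service-policy (input|output): (\S+)$")
RE_CLASS = re.compile(r"^Class-map: (\S+) \((match-any|match-all)\)$")
RE_MATCH = re.compile(r"^Match: (.+)$")
RE_COUNTS = re.compile(r"^(\d+) packets, (\d+) bytes$")
RE_RATES = re.compile(r"^5 minute offered rate (\d+) bps, drop rate (\d+) bps$")
ACTIONS = {"drop"}  # only the bare 'drop' line is recognised in this example

# Sample copied from the 'sh policy-map interface gi0/0 input' post above.
SAMPLE_OUTPUT = """\
GigabitEthernet0/0
  Service-policy input: P2P-DROP
    Class-map: P2P (match-any)
      108893 packets, 11349383 bytes
      5 minute offered rate 5000 bps, drop rate 5000 bps
      Match: protocol edonkey
        328 packets, 250522 bytes
        5 minute rate 0 bps
      Match: protocol fasttrack
        98 packets, 6066 bytes
        5 minute rate 0 bps
      Match: protocol gnutella
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol winmx
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol cuseeme
        2 packets, 290 bytes
        5 minute rate 0 bps
      Match: protocol kazaa2
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol irc
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol bittorrent
        108298 packets, 11050790 bytes
        5 minute rate 5000 bps
      drop
    Class-map: class-default (match-any)
      3329777 packets, 1295326162 bytes
      5 minute offered rate 209000 bps, drop rate 0 bps
      Match: any
"""


@dataclass
class ClassStats:
    name: str
    mode: str                      # match-any / match-all
    packets: int = 0               # class-level counters
    bytes: int = 0
    offered_bps: int = 0
    drop_bps: int = 0
    actions: list = field(default_factory=list)
    matches: dict = field(default_factory=dict)  # match text -> (packets, bytes)


def parse_policy_map_interface(text):
    """Return {policy_name: {class_name: ClassStats}} in output order."""
    policies, policy, cls, match = {}, None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := RE_POLICY.match(line):
            policy = m.group(2)
            policies.setdefault(policy, {})
            cls = match = None
        elif m := RE_CLASS.match(line):
            cls = ClassStats(name=m.group(1), mode=m.group(2))
            policies.setdefault(policy or "", {})[cls.name] = cls
            match = None
        elif cls is None:
            continue
        elif m := RE_MATCH.match(line):
            match = m.group(1)
            cls.matches[match] = (0, 0)   # 'Match: any' has no counter lines
        elif m := RE_COUNTS.match(line):
            pk, by = int(m.group(1)), int(m.group(2))
            if match is None:             # counters directly under Class-map
                cls.packets, cls.bytes = pk, by
            else:                         # counters under a Match: line
                cls.matches[match] = (pk, by)
        elif m := RE_RATES.match(line):
            cls.offered_bps, cls.drop_bps = int(m.group(1)), int(m.group(2))
        elif line in ACTIONS:
            cls.actions.append(line)
            match = None
    return policies


def firing_matches(cls):
    """Match entries with non-zero packet counts, busiest first."""
    hits = [(name, pk) for name, (pk, _) in cls.matches.items() if pk > 0]
    return sorted(hits, key=lambda h: h[1], reverse=True)


def dropped_byte_share(classes):
    """Fraction of all bytes seen by the policy that fell into 'drop' classes."""
    total = sum(c.bytes for c in classes.values())
    dropped = sum(c.bytes for c in classes.values() if "drop" in c.actions)
    return dropped / total if total else 0.0


if __name__ == "__main__":
    for pname, classes in parse_policy_map_interface(SAMPLE_OUTPUT).items():
        print(f"policy {pname}: {dropped_byte_share(classes):.2%} of bytes dropped")
        for c in classes.values():
            if "drop" in c.actions:
                print(f"  class {c.name}: {firing_matches(c)}")
```

Note that under a match-any class the per-match counters are not required to add up to the class total (the posted figures show 108726 match hits against 108893 class packets), so compare the class counter, not the sum, when judging how much a policy change moved.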
11-06-2012 11:11 AM
Hello Yadhu,
Then I will suggest you use an application to block this, as neither the ZBFW nor NBAR has been able to block this.
At least the ZBFW lets you know who is using P2P applications, so you can go and talk to them, but based on the last cases I have seen, P2P applications have not been successfully blocked (100% talking).
Regards
11-08-2012 01:29 AM
Hello Julio,
Anyway, that was a nice experiment with P2P traffic. I feel it is better to use an application like Symantec Endpoint Protection.
Regards,
Yadhu
11-08-2012 01:36 PM
Hello Yadhu,
Exactly.
We definitely tried it.
Remember to rate all of the helpful posts.
Regards
12-15-2012 04:18 AM
I just summarized the discussion and published it on http://yadhutony.blogspot.in/2012/11/how-to-block-p2p-traffic-on-cisco-router.html
It gives me the best result !
Thanks Julio for your support.
Regards,
Tony
12-15-2012 09:52 AM
Hello Yadhu,
Good job with the document, really clear.
Yes, I would say an external dedicated server or device will be needed to block this traffic (maybe with deeper application inspection).
Regards,
Julio