Cannot Block p2p Torrent using NBAR in IOS ver 15 Adv IP Services

Paul Kazzi
Level 1

Wondering if anyone has any solutions to this issue. Have tried blocking BitTorrent and even Skype to no avail. The actual rate and drops show up in "show policy-map interface" but these apps still can get out to Internet. Cannot seem to block this traffic...

ip cef

class-map match-any p2p
match protocol bittorrent
match protocol gnutella
match protocol fasttrack
match protocol kazaa2
match protocol winmx
match protocol edonkey
match protocol irc
match protocol skype

policy-map InboundFromLAN
class p2p
   drop


!
interface FastEthernet4
description WAN
bandwidth 2048
ip address 1.X.X.X 255.255.255.252
no ip redirects
no ip unreachables
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
load-interval 30
duplex auto
speed auto
!
!
interface Vlan1
description LAN
ip address 10.2.3.1 255.255.0.0
ip access-group 151 in
ip nbar protocol-discovery
ip nat inside
ip inspect IOS-FW in
ip virtual-reassembly
ip tcp adjust-mss 1400
service-policy input InboundFromLAN
!


----------------------------------------------

show ip nbar version

NBAR software version:  7

1   base                 Mv: 2
2   ftp                  Mv: 3
3   http                 Mv: 10
4   static               Mv: 6
5   tftp                 Mv: 1
6   exchange             Mv: 1
7   vdolive              Mv: 1
8   sqlnet               Mv: 1
9   rcmd                 Mv: 1
10  netshow              Mv: 1
11  sunrpc               Mv: 2
12  streamwork           Mv: 1
13  citrix               Mv: 11
14  fasttrack            Mv: 2
15  gnutella             Mv: 4
16  kazaa2               Mv: 7
17  custom-protocols     Mv: 1
18  rtsp                 Mv: 5
19  rtp                  Mv: 5
20  mgcp                 Mv: 2
21  skinny               Mv: 1
22  h323                 Mv: 1
23  sip                  Mv: 1
24  rtcp                 Mv: 2
25  edonkey              Mv: 5
26  winmx                Mv: 3
27  bittorrent           Mv: 4
28  directconnect        Mv: 3
29  hl7                  Mv: 1
30  fix                  Mv: 1
31  skype                Mv: 3
32  sap                  Mv: 1


show ver
Cisco IOS Software, C880 Software (C880DATA-UNIVERSALK9-M), Version 15.0(1)M4, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Fri 29-Oct-10 00:02 by prod_rel_team

ROM: System Bootstrap, Version 12.4(22r)YB5, RELEASE SOFTWARE (fc1)

Rtr uptime is 14 hours, 9 minutes
System returned to ROM by reload at 22:00:00 AEST Tue Aug 16 2011
System restarted at 22:00:38  Tue Aug 16 2011
System image file is "flash:c880data-universalk9-mz.150-1.M4.bin"
Last reload type: Normal Reload
Last reload reason: Reload Command

-----------------------------------------------

show policy-map interface
Vlan1

  Service-policy input: InboundFromLAN

    Class-map: p2p (match-any)
      79058 packets, 7905802 bytes
      5 minute offered rate 1000 bps, drop rate 1000 bps
      Match: protocol bittorrent
        79058 packets, 7905802 bytes
        5 minute rate 1000 bps
      Match: protocol gnutella
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol fasttrack
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol kazaa2
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol winmx
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol edonkey
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol irc
        0 packets, 0 bytes
        5 minute rate 0 bps
      drop

    Class-map: class-default (match-any)
      1429444 packets, 197939417 bytes
      5 minute offered rate 58000 bps, drop rate 0 bps
      Match: any
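
Added example (not part of the original post, and not Cisco tooling): a Python check that compares the class-map in the posted configuration with the posted "show policy-map interface" counters. The function names are this example's own, and the inputs are shortened excerpts of the text above.

```python
import re

# Shortened excerpts of the config and "show policy-map interface" output posted above.
CONFIG = """\
class-map match-any p2p
match protocol bittorrent
match protocol gnutella
match protocol skype
"""
SHOW = """\
    Class-map: p2p (match-any)
      79058 packets, 7905802 bytes
      5 minute offered rate 1000 bps, drop rate 1000 bps
      Match: protocol bittorrent
        79058 packets, 7905802 bytes
        5 minute rate 1000 bps
      Match: protocol gnutella
        0 packets, 0 bytes
        5 minute rate 0 bps
      drop
"""

def configured_protocols(config, class_name):
    """Protocols listed under 'class-map ... <class_name>' in the config text."""
    protos, inside = [], False
    for line in config.splitlines():
        words = line.split()
        if words[:1] == ["class-map"]:
            inside = words[-1] == class_name
        elif inside and words[:2] == ["match", "protocol"]:
            protos.append(words[2])
        elif words:
            inside = False  # any other statement ends the class-map
    return protos

def audit(config, show, class_name):
    """Compare configured matches with what the router reports for the class."""
    m = re.search(r"Class-map: %s .*?(?=Class-map:|\Z)" % re.escape(class_name), show, re.S)
    block = m.group(0) if m else ""
    hits = {p: int(n) for p, n in re.findall(r"Match: protocol (\S+)\s+(\d+) packets", block)}
    rates = re.search(r"offered rate (\d+) bps, drop rate (\d+) bps", block)
    offered, dropped = map(int, rates.groups()) if rates else (0, 0)
    return {
        "missing_from_running_policy": [p for p in configured_protocols(config, class_name) if p not in hits],
        "never_matched": sorted(p for p, n in hits.items() if n == 0),
        "drop_action_present": bool(re.search(r"^\s*drop\s*$", block, re.M)),
        "all_classified_traffic_dropped": offered == dropped,
    }
```

On the posted data this reports skype as configured but absent from the running class, and a drop rate equal to the offered rate. The counters therefore describe only the packets that matched the class; anything not matched is counted under class-default, which shows a drop rate of 0 bps.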

Accepted Solutions

lcaruso
Level 6

Hi,

I cannot guarantee this will help, but if it's not too much trouble, why not try upgrading IOS to

c880data-universalk9-mz.152-1.T.bin

Any x.0 release will be improved upon soon thereafter in subsequent releases. I avoid x.0 releases or try to move away from them as soon as possible.

If you need an attribution to justify the upgrade effort, try reading the 15.2/15.1 release notes for fixed issues related to your problem.

Thanks, just works now.

I also had a 2800; this service policy also was not working on a late 12.4(24)T, which threw me off a bit and had me doubt my config was correct. Thankfully it was.

Thanks again

I'm glad to hear that helped. Thanks.

Thanks.