01-22-2006 11:47 PM - edited 03-03-2019 01:32 AM
Hi everybody,
I have a high-speed internet connection which is distributed to four users of the IT department. As all of us are from the IT department, I can't force them to have a connection from ISA; they are connected directly from the 3550 series switch with real IPs. Some of them are using software like Kazaa, BitTorrent and BearShare for their downloads, which is consuming more bandwidth and limits the browsing and download speed. I did try to limit their bandwidth from their respective interfaces with the following commands:
interface FastEthernet0/1
 bandwidth 1
But it was no use. Is there any way to block that software and to limit the bandwidth usage for an individual user, as I can use any bandwidth-limiting software? The only option I have is to control them from the switch. So please let me know the solution.
Thanks
Yasir
01-23-2006 12:16 AM
Hi Yasir,
You can use QoS features on your 3550 to limit the outbound traffic to these users. You can use Network Based Application Recognition (NBAR) technology to completely block p2p traffic to these users - however, that is not supported on the 3550s...
Here's an example of how to limit bandwidth to each user:
policy-map PolicyOut
 class class-default
  police 64000
!
interface fastethernet1/0
 service-policy output PolicyOut
Here's what the above policy will do:
- it will limit outbound traffic on interface fastethernet 1/0 to 64k
You can apply that same service-policy to multiple interfaces and tune the bandwidth as per your requirements...
Hope that helps - pls rate the post if it does.
Regards,
Paresh.
01-23-2006 01:06 AM
Dear Paresh,
Thanks a lot for this. I am already limiting the bandwidth from the Cisco switch, but my main concern is to block P2P applications from the switch, not from the router.
01-23-2006 01:15 AM
Hi Yasir,
As I indicated in my last post, your best bet for blocking these apps is to use NBAR, which I don't believe is available on the 3550s. If you have access to your internet-facing router, it can be very easily implemented on that one router...
Regards,
Paresh
01-23-2006 12:23 AM
Hello Yasir,
How exactly is the 3550 connected to the Internet? If you have a routed (Layer 3) port on the switch, that is, a port with an IP address, you could try NBAR to completely block those applications. The configuration would look like this:
ip cef
!
class-map match-any BLOCK_P2P
 match protocol kazaa2
 match protocol winmx
 match protocol edonkey
 match protocol gnutella
 match protocol napster
 match protocol fasttrack
 match protocol bittorrent
!
policy-map DROP_P2P
 class BLOCK_P2P
  drop
 class class-default
!
interface FastEthernet0/12
 service-policy output DROP_P2P
FastEthernet0/12 would be the routed port in this case.
If that doesn't apply to you, you can limit individual port bandwidth with the interface command 'storm-control', such as in the example below:
interface FastEthernet0/2
 storm-control unicast level 2.00
This would limit the user's bandwidth on that port to 2MB (since this is a 100MB interface)...
Regards,
GP
01-23-2006 01:58 AM
I am not sure if you think you are already limiting bandwidth, but the command:
interface FastEthernet0/1
 bandwidth 1
has absolutely nothing to do with limiting bandwidth; it is used as a variable when calculating routing protocols and generating statistics.
I agree with the other posters that NBAR is the way to go if you have access to the upstream router. Otherwise, use QoS on the 3550 to limit the amount of bandwidth they can access. Ingress policers will do the trick.
HTH
Andy
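An ingress policer of the kind the last reply recommends, shown as an added example that is not from any poster in this thread. It caps the rate on a port but does not recognise or block P2P protocols. The ACL number, class and policy names, rate, burst size and interface are assumed values to adapt.

```cisco
! Added example: per-port ingress policer on a Catalyst 3550.
! ACL number, names, rate and burst below are assumed values.
!
! QoS is disabled by default on the 3550; enable it globally first.
mls qos
!
! Match all IP traffic arriving from the user.
access-list 101 permit ip any any
!
class-map match-all USER_IP
 match access-group 101
!
policy-map LIMIT_USER_IN
 class USER_IP
  ! 512000 bps average rate, 16000-byte burst; excess packets are dropped.
  police 512000 16000 exceed-action drop
!
! Attach to each user-facing access port.
! "input" polices traffic sent by the user into the switch (uploads);
! traffic toward the user is not affected by this policy.
interface FastEthernet0/1
 service-policy input LIMIT_USER_IN
!
! Check that the policer is attached:
!  show mls qos interface FastEthernet0/1 policers
```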