11-12-2010 07:54 AM - edited 03-09-2019 11:15 PM
hi,
I am trying to configure NBAR to restrict P2P traffic through a cisco892w wireless router.
I am using this config example,
but it looks like all traffic is being blocked. My config is a little bit different since I want to restrict access to wireless users. So I am applying the
"ip nbar protocol-discovery" and "service-policy output" commands on the wan interface, gigabitethernet 0. Is this the right way to do it?
Why is all traffic being dropped?
class-map match-any p2p
 match protocol edonkey
 match protocol fasttrack
 match protocol gnutella
 match protocol kazaa2
 match protocol winmx
 match protocol skype
 match access-group 102
!
policy-map nop2p
 class p2p
  drop
!
interface GigabitEthernet0
 ip address x.x.x.x 255.255.255.192
 ip nbar protocol-discovery
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 service-policy output nop2p
!
access-list 102 permit ip any any
sho policy-map interface gi 0
 GigabitEthernet0
  Service-policy output: nop2p
    Class-map: p2p (match-any)
      4255 packets, 363569 bytes
      5 minute offered rate 3000 bps, drop rate 3000 bps
      Match: protocol edonkey
        359 packets, 58471 bytes
        5 minute rate 0 bps
      Match: protocol fasttrack
        3 packets, 186 bytes
        5 minute rate 0 bps
      Match: protocol gnutella
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol kazaa2
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol winmx
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol skype
        38 packets, 3497 bytes
        5 minute rate 0 bps
      Match: access-group 102
        3616 packets, 280672 bytes
        5 minute rate 3000 bps
      drop
    Class-map: class-default (match-any)
      8639 packets, 885134 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
thanks in advance!
11-12-2010 01:58 PM
Your "match access-group 102" should not be in the class-map. That is going to drop everything. The rest looks ok.
Keep in mind that an alternative to block P2P is Flexible Packet matching.
I hope it helps.
PK
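One way to check this diagnosis against the counters, as an added example that is not part of the thread: the Python script below parses "show policy-map interface" output and reports, for every match-any class with a drop action, which single match statement accounts for most of the class's packets. It assumes the usual IOS indentation of that output; the sample is constructed from the numbers in the first post.

```python
import re

# Constructed sample: abridged "show policy-map interface" output from the thread, as IOS indents it.
SAMPLE = """\
  Service-policy output: nop2p
    Class-map: p2p (match-any)
      4255 packets, 363569 bytes
      Match: protocol edonkey
        359 packets, 58471 bytes
      Match: access-group 102
        3616 packets, 280672 bytes
      drop
    Class-map: class-default (match-any)
      8639 packets, 885134 bytes
      Match: any
"""

CLASS_RE = re.compile(r"^\s*Class-map:\s+(\S+)\s+\((match-any|match-all)\)")
MATCH_RE = re.compile(r"^\s*Match:\s+(.+?)\s*$")
PKTS_RE = re.compile(r"^\s*(\d+) packets, \d+ bytes")

def parse_policy_map(text):
    """One dict per class-map: name, mode, class packets, packets per match line, drop flag."""
    classes, pending = [], None  # pending: which counter the next "N packets" line belongs to
    for line in text.splitlines():
        if m := CLASS_RE.match(line):
            classes.append({"name": m[1], "mode": m[2], "packets": 0, "matches": {}, "drop": False})
            pending = "class"
        elif (m := MATCH_RE.match(line)) and classes:
            pending = m[1]
        elif (m := PKTS_RE.match(line)) and pending:
            if pending == "class":
                classes[-1]["packets"] = int(m[1])
            else:
                classes[-1]["matches"][pending] = int(m[1])
            pending = None
        elif line.strip() == "drop" and classes:
            classes[-1]["drop"] = True
    return classes

def dominant_matches(text, share=0.5):
    """For each match-any class with a drop action, list criteria that alone account for more
    than `share` of its packets: that criterion, not the ones beside it, decides what is dropped."""
    hits = []
    for c in parse_policy_map(text):
        if c["drop"] and c["mode"] == "match-any" and c["packets"]:
            for crit, n in c["matches"].items():
                if n / c["packets"] > share:
                    hits.append((c["name"], crit, round(n / c["packets"], 3)))
    return hits
```

Run against the first post's counters it reports that "access-group 102" alone matched about 85% of the p2p class, which is the catch-all PK points at.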
11-15-2010 03:56 AM
hi PK,
Thanks for replying. So traffic is getting through now. I am testing the NBAR config with emule. The problem is that now emule is able to download files.
It looks like NBAR is recognizing emule but it doesn't fully stop it.
Is NBAR supposed to completely block emule/edonkey?
#show ip nbar protocol-discovery
 GigabitEthernet0
  Last clearing of "show ip nbar protocol-discovery" counters 01:18:10
                            Input                    Output
                            -----                    ------
   Protocol                 Packet Count             Packet Count
                            Byte Count               Byte Count
                            5min Bit Rate (bps)      5min Bit Rate (bps)
                            5min Max Bit Rate (bps)  5min Max Bit Rate (bps)
   ------------------------ ------------------------ ------------------------
   icmp                     6987                     6998
                            499255                   309110
                            4000                     2000
                            5000                     3000
   ssh                      133                      132
                            16198                    22332
                            1000                     1000
                            2000                     2000
   edonkey                  10                       1615
                            13614                    283580
                            0                        0
                            1000                     3000
   secure-http              94                       139
                            27417                    14651
                            0                        0
                            3000                     0
#sho policy-map interface
 GigabitEthernet0
  Service-policy output: nop2p
    Class-map: p2p (match-any)
      1630 packets, 286265 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol edonkey
        1630 packets, 286265 bytes
        5 minute rate 0 bps
      Match: protocol fasttrack
        0 packets, 0 bytes
        5 minute rate 0 bps
  Service-policy output: nop2p
    Class-map: p2p (match-any)
      1856 packets, 324964 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol edonkey
        1856 packets, 324964 bytes
        5 minute rate 0 bps
      Match: protocol fasttrack
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol gnutella
11-15-2010 06:36 AM
I am thinking that these file sharing SW keep changing their patterns and ports etc, so depending on IOS version and NBAR you might not catch everything. I am guessing that is what is happening in your case.
I would investigate Flexible Packet Matching to see if that will serve the purpose.
I hope it helps.
PK
11-15-2010 06:58 AM
hi PK,
Thanks for your answer.
Can anyone else weigh in on this? Is NBAR useless for blocking peer to peer file sharing?