05-24-2007 07:43 AM - edited 03-03-2019 05:07 PM
I have noticed that one of our wan links has a great deal of traffic from winmx and edonkey. I tried to add an entry to the existing policy map to police that type of traffic; however, whenever I do this the office on the other side of the wan link cannot access the internet (all internet access from that office comes through this link to reach the internet). Following is the policy map, etc. that applies to the link. Whenever I put in the hogs statement, the internet is not accessible. I would appreciate someone letting me know what I have done wrong--this is new to me so I will not take any offense on my stupidity!
class-map match-any hogs
 match protocol winmx
 match protocol edonkey
class-map match-all webapps
 match access-group name webapps
class-map match-all rdp
 match access-group name rdp
policy-map scum
 class hogs
  police cir 8000 bc 1500 be 1500
   conform-action drop
   exceed-action drop
 class webapps
  bandwidth 256
 class rdp
  bandwidth 128
 class class-default
  fair-queue
interface Serial1/0
 bandwidth 768
 ip address 10.19.100.254 255.255.255.0
 ip nbar protocol-discovery
 serial restart-delay 0
 no dce-terminal-timing-enable
 no cdp enable
 service-policy output scum
ip access-list extended rdp
 permit tcp any any eq 3389
 permit tcp any any eq telnet
ip access-list extended webapps
 permit ip host 10.0.9.229 any
 permit ip host 10.0.1.224 any
 permit ip host 10.0.1.79 any
 permit ip host 10.0.1.72 any
 permit ip host 10.0.1.149 any
 permit ip host 10.0.1.239 any
 permit ip host 10.0.1.182 any
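As an added example (not part of the original post and not Cisco tooling), the following Python dry-run models the posted class-maps and policy-map against a handful of constructed flows, so a candidate "hogs" class can be checked against known-good traffic before it is attached to the WAN link. The `match protocol` signatures are stand-ins for NBAR's real matching, the port numbers and flow addresses are constructed, and `police ... conform-action drop exceed-action drop` is modelled as a plain drop because it discards every packet in the class. Running the same policy with a deliberately over-broad signature reproduces the symptom described above: every TCP flow from the remote office lands in the hogs class and is dropped.

```python
"""Dry-run of the thread's QoS policy against constructed flows.

Added example: models how an IOS class-map classifies a packet and what
the policy-map then does with it.  Protocol signatures are constructed
stand-ins for NBAR, not NBAR itself.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int
    label: str      # what the flow really is (ground truth for the dry run)


# --- "match protocol X": constructed port-based signatures -----------------
# A port-only signature cannot tell P2P on port 80 from a web site, and an
# over-broad one catches everything.  Port values are sample values only.
SIGNATURES: Dict[str, Callable[[Flow], bool]] = {
    "edonkey": lambda f: f.proto == "tcp" and f.dport == 4662,   # constructed
    "winmx":   lambda f: f.proto == "tcp" and f.dport == 6699,   # constructed
    # Deliberately over-broad "signature" reproducing the failure mode in
    # the post: it matches every TCP flow.
    "broad":   lambda f: f.proto == "tcp",
}


# --- "match access-group": ACL entries as (proto, src_net, dst_net, dport) --
def acl(entries):
    def match(f: Flow) -> bool:
        for proto, src, dst, dport in entries:
            if proto not in ("ip", f.proto):
                continue
            if ip_address(f.src) not in ip_network(src):
                continue
            if ip_address(f.dst) not in ip_network(dst):
                continue
            if dport is not None and dport != f.dport:
                continue
            return True            # first permit wins
        return False               # implicit deny
    return match


# Hosts taken from the posted webapps ACL (two of them, for brevity).
WEBAPPS = acl([("ip", "10.0.9.229/32", "0.0.0.0/0", None),
               ("ip", "10.0.1.224/32", "0.0.0.0/0", None)])
RDP = acl([("tcp", "0.0.0.0/0", "0.0.0.0/0", 3389),
           ("tcp", "0.0.0.0/0", "0.0.0.0/0", 23)])


def class_map(mode: str, matchers):
    fn = any if mode == "match-any" else all
    return lambda f: fn(m(f) for m in matchers)


def build_policy(hog_protocols):
    """policy-map 'scum' from the post, with the hogs class parameterised."""
    hogs = class_map("match-any", [SIGNATURES[p] for p in hog_protocols])
    return [
        ("hogs", hogs, "drop"),    # police conform/exceed drop == drop all
        ("webapps", class_map("match-all", [WEBAPPS]), "bandwidth 256"),
        ("rdp", class_map("match-all", [RDP]), "bandwidth 128"),
        ("class-default", lambda f: True, "fair-queue"),
    ]


def classify(policy, f: Flow) -> Tuple[str, str]:
    """First matching class wins, as in an IOS policy-map."""
    for name, matcher, action in policy:
        if matcher(f):
            return name, action
    raise AssertionError("class-default always matches")


def collateral(policy, flows) -> List[str]:
    """Labels of non-P2P flows the policy would drop: the dry-run result."""
    return [f.label for f in flows
            if classify(policy, f)[1] == "drop"
            and not f.label.startswith("p2p")]


# Constructed sample flows leaving the remote office.
SAMPLE_FLOWS = [
    Flow("10.0.9.229", "198.51.100.10", "tcp", 80,   "web from listed host"),
    Flow("10.0.1.50",  "198.51.100.10", "tcp", 443,  "https from other host"),
    Flow("10.0.1.50",  "10.19.100.5",   "tcp", 3389, "rdp"),
    Flow("10.0.1.60",  "203.0.113.7",   "tcp", 4662, "p2p edonkey"),
    Flow("10.0.1.61",  "203.0.113.8",   "tcp", 6699, "p2p winmx"),
    Flow("10.0.1.62",  "203.0.113.9",   "udp", 53,   "dns"),
]

if __name__ == "__main__":
    for protos in (["edonkey", "winmx"], ["broad"]):
        print(f"hogs = {protos}: dropped legitimate flows ->",
              collateral(build_policy(protos), SAMPLE_FLOWS))
```

With the narrow signatures only the two P2P flows are dropped; with the broad one the web, HTTPS and RDP flows are dropped as well, which is the outage the post describes. The same harness can be fed the real port list of whatever `match protocol` is in question to see what else it would catch before the policy goes live.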
05-24-2007 09:04 AM
Hi,
Though it's a bit difficult to conclude precisely at this time without the sho policy-map output, the most striking point to me is the ACL WebApps.
In fact the ACLs hogs and webapps are contradicting each other, i.e. in hogs you are trying to classify at the Transport Layer but in webapps you are classifying at the Network Layer.
Hence the first step towards the troubleshooting must be to bring everyone either to L-3 or to L-4, e.g.
you may specify:
permit tcp host 10.0.9.229 any eq www
permit tcp host 10.0.9.229 any eq https
permit tcp host 10.0.9.229 any eq ftp
permit tcp host 10.0.9.229 any eq smtp
permit tcp host 10.0.9.229 any eq pop3
I hope that should bring the issue to a halt.
Kind Regards,
Wilson Samuel
05-24-2007 09:14 AM
Hello,
I see you have configured the policies to drop all "hogs" traffic, which includes the "edonkey" and "winmx" protocols.
I believe those protocols are user-defined protocols, so it seems the problem is in the definition of those protocols; probably they are covering other traffic than just the one used by edonkey and winmx.
In my opinion it's very difficult or impossible to identify edonkey traffic, as it uses random ports, unless you have some way to do traffic shaping, but there are already some edonkey clients that use protocol obfuscation that intentionally fools traffic-shaping techniques.
But the problem of dropping legitimate traffic is for sure in the definition of those "hogs" protocols.
My solution for dropping all undesired traffic was to permit only traffic for well-known and legitimate applications like www, smtp etc. and deny all other traffic, and also to impose the use of an internal proxy for web surfing, which not only optimises the bandwidth usage but also solves the problem of some unusual ports used by some www sites. Then you can also close outgoing tcp port 80 except from your proxy server, as all clients should browse the web using the proxy, because I have already seen some edonkey clients that use tcp port 80 in an attempt to fool the firewall.
Rui
05-24-2007 01:52 PM
Thanks; I think we just realized that the port Cisco identifies as edonkey may be something entirely different. Probably the same thing for winmx also.
05-25-2007 05:14 AM
HI cmorley, [Pls Rate if Helps]
How to Block Skype / P2P & identify Top 10 Bandwidth Eating Applications:
---------------------------------------------
IOS Support: version 12.4(4)T
edonkey can be blocked in a similar way as we use to block Kazaa, LimeWire and other p2p applications.
Example:- (for skype packets):
NBAR configuration to drop Skype packets
class-map match-any p2p
 match protocol skype
policy-map block-p2p
 class p2p
  drop
int FastEthernet0
 description PIX-facing interface
 service-policy input block-p2p
If you are unsure about the bandwidth eating applications being used in your organisation, you can access the interface connected to the Internet and configure the following command:
ip nbar protocol-discovery
This will enable nbar discovery on your router.
Use the following command:-
show ip nbar protocol-discovery stats bit-rate top-n 10
It will show you the top 10 bandwidth eating applications being used by the users. Now you will be able to block/restrict traffic with an appropriate QoS policy.
We can also use the ip nbar port-map command to look for a protocol or protocol name using a port number or numbers other than the well-known Internet Assigned Numbers Authority (IANA)-assigned port numbers.
Usage as per cisco:-
ip nbar port-map protocol-name [tcp | udp] port-number
Up to 16 ports can be specified with this command. Port number values can range from 0 to 65535.
PLS RATE IF HELPS ! !
Best Regards,
Guru Prasad R
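As an added example (not from this post and not Cisco's own tooling), the Python script below parses `ip nbar port-map` statements in the syntax quoted above, enforces the two stated limits (at most 16 ports per command, port values 0 to 65535), and reports which ports of a protocol that is about to be dropped collide with services the site relies on. The configuration lines, the required-service table and the protocol names slated for dropping are constructed; the script merges repeated lines for one protocol purely for the purpose of the check and does not model how a real router treats a repeated port-map command.

```python
"""Sanity-check 'ip nbar port-map' statements before they feed a drop policy.

Added example: parses port-map lines, applies the limits stated in the
post (16 ports per command, port range 0-65535), and flags ports that a
to-be-dropped protocol shares with services the site needs.
"""
import re
from typing import Dict, List, Set, Tuple

# ip nbar port-map <name> {tcp|udp} <port> [<port> ...]
PORTMAP_RE = re.compile(
    r"^\s*ip nbar port-map\s+(\S+)\s+(tcp|udp)\s+((?:\d+\s*)+)$")


def parse_port_maps(config: str) -> Dict[str, Set[Tuple[str, int]]]:
    """Return {protocol: {(l4, port), ...}}; raises ValueError on bad lines."""
    table: Dict[str, Set[Tuple[str, int]]] = {}
    for line in config.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue                      # blank line or IOS comment
        m = PORTMAP_RE.match(line)
        if not m:
            raise ValueError(f"not a port-map statement: {line!r}")
        name, l4, ports_text = m.group(1), m.group(2), m.group(3)
        ports = [int(p) for p in ports_text.split()]
        if len(ports) > 16:
            raise ValueError(f"{name}: {len(ports)} ports, limit is 16")
        bad = [p for p in ports if not 0 <= p <= 65535]
        if bad:
            raise ValueError(f"{name}: port out of range: {bad}")
        # Repeated lines for one protocol are merged here for checking only.
        table.setdefault(name, set()).update((l4, p) for p in ports)
    return table


def collisions(table: Dict[str, Set[Tuple[str, int]]], dropped: List[str],
               required: Dict[Tuple[str, int], str]) -> List[str]:
    """Required services that a dropped protocol's port-map would also hit."""
    out = []
    for name in dropped:
        for l4, port in sorted(table.get(name, ())):
            if (l4, port) in required:
                out.append(f"{name} {l4}/{port} also matches {required[(l4, port)]}")
    return out


# Constructed sample: mapping edonkey onto port 80 as well is the kind of
# mistake that silently turns a P2P class into a web-blocking class.
SAMPLE_CONFIG = """
! constructed sample, not a real device configuration
ip nbar port-map edonkey tcp 4662 80
ip nbar port-map winmx tcp 6699
"""

# Services the remote office depends on; ports come from the thread's ACLs
# and suggestions, the labels are constructed.
REQUIRED = {("tcp", 80): "www", ("tcp", 443): "https", ("tcp", 25): "smtp",
            ("tcp", 3389): "rdp", ("tcp", 23): "telnet"}


def check(config: str = SAMPLE_CONFIG,
          dropped=("edonkey", "winmx")) -> List[str]:
    """Run the parse and the collision check; returns warning strings."""
    return collisions(parse_port_maps(config), list(dropped), REQUIRED)


if __name__ == "__main__":
    for problem in check():
        print("WARNING:", problem)
```

Paste the router's actual `ip nbar port-map` lines into `SAMPLE_CONFIG` and list the protocols named in the drop class in `dropped`; an empty result means no required service shares a port with the protocols about to be dropped.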