How to block torrent traffic using WLC AVC?

tsakoulias · ‎01-06-2014

Hi,

We are trying to investigate ways of blocking torrent traffic on our WLANs and currently testing the AVC feature on a pair of 5500 WLCs running 7.4.100.

WLAN traffic is anchored from a "Campus" WLC to a "DMZ" WLC. An AVC profile was created on each WLC to Drop "bittorrent" and "encrypted bittorent" traffic and was applied on the WLANs.

A laptop was configured with 2 torrent clients (utorrent and bittorrent).

Following extensive testing we came up with the following results:

- The foreign WLC is not able to identify the applications running over the wireless traffic. AVC is properly running on the anchor WLC.

- When using the utorrent application, the anchor WLC was able to categorize the traffic as bittorrent traffic. On the other hand torrent traffic was not blocked and after downloading a 70MB file on the laptop, AVC reported only 500Kb of bit torrent traffic

- When using the bittorrent application, traffic was blocked successfully.

Has anybody been able to successfully block torrent traffic using this feature on a production network?

Are there any commands to identify the amount of packets denied by the AVC policy?

Thanks,

Theo

Leo Laohoo · ‎01-06-2014

First of, try using 7.4.121.0 firmware and test again.

Saravanan Lakshmanan · ‎01-06-2014

#AVC on guest anchor works, You'll only see the AVC info on the anchor. Foreign WLC AVC stats will show blank.

#open TAC case for troubleshooting in detail.

Rasika Nayanajith · ‎01-06-2014

Hi

Here is the protocol list supported in NBAR2

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6558/ps6616/product_bulletin_c25-627831.html

I can see "bittorrent", "encrypted-bittorrent", "bittorrent-networking" as recognised protocol in the list, but nothing for utorrent.

From WLC code 7.5 onwards you can update these protocol packs on your controller (see below for more detail)

http://www.cisco.com/en/US/docs/wireless/controller/technotes/7.5/AVC_dg7point5.html

Protocol pack 4.1.1 is the latest for 7.5 code. Here is the more information about it.

http://www.cisco.com/en/US/docs/wireless/controller/nbar2_prot_pack/4.1.1/b_nbar2_prot_pack_411.html

Latest protocol pack (pp-AIR-7.6-13-6.3.0.pack) is available for 7.6 code version if you would like to test it out.

HTH

Rasika

**** Pls rate all useful responses ****

tsakoulias · ‎01-07-2014

Hi,

Is bittorrent the only protocol that is used for p2p torrent file sharing?

Do you believe it is worth blocking traffic upstream using another device (FW, IPS etc) in order to offload the WLC?

Unfortunately for the time being we can only use 7.4.100

Thanks,

Theo

Rasika Nayanajith · ‎01-07-2014

Hi Theo,

Yes, if you have a mechanism to block these sort of thing using another device, I would go for it. Then you can do this to both your wired & wireless traffic at one place.

If you want to do something, only for wireless traffic then AVC is a good choice.

HTH

Rasika

**** Pls rate all useful responses ****

aleopoldie · ‎08-12-2015

Hello Manannalage,

What's the difference between bittorrent, encrypted-bittorrent et bittorrent-networking ?

I often see bittorrent on the top 10 of the applications on 1 of our WLC, but i'm always wondering if that means utorrent, or something else which could slow the network...

Regards,

AL

Michael Burk · ‎01-08-2014

Hi Tsak,

I would personally block Bittorrent using a Firewall upstream. The main reason for this is that BT is a little trickier to block than regular data (https://supportforums.cisco.com/thread/2163045)

For this reason it makes sense to me to move the task of blocking it up to the Firewall.

Other advantages are that I find that firewalls are generally easier to configure and it offloads that cpu work from your WLC.

The main disadvantage is that any security expert or best practice would tell you to block unwanted traffic as close to the source as possible.

Anil Jacob · ‎02-25-2014

Hi All,

I am facing a similar situation with Anchor Controller Wireless Network for Guest Access. We want to block application similar to one listed.

Issues

1 - Unfortunately, a single WLAN can only accomodate 32 rules. Is there any possible solution to deal more application rules.

2. I have configured the AVC profile on the Controller in DMZ and applied to the Guest wLAN. But configuring AVC profile and enablng on the Foreign controller Guest wLAN did not drop the applications. Any comments on what is the best practices for this scenario.

Thanks

AJ

gohussai · ‎08-12-2015

As you are using 5500 controller so better use firmware >=7.5 and use NBAR2 OR you can also use AVC.

BUT the best practice is to offload the workload from controller and use FW. As torrrent blocking need deep packet inspection and controller is not the best in blocking such traffic efficiently.