Wednesday, 14 December 2011

Block P2P Traffic on a Cisco IOS Router using NBAR

In the following example, we'll use NBAR to block P2P traffic on our router's Gigabit interface.
  • Create a class-map to match the protocols to be blocked.
  • Create a policy-map to specify what should be done with the traffic.
  • Apply the policy to the user-facing (incoming) interface.
conf t
!--- IP CEF should be enabled at first to block P2P traffic.
!--- P2P traffic cannot be blocked when IPC CEF is disabled.
ip cef
!
!--- Configure the class map named p2p to match the P2P protocols
!--- to be blocked with this class map p2p.
class-map match-any p2p
!--- Mention the P2P protocols to be blocked in order to block the
!--- P2P traffic flow between the required networks. edonkey,
!--- fasttrack, gnutella, kazaa2, skype are some of the P2P
!--- protocols used for P2P traffic flow. This example
!--- blocks these protocols.
!
match protocol edonkey
match protocol fasttrack
match protocol gnutella
match protocol kazaa2
match protocol winmx
match protocol skype
!
!
!--- Here the policy map named SDM-QoS-Policy is created, and the
!--- configured class map p2p is attached to this policy map.
!--- Drop is the command to block the P2P traffic.
!
policy-map SDM-QoS-Policy
class p2p
drop
!
!--- Use the inferface where you wich to block the P2P traffic
interface GigabitEthernet 0/1
!
!--- The command ip nbar protocol-discovery enables NBAR
!--- protocol discovery on this interface where the QoS
!--- policy configured is being used.
ip nbar protocol-discovery
!
!--- Use the service-policy command to attach a policy map to
!--- an input interface so that the interface uses this policy map.
service-policy input SDM-QoS-Policy
!
end
!
!--- Save the current configuration
wr
And that's it.
You can ensure the policy is working with the command:
show policy-map
However if your version of IOS is older than 12.2(13)T, you will need some extra steps. This process relies on setting the DSCP field in the incoming packets, and then dropping those packets on the outbound interface. In the following example, we'll block P2P using the DSCP field.
  • Create a class-map to match the protocols to be blocked.
  • Create a policy-map to specify what should be done with the traffic.
  • Create an access-list to block packets with the DSCP field set to 1.
  • Apply the policy to the user-facing (incoming) interface.
  • Apply the blocking access-list to the outbound interface.
conf t
!--- IP CEF should be enabled at first to block P2P traffic.
!--- P2P traffic cannot be blocked when IPC CEF is disabled.
ip cef
!
!--- Configure the class map named p2p to match the P2P protocols
!--- to be blocked with this class map p2p.
!
class-map match-any P2P
match protocol edonkey
match protocol fasttrack
match protocol gnutella
match protocol kazaa2
match protocol winmx
match protocol skype
!
!
policy-map P2P
class P2P
set ip dscp 1
!
!--- Block all traffic with the DSCP field set to 1.
!
access-list 100 deny ip any any dscp 1
access-list 100 permit ip any any
!
interface GigabitEthernet0/1
service-policy input P2P
!
interface POS1/1
ip access-group 100 out


Possibly Related Posts

No comments:

Post a Comment