SBSIAdmin
asked on
Block P2P on a Cisco router
Greetings,
I've put ip nbar protocol-discovery on the FastEthernet interfaces of my Cisco 2800 (ver 12.4(4)). I created a class-map to match the protocols of some known p2p apps, created a policy-map to drop the matched traffic and added the service policy to the interface. The problem is, when I run "show ip nbar protocol-discovery" eDonkey is not being blocked. Below is the relevant config:
class-map match-any p2p
 match protocol edonkey
 match protocol fasttrack
 match protocol gnutella
 match protocol kazaa2
 match protocol winmx
 match protocol novadigm
!
policy-map block-p2p
 class p2p
  drop
!
interface FastEthernet0/0
 no ip address
 ip access-group 150 in
 no ip redirects
 no ip unreachables
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 duplex auto
 speed auto
 no cdp enable
 service-policy input block-p2p
 service-policy output Voice
!
interface FastEthernet0/0.11
 description Local LAN
 encapsulation dot1Q 11
 ip address 10.1.X.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 no cdp enable
 service-policy input block-p2p
!
interface FastEthernet0/0.200
 description Local WAN
 encapsulation dot1Q 200
 ip address 10.1.YYY.5 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip ospf priority 0
 service-policy input block-p2p
Results of show policy-map int fa0/0.11
FastEthernet0/0.11

  Service-policy input: block-p2p

    Class-map: p2p (match-any)
      6155 packets, 395222 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol edonkey
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol fasttrack
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol gnutella
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol kazaa2
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol winmx
        6128 packets, 392940 bytes
        5 minute rate 0 bps
      Match: protocol novadigm
        27 packets, 2282 bytes
        5 minute rate 0 bps
      drop
Results of show ip nbar pro int fa0/0.11
FastEthernet0/0.11

                            Input                    Output
                            -----                    ------
   Protocol                 Packet Count             Packet Count
                            Byte Count               Byte Count
                            5min Bit Rate (bps)      5min Bit Rate (bps)
                            5min Max Bit Rate (bps)  5min Max Bit Rate (bps)
   ------------------------ ------------------------ ------------------------
   edonkey                  1842915                  1859275
                            1475234220               1874109161
                            0                        0
                            9654000                  14592000
   http                     1096487                  2265466
                            276457930                1728864847
                            33000                    81000
                            218000                   8664000
What am I missing?
Thanks
Paul
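The two outputs in the question disagree: protocol-discovery on fa0/0.11 counts millions of eDonkey packets, yet the policy-map hit counter for "Match: protocol edonkey" stays at zero. The script below is an added example (not from this thread or from Cisco) that automates exactly that comparison: it parses a "show policy-map interface" capture and a "show ip nbar protocol-discovery interface" capture and reports every protocol the class-map references that the policy never matched even though NBAR saw traffic for it. The sample captures are reconstructed from the question's own numbers (trimmed to three match lines) and are labelled as constructed; the parsing assumes the standard IOS column layout shown above.

```python
"""Diagnose NBAR-classified traffic that a service-policy never matches.

Added example: compares the hit counters of a policy-map against the
per-protocol counters from NBAR protocol-discovery on the same interface.
The two sample outputs are constructed from the question above, not live.
"""

import re

# Constructed: trimmed copy of "show policy-map interface fa0/0.11".
POLICY_MAP_OUTPUT = """\
FastEthernet0/0.11
  Service-policy input: block-p2p
    Class-map: p2p (match-any)
      6155 packets, 395222 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol edonkey
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol winmx
        6128 packets, 392940 bytes
        5 minute rate 0 bps
      Match: protocol novadigm
        27 packets, 2282 bytes
        5 minute rate 0 bps
      drop
"""

# Constructed: trimmed copy of "show ip nbar protocol-discovery interface
# fa0/0.11". Each protocol occupies four lines: packets, bytes, 5min rate,
# 5min max rate; only the first line carries the protocol name.
NBAR_DISCOVERY_OUTPUT = """\
FastEthernet0/0.11
                            Input                    Output
                            -----                    ------
   Protocol                 Packet Count             Packet Count
                            Byte Count               Byte Count
                            5min Bit Rate (bps)      5min Bit Rate (bps)
                            5min Max Bit Rate (bps)  5min Max Bit Rate (bps)
   ------------------------ ------------------------ ------------------------
   edonkey                  1842915                  1859275
                            1475234220               1874109161
                            0                        0
                            9654000                  14592000
   http                     1096487                  2265466
                            276457930                1728864847
                            33000                    81000
                            218000                   8664000
"""

MATCH_RE = re.compile(r"^\s*Match: protocol (\S+)\s*$")
PKTS_RE = re.compile(r"^\s*(\d+) packets, (\d+) bytes\s*$")
# Protocol names start with a letter, so byte-count continuation lines
# (two bare integers) never parse as a protocol row.
DISC_RE = re.compile(r"^\s*([a-z][a-z0-9_-]*)\s+(\d+)\s+(\d+)\s*$")


def parse_policy_matches(text):
    """Return {protocol: packets} for every 'Match: protocol X' line, taking
    the packet counter from the '<n> packets, <n> bytes' line that follows."""
    matches = {}
    pending = None
    for line in text.splitlines():
        m = MATCH_RE.match(line)
        if m:
            pending = m.group(1)
            continue
        p = PKTS_RE.match(line)
        if p and pending is not None:
            matches[pending] = int(p.group(1))
            pending = None
    return matches


def parse_discovery(text):
    """Return {protocol: (input_packets, output_packets)} from the first line
    of each four-line protocol block in protocol-discovery output."""
    counts = {}
    for line in text.splitlines():
        d = DISC_RE.match(line)
        if d:
            counts[d.group(1)] = (int(d.group(2)), int(d.group(3)))
    return counts


def unmatched_protocols(policy_text, discovery_text, min_packets=1):
    """Protocols referenced by the class-map whose policy hit count is zero
    although protocol-discovery on the same interface counted traffic."""
    hits = parse_policy_matches(policy_text)
    seen = parse_discovery(discovery_text)
    suspects = []
    for proto, pkts in hits.items():
        seen_in, seen_out = seen.get(proto, (0, 0))
        if pkts == 0 and seen_in + seen_out >= min_packets:
            suspects.append((proto, seen_in, seen_out))
    return sorted(suspects)


if __name__ == "__main__":
    for proto, i, o in unmatched_protocols(POLICY_MAP_OUTPUT, NBAR_DISCOVERY_OUTPUT):
        print(f"{proto}: discovery saw {i} in / {o} out packets, policy matched 0")
```

Run against the question's captures it flags only edonkey; winmx and novadigm are matched by the policy, and http is discovered but is not in the class-map, so it is not a suspect. A zero policy counter next to a large discovery counter is the signal that the classification used by the policy differs from the one protocol-discovery reports, which is where to focus the investigation rather than on the drop action itself.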
ASKER CERTIFIED SOLUTION
ASKER
Thanks, that resolved the issue.