
NBAR not blocking on my Cisco routers?

cross6

Senior member
I'm trying to use NBAR to block gnutella and fasttrack networks. This is what I have on my router; it's part of an HSRP group. The same setup is on its HSRP partner.

However, when I load up a gnutella app it connects with no problem.


class-map match-all nbar
match protocol gnutella file-transfer "*"
match protocol fasttrack file-transfer "*"
!
!
policy-map killp2p
class nbar
drop
!
!
!
interface FastEthernet0/0
description PRIMARY HSRP INTERFACE
ip address 10.0.0.157 255.255.255.0
duplex auto
speed auto
standby 1 ip 10.0.0.21
standby 1 priority 110
standby 1 preempt
standby 1 track 100
standby 2 ip 10.0.0.211
standby 2 priority 95
standby 2 preempt
standby 2 track 100
service-policy input killp2p
 
Blocking P2P is fairly hard if you don't want to clamp your network down. Currently I have the following on my router and it helps, although from my testing I can still connect and d/l, just a lot slower.

class-map match-any p2p
match protocol fasttrack
match protocol gnutella
match protocol kazaa2
match protocol napster
match protocol http url "\.hash=*"
match protocol http url "/.hash=*"

policy-map block-p2p
class p2p
drop

interface FastEthernet0/0
ip nbar protocol-discovery
service-policy output block-p2p
 
Originally posted by: w0ss
Blocking P2P is fairly hard if you don't want to clamp your network down. Currently I have the following on my router and it helps, although from my testing I can still connect and d/l, just a lot slower.

class-map match-any p2p
match protocol fasttrack
match protocol gnutella
match protocol kazaa2
match protocol napster
match protocol http url "\.hash=*"
match protocol http url "/.hash=*"

policy-map block-p2p
class p2p
drop

interface FastEthernet0/0
ip nbar protocol-discovery
service-policy output block-p2p


hmmm thanks
 
Well then, is that router the HSRP active one? Applied the policy to both routers?

Enabled NBAR? Enabled NBAR on the interface? CEF enabled globally and on the interface?

You can verify all this stuff with "show ip interface".
 
Originally posted by: spidey07
Well then, is that router the HSRP active one? Applied the policy to both routers?

Enabled NBAR? Enabled NBAR on the interface? CEF enabled globally and on the interface?

You can verify all this stuff with "show ip interface".


This is what I have on my router; it's part of an HSRP group. The same setup is on its HSRP partner.
 
#show policy-map interface
FastEthernet0/0

Service-policy input: killp2p

Class-map: nbar (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: protocol gnutella file-transfer "*"
Match: protocol fasttrack file-transfer "*"
Match: protocol kazaa2 file-transfer "*"
Match: protocol http url "\.hash=*"
Match: protocol http url "/.hash=*"
drop

Class-map: class-default (match-any)
2482410 packets, 959344130 bytes
5 minute offered rate 59000 bps, drop rate 0 bps
Match: any
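As an added example (not a configuration posted by anyone in this thread), here is the same policy written so that the class can actually match. A class-map declared match-all only classifies a packet when every match line is true for that packet, and NBAR assigns a flow to one protocol, so a packet can never be gnutella and fasttrack and an HTTP URL match at once; the counters for such a class stay at 0 packets, which is what the show policy-map interface output above reports. With match-any, a packet matching any one of the listed protocols is dropped. The interface address and HSRP lines are taken from the original post; the class-map name p2p-block is my own choice, and the verification commands at the end are the standard IOS show commands the thread refers to.

```cisco
! Added example, not from the original thread.
! NBAR classification runs in the CEF switching path, so CEF must be on.
ip cef
!
! match-any: drop if the packet matches ANY of these lines.
! (match-all would require the same packet to match every line,
!  which never happens for mutually exclusive protocols, hence 0 packets.)
class-map match-any p2p-block
 match protocol gnutella
 match protocol fasttrack
 match protocol kazaa2
 match protocol http url "\.hash=*"
 match protocol http url "/.hash=*"
!
policy-map killp2p
 class p2p-block
  drop
!
interface FastEthernet0/0
 description PRIMARY HSRP INTERFACE
 ip address 10.0.0.157 255.255.255.0
 ! standby 1 / standby 2 lines unchanged from the original post
 ip nbar protocol-discovery
 ! Apply in both directions so the peers' replies are classified too.
 service-policy input killp2p
 service-policy output killp2p
!
! The same class-map, policy-map and service-policy lines must exist on
! the HSRP partner, otherwise traffic is unfiltered after a failover.
!
! Verification, after starting a P2P client behind the router:
!   show ip interface FastEthernet0/0          (CEF and policy state)
!   show policy-map interface FastEthernet0/0  (class counters should rise)
!   show ip nbar protocol-discovery interface FastEthernet0/0
```

If the p2p-block counters still read 0 packets after the change, the remaining checks are the ones already raised in this thread: whether the client traffic is actually crossing this router (the HSRP active one) and whether the policy is attached to the interface the traffic enters or leaves.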

 
#show ip cef summ
IP CEF with switching (Table Version 92), flags=0x0
80 routes, 0 reresolve, 0 unresolved (0 old, 0 new), peak 9
9 instant recursive resolutions, 0 used background process
80 leaves, 18 nodes, 30880 bytes, 102 inserts, 22 invalidations
0 load sharing elements, 0 bytes, 0 references
universal per-destination load sharing algorithm, id 591A3E79
3(0) CEF resets, 1 revisions of existing leaves
Resolution Timer: Exponential (currently 1s, peak 1s)
1 in-place/0 aborted modifications
refcounts: 5159 leaf, 4864 node

Table epoch: 0 (80 entries at this epoch)

Adjacency Table has 58 adjacencies
 
Originally posted by: Cooky
What does this line do??
match protocol http url "\.hash=*"

How did you come up w/ it??

Cisco used to have a document for configuring P2P blocking. The one listed should work; however, there was another that I used when I set it up. I searched but cannot seem to find it. I think it was to block some applications that try to tunnel P2P over HTTP.
 