Here is an example of how to block BitTorrent and other P2P applications using Network-Based Application Recognition (NBAR) on a Cisco router.
Procedure:
1. Enable Cisco Express Forwarding (CEF). NBAR depends on CEF, so P2P traffic cannot be blocked while CEF is disabled.
Service-Router#configure terminal
Service-Router(config)#ip cef
2. Create a class map named BLOCKED-P2P (the policy map in step 5 refers to this name, so it must match exactly)
Service-Router(config)#class-map match-any BLOCKED-P2P
3. Enter the protocols to be blocked. Here are some examples; the full list of protocol names comes from the PDLM files loaded on the router.
Service-Router(config-cmap)#match protocol bittorrent
Service-Router(config-cmap)#match protocol kazaa2
Service-Router(config-cmap)#match protocol gnutella
Service-Router(config-cmap)#exit
4. Create a policy map named QOS-BLOCKED-P2P-POLICY
Service-Router(config)#policy-map QOS-BLOCKED-P2P-POLICY
5. Reference the class map from within this policy map
Service-Router(config-pmap)#class BLOCKED-P2P
6. To drop all traffic that matches the listed protocols, enter the command 'drop'
Service-Router(config-pmap-c)#drop
or, if you only want to rate-limit the traffic, enter the command 'police'; traffic within the committed rate (here 8000 bps) is forwarded and anything above it is dropped
Service-Router(config-pmap-c)#police cir 8000
Service-Router(config-pmap-c-police)#conform-action transmit
Service-Router(config-pmap-c-police)#exceed-action drop
Service-Router(config-pmap-c-police)#exit
Service-Router(config-pmap-c)#exit
Service-Router(config-pmap)#exit
7. Enter the interface where your LAN is connected (FastEthernet0/1 in this example) and enable NBAR protocol discovery
Service-Router(config)#interface FastEthernet0/1
Service-Router(config-if)#ip nbar protocol-discovery
then apply the policy map inbound on this interface,
Service-Router(config-if)#service-policy input QOS-BLOCKED-P2P-POLICY
Service-Router(config-if)#end
Check your configuration.
To display the packet statistics of all classes configured for all service policies on the specified interface or sub-interface, or on a specific permanent virtual circuit (PVC) on the interface, use the show policy-map interface command in privileged EXEC mode:
Service-Router#show policy-map interface fastEthernet 0/1
For the policy map configuration,
Service-Router#show running-config policy-map
For the class map configuration,
Service-Router#show running-config class-map
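As an added example (not from the original post), here is a small Python check that parses the class-map, policy-map and interface sections of a saved running-config and reports the wiring mistakes this kind of setup typically suffers: CEF disabled, a policy-map that refers to a class-map name that does not exist (a typo such as BLOCK-P2P versus BLOCKED-P2P), a class-map with no match protocol line, a policy-map never applied to an interface, or an interface that applies the policy without protocol discovery. The running-config text embedded in it is constructed, not captured from a router, and the function names are this example's own.

```python
import re
from typing import Dict, List

# Constructed sample of 'show running-config' output (not captured from a router).
# It reproduces the sections the procedure above builds, with a deliberate
# class-map name mismatch (BLOCK-P2P vs BLOCKED-P2P) for the check to catch.
SAMPLE_RUNNING_CONFIG = """\
!
ip cef
!
class-map match-any BLOCK-P2P
 match protocol bittorrent
 match protocol kazaa2
 match protocol gnutella
!
policy-map QOS-BLOCKED-P2P-POLICY
 class BLOCKED-P2P
  drop
!
interface FastEthernet0/1
 ip address 192.0.2.1 255.255.255.0
 ip nbar protocol-discovery
 service-policy input QOS-BLOCKED-P2P-POLICY
!
"""

SECTION_RE = re.compile(r"(class-map|policy-map|interface)\s+(?:match-(?:any|all)\s+)?(\S+)")


def parse_sections(config: str) -> Dict[str, Dict[str, List[str]]]:
    """Group the indented child lines of every class-map, policy-map and
    interface block, keyed by block kind and then by block name."""
    sections: Dict[str, Dict[str, List[str]]] = {"class-map": {}, "policy-map": {}, "interface": {}}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None            # '!' separators end a block
            continue
        if not raw.startswith(" "):   # a top-level command starts a new block (or none)
            m = SECTION_RE.match(raw)
            current = sections[m.group(1)].setdefault(m.group(2), []) if m else None
            continue
        if current is not None:
            current.append(raw.strip())
    return sections


def check_p2p_policy(config: str) -> List[str]:
    """Return the problems found; an empty list means the policy is wired up end to end."""
    problems: List[str] = []
    if not re.search(r"^ip cef\b", config, re.M):
        problems.append("CEF is disabled ('ip cef' missing); NBAR cannot classify without it")
    sections = parse_sections(config)
    # 1. every class referenced inside a policy-map must exist as a class-map
    for pname, plines in sections["policy-map"].items():
        for line in plines:
            m = re.match(r"class\s+(\S+)$", line)
            if m and m.group(1) != "class-default" and m.group(1) not in sections["class-map"]:
                problems.append(f"policy-map {pname} references undefined class-map {m.group(1)}")
    # 2. a class-map that matches nothing blocks nothing
    for cname, clines in sections["class-map"].items():
        if not any(l.startswith("match protocol ") for l in clines):
            problems.append(f"class-map {cname} has no 'match protocol' statements")
    # 3. the policy must be applied on an interface; the procedure also enables
    #    protocol-discovery there so the per-protocol counters can be read back
    applied: Dict[str, List[str]] = {}
    for iname, ilines in sections["interface"].items():
        for line in ilines:
            m = re.match(r"service-policy\s+(input|output)\s+(\S+)$", line)
            if m:
                applied.setdefault(m.group(2), []).append(iname)
                if "ip nbar protocol-discovery" not in ilines:
                    problems.append(f"interface {iname} applies {m.group(2)} without 'ip nbar protocol-discovery'")
    for pname in sections["policy-map"]:
        if pname not in applied:
            problems.append(f"policy-map {pname} is not applied to any interface")
    return problems


if __name__ == "__main__":
    for problem in check_p2p_policy(SAMPLE_RUNNING_CONFIG) or ["no problems found"]:
        print(problem)
```

Run it against the output of show running-config saved to a file; on the constructed sample it reports only the undefined class-map BLOCKED-P2P, and once the class-map is renamed it reports nothing. The check is deliberately strict about the class name because a mismatched name silently leaves the policy with an empty class, which drops nothing.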
Blocking Gnutella with the Custom PDLM
[source: cisco.com]
Let's look at an example of how to use the Custom PDLM. We use Gnutella as the traffic we want to classify and then apply a QoS policy that blocks this traffic.
Gnutella uses six well-known TCP ports - 6346, 6347, 6348, 6349, 6355, and 5634. Other ports may be detected as Pongs are received. If users specify other ports for use in Gnutella file sharing, you can add these ports to your custom match protocol statement.
Here are the steps to create a QoS service policy that matches on and drops Gnutella traffic.
Use the "show ip nbar unclassified-port-stats" command to view the traffic NBAR could not classify. If your network is carrying Gnutella traffic, you will see output similar to the following.
Port    Proto    # of Packets
------- -------- -------
6346    tcp      347679
27005   udp      55043
Use the ip nbar port-map custom command to define a custom port-map that matches on the Gnutella ports.
ip nbar port-map custom-02 tcp 5634 6346 6347 6348 6349 6355
Note: Currently, you must use a name such as custom-xx. User-defined names for custom PDLMs will be supported in an upcoming release of Cisco IOS Software.
Use the show ip nbar protocol stats command to confirm matches to the custom statement.
2620# show ip nbar protocol stats byte-count
FastEthernet0/0
                          Input        Output
Protocol                  Byte Count   Byte Count
------------------------------------------------
custom-02                 43880517     52101266
Create a QoS service policy using the commands of the modular QoS CLI (MQC).
d11-5-7206-16(config)# class-map gnutella
d11-5-7206-16(config-cmap)# match protocol custom-02
d11-5-7206-16(config-cmap)# exit
d11-5-7206-16(config)# policy-map sample
d11-5-7206-16(config-pmap)# class gnutella
d11-5-7206-16(config-pmap-c)# police 1000000 31250 31250 conform-action drop exceed-action drop violate-action drop
Note: BitTorrent clients use TCP ports 6881 to 6889 by default.
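As an added example, not from the original post or from Cisco, the following Python script ties the unclassified-port-stats step and the custom port-map step together: it parses the show ip nbar unclassified-port-stats table, attributes each row to the well-known ports this post lists (the six Gnutella TCP ports and BitTorrent's default TCP 6881 to 6889), and emits the ip nbar port-map custom-NN commands, busiest application first. It goes a little beyond the Gnutella case above by handling several applications in one pass. The show output embedded in it is constructed (the 6881 row was added to exercise the BitTorrent case), and starting the numbering at custom-02 is simply a choice made here.

```python
import re
from typing import Dict, List, Tuple

Row = Tuple[int, str, int]  # (port, protocol, packet count)

# Well-known P2P ports stated in the text above: Gnutella's six TCP ports and
# the BitTorrent client default range TCP 6881-6889. Extend as needed.
KNOWN_P2P_PORTS: Dict[str, Dict[str, set]] = {
    "gnutella": {"tcp": {5634, 6346, 6347, 6348, 6349, 6355}},
    "bittorrent": {"tcp": set(range(6881, 6890))},
}

# Constructed sample of 'show ip nbar unclassified-port-stats' output, modelled
# on the table shown above; the 6881 row is added to exercise the BitTorrent case.
SAMPLE_UNCLASSIFIED = """\
Port    Proto    # of Packets
------- -------- -------
6346    tcp      347679
6881    tcp      120044
27005   udp      55043
"""


def parse_unclassified(output: str) -> List[Row]:
    """Extract (port, proto, packets) rows; header and separator lines are skipped."""
    rows: List[Row] = []
    for line in output.splitlines():
        m = re.match(r"\s*(\d+)\s+(tcp|udp)\s+(\d+)\s*$", line, re.I)
        if m:
            rows.append((int(m.group(1)), m.group(2).lower(), int(m.group(3))))
    return rows


def attribute_rows(rows: List[Row]) -> Tuple[Dict[str, int], List[Row]]:
    """Sum packets per P2P application whose well-known port a row uses.

    Returns (packets_per_app, rows_that_matched_no_known_application)."""
    per_app: Dict[str, int] = {}
    leftover: List[Row] = []
    for port, proto, packets in rows:
        matched = [app for app, ports in KNOWN_P2P_PORTS.items()
                   if port in ports.get(proto, set())]
        if not matched:
            leftover.append((port, proto, packets))
            continue
        for app in matched:
            per_app[app] = per_app.get(app, 0) + packets
    return per_app, leftover


def build_port_map_commands(per_app: Dict[str, int], first_index: int = 2) -> List[str]:
    """One 'ip nbar port-map custom-NN' per detected application, busiest first.

    The full well-known port list is emitted (as the text does for Gnutella),
    not only the ports seen so far, so sessions on sibling ports are caught too.
    """
    cmds: List[str] = []
    idx = first_index
    for app in sorted(per_app, key=per_app.get, reverse=True):
        for proto, ports in KNOWN_P2P_PORTS[app].items():
            port_list = " ".join(str(p) for p in sorted(ports))
            cmds.append(f"ip nbar port-map custom-{idx:02d} {proto} {port_list}")
            idx += 1
    return cmds


def port_maps_from_show_output(output: str) -> List[str]:
    """Convenience wrapper: show output in, port-map commands out."""
    per_app, _ = attribute_rows(parse_unclassified(output))
    return build_port_map_commands(per_app)


if __name__ == "__main__":
    for cmd in port_maps_from_show_output(SAMPLE_UNCLASSIFIED):
        print(cmd)
```

Each emitted custom-NN name is then used in a class map exactly as in the example above (match protocol custom-02). The rows returned as leftover (here the UDP 27005 entry) are worth reviewing by hand, since a custom port-map only classifies by port: clients moved to non-default ports will keep showing up in unclassified-port-stats rather than in the custom protocol counters, which is the case the text covers by adding those ports to the custom match statement.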
PDLM Functionality
A PDLM is a separate file available on Cisco.com. A PDLM is used to add support for a protocol that is currently not available as part of the Cisco IOS software.
A PDLM extends the list of protocols that NBAR can recognize. PDLMs also allow NBAR to recognize new protocols without requiring you to install a new Cisco IOS image or reconfigure your router.
New PDLMs are released by Cisco only and can be loaded from flash memory. Contact your local Cisco representative to request additions or changes to the set of protocols classified by NBAR.
To view a list of currently available PDLMs, go to the following URL: