[c-nsp] Blocking Peer-to-peer with a 7200
Justin M. Streiner
streiner at cluebyfour.org
Thu Mar 31 14:18:16 EDT 2011
On Thu, 31 Mar 2011, Olav Langeland wrote:
> On 30.03.2011 14:59, opslists at rhemasound.org wrote:
>> I am trying to block peer-to-peer from a hotel using a Cisco 7200. Has
>> anyone else had success doing this? If so what config do you use, and
>> what IOS version.
>> I just finished getting nowhere with TAC on a case for a different
>> location, our test PC doing Linux ISO downloads never got touched even
>> though the counters were showing blocked traffic.
>>
>> Thanks.
> Have a look at Cisco NBAR
> (http://www.cisco.com/en/US/products/ps6616/products_ios_protocol_group_home.html).
> "Mission critical applications including ERP and workforce optimization
> applications can be intelligently identified and classified using Network
> Based Application Recognition ( NBAR ). Once these mission critical
> applications are classified they can be guaranteed a minimum amount of
> bandwidth, policy routed, and marked for preferential treatment. Non-critical
> applications including Internet gaming applications and MP3 file sharing
> applications can also be classified using NBAR and marked for best effort
> service, policed, or blocked as required."
The last time I looked at NBAR, it did a decent job of catching some of
the more well-defined stuff, but I don't know if I'd throw it at P2P
traffic being tunneled over HTTP because that's going to be a
constantly moving target. You could probably also create a policy that
permits known services and does best-effort on everything else, but
keeping that policy up to date could get very resource-intensive on your
ops staff. Another thing to watch out for is that NBAR can get
resource-intensive on the router as the traffic levels increase.
jms
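For readers unfamiliar with how an NBAR class/policy is actually expressed, here is a minimal IOS fragment of the two approaches discussed above (drop the P2P protocols NBAR recognises, or permit known services and police everything else). This is an added illustration, not configuration posted by anyone in the thread; the interface name, the class and policy names, the protocol list and the police rate are assumptions chosen for the example, and the verification commands at the end are the ones to run before concluding the policy works.

```cisco
! Added illustration, not configuration from the thread. Interface name,
! class/policy names, protocol list and police rate are assumptions.
!
! Enable protocol discovery on the guest-facing interface first so that
! "show ip nbar protocol-discovery" shows what the classifier actually sees.
! This confirms the test traffic is being recognised at all before any
! action is tied to it.
interface GigabitEthernet0/1
 description Hotel guest LAN (assumed interface)
 ip nbar protocol-discovery
!
! Option 1: classify the P2P protocols NBAR knows about and drop them.
class-map match-any P2P-KNOWN
 match protocol bittorrent
 match protocol edonkey
 match protocol gnutella
 match protocol fasttrack
!
policy-map GUEST-INBOUND
 class P2P-KNOWN
  drop
 class class-default
  ! all other traffic is forwarded unchanged
!
! Option 2: permit a list of known services and police everything else to
! a small best-effort rate, so new or HTTP-tunneled clients do not have to
! be chased individually. The cost is that the KNOWN-SERVICES list must be
! maintained as the guests' legitimate needs change.
class-map match-any KNOWN-SERVICES
 match protocol http
 match protocol secure-http
 match protocol dns
 match protocol smtp
 match protocol pop3
 match protocol imap
!
policy-map GUEST-INBOUND-WHITELIST
 class KNOWN-SERVICES
  ! no action: forwarded normally
 class class-default
  police 256000 conform-action transmit exceed-action drop
!
! Attach one of the two policies inbound on the guest interface
! (swap in GUEST-INBOUND-WHITELIST for option 2).
interface GigabitEthernet0/1
 service-policy input GUEST-INBOUND
!
! Verification. The per-class packet counters should move while the test
! download is running. If the class counts but the download is unaffected,
! check that the policy is attached in the direction the flow actually
! enters the router, and that the interface is the one the guests use.
! show ip nbar protocol-discovery interface GigabitEthernet0/1
! show policy-map interface GigabitEthernet0/1 input
```

Only one of the two service-policy attachments can be active on the interface at a time; the `drop` action must be the only action in its class, and the police rate in the second option is a placeholder to be sized to the uplink.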