[nsp] Re: cisco nbar stuff

Nicholas R. Ianelli xtreme at erie.net
Tue Apr 8 16:27:44 EDT 2003


Me too. ISS had a detailed white paper in regards to these types of
apps, how they operate, known ports, ways to block them and how they get
around those blocks!

http://documents.iss.net/whitepapers/X-Force_P2P.pdf


Nick

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Joshua Smith
Sent: Tuesday, April 08, 2003 2:44 PM
To: Jim Dueltgen; cisco-nsp at puck.nether.net
Subject: [nsp] Re: cisco nbar stuff

i recall seeing something on this list or nanog about p2p apps
and how they will use alternate ports if the 'known' one that
they would originally use is unavailable/blocked/filtered

just some extra fodder for the fire...

Jim Dueltgen <jimd at lmi.net> wrote:
> Thanks Mark,
> 
> I'll try the OS upgrade and see if that helps.  I'm a little 
> chagrined that I let my more colorful map and policy names slip 
> through...twice.  So much for manual search and replace when one is 
> exhausted.  So, yes, in the actual config the class-map and 
> policy-map names all match and flow through to the appropriate places 
> and traffic is being identified and throttled, but still the T1 is 
> filling up and it's all now classified as "unknown."  What's strange 
> is that before applying the policy map the T1 was being filled with 
> recognized kazaa2 traffic.  I'll try the OS upgrade.  Thanks again.
> 
> - Jim
> 
> 
> At 7:18 PM +0200 4/8/03, Mark Pace Balzan wrote:
> >Jim,
> >
> >I did some playing around with nbar and 12.2(13)T, and here follows my
> >feedback.
> >As always, this is my opinion and experience, and I stand to be corrected:
> >
> >- You applied an input service policy 'operation-packet-freedom' to your
> >ethernet interface.
> >I liked the descriptive name, but should that not be your policy map name
> >'p2p-map' ?
> >
> >- When I tried to match and police kazaa2 traffic, I too was left with a lot
> >of unknown traffic. I have via other products determined that the unknown
> >traffic is indeed mainly kazaa2, which was not identified by NBAR.
> >
> >- The release notes for 12.2(13)T mention some issues related to nbar and
> >kazaa2 traffic classification. some of these issues seem to be addressed in
> >12.2(13)T2 or T3, but I haven't had time to try these.
> >
> >
> >just my two cents worth.  anyone else been working in this direction, and
> >care to share experiences ?
> >
> >
> >cheers
> >
> >
> >Mark
> >
> >
> >
> >
> >>  Message: 1
> >>  Date: Mon, 7 Apr 2003 19:32:23 -0700
> >>  From: Jim Dueltgen <jimd at lmi.net>
> >>  Subject: [nsp] NBAR unclassified traffic up as rate limiting is put in place?
> >>  To: cisco-nsp at puck.nether.net
> >>  Message-ID: <p05200f0fbab7e07b90c1@[66.117.131.84]>
> >>  Content-Type: text/plain; charset="us-ascii" ; format="flowed"
> >>
> >>  I'm playing around with NBAR on a 2620 running 12.2(13)T.  I'm
> >>  looking to bandwidth limit the use of those pesky P2P apps across
> >>  that T1.  I think I've got it implemented correctly as "sho ip nbar
> >>  protocol-discovery" clearly shows the kazaa2 and fasttrack (the two
> >>  targets of my class map) 5 minute bit rate fitting down into my
> >>  policy limits.  However, at the same time the 5 minute bit rate of
> >>  all of the "unknown" traffic has grown to fill all of the bandwidth
> >>  made available by policy limits.  The line is as saturated as ever.
> >>  Am I doing something wrong or are these programs getting around the
> >>  limits by being more clever than the PDLMs and NBAR?  Here's the
> >>  config (only the IP addresses have been changed to protect the
> >>  guilty):
> >>
> >>  class-map match-any p2p-class
> >>     match protocol kazaa2
> >>     match protocol fasttrack
> >>  !
> >>  policy-map p2p-map
> >>     class piggies
> >>      police cir 256000 bc 64000 be 128000
> >>        conform-action transmit
> >>        exceed-action drop
> >>  !
> >>  interface FastEthernet0/0
> >>    ip address 192.168.1.1 255.255.255.0
> >>    ip nbar protocol-discovery
> >>    speed 100
> >>    full-duplex
> >>    service-policy input operation-packet-freedom
> >>  !
> >>  interface Serial0/0
> >>    ip address 10.1.1.1 255.255.255.0
> >>    ip nbar protocol-discovery
> >>    no ip mroute-cache
> >>    service-policy input operation-packet-freedom
> >>
> >>  Here's the current nbar info:
> >>
> >>    FastEthernet0/0
> >>                               Input                    Output
> >>      Protocol                 Packet Count             Packet Count
> >>                               Byte Count               Byte Count
> >>                               5 minute bit rate (bps)  5 minute bit rate (bps)
> >>      ------------------------ ------------------------ ------------------------
> >>      kazaa2                   176182858                86919702
> >>                               146964916583             28358892324
> >>                               245000                   67000
> >>      fasttrack                37788209                 31714535
> >>                               33414399197              20906754867
> >>                               88000                    189000
> >>  [...]
> >>      unknown                  92213883                 164490587
> >>                               54345142378              167135533630
> >>                               1221000                  624000
> >>      Total                    353962553                343978552
> >>                               246496757983             274991876201
> >>                               1667000                  999000
> >>
> >>    Serial0/0
> >>                               Input                    Output
> >>      Protocol                 Packet Count             Packet Count
> >>                               Byte Count               Byte Count
> >>                               5 minute bit rate (bps)  5 minute bit rate (bps)
> >>      ------------------------ ------------------------ ------------------------
> >>      fasttrack                246486                   206601
> >>                               253777388                106718162
> >>                               207000                   65000
> >>      kazaa2                   170480                   383364
> >>                               42349405                 230400940
> >>                               66000                    185000
> >>  [...]
> >>      unknown                  852688                   748976
> >>                               516781526                692594208
> >>                               612000                   1206000
> >>      Total                    1391021                  1463846
> >>                               879547644                1092559828
> >>                               997000                   1561000
> >>
> >>  Anyone have any experience with this they can share?
> >>
> >>  Regards,
> >>
> >>  Jim Dueltgen
> >>  LMi.net
> >>
> >>  ------------------------------
> >>
> >>  Message: 2
> >>  Date: Mon, 7 Apr 2003 20:57:31 -0700
> >>  From: Jim Dueltgen <jimd at lmi.net>
> >>  Subject: [nsp] NBAR unclassified traffic [follow up]
> >>  To: cisco-nsp at puck.nether.net
> >>  Message-ID: <p05200f10bab7f8753328@[66.117.131.84]>
> >>  Content-Type: text/plain; charset="us-ascii" ; format="flowed"
> >>
> >>  Typo in my config example under policy-map fixed here:
> >>
> >>  class-map match-any p2p-class
> >>     match protocol kazaa2
> >>     match protocol fasttrack
> >>  !
> >>  policy-map p2p-map
> >>     class p2p-class
> >>      police cir 256000 bc 64000 be 128000
> >>        conform-action transmit
> >>        exceed-action drop
> >>  !
> >>  interface FastEthernet0/0
> >>    ip address 192.168.1.1 255.255.255.0
> >>    ip nbar protocol-discovery
> >>    speed 100
> >>    full-duplex
> >>    service-policy input operation-packet-freedom
> >>  !
> >>  interface Serial0/0
> >>    ip address 10.1.1.1 255.255.255.0
> >>    ip nbar protocol-discovery
> >>    no ip mroute-cache
> >>    service-policy input operation-packet-freedom
> >>
> >>  Tried to make the config more generic looking and wound up making it
> >>  look like I didn't know what the heck I'm doing.  That may still be
> >>  the case but at least it's due to something other than a typo now.
> >>
> >>  - Jim
> >
> >_______________________________________________
> >cisco-nsp mailing list  cisco-nsp at puck.nether.net
> >http://puck.nether.net/mailman/listinfo/cisco-nsp
> >archive at http://puck.nether.net/pipermail/cisco-nsp/
> 



"Walk with me through the Universe,
 And along the way see how all of us are Connected.
 Feast the eyes of your Soul,
 On the Love that abounds.
 In all places at once, seemingly endless,
 Like your own existence."
     - Stephen Hawking -


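The "sho ip nbar protocol-discovery" listings quoted above are the evidence behind the whole discussion, so here is an added example (not from any poster in the thread) that parses that output format and reports how much of the 5-minute bit rate NBAR left as "unknown" next to the bit rate of the protocols the class-map actually matched. The sample block is a constructed excerpt built from the Serial0/0 figures posted above; the function and variable names are my own.

```python
"""Added example (not from the thread): parse 'show ip nbar protocol-discovery'
output and measure how much of the 5-minute bit rate NBAR left unclassified."""
import re

# Constructed excerpt modelled on the Serial0/0 block posted in the thread.
SAMPLE = """\
  Serial0/0
    ------------------------ ------------------------ ------------------------
    fasttrack                246486                   206601
                             253777388                106718162
                             207000                   65000
    kazaa2                   170480                   383364
                             42349405                 230400940
                             66000                    185000
    unknown                  852688                   748976
                             516781526                692594208
                             612000                   1206000
    Total                    1391021                  1463846
                             879547644                1092559828
                             997000                   1561000
"""
# A data row is an optional protocol name followed by an Input and an Output value.
ROW = re.compile(r"^\s*(\S+)?\s+(\d+)\s+(\d+)\s*$")

def parse_discovery(text):
    """Return {protocol: {"in": (pkts, bytes, bps), "out": (pkts, bytes, bps)}}."""
    stats, proto, rows = {}, None, []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue                      # headers, rulers, interface names
        name, a, b = m.groups()
        if name:                          # first row of a protocol carries its name
            proto, rows = name, []
        if proto is None:
            continue                      # stray numeric row before any protocol
        rows.append((int(a), int(b)))
        if len(rows) == 3:                # packets, bytes, bps all collected
            stats[proto] = {"in": tuple(r[0] for r in rows),
                            "out": tuple(r[1] for r in rows)}
            proto, rows = None, []
    return stats

def unknown_share(stats, direction):
    """Fraction of the 5-minute bit rate that NBAR could not classify."""
    return stats["unknown"][direction][2] / stats["Total"][direction][2]

def classified_bps(stats, direction, protos=("kazaa2", "fasttrack")):
    """Summed 5-minute bit rate of the protocols the class-map matched."""
    return sum(stats[p][direction][2] for p in protos if p in stats)
```

Run against successive samples of the same interface, a rising unknown_share while classified_bps sits at or below the police cir is the symptom Jim describes, and is the number worth trending before concluding that the PDLM is missing the traffic.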