[c-nsp] NBAR on 7600 - Internet Gateway
Palis Michael
security at cytanet.com.cy
Thu Dec 1 01:16:37 EST 2005
NBAR is done in software in Cisco 7600. Cisco told us that they are going to
release a plane that will handle NBAR in hardware in the near future fot the
Cisco 7600. We try it on the C7600 but with just 50Mgw, CPU goes to 50%.
In order to limit p2p we are doing NBAR and classification on 7500 and then
policing on the 7600 since there are other QOS limitations on C7600. This
solution works pretty well but it need continuously monitoring since a
slight change in traffic patterns affects policing.
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Aivars
Sent: Sunday, November 20, 2005 7:18 PM
To: Kim Onnel
Cc: Cisco List 2 (E-mail)
Subject: Re: [c-nsp] NBAR on 7600 - Internet Gateway
Limiting P2P is a nasty business! You have to make L7 lookups to
really catch it out. Just port filtering will not do the job. 3500XL
can't to even that. We have spent a lot of time figuring out how to
do it the best way. There is no easy answer. You can do it on the edge
with smaller routers like 871, 18xx, 28xx or you will need a special
shaper box. Cisco has SCE 1000 and Cisco SCE 2000 Service Control
Engines for that purpose (ex Pcube or something like that). As far as I know
it is planned to
have a module for 65xx/76xx witch will do he same job. Another alternative
is Allot. These things will give you an ability to see in nice graphs
and limit or mark applications running through it. This fun is not
cheap.
Aivars
Sunday, November 20, 2005, 2:47:48 PM, you wrote:
KO> My 7609 has 4 OC3s worth of traffic, pushing the full table and
receiving
KO> it, now that the OC3s are almost always busy and we cant get a new one,
KO> we're looking at doing some limiting on p2p traffic, i wonder whats the
best
KO> way to do this, should i list the ports i know (emule, ares, kazaa,
KO> bearshare...) and put a police-map to do it or is NBAR a better
solution,
KO> how about processing on the box ?
KO> I wonder if its advised to do such configurations on this router or on
the
KO> GigaEther switch its connected to: if it supports it
KO> C3500XL Software (C3500XL-C3H2S-M), Version 12.0(5)XU, RELEASE SOFTWARE
KO> (fc1)
KO> _______________________________________________
KO> cisco-nsp mailing list cisco-nsp at puck.nether.net
KO> https://puck.nether.net/mailman/listinfo/cisco-nsp
KO> archive at http://puck.nether.net/pipermail/cisco-nsp/
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
More information about the cisco-nsp
mailing list