[c-nsp] NBAR on 7600 - Internet Gateway

Aivars aivars at ml.lv
Sun Nov 20 12:17:40 EST 2005


Limiting P2P is a nasty business! You have to do L7 lookups to
really catch it. Just port filtering will not do the job. A 3500XL
can't do even that. We have spent a lot of time figuring out how to
do it the best way. There is no easy answer. You can do it on the edge
with smaller routers like 871, 18xx, 28xx or you will need a special
shaper box. Cisco has the SCE 1000 and SCE 2000 Service Control
Engines for that purpose (ex-Pcube or something like that). As far as I know it is planned to
have a module for 65xx/76xx which will do the same job. Another alternative
is Allot. These things will give you the ability to see in nice graphs
and limit or mark applications running through them. This fun is not
cheap.

Aivars

Sunday, November 20, 2005, 2:47:48 PM, you wrote:

KO> My 7609 has 4 OC3s worth of traffic, pushing the full table and receiving
KO> it. Now that the OC3s are almost always busy and we can't get a new one,
KO> we're looking at doing some limiting on P2P traffic. I wonder what's the best
KO> way to do this: should I list the ports I know (eMule, Ares, Kazaa,
KO> BearShare...) and put a policy-map on them, or is NBAR a better solution,
KO> and how about processing on the box?

KO> I wonder if it's advisable to do such configuration on this router or on the
KO> GigabitEthernet switch it's connected to, if it supports it:

KO> C3500XL Software (C3500XL-C3H2S-M), Version 12.0(5)XU, RELEASE SOFTWARE
KO> (fc1)
KO> _______________________________________________
KO> cisco-nsp mailing list  cisco-nsp at puck.nether.net
KO> https://puck.nether.net/mailman/listinfo/cisco-nsp
KO> archive at http://puck.nether.net/pipermail/cisco-nsp/
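To make the port-list versus NBAR distinction concrete, here is an added IOS configuration example (not from either poster, and not tested on the 7609 in question). It shows the two approaches side by side: a port-based ACL class that only matches the clients' default ports, and an NBAR class that matches the protocol signatures regardless of port. Interface names, the 10 Mbit/s police rate and the port numbers are assumptions for illustration; the port numbers are the applications' default listening ports and are exactly what a user can change in the client, which is why the ACL approach misses traffic. Whether NBAR and policing run in hardware or on the RP CPU depends on the 7600 line card and IOS release, so check the feature support for your modules before enabling it on a loaded box.

```cisco
! --- Approach 1: port-based classification (assumed default ports only) ---
! Misses any client that has been moved off its default port or that
! uses random/dynamic ports, and catches unrelated traffic on those ports.
ip access-list extended P2P-PORTS
 permit tcp any any eq 4662          ! eMule default TCP port (assumed)
 permit udp any any eq 4672          ! eMule default UDP port (assumed)
 permit tcp any any eq 1214          ! Kazaa/FastTrack default (assumed)
 permit tcp any any eq 6346          ! Gnutella default (assumed)
 permit tcp any any range 6881 6889  ! BitTorrent defaults (assumed)
!
class-map match-any P2P-BY-PORT
 match access-group name P2P-PORTS
!
! --- Approach 2: NBAR L7 classification (protocol signature, any port) ---
! Requires NBAR support on the ingress module and IOS image; enabling
! protocol-discovery first lets you see what NBAR actually recognises.
class-map match-any P2P-BY-NBAR
 match protocol edonkey
 match protocol fasttrack
 match protocol gnutella
 match protocol bittorrent
!
! One policy; swap the class to compare what each approach catches.
! 10 Mbit/s is an assumed ceiling, not a recommendation.
policy-map LIMIT-P2P
 class P2P-BY-NBAR
  police 10000000 conform-action transmit exceed-action drop
 class class-default
  fair-queue
!
! Apply inbound on the customer-facing interface (name assumed).
interface GigabitEthernet1/1
 ip nbar protocol-discovery
 service-policy input LIMIT-P2P
!
! Useful checks after applying:
!   show ip nbar protocol-discovery interface GigabitEthernet1/1
!   show policy-map interface GigabitEthernet1/1
```

The practical check is to run `show ip nbar protocol-discovery` for a while before policing anything: if the NBAR counters for the P2P protocols are much larger than what `P2P-BY-PORT` would match, that is the direct measurement of how much the port list misses. Also watch CPU on the box while protocol-discovery is enabled, since that answers the "processing on the box" question for your specific hardware rather than in general.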


