This short blog post shows you how to block peer-to-peer (P2P) traffic on a Cisco router.
This example is based on a Cisco 1801 ADSL router running adventerprisek9-mz.124-24.T3.bin, but it will work equally well on any device running an IOS image that includes NBAR.
We will be using NBAR (Network Based Application Recognition) to identify the P2P traffic. NBAR classifies flows from packet-inspection signatures, so it only catches the protocols it has signatures for; P2P clients that encrypt or obfuscate their protocol will get past it.
Before you can configure NBAR you must enable CEF:
Router#conf t
Router(config)#ip cef
First you need to create a class-map. The class is called p2p, but note that the list below is broader than the name suggests.
Router(config)#class-map match-any p2p
match protocol edonkey
match protocol fasttrack
match protocol gnutella
match protocol kazaa2
match protocol winmx
match protocol skype
match protocol cuseeme
match protocol novadigm
match protocol ssh
match protocol irc
ssh, irc, cuseeme and novadigm are not peer-to-peer protocols; ssh is only in here so that the policy can be tested easily (see the check further down). Take them out before using this on a real network unless you actually intend to block them, and consider adding match protocol bittorrent, which this IOS release also recognises and which is the obvious P2P protocol missing from the list.
Next you need to create a policy-map to define what you want to do with the identified traffic; in this case, drop it.
Router(config)#policy-map P2P-DROP
class p2p
drop
Then finally you need to apply the policy to an interface, in this case Dialer1:
Router(config)#int Dialer1
Router(config-if)#service-policy input P2P-DROP
Note the direction: input on Dialer1 inspects packets arriving from the ISP, so for a session started by a client on your LAN it is the replies that get dropped. That is enough to break the session, but the outbound half still leaves your line. If you want to stop that too, apply the same policy output on Dialer1 or input on the LAN-facing interface as well.
You can verify correct operation of the policy by trying to connect a P2P client out through the device and checking the policy counters. In this example I tried some SSH.
Router#sh policy-map int Dialer1
 Dialer1

  Service-policy input: P2P-DROP

    Class-map: p2p (match-any)
      32 packets, 1388 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol edonkey
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol fasttrack
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol gnutella
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol kazaa2
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol winmx
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol skype
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol cuseeme
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol novadigm
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol ssh
        14 packets, 594 bytes
        5 minute rate 0 bps
      Match: protocol irc
        0 packets, 0 bytes
        5 minute rate 0 bps
      drop

    Class-map: class-default (match-any)
      10716 packets, 8020763 bytes
      5 minute offered rate 3000 bps, drop rate 0 bps
      Match: any
Router#
The 14 packets under Match: protocol ssh are the SSH test session being blocked.
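Reading that output by eye is fine for one interface, but if you roll this out to several routers you will want something that pulls the per-protocol drop counters out and tells you when the policy is dropping something that is not really P2P (such as the ssh entry above). The following is an added example of mine, not part of the original post: a small parser for the show policy-map interface output that returns the counters per class and per match, and a check against an assumed list of the genuinely P2P entries (INTENDED_P2P is my assumption, not something from the post). The sample text is the post's own output trimmed to a few of the match lines.

```python
import re
from typing import Dict

# "show policy-map interface Dialer1" output from the post, trimmed to a few
# of the match lines so the example stays short; the counters are the post's.
SAMPLE = """\
 Dialer1

  Service-policy input: P2P-DROP

    Class-map: p2p (match-any)
      32 packets, 1388 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol edonkey
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol gnutella
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol ssh
        14 packets, 594 bytes
        5 minute rate 0 bps
      Match: protocol irc
        0 packets, 0 bytes
        5 minute rate 0 bps
      drop

    Class-map: class-default (match-any)
      10716 packets, 8020763 bytes
      5 minute offered rate 3000 bps, drop rate 0 bps
      Match: any
"""

# Assumption for this example: the entries of the post's class-map that are
# really peer-to-peer applications. ssh, irc, cuseeme and novadigm are not,
# so packets dropped under those matches deserve a second look.
INTENDED_P2P = {"edonkey", "fasttrack", "gnutella", "kazaa2", "winmx", "skype"}

POLICY_RE = re.compile(r"^\s*Service-policy\s+(input|output):\s+(\S+)")
CLASS_RE = re.compile(r"^\s*Class-map:\s+(\S+)\s+\((match-any|match-all)\)")
MATCH_RE = re.compile(r"^\s*Match:\s+(.+?)\s*$")
COUNT_RE = re.compile(r"^\s*(\d+)\s+packets,\s+(\d+)\s+bytes")
ACTION_RE = re.compile(r"^\s*(drop)\s*$")


def parse_policy_map(text: str) -> dict:
    """Turn the show output into
    {policy: {"direction": str, "classes": {name: {packets, bytes, matches, actions}}}}.
    A 'N packets, M bytes' line belongs to whichever Class-map: or Match: line
    came just before it, which is how the IOS output nests its counters."""
    policies: dict = {}
    policy = cls = pending = None
    for line in text.splitlines():
        if m := POLICY_RE.match(line):
            policy = {"direction": m.group(1), "classes": {}}
            policies[m.group(2)] = policy
            cls = None
        elif (m := CLASS_RE.match(line)) and policy is not None:
            cls = {"mode": m.group(2), "packets": 0, "bytes": 0,
                   "matches": {}, "actions": []}
            policy["classes"][m.group(1)] = cls
            pending = ("class", None)
        elif cls is None:
            continue
        elif m := MATCH_RE.match(line):
            cls["matches"][m.group(1)] = {"packets": 0, "bytes": 0}
            pending = ("match", m.group(1))
        elif (m := COUNT_RE.match(line)) and pending is not None:
            counters = {"packets": int(m.group(1)), "bytes": int(m.group(2))}
            kind, name = pending
            if kind == "class":
                cls.update(counters)
            else:
                cls["matches"][name] = counters
            pending = None
        elif m := ACTION_RE.match(line):
            cls["actions"].append(m.group(1))
    return policies


def dropped_by_protocol(policies: dict) -> Dict[str, int]:
    """Packets counted against each 'protocol X' match inside a class whose
    action is drop: the traffic the policy has actually blocked so far."""
    hits: Dict[str, int] = {}
    for policy in policies.values():
        for cls in policy["classes"].values():
            if "drop" not in cls["actions"]:
                continue
            for name, counters in cls["matches"].items():
                if name.startswith("protocol ") and counters["packets"]:
                    proto = name.split(maxsplit=1)[1]
                    hits[proto] = hits.get(proto, 0) + counters["packets"]
    return hits


def unexpected_drops(policies: dict, intended=INTENDED_P2P) -> Dict[str, int]:
    """Dropped protocols that are not on the intended list, so a class-map that
    is quietly blocking ssh or irc stands out instead of being buried in the output."""
    return {p: n for p, n in dropped_by_protocol(policies).items()
            if p not in intended}


if __name__ == "__main__":
    parsed = parse_policy_map(SAMPLE)
    print("dropped:", dropped_by_protocol(parsed))
    print("dropped but not on the P2P list:", unexpected_drops(parsed))
```

Feed it the full output of show policy-map interface from each router (over SSH or from a saved capture) and alert on anything unexpected_drops returns; on the post's example it flags the 14 ssh packets, which is exactly the case where the class-map is doing more than its name says.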
To see every protocol NBAR is classifying on an interface, first enable protocol discovery on that interface (ip nbar protocol-discovery in interface configuration mode) and then run the following command. It is also the quickest way to find out what your users are actually running before you decide what to put in the class-map.
Router#sh ip nbar protocol-discovery
Have fun!