Roger Perkin

Network Automation Architect

Block P2P traffic on Cisco router

This short blog post shows you how to block peer to peer traffic on a cisco router.

This example is based on a Cisco 1801 ADSL router but will work equally well on any device running the correct image.

We will be using NBAR to identify the p2p traffic.

Before you can configure NBAR you must enable CEF

conf t

Router(config)#ip cef

For this example I am running adventerprisek9-mz.124-24.T3.bin

First  you need to create a class-map

Router{config)#class-map match-any p2p
match protocol edonkey
match protocol fasttrack
match protocol gnutella
match protocol kazaa2
match protocol winmx
match protocol skype
match protocol cuseeme
match protocol novadigm
match protocol ssh
match protocol irc

Next you need to create a policy-map to define what you want to do with the identified traffic. In this case drop.

Router(config)#policy-map P2P-DROP
class p2p
drop

Then finally you need to apply the policy to an Interface – in this case it will be Dialler 1

Router(config)#int Dialer1

service-policy input P2P-DROP

You can verify correct operation of  the policy by trying to connect a P2P client out through the device and chekcing the policy. In this example I tried some SSH

Router#sh policy-map int Dialer1
Dialer1

Service-policy input: P2P-DROP

Class-map: p2p (match-any)
32 packets, 1388 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: protocol edonkey
0 packets, 0 bytes
5 minute rate 0 bps
Match: protocol fasttrack
0 packets, 0 bytes
5 minute rate 0 bps
Match: protocol gnutella
0 packets, 0 bytes
5 minute rate 0 bps
Match: protocol kazaa2
0 packets, 0 bytes
5 minute rate 0 bps
Match: protocol winmx
0 packets, 0 bytes
5 minute rate 0 bps
Match: protocol skype
0 packets, 0 bytes
5 minute rate 0 bps
Match: protocol cuseeme
0 packets, 0 bytes
5 minute rate 0 bps
Match: protocol novadigm
0 packets, 0 bytes
5 minute rate 0 bps
Match: protocol ssh
14 packets, 594 bytes 14 packets of SSH were blocked
5 minute rate 0 bps
Match: protocol irc
0 packets, 0 bytes
5 minute rate 0 bps
drop

Class-map: class-default (match-any)
10716 packets, 8020763 bytes
5 minute offered rate 3000 bps, drop rate 0 bps
Match: any
Router#

To see all protocols being discovered by nbar run the following command.

Router#sh ip nbar protocol-discovery

Have fun!


Category: Tag: , ,
ansible course for network engineers
Get Access to my Ansible Course NOW