Is your network bandwidth being consumed by Peer-to-Peer (P2P) traffic? (Hint: If you don't know, it's time to fire up NBAR and do a little investigating.) One way to stop P2P traffic is to use an access-list to block traffic on the well-known P2P ports. Unfortunately, many P2P technologies no longer rely on fixed ports, so you can't depend on access-lists to block the traffic. Cisco's NBAR uses packet inspection to determine which traffic class a data stream belongs to. With NBAR, it's no longer necessary to know what ports an application is using.
Stopping P2P traffic with Cisco NBAR is a simple three-step process. In the following example, we'll use NBAR to block BitTorrent on our router's Gigabit interface.
- Create a class-map to match the protocols to be blocked.
SLAP(config)#class-map match-any P2P
SLAP(config-cmap)#match protocol bittorrent
- Create a policy-map to specify what should be done with the traffic.
SLAP(config)#policy-map P2P
SLAP(config-pmap)#class P2P
SLAP(config-pmap-c)#drop
- Apply the policy to the user-facing (incoming) interface.
SLAP(config)#interface GigabitEthernet 0/2
SLAP(config-if)#service-policy input P2P
You can confirm that the policy is working with the show policy-map interface command.
SLAP#show policy-map interface g0/2 input
 GigabitEthernet0/2

  Service-policy input: P2P

    Class-map: P2P (match-any)
      994 packets, 327502 bytes
      30 second offered rate 43000 bps, drop rate 43000 bps
      Match: protocol bittorrent
        994 packets, 327502 bytes
        30 second rate 43000 bps
      drop

    Class-map: class-default (match-any)
      195253 packets, 51828774 bytes
      30 second offered rate 7282000 bps, drop rate 0 bps
      Match: any
In this example you can see that 43Kbps of BitTorrent traffic was blocked, while 7.2Mbps of non-BitTorrent traffic was untouched (this is the class-default at the bottom of the output).
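Reading those counters by eye is fine for one class, but the thing you actually want to check is that the offered rate and the drop rate of the P2P class agree and that the class really carries a drop action. The script below is an added example (it is not part of the original article or of Cisco's software): it parses the text of show policy-map interface ... input into per-class counters and flags a class that matches traffic without dropping it. It embeds the author's listing above as its first sample and a second, constructed listing (not from the page) in which the class has no action under it.

```python
import re
from dataclasses import dataclass, field

# The author's own "show policy-map interface g0/2 input" listing from the article.
SAMPLE_OUTPUT = """\
GigabitEthernet0/2
  Service-policy input: P2P
    Class-map: P2P (match-any)
      994 packets, 327502 bytes
      30 second offered rate 43000 bps, drop rate 43000 bps
      Match: protocol bittorrent
        994 packets, 327502 bytes
        30 second rate 43000 bps
      drop
    Class-map: class-default (match-any)
      195253 packets, 51828774 bytes
      30 second offered rate 7282000 bps, drop rate 0 bps
      Match: any
"""

# Constructed listing (not from the page): the class counts BitTorrent but has
# no action under it, so the drop rate stays at 0 bps.
BROKEN_OUTPUT = """\
FastEthernet0/0
  Service-policy input: P2P
    Class-map: P2P (match-any)
      47474 packets, 7558033 bytes
      30 second offered rate 43000 bps, drop rate 0 bps
      Match: protocol bittorrent
        47434 packets, 7544545 bytes
        30 second rate 43000 bps
    Class-map: class-default (match-any)
      1000 packets, 100000 bytes
      30 second offered rate 8000 bps, drop rate 0 bps
      Match: any
"""


@dataclass
class ClassStats:
    name: str
    packets: int = 0
    bytes: int = 0
    offered_bps: int = 0
    drop_bps: int = 0
    actions: list = field(default_factory=list)  # drop, police, set ...


CLASS_RE = re.compile(r"^Class-map:\s+(\S+)")
COUNT_RE = re.compile(r"^(\d+) packets, (\d+) bytes")
CLASS_RATE_RE = re.compile(r"offered rate (\d+) bps, drop rate (\d+) bps")
MATCH_RATE_RE = re.compile(r"^\d+ (?:second|minute) rate \d+ bps")


def parse_policy_output(text):
    """Turn the show output into one ClassStats per class-map, in order."""
    classes, current, in_match = [], None, False
    for raw in text.splitlines():
        line = raw.strip()  # indentation is not relied on; pasted output often loses it
        if not line:
            continue
        m = CLASS_RE.match(line)
        if m:
            current = ClassStats(name=m.group(1))
            classes.append(current)
            in_match = False
            continue
        if current is None or line.startswith("Service-policy"):
            continue  # interface name and Service-policy header lines
        if line.startswith("Match:"):
            in_match = True  # counters that follow belong to this match criterion
            continue
        m = CLASS_RATE_RE.search(line)
        if m:
            current.offered_bps, current.drop_bps = int(m.group(1)), int(m.group(2))
            continue
        m = COUNT_RE.match(line)
        if m:
            if not in_match:  # the first counter block is the class total
                current.packets, current.bytes = int(m.group(1)), int(m.group(2))
            continue
        if MATCH_RATE_RE.match(line):
            continue  # per-match rate line, nothing new to record
        current.actions.append(line)  # whatever is left is an action line
        in_match = False
    return classes


def audit(classes, expected_action="drop"):
    """Map class name -> finding for each non-default class that is not fully dropping."""
    findings = {}
    for c in classes:
        if c.name == "class-default":
            continue
        if expected_action not in c.actions:
            findings[c.name] = "no '%s' action attached to the class" % expected_action
        elif c.offered_bps > c.drop_bps:
            findings[c.name] = "only %d of %d bps dropped" % (c.drop_bps, c.offered_bps)
        elif c.packets == 0:
            findings[c.name] = "never matched a packet; check interface and direction"
    return findings


if __name__ == "__main__":
    for text in (SAMPLE_OUTPUT, BROKEN_OUTPUT):
        classes = parse_policy_output(text)
        for c in classes:
            print("%-14s offered %8d bps, dropped %8d bps, actions %s"
                  % (c.name, c.offered_bps, c.drop_bps, c.actions))
        print("findings:", audit(classes) or "none")
```

The parser deliberately ignores indentation, because output pasted into a ticket or a forum post usually arrives flattened; it relies instead on the order of lines under each Class-map. A class that matches packets but reports no finding here is doing what the article says; a class with a finding is the situation to look at before blaming NBAR.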
Unfortunately, the drop command used in the policy-map above was not introduced until IOS 12.2(13)T. If you are using a version of IOS older than 12.2(13)T, you will need to follow a not-as-simple five-step process. This process relies on setting the DSCP field in the incoming packets and then dropping those packets on the outbound interface. In the following example, we'll block BitTorrent again, this time using the DSCP field.
- Create a class-map to match the protocols to be blocked.
OLDSLAP(config)#class-map match-any P2P
OLDSLAP(config-cmap)#match protocol bittorrent
- Create a policy-map to specify what should be done with the traffic.
OLDSLAP(config)#policy-map P2P
OLDSLAP(config-pmap)#class P2P
OLDSLAP(config-pmap-c)#set ip dscp 1
- Create an access-list to block packets with the DSCP field set to 1.
OLDSLAP(config)#access-list 100 deny ip any any dscp 1
OLDSLAP(config)#access-list 100 permit ip any any
- Apply the policy to the user-facing (incoming) interface.
OLDSLAP(config)#interface GigabitEthernet0/2
OLDSLAP(config-if)#service-policy input P2P
- Apply the blocking access-list to the outbound interface.
OLDSLAP(config)#interface POS1/1
OLDSLAP(config-if)#ip access-group 100 out
Congratulations, you've successfully blocked P2P traffic on your network. Now, bolt the door and be ready for the angry mob with torches and pitchforks.
Yes, it would be nice if the world was this simple. In practice those unblocked 7.2Mbps are very much bittorrent traffic.
@ciscoguy - The unblocked traffic is obviously not all bittorrent. But, one thing that is definitely true is that enabling encryption in your bittorrent client will defeat NBAR.
Thanks for your comment.
Remember that stopping bittorrent also stops many unix and linux distributions, not at all a popular policy in some places nowadays, and increasingly so. I've fallen foul of blocking it myself; I had a very irate R+D dept and a livid teaching lab on the phone to me in minutes. Swiftly reversed "or my job in question" - from the top!
Better to keep a shifty eye on the individual workstations IMHO.
Walk tall, carry a big stick, BOFH tactics, fear and surprise etc etc.
Actually, ntop near the perimeter spills the beans on who's up to what to a large degree, so random violence isn't usually needed :)
How about encrypted bittorrent traffic?
Encrypted BitTorrent traffic can not be examined with deep packet inspection, so it is safe from NBAR-based traffic shaping. If the traffic uses the "default" BitTorrent ports, then it can be shaped using normal methods.
Since BitTorrent does not use required ports, it's somewhat rare to find users using the "default" ports. Most savvy users will use random ports and encryption to avoid detection.
It did not work for me.
you play good ppl
You can always do the reverse:
1)define as much traffic as possible.
- create an "important" traffic group for traffic like http/https, pop3/s-pop3, smtp/s-smtp, ssh --> set high prior, define bandwidth (percent, *bytes), like:
- create "less important", like ftp --> set "normal" prior, define bandwidth (percent, *bytes) etc
2) then assume that everything else is "just unimportant" :), so-> lowest prior, low %/*bytes of bandwidth....
This way you will always have enough bandwidth to deliver important/business traffic.
Don't forget to do regular "top-ten" statistics to see what's going on in your net :)
I had the same problem with bittorrent. NBAR is just "too old" for this, can properly match only a small part of BT traffic.
Shouldn't:
OLDSLAP(config)#interface POS 1/1
OLDSLAP(config-if)#ip access-group 109 out
Actually be:
OLDSLAP(config)#interface POS 1/1
OLDSLAP(config-if)#ip access-group 100 out
@Shaun -
Definitely! Thanks for finding that.
My pleasure Scott,
I also tried the above to stop torrents but it didn't work.
The policy sees the torrent traffic but it's not dropping the packets.
I also tried CCP to configure the firewall at medium security. This blocked the torrents but also stopped access to various websites including hotmail and facebook, which I found strange as there is no webblocker installed. As soon as I removed the firewall setting these sites were accessible again.
System is a 2811 using c2800nm-advipservicesk9-mz.124-9.T7.bin
Here is my class map:
class-map match-any P2P
 match protocol bittorrent
 match protocol edonkey
 match protocol gnutella
 match protocol fasttrack
 match protocol kazaa2
 match protocol winmx
 match protocol directconnect
 match protocol gopher
 match protocol napster
Here is the policy
policy-map P2P
 class P2P
  drop
On the interface connected to the internal network I have:
service-policy input P2P
Below is a partial output:
Router#sh policy-map interface fa 0/0 input
 FastEthernet0/0

  Service-policy input: P2P

    Class-map: P2P (match-any)
      47474 packets, 7558033 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol bittorrent
        47434 packets, 7544545 bytes
        5 minute rate 0 bps
Can anyone suggest what's wrong please?
I would hate to be on a network that an IT Nazi decides to block even legit traffic that is legit, because he/she is on some nutty power trip. All P2P traffic is not bad, as the content can be of legit purposes.
No doubt about it, Mr. Hater.
Unfortunately, not everyone works in an environment where they are allowed to make the decisions on this sort of thing. The good news is that the same technology that can be used to drop traffic can also be used to limit the speed of traffic.
Look at it this way Mr Hater,
Let's say you're paying $15k per month, yes that's 15,000 dollars each and every month for your internet connection, and that's only a 2mb pipe. Would you want your employees hogging all that bandwidth by downloading warez, most of which are illegal? Or would you want to stop that so you can continue with legitimate business needs?
Scott,
Did you get the configs you requested ?
Regards
No, I'm afraid I never received them.
Why not just use IOS firewall and
ip inspect name iosfirewall http
ip inspect name iosfirewall https
etc etc.
Know of any good research articles on utp? Seems it's in the process of being standardized. Just wanted to see if you have any information on controlling this protocol.
http://www.utorrent.com/documentation/utp
hi ..
Shaun , I think you should use service policy for input and output for the nat outside interface .
Shaun,
Did you ever figure out what the issue was with it seeing the bittorrent traffic but not dropping it?
TAMER, what are your thoughts on your post from Nov 18th? Can you go into more detail as I am having the same issue as Shaun had.
Thanks,
It's simple.
Shaun uses "service-policy input P2P" on the interface of the internal network, so it will never drop the downloads from internal hosts.
He may use "service-policy input P2P" and "service-policy output P2P" on the interface facing the internet or the interface facing the internal network.
Great article.
However, following the exact steps written here, it didn't work basically at all for me.
Yes, first I turned bittorrent encryption off to be fair, but even so only a tiny fraction of the traffic was recognized and dropped. What I did in fact was assign the "service-policy input P2P" command to the internet facing interface, instead of the internal one as you suggested. It quickly stopped the traffic successfully.
Of course, as I turned protocol encryption on, the download started to work again immediately.
Strange, but after a couple of times starting and stopping the download, while playing with the encryption enable/disable option, finally the download was not blocked even with encryption disabled. Not a really rock-solid feature :)
The main problem we have is Megaupload, at this moment, with about 300 users in our ISP...we cannot contain the traffic jam....they're taking our HTTP bandwidth for piracy!...
Some ideas?
Thanks
Morocousa!
Actually we have the same sentiments about p2p but I have a suggestion. I use port blocking since my network was congested with p2p downloading, so I use port blocking on a Cisco (Linksys router) E2000. I block the port range from 1000-65535, then I tested it and successfully closed the p2p ports, but my problem is how can I configure my Cisco 1941 router using port blocking. Thank you for your time and reply.
We have the same problem with torrents in the network, but for me I blocked the torrents using a Linksys E2000 by blocking the port range from 1000-65535, but my problem is how to block a port range using a CISCO 1941 router. Thank you for the reply...