Is your network bandwidth being consumed by Peer-to-Peer (P2P) traffic? (Hint: If you don’t know, it’s time to fire up NBAR and do a little investigating.) One way to stop P2P traffic is to use an access-list to block traffic on the well-known P2P ports. Unfortunately, many P2P technologies no longer rely on fixed ports, so you can’t depend on access-lists to block the traffic. Cisco’s NBAR uses packet inspection to determine which traffic class a data stream belongs to. With NBAR, it’s no longer necessary to know what ports an application is using.
Stopping P2P traffic with Cisco NBAR is a simple three-step process. In the following example, we’ll use NBAR to block BitTorrent on our router’s Gigabit interface.
- Create a class-map to match the protocols to be blocked.
  SLAP(config)#class-map match-any P2P
  SLAP(config-cmap)#match protocol bittorrent
- Create a policy-map to specify what should be done with the traffic.
  SLAP(config)#policy-map P2P
  SLAP(config-pmap)#class P2P
  SLAP(config-pmap-c)#drop
- Apply the policy to the user-facing (incoming) interface.
  SLAP(config)#interface GigabitEthernet 0/2
  SLAP(config-if)#service-policy input P2P
You can verify that the policy is working with the show policy-map interface command.
SLAP#show policy-map interface g0/2 input
 GigabitEthernet0/2
  Service-policy input: P2P
    Class-map: P2P (match-any)
      994 packets, 327502 bytes
      30 second offered rate 43000 bps, drop rate 43000 bps
      Match: protocol bittorrent
        994 packets, 327502 bytes
        30 second rate 43000 bps
      drop
    Class-map: class-default (match-any)
      195253 packets, 51828774 bytes
      30 second offered rate 7282000 bps, drop rate 0 bps
      Match: any
In this example you can see that 43 Kbps of BitTorrent traffic was dropped, while 7.2 Mbps of non-BitTorrent traffic was untouched (this is the class-default at the bottom of the output).
Unfortunately, the drop command used in the policy-map above was not introduced until IOS 12.2(13)T. If you are running a version of IOS older than 12.2(13)T, you will need to follow a less simple five-step process. This process relies on marking the DSCP field of the incoming packets, and then dropping those marked packets on the outbound interface. In the following example, we’ll block BitTorrent again, this time using the DSCP field.
- Create a class-map to match the protocols to be blocked.
  OLDSLAP(config)#class-map match-any P2P
  OLDSLAP(config-cmap)#match protocol bittorrent
- Create a policy-map to specify what should be done with the traffic (here, mark it with DSCP 1).
  OLDSLAP(config)#policy-map P2P
  OLDSLAP(config-pmap)#class P2P
  OLDSLAP(config-pmap-c)#set ip dscp 1
- Create an access-list to block packets with the DSCP field set to 1.
  OLDSLAP(config)#access-list 100 deny ip any any dscp 1
  OLDSLAP(config)#access-list 100 permit ip any any
- Apply the policy to the user-facing (incoming) interface.
  OLDSLAP(config)#interface GigabitEthernet 0/2
  OLDSLAP(config-if)#service-policy input P2P
- Apply the blocking access-list (100, the one defined above) to the outbound interface.
  OLDSLAP(config)#interface POS 1/1
  OLDSLAP(config-if)#ip access-group 100 out
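As an added sanity check (not part of the original post, and not a Cisco tool), here is a small Python linter that parses the class-map, policy-map, access-list and interface lines of a saved config and reports any reference to an object that was never defined. This matters for the five-step method because an ip access-group that names a nonexistent access-list permits all traffic on IOS, so a typo in the list number fails open. The sample config is constructed and deliberately applies access-list 109 where only 100 was defined.

```python
import re
from collections import defaultdict

# Constructed sample config (prompts stripped). It defines access-list 100
# but applies 109 on the outbound interface, so nothing would be blocked.
CONFIG = """\
class-map match-any P2P
 match protocol bittorrent
policy-map P2P
 class P2P
  set ip dscp 1
access-list 100 deny ip any any dscp 1
access-list 100 permit ip any any
interface GigabitEthernet 0/2
 service-policy input P2P
interface POS 1/1
 ip access-group 109 out
"""

def lint_qos_config(text):
    """Hypothetical helper: return a list of dangling references
    (class-map, policy-map or access-list used but never defined)."""
    defined = defaultdict(set)   # kind -> set of defined names
    refs = []                    # (kind, name, where it is referenced)
    context = None               # current policy-map / interface section
    for line in text.splitlines():
        s = line.strip()
        if not s:
            continue
        if m := re.match(r"class-map(?: match-\w+)? (\S+)", s):
            defined["class-map"].add(m.group(1)); context = None
        elif m := re.match(r"policy-map (\S+)", s):
            defined["policy-map"].add(m.group(1)); context = "policy-map"
        elif m := re.match(r"access-list (\d+) ", s):
            defined["access-list"].add(m.group(1)); context = None
        elif m := re.match(r"interface (.+)", s):
            context = "interface " + m.group(1)
        elif context == "policy-map" and (m := re.match(r"class (\S+)", s)):
            if m.group(1) != "class-default":   # built-in, never declared
                refs.append(("class-map", m.group(1), context))
        elif context and context.startswith("interface"):
            if m := re.match(r"service-policy (?:input|output) (\S+)", s):
                refs.append(("policy-map", m.group(1), context))
            elif m := re.match(r"ip access-group (\S+) (?:in|out)", s):
                refs.append(("access-list", m.group(1), context))
    return [f"{kind} {name} referenced in {where} is not defined"
            for kind, name, where in refs if name not in defined[kind]]

if __name__ == "__main__":
    for problem in lint_qos_config(CONFIG):
        print(problem)
```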
Congratulations, you’ve successfully blocked P2P traffic on your network. Now, bolt the door and be ready for the angry mob with torches and pitchforks.
October 30th, 2007 at 3:56 pm
Yes, it would be nice if the world was this simple. In practice those unblocked 7.2Mbps are very much bittorrent traffic.
October 31st, 2007 at 1:22 am
@ciscoguy - The unblocked traffic is obviously not all bittorrent. But, one thing that is definitely true is that enabling encryption in your bittorrent client will defeat NBAR.
Thanks for your comment.
May 22nd, 2008 at 4:40 am
Remember that stopping bittorrent also stops many unix and linux distributions, not at all a popular policy in some places nowadays, and increasingly so. I’ve fallen foul of blocking it myself; I had a very irate R+D dept and a livid teaching lab on the phone to me in minutes. Swiftly reversed “or my job in question” - from the top!
Better to keep a shifty eye on the individual workstations IMHO.
Walk tall, carry a big stick, BOFH tactics, fear and surprise, etc. etc.
Actually, ntop near the perimeter spills the beans on who’s up to what to a large degree, so random violence isn’t usually needed.