Controlling Peer-to-Peer (P2P) Traffic with Cisco NBAR

Is your network bandwidth being consumed by Peer-to-Peer (P2P) traffic? (Hint: If you don't know, it's time to fire up NBAR and do a little investigating.) One way to stop P2P traffic is to use an access-list to block traffic on the well-know P2P ports. Unfortunately, many P2P technologies no longer rely on fixed ports. This means you can't depend on access-lists being able to block the traffic. Cisco's <acronym title="Network Based Application Recognition">NBAR</acronym> users packet inspection to determine what traffic class a data stream belongs to. With NBAR, it's no longer necessary to know what ports an application is using.

Stopping P2P traffic with Cisco NBAR is a simple three step process. In the following example, we'll use NBAR to block BitTorrent on our router's Gigabit interface.

  1. Create a class-map to match the protocols to be blocked.

    block SLAP(config)#class-map match-any P2P SLAP(config-cmap)#match protocol bittorrent

  2. Create a policy-map to specify what should be done with the traffic.

    block SLAP(config)#policy-map P2P SLAP(config-pmap)#class P2P SLAP(config-pmap-c)#drop

  3. Apply the policy to the user-facing (incoming) interface.

    block SLAP(config)#interface GigabitEthernet 0/2 SLAP(config-if)#service-policy input P2P

You can ensure the policy is working with the show policy-map command.

SLAP#show policy-map interface g0/2 input
 GigabitEthernet0/2

  Service-policy input: P2P

    Class-map: P2P (match-any)
      994 packets, 327502 bytes
      30 second offered rate 43000 bps, drop rate 43000 bps
      Match: protocol bittorrent
        994 packets, 327502 bytes
        30 second rate 43000 bps
      drop

    Class-map: class-default (match-any)
      195253 packets, 51828774 bytes
      30 second offered rate 7282000 bps, drop rate 0 bps
      Match: any

In this example you can see that 43Kbps of BitTorrent traffic was blocked. 7.2Mbps of non-BitTorrent traffic was untouched (this is the class-default at the bottom of the output).

Unfortunately, the drop command used in the policy-map above was not introduced until IOS 12.2(13)T. If you are using a version of IOS older than 12.2(13)T, you will need to follow a not-as-simple five step process. This process relies on setting the <acronym title="Differentiated Services Code Point">DSCP</acronym> field in the incoming packets, and then dropping those packets on the outbound interface. In the following example, we'll block BitTorrent again, this time using the DSCP field.

  1. Create a class-map to match the protocols to be blocked.

    block OLDSLAP(config)#class-map match-any P2P OLDSLAP(config-cmap)#match protocol bittorrent

  2. Create a policy-map to specify what should be done with the traffic.

    block OLDSLAP(config)#policy-map P2P OLDSLAP(config-pmap)#class P2P OLDSLAP(config-pmap-c)#set ip dscp 1

  3. Create an access-list to block packets with the DSCP field set to 1.

    block OLDSLAP(config)#access-list 100 deny ip any any dscp 1 OLDSLAP(config)#access-list 100 permit ip any any

  4. Apply the policy to the user-facing (incoming) interface.

    block OLDSLAP(config)#interface GigabitEthernet0/2 OLDSLAP(config-if)#service-policy input P2P

  5. Apply the blocking access-list to the outbound interface.

    block OLDSLAP(config)#interface POS1/1 OLDSLAP(config-if)#ip access-group 100 out

Congratulations, you've successfully blocked P2P traffic on your network. Now, bolt the door and be ready for the angry mob with torches and pitchforks.

My Bookshelf

Reading Now

Other Stuff