Is your network bandwidth being consumed by Peer-to-Peer (P2P) traffic? (Hint: If you don't know, it's time to fire up NBAR and do a little investigating.) One way to stop P2P traffic is to use an access-list to block traffic on the well-known P2P ports. Unfortunately, many P2P technologies no longer rely on fixed ports, so you can't depend on access-lists to block the traffic. Cisco's NBAR (Network Based Application Recognition) uses packet inspection to determine which traffic class a data stream belongs to. With NBAR, it's no longer necessary to know what ports an application is using.
Stopping P2P traffic with Cisco NBAR is a simple three-step process. In the following example, we'll use NBAR to block BitTorrent on our router's Gigabit interface.

1. Create a class-map to match the protocols to be blocked.

    SLAP(config)#class-map match-any P2P
    SLAP(config-cmap)#match protocol bittorrent

2. Create a policy-map to specify what should be done with the traffic.

    SLAP(config)#policy-map P2P
    SLAP(config-pmap)#class P2P
    SLAP(config-pmap-c)#drop

3. Apply the policy to the user-facing (incoming) interface.

    SLAP(config)#interface GigabitEthernet 0/2
    SLAP(config-if)#service-policy input P2P
You can ensure the policy is working with the show policy-map command.

    SLAP#show policy-map interface g0/2 input
     GigabitEthernet0/2

      Service-policy input: P2P

        Class-map: P2P (match-any)
          994 packets, 327502 bytes
          30 second offered rate 43000 bps, drop rate 43000 bps
          Match: protocol bittorrent
            994 packets, 327502 bytes
            30 second rate 43000 bps
          drop

        Class-map: class-default (match-any)
          195253 packets, 51828774 bytes
          30 second offered rate 7282000 bps, drop rate 0 bps
          Match: any
In this example you can see that 43 Kbps of BitTorrent traffic was blocked, while 7.2 Mbps of non-BitTorrent traffic was untouched (this is the class-default at the bottom of the output).
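If you want to verify the policy from a script rather than by eye (say, from a cron job that polls the router over SSH), the counters in the output above are easy to parse. The following is an added example, not part of the original post: it parses a constructed copy of the show policy-map output shown above and checks that the P2P class carries a drop action and that its drop rate equals its offered rate.

```python
import re

# Constructed sample: the post's 'show policy-map interface' output, as IOS indents it.
SAMPLE_OUTPUT = """\
GigabitEthernet0/2
  Service-policy input: P2P
    Class-map: P2P (match-any)
      994 packets, 327502 bytes
      30 second offered rate 43000 bps, drop rate 43000 bps
      Match: protocol bittorrent
        994 packets, 327502 bytes
        30 second rate 43000 bps
      drop
    Class-map: class-default (match-any)
      195253 packets, 51828774 bytes
      30 second offered rate 7282000 bps, drop rate 0 bps
      Match: any
"""
CLASS_RE = re.compile(r"^\s*Class-map:\s+(\S+)\s+\(match-(?:any|all)\)")
COUNT_RE = re.compile(r"^\s*(\d+) packets, (\d+) bytes")
RATE_RE = re.compile(r"offered rate (\d+) bps, drop rate (\d+) bps")
MATCH_RE = re.compile(r"^\s*Match:\s+(.+?)\s*$")

def parse_policy_map(text):
    classes, cur = {}, None
    for line in text.splitlines():
        if m := CLASS_RE.match(line):          # start of a class-map block
            cur = {"packets": None, "bytes": None, "offered_bps": None,
                   "drop_bps": None, "matches": [], "action_drop": False}
            classes[m.group(1)] = cur
        elif cur is None:                      # interface / service-policy header
            continue
        elif (m := COUNT_RE.match(line)) and cur["packets"] is None:  # class total only
            cur["packets"], cur["bytes"] = int(m.group(1)), int(m.group(2))
        elif m := RATE_RE.search(line):
            cur["offered_bps"], cur["drop_bps"] = int(m.group(1)), int(m.group(2))
        elif m := MATCH_RE.match(line):
            cur["matches"].append(m.group(1))
        elif line.strip() == "drop":           # the policy-map's drop action
            cur["action_drop"] = True
    return classes

def check_drop_policy(classes, class_name="P2P"):
    """Pass only if the class exists, has a drop action and drops all it is offered."""
    cls = classes.get(class_name)
    if cls is None or not cls["action_drop"]:
        return False, "class-map %s missing or has no drop action" % class_name
    if cls["offered_bps"] != cls["drop_bps"]:
        return False, "offered %s bps but dropping %s bps" % (cls["offered_bps"], cls["drop_bps"])
    return True, "class-map %s dropping %s bps" % (class_name, cls["drop_bps"])
```

Feed it the live output and alert when check_drop_policy() returns False; a non-zero offered rate with a zero drop rate means BitTorrent is being recognised but the drop action is missing from the policy.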
Unfortunately, the drop command used in the policy-map above was not introduced until IOS 12.2(13)T. If you are using a version of IOS older than 12.2(13)T, you will need to follow a not-as-simple five-step process. This process relies on setting the DSCP (Differentiated Services Code Point) field in the incoming packets, and then dropping those packets on the outbound interface. In the following example, we'll block BitTorrent again, this time using the DSCP field.
1. Create a class-map to match the protocols to be blocked.

    OLDSLAP(config)#class-map match-any P2P
    OLDSLAP(config-cmap)#match protocol bittorrent

2. Create a policy-map to specify what should be done with the traffic.

    OLDSLAP(config)#policy-map P2P
    OLDSLAP(config-pmap)#class P2P
    OLDSLAP(config-pmap-c)#set ip dscp 1

3. Create an access-list to block packets with the DSCP field set to 1.

    OLDSLAP(config)#access-list 100 deny ip any any dscp 1
    OLDSLAP(config)#access-list 100 permit ip any any

4. Apply the policy to the user-facing (incoming) interface.

    OLDSLAP(config)#interface GigabitEthernet0/2
    OLDSLAP(config-if)#service-policy input P2P

5. Apply the blocking access-list to the outbound interface.

    OLDSLAP(config)#interface POS1/1
    OLDSLAP(config-if)#ip access-group 100 out
Congratulations, you've successfully blocked P2P traffic on your network. Now, bolt the door and be ready for the angry mob with torches and pitchforks.