
by | 24 July 2009

Controlling Peer-to-Peer (P2P) Traffic with Cisco NBAR
by Scott Hebert

Is your network bandwidth being consumed by Peer-to-Peer (P2P) traffic? (Hint: If you don’t know, it’s time to fire up NBAR and do a little investigating.) One way to stop P2P traffic is to use an access-list to block traffic on the well-known P2P ports. Unfortunately, many P2P technologies no longer rely on fixed ports, so you can’t depend on access-lists being able to block the traffic. Cisco’s NBAR uses packet inspection to determine which traffic class a data stream belongs to. With NBAR, it’s no longer necessary to know what ports an application is using.

Stopping P2P traffic with Cisco NBAR is a simple three-step process. In the following example, we’ll use NBAR to block BitTorrent on our router’s Gigabit interface.

1. Create a class-map to match the protocols to be blocked.

   SLAP(config)#class-map match-any P2P
   SLAP(config-cmap)#match protocol bittorrent

2. Create a policy-map to specify what should be done with the traffic.

   SLAP(config)#policy-map P2P
   SLAP(config-pmap)#class P2P
   SLAP(config-pmap-c)#drop

3. Apply the policy to the user-facing (incoming) interface.

   SLAP(config)#interface GigabitEthernet 0/2
   SLAP(config-if)#service-policy input P2P

You can ensure the policy is working with the show policy-map interface command.

SLAP#show policy-map interface g0/2 input
 GigabitEthernet0/2

  Service-policy input: P2P

    Class-map: P2P (match-any)
      994 packets, 327502 bytes
      30 second offered rate 43000 bps, drop rate 43000 bps
      Match: protocol bittorrent
        994 packets, 327502 bytes
        30 second rate 43000 bps
      drop

    Class-map: class-default (match-any)
      195253 packets, 51828774 bytes
      30 second offered rate 7282000 bps, drop rate 0 bps
      Match: any

In this example you can see that 43 Kbps of BitTorrent traffic was blocked, while 7.2 Mbps of non-BitTorrent traffic was untouched (this is the class-default at the bottom of the output).
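As an added example that is not part of the original post, the following Python script parses output in the shape of the show policy-map interface listing above and flags the two things worth checking after applying the policy: that the P2P class actually carries a drop action, and that its drop rate equals its offered rate while class-default drops nothing. The sample output is constructed from the figures in the post (re-typed with IOS-style indentation); the "leaking" variant, the function names and the ClassStats structure are my own and are not part of any Cisco tool.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the "show policy-map interface g0/2 input" output from
# the post, re-typed with IOS-style indentation so the parser can run offline.
SAMPLE_OUTPUT = """\
 GigabitEthernet0/2

  Service-policy input: P2P

    Class-map: P2P (match-any)
      994 packets, 327502 bytes
      30 second offered rate 43000 bps, drop rate 43000 bps
      Match: protocol bittorrent
        994 packets, 327502 bytes
        30 second rate 43000 bps
      drop

    Class-map: class-default (match-any)
      195253 packets, 51828774 bytes
      30 second offered rate 7282000 bps, drop rate 0 bps
      Match: any
"""

# Constructed variant of the same output in which the class still matches
# BitTorrent but no longer drops it (as if the drop action had been removed).
LEAKING_OUTPUT = SAMPLE_OUTPUT.replace(
    "drop rate 43000 bps", "drop rate 0 bps").replace("\n      drop\n", "\n")

POLICY_RE = re.compile(r"^\s*Service-policy (input|output):\s+(\S+)")
CLASS_RE = re.compile(r"^\s*Class-map:\s+(\S+)\s+\((match-any|match-all)\)")
COUNT_RE = re.compile(r"^\s*(\d+) packets, (\d+) bytes")
RATE_RE = re.compile(r"^\s*30 second offered rate (\d+) bps, drop rate (\d+) bps")
MATCH_RE = re.compile(r"^\s*Match:\s+(.+?)\s*$")


@dataclass
class ClassStats:
    """Counters for one class inside a service-policy (hypothetical structure)."""
    name: str
    packets: int = 0
    byte_count: int = 0
    offered_bps: int = 0
    drop_bps: int = 0
    matches: list = field(default_factory=list)   # "Match:" statements seen
    actions: list = field(default_factory=list)   # actions seen, e.g. "drop"


def parse_policy_map(text):
    """Parse 'show policy-map interface' output.

    Returns (direction, policy_name, {class_name: ClassStats}).
    """
    direction = policy = None
    classes = {}
    current = None
    have_class_total = False
    for line in text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            direction, policy = m.group(1), m.group(2)
            continue
        m = CLASS_RE.match(line)
        if m:
            current = ClassStats(name=m.group(1))
            classes[current.name] = current
            have_class_total = False
            continue
        if current is None:
            continue
        m = COUNT_RE.match(line)
        if m:
            # The first "N packets, N bytes" line after a Class-map header is the
            # class total; later ones belong to individual Match statements.
            if not have_class_total:
                current.packets, current.byte_count = int(m.group(1)), int(m.group(2))
                have_class_total = True
            continue
        m = RATE_RE.match(line)
        if m:
            current.offered_bps, current.drop_bps = int(m.group(1)), int(m.group(2))
            continue
        m = MATCH_RE.match(line)
        if m:
            current.matches.append(m.group(1))
            continue
        if line.strip() == "drop":
            current.actions.append("drop")
    return direction, policy, classes


def check_p2p_policy(text, p2p_class="P2P"):
    """Return a list of findings; an empty list means the drop policy looks healthy."""
    direction, policy, classes = parse_policy_map(text)
    if policy is None:
        return ["no service-policy found in output"]
    p2p = classes.get(p2p_class)
    if p2p is None:
        return [f"class {p2p_class} not present in policy {policy} ({direction})"]
    findings = []
    if "drop" not in p2p.actions:
        findings.append(f"class {p2p_class} has no drop action")
    if p2p.packets and p2p.drop_bps != p2p.offered_bps:
        findings.append(f"class {p2p_class}: offered {p2p.offered_bps} bps "
                        f"but dropping only {p2p.drop_bps} bps")
    default = classes.get("class-default")
    if default is not None and default.drop_bps:
        findings.append(f"class-default is dropping {default.drop_bps} bps of other traffic")
    return findings


if __name__ == "__main__":
    for label, output in (("healthy", SAMPLE_OUTPUT), ("leaking", LEAKING_OUTPUT)):
        print(label, check_p2p_policy(output) or "OK")
```

Run as-is it reports the post's output as healthy and the leaking variant with two findings. To use it against a real router, capture the command output (for example over SSH) and pass the text to check_p2p_policy; the check only understands the drop-based policy from the first procedure, not the DSCP-marking variant.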

Unfortunately, the drop command used in the policy-map above was not introduced until IOS 12.2(13)T. If you are using a version of IOS older than 12.2(13)T, you will need to follow a not-as-simple five-step process. This process relies on setting the DSCP field in the incoming packets, and then dropping those packets on the outbound interface. Because the access-list matches on the DSCP value alone, any packet that arrives already marked with that value will be dropped on the outbound interface as well, so choose a value nothing else on your network uses. In the following example, we’ll block BitTorrent again, this time using the DSCP field.

1. Create a class-map to match the protocols to be blocked.

   OLDSLAP(config)#class-map match-any P2P
   OLDSLAP(config-cmap)#match protocol bittorrent

2. Create a policy-map to specify what should be done with the traffic.

   OLDSLAP(config)#policy-map P2P
   OLDSLAP(config-pmap)#class P2P
   OLDSLAP(config-pmap-c)#set ip dscp 1

3. Create an access-list to block packets with the DSCP field set to 1.

   OLDSLAP(config)#access-list 100 deny ip any any dscp 1
   OLDSLAP(config)#access-list 100 permit ip any any

4. Apply the policy to the user-facing (incoming) interface.

   OLDSLAP(config)#interface GigabitEthernet0/2
   OLDSLAP(config-if)#service-policy input P2P

5. Apply the blocking access-list to the outbound interface.

   OLDSLAP(config)#interface POS1/1
   OLDSLAP(config-if)#ip access-group 100 out

Congratulations, you’ve successfully blocked P2P traffic on your network. Now, bolt the door and be ready for the angry mob with torches and pitchforks.