I know that what we will talk about today is mainly a firewall's job. Normally there is no reason to use the router to block certain traffic, but sometimes we face problems that force us to do so.

Today we will block peer-to-peer protocols on a Cisco router. To do this we will use a Cisco-developed feature that classifies traffic flows and recognizes a wide range of applications, including web and client/server applications, in packets passing through routers and switches: Network Based Application Recognition (NBAR).

1. First of all, we have to enable Cisco Express Forwarding (CEF), without which we cannot block the P2P protocols. To do this we write the following command


After that we need to create a class-map that identifies which protocols we will block. We call it BLOCKED-P2P and then add the protocols to be blocked.

NetworkSet(config)# class-map match-any BLOCKED-P2P
match protocol edonkey
match protocol irc
match protocol Napigator
match protocol Blubster
match protocol Piolet
match protocol RocketItNet
match protocol Overnet
match protocol Grokster
match protocol iMesh
match protocol Kazaa
match protocol Morpheus
match protocol Bitcoin
match protocol Alt-Coins
match protocol Ares Galaxy
match protocol Warez P2P
match protocol NeoModus Direct Connect
match protocol fasttrack
match protocol gnutella
match protocol kazaa2
match protocol winmx
match protocol skype
match protocol cuseeme
match protocol novadigm
match protocol ssh
match protocol Aimster
match protocol Applejuice
match protocol Filetopia
match protocol Freenet
match protocol GnucleusLAN
match protocol GoBoogy
match protocol KuGoo
match protocol MUTE
match protocol Soribada
match protocol Soulseek
match protocol Xunlei
match protocol BitTorrent

Explanation: You may find that some of these protocols are not yet supported by the operating system running on the router or switch that will do the blocking, but most of them certainly are. Note that blocking these protocols consumes a lot of RAM.

We will then create a policy-map or an access-list to define the action taken on matched P2P traffic. To choose between them, we need to be clear that the drop action in a policy-map is not available in IOS 12.2(13)T or earlier.


Alternatively, use an access-list by typing the following commands

NetworkSet(config)# access-list 189 deny ip any any P2P-DROP
NetworkSet(config)# access-list 189 permit ip any any

4. Then enter the interface on which we will apply the policy-map and type the following commands

NetworkSet(config)# interface FastEthernet0/0
NetworkSet(config-if)# service-policy input P2P-DROP

Or enter the same interface and type the following command to apply the access-list.

NetworkSet(config)# interface FastEthernet0/0
NetworkSet(config-if)# ip access-group 189 out

To verify that the configuration we have applied is correct, we type the following command

NetworkSet# show policy-map interface f0/0
 FastEthernet0/0

  Service-policy input: P2P-DROP

    Class-map: BLOCKED-P2P (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol edonkey
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol irc
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol kazaa2
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol fasttrack
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol gnutella
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol winmx
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol skype
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol cuseeme
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol novadigm
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol ssh
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol bittorrent
        0 packets, 0 bytes
        5 minute rate 0 bps
      drop

    Class-map: class-default (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
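The counters above are what tell you whether the policy is actually catching anything. As an added example (not from the original post), this Python script parses output in the show policy-map interface format shown above, reports which match criteria in BLOCKED-P2P have seen traffic, and checks that the drop action is attached; the sample output with non-zero counters is constructed.

```python
import re

# Constructed sample of "show policy-map interface" output, same layout as above.
SAMPLE_OUTPUT = """\
 FastEthernet0/0
  Service-policy input: P2P-DROP
    Class-map: BLOCKED-P2P (match-any)
      1523 packets, 1048576 bytes
      5 minute offered rate 12000 bps, drop rate 12000 bps
      Match: protocol edonkey
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol bittorrent
        1523 packets, 1048576 bytes
        5 minute rate 12000 bps
      drop
    Class-map: class-default (match-any)
      88210 packets, 61245000 bytes
      5 minute offered rate 450000 bps, drop rate 0 bps
      Match: any
"""

CLASS_RE = re.compile(r"^\s*Class-map:\s+(\S+)")
MATCH_RE = re.compile(r"^\s*Match:\s+(.+?)\s*$")
COUNTER_RE = re.compile(r"^\s*(\d+) packets, (\d+) bytes")
DROP_RATE_RE = re.compile(r"drop rate (\d+) bps")


def parse_policy_map(text):
    """Map each class-map to its action, drop rate and per-criterion packet counts."""
    classes, cur, pending = {}, None, None
    for line in text.splitlines():
        if m := CLASS_RE.match(line):
            cur = classes.setdefault(m.group(1), {"action": None, "drop_rate_bps": 0, "matches": {}})
            pending = None                      # class-level counters are not kept here
        elif cur is None:
            continue                            # header lines before the first class-map
        elif m := MATCH_RE.match(line):
            pending = m.group(1)                # the next counter line belongs to this criterion
            cur["matches"][pending] = 0
        elif (m := COUNTER_RE.match(line)) and pending:
            cur["matches"][pending] = int(m.group(1))
            pending = None
        elif m := DROP_RATE_RE.search(line):
            cur["drop_rate_bps"] = int(m.group(1))
        elif line.strip() == "drop":
            cur["action"] = "drop"
    return classes


def active_p2p_matches(classes, class_name="BLOCKED-P2P"):
    """Criteria in the blocking class that actually saw traffic, busiest first."""
    hits = classes.get(class_name, {}).get("matches", {})
    return sorted(((k, v) for k, v in hits.items() if v > 0), key=lambda kv: -kv[1])
```

Running it on a real `show policy-map interface` capture instead of SAMPLE_OUTPUT shows which protocols the router is actually classifying, and an all-zero result under real load is a hint that the NBAR signatures do not recognize the traffic.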

Note: Regarding BitTorrent, there are some problems we can face when applying this method. A user may change the port used by torrent programs from 6881 to 6999, so the network administrator has to make sure that this does not happen, or prevent the use of this port. As for the problem of connection encryption, the solution will lie on the firewall...