
QOS profile for Kazaa (P2P)?


techguru69

IS-IT--Management
Jan 14, 2003
129
US
Hi all,
Anyone have a QOS profile/Access List/etc. set up to reduce the bandwidth for the Kazaa or other P2P products? I'd like to see what you have if you do so I can limit my users.

Thanks.
 
We do it a little different.
We block that kind of traffic on our firewalls.

To allow users to use programs like Kazaa is a security problem.

But if it's only on your LAN, what kind of data do they share since bandwidth is a problem?
 
I should have explained my situation better.

We are a campus-type environment, so users can bring their own laptops in and connect wireless to our network and internet connection. Obviously, security is not very enforceable at this level.

I want to scale back the bandwidth used for P2P apps, by port or protocol.

On the firewall, I've asked Cisco - a PIX won't do it.
 
Just to check if I understand it right.
The P2P problem, is that a bandwidth problem on the LAN or your internet connection?

How big a network do we talk about?
 
I would think it would be both the Lan and the internet connection - wouldn't it? Since the packets must flow through the Extreme switch, creating traffic, and then through the router and firewall in/out from the Internet. I don't believe our users use the P2P to share amongst themselves - just to download.
The network is small. 1 Alpine, 4 48i's. 160 edge nodes tops.

Thanks for the help.
 
I know that our firewall people have a limit on some types of traffic in our firewall. We use Raptor from Symantec (DON'T BUY THAT) and SonicWalls.
I know they can implement it in the Raptor box.

We use BlackDiamond as our core switch, but I don't remember that I have ever seen something about limitation on bandwidth, but on the other hand QoS is supported on the BlackDiamond.

 
You will have to investigate what ports (at layer 4) are used by these p2p apps. Once known, you can define a min and max bandwidth for one of the 8 available hardware queues and then define an access list to put all traffic using these ports into this queue. Extreme calls this act creating an access profile. Let's choose qp4 (qp1-qp8 are available, everything is in qp1 by default) for example.

configure qp4 minbw 0% maxbw 30% priority low

(low just means the 802.1q bit is set the same as qp1, you would want that on tagged links. also, don't mess with the minbuf and maxbuf settings)
This restricts the max port bandwidth to 30%, use whatever you want here. This will probably be fine on only the switch connected to the internet feed but if you think a problem with p2p internally is happening, you need to put this on all switches. Tagging negates this need but that is a whole other topic.
Next, on the switch that routes to the internet:

create access-list p2p tcp destination any ip-port range 3000 4000 source any ip-port range 3000 4000 permit qosprofile qp4 ports any

I am guessing that kazaa uses tcp but if it's udp, adjust accordingly. The port range is a guess to show the command syntax. I think you had all i series equipment so this is all good, non i series is a bit different.
 
Yes, but as I understood the problem this will only limit the traffic on the LAN.
Can this also be used specifically on the port where the firewall is connected so that the limit only applies to internet access?
 
It can work both ways. You seem to want to restrict the internet feed so the way to do that is:

configure port 3:8 qosprofile p2p

3:8 would actually be whatever the port # is that connects to your firewall. You can watch the profile in action by using qosmonitor

sho po 3:8 qosmonitor

I think that's the command syntax. There is a way to have it enter a log entry when the maxbw is passed, this would let you know how often the rule is effective but I can't recall the command syntax currently. Let me know if this helps.

brian
 
Many Cisco PIX & routers can solve this by using Network Based Application Recognition (NBAR). NBAR can detect a 'signature' of an application (the application could be AOL IM, Kazaa, IRC etc). You can define a policy for a specific application & NBAR can I.D. the application then apply the policy. It's an outstanding feature that's not very well-known. Here's a good URL for you to look at:



J. Martin Wills; CNCS, NNCAS, NNCDS, ENS-S, ENA, CCNP, CCDP
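A worked version of the NBAR approach described in the post above, added here as an example; it is Cisco IOS router configuration and not from the original thread or its posters. It assumes an IOS image whose NBAR protocol list includes the fasttrack and kazaa2 names, that FastEthernet0/0 is the interface facing the firewall/Internet feed, and that 256 kbps is a placeholder rate to be replaced with whatever the site wants to allow.

```cisco
! Added example: police Kazaa/FastTrack with NBAR on an IOS router.
! Assumptions: IOS image with the fasttrack and kazaa2 NBAR protocols,
! FastEthernet0/0 faces the firewall/Internet, 256 kbps is a placeholder rate.
!
! NBAR requires CEF switching to be enabled.
ip cef
!
! Classify by application signature rather than by port number,
! so clients that change ports are still matched.
class-map match-any P2P
 match protocol fasttrack
 match protocol kazaa2
!
! Police the class: conforming traffic is forwarded, excess is dropped.
! 256000 bps committed rate, 8000-byte normal burst.
policy-map LIMIT-P2P
 class P2P
  police 256000 8000 conform-action transmit exceed-action drop
!
interface FastEthernet0/0
 description Link to firewall / Internet feed
 ! Optional: let NBAR keep per-protocol byte counts on this interface
 ! (read them back with "show ip nbar protocol-discovery").
 ip nbar protocol-discovery
 ! Inbound polices downloads from the Internet, outbound polices uploads.
 service-policy input LIMIT-P2P
 service-policy output LIMIT-P2P
!
! Verify the policy is matching and dropping traffic:
!   show policy-map interface FastEthernet0/0
```

The "show policy-map interface" counters answer the earlier question in the thread about how often the limit is actually being hit.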
 