From: Dobby, Wayne (Perth) (Wayne.Dobby@WorleyParsons.com)
Date: Thu Dec 13 2007 - 19:14:00 EST
Don't recall where I found this on the web but I came across it a couple months ago when our security manager was looking at blocking/shaping Skype. So for those running Cisco routers this might solve your problems.
_________________________________________________________________________________________________________________________
On April 4th 2006, Cisco released IOS version 12.4(4)T. Cisco introduced much-awaited Skype classification in NBAR. So now with a simple policy you can block Skype. Skype can be blocked in a similar way as we used to block Kazaa, LimeWire and other P2P applications.
Example:-
NBAR configuration to drop Skype packets
class-map match-any p2p
 match protocol skype
policy-map block-p2p
 class p2p
  drop
int FastEthernet0
 description PIX-facing interface
 service-policy input block-p2p
If you are unsure about the bandwidth-eating applications being used in your organisation, you can access the interface connected to the Internet and configure the following command:
ip nbar protocol-discovery
This will enable NBAR discovery on your router.
Use the following command:-
show ip nbar protocol-discovery stats bit-rate top-n 10
It will show you the top 10 bandwidth-eating applications being used by the users. Now you will be able to block/restrict traffic with an appropriate QoS policy.
We can also use the ip nbar port-map command to look for the protocol or protocol name, using a port number or numbers other than the well-known Internet Assigned Numbers Authority (IANA)-assigned port numbers.
Usage as per Cisco:-
ip nbar port-map protocol-name [tcp | udp] port-number
Up to 16 ports can be specified with this command. Port number values can range from 0 to 65535.
____________________________________________________________________________________________________
Rgrds,
Wayne Dobby
Network Specialist
ICT | WorleyParsons | www.worleyparsons.com
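
Added example, not part of the original email or the article it quotes: the same NBAR match used to rate-limit Skype instead of dropping it, together with the discovery and port-map commands mentioned above. The names LIMIT-SKYPE and POLICE-SKYPE, the 64 kbps rate and port 8080 are assumptions chosen for illustration; FastEthernet0 is the interface from the quoted configuration.

```ios
! Added example. LIMIT-SKYPE / POLICE-SKYPE, the 64000 bps rate and
! port 8080 are illustrative assumptions, not values from the email.
!
! NBAR depends on CEF being enabled.
ip cef
!
! Have NBAR classify HTTP on a non-IANA port as well as port 80.
ip nbar port-map http tcp 80 8080
!
class-map match-any LIMIT-SKYPE
 match protocol skype
!
policy-map POLICE-SKYPE
 class LIMIT-SKYPE
  ! Restrict rather than block: traffic above 64 kbps is dropped,
  ! traffic under the rate is forwarded.
  police 64000 conform-action transmit exceed-action drop
!
interface FastEthernet0
 description PIX-facing interface
 ! Collect per-protocol statistics on this interface.
 ip nbar protocol-discovery
 service-policy input POLICE-SKYPE
!
! Verification (exec mode):
!   show policy-map interface FastEthernet0
!   show ip nbar port-map http
!   show ip nbar protocol-discovery stats bit-rate top-n 10
```

The counters in show policy-map interface show how many packets matched the class and how many exceeded the rate, which confirms the classifier is actually seeing Skype before the policy is tightened to drop.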