Thursday, March 5, 2009

CCIE ALU - CBWFQ Part 4, CBWFQ as a Security Feature

Foreword: An ALU is an Autonomous Learning Unit; you can read this post to learn more about them.






Users in subnet have been using Kazaa and edonkey to download illegal music files.  Company policy prohibits downloading illegal music, and your CIO would like you to stop Kazaa and Edonkey traffic.  Users' default gateway is




Highlight below for the solution:




class-map match-any DROP_TRAFFIC
 match protocol kazaa2
 match protocol edonkey

policy-map QOS2
 class DROP_TRAFFIC
  drop

interface FastEthernet0/0
 service-policy input QOS2



R2(config)#do sh policy-map interface FastEthernet0/0

  Service-policy input: QOS2

    Class-map: DROP_TRAFFIC (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol kazaa2
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol edonkey
        0 packets, 0 bytes
        5 minute rate 0 bps

    Class-map: class-default (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any




One great feature of Class Based Weighted Fair Queueing (CBWFQ) is the option to assign the action "drop" within a policy-map, turning CBWFQ into a security tool.  Combined with NBAR to perform deep inspection on packets, you can selectively drop traffic based on application.


Keeping in mind that CBWFQ can drop traffic is a great way to address questions that forbid the traditional security tools such as access-lists.  It also lets you drop very specific traffic, such as Kazaa and Edonkey, that an access-list cannot identify on its own.


Additionally, this question shows the "match-any" keyword on a class-map.  By default, a class-map with multiple match statements is a "match-all" class-map.  That means if you had a class-map that matched an access-list and a DSCP value, both items would need to be true for that class-map to apply.  However, in this case we are matching two applications, so a "match-all" class-map would never match, since a packet cannot be BOTH applications.  By using the "match-any" keyword, we can use fewer class-maps to match the traffic.


In this question we apply the policy-map in the inbound direction on FA0/0, however we could have also applied it outbound on Serial0/1 of R2.  It is best to block traffic as close to the source as possible, so I blocked it inbound at FastEthernet0/0.
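Once the policy is applied, the counters in "show policy-map interface" are the only evidence that NBAR is classifying the P2P traffic and that the drop action is discarding it. The following parser is an added example (not part of the original post) that reads that output and reports whether the drop class is matching and dropping; the counter values in the sample are constructed, not from the lab.

```python
import re

# Constructed sample in the format of the post's "show policy-map interface" output.
SAMPLE_OUTPUT = """\
  Service-policy input: QOS2
    Class-map: DROP_TRAFFIC (match-any)
      1250 packets, 937500 bytes
      5 minute offered rate 12000 bps, drop rate 12000 bps
      Match: protocol kazaa2
        800 packets, 600000 bytes
      Match: protocol edonkey
        450 packets, 337500 bytes
    Class-map: class-default (match-any)
      98231 packets, 61234567 bytes
      5 minute offered rate 51000 bps, drop rate 0 bps
      Match: any
"""

CLASS_RE = re.compile(r"^\s*Class-map:\s+(\S+)\s+\((match-any|match-all)\)")
PKT_RE = re.compile(r"^\s*(\d+) packets, (\d+) bytes")
RATE_RE = re.compile(r"offered rate (\d+) bps, drop rate (\d+) bps")
MATCH_RE = re.compile(r"^\s*Match:\s+(.+?)\s*$")

def parse_policy_map(text):
    """Map each class-map to its mode, class-level counters and match criteria."""
    classes, cur = {}, None
    for line in text.splitlines():
        if m := CLASS_RE.match(line):
            cur = {"mode": m.group(2), "packets": None, "bytes": None,
                   "offered_bps": 0, "drop_bps": 0, "matches": []}
            classes[m.group(1)] = cur
        elif cur is None:
            continue
        elif (m := PKT_RE.match(line)) and cur["packets"] is None:
            # First counter line after the header is the class total; per-match counters are skipped.
            cur["packets"], cur["bytes"] = int(m.group(1)), int(m.group(2))
        elif m := RATE_RE.search(line):
            cur["offered_bps"], cur["drop_bps"] = int(m.group(1)), int(m.group(2))
        elif m := MATCH_RE.match(line):
            cur["matches"].append(m.group(1))
    return classes

def drop_class_status(classes, drop_class="DROP_TRAFFIC"):
    """Verify the drop class is classifying traffic and discarding all of it."""
    c = classes.get(drop_class)
    if c is None:
        return "missing"        # policy-map has no such class
    if not c["packets"]:
        return "no-matches"     # NBAR saw nothing: no P2P yet, or it is not classifying
    if c["drop_bps"] < c["offered_bps"]:
        return "not-dropping"   # matched but still forwarded: drop action not applied
    return "dropping"
```

Run it against the all-zero output shown above and it reports "no-matches", which is the prompt to generate P2P traffic from the user subnet and re-check before calling the task done.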



DocCD items to reference:

Configuration Guide (Class-Based Weighted Fair Queueing Configuration Task List)



match protocol

drop (under a class in a policy-map)

service-policy in

show policy-map interface


