Foreword: An ALU is an Autonomous Learning Unit; you can read this post to learn more about them.
Question:
Users in subnet 1.1.124.0/24 have been using Kazaa and eDonkey to download illegal music files. Company policy prohibits downloading illegal music, and your CIO would like you to stop Kazaa and eDonkey traffic. The users' default gateway is 1.1.124.2.
Solution:
R2:
class-map match-any DROP_TRAFFIC
 match protocol kazaa2
 match protocol edonkey
!
policy-map QOS2
 class DROP_TRAFFIC
  drop
!
interface FastEthernet0/0
 service-policy input QOS2
Confirmation:
R2(config)#do sh policy-map interface FastEthernet0/0
 FastEthernet0/0

  Service-policy input: QOS2

    Class-map: DROP_TRAFFIC (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol kazaa2
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol edonkey
        0 packets, 0 bytes
        5 minute rate 0 bps
      drop

    Class-map: class-default (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
Explanation:
One great feature of Class Based Weighted Fair Queueing (CBWFQ) is the option to assign the action "drop" within a policy-map, turning CBWFQ into a security tool. Combined with NBAR to perform deep inspection on packets, you can selectively drop traffic based on application.
Keeping in mind that CBWFQ can drop traffic is a great way to handle questions that prevent you from using the traditional security tools such as access-lists. It also lets you drop very specific traffic, such as Kazaa and eDonkey, that is identified by application rather than by port.
Additionally, this question shows the "match-any" keyword on a class-map. By default, a class-map with multiple match statements is a "match-all" class-map. That means if you had a class-map that matched an access-list and a DSCP value, both conditions would need to be true for that class-map to apply. However, in this case we are matching two applications, so a "match-all" class-map would never match, since a packet cannot belong to BOTH applications. By using the "match-any" keyword, we can use fewer class-maps to match the traffic.
In this question we apply the policy-map in the inbound direction on FA0/0; however, we could also have applied it outbound on Serial0/1 of R2. It is best to block traffic as close to the source as possible, so I blocked it inbound at FastEthernet0/0.
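The confirmation output above shows the policy attached but with every counter at zero, which proves the configuration was accepted, not that it is catching anything. As an added example (not code from the original post), this Python parser reads "show policy-map interface" output and reports whether the drop class is match-any, carries the drop action, and has actually matched packets; the sample output and its counters are constructed.

```python
import re
# Constructed "show policy-map interface" output (invented counters, not the post's capture).
SAMPLE_OUTPUT = """\
 FastEthernet0/0
  Service-policy input: QOS2
    Class-map: DROP_TRAFFIC (match-any)
      1520 packets, 1102400 bytes
      5 minute offered rate 3000 bps, drop rate 3000 bps
      Match: protocol kazaa2
        1200 packets, 900000 bytes
      Match: protocol edonkey
        320 packets, 202400 bytes
      drop
    Class-map: class-default (match-any)
      98765 packets, 12345678 bytes
      5 minute offered rate 50000 bps, drop rate 0 bps
      Match: any
"""
CLASS_RE = re.compile(r"^\s*Class-map:\s+(\S+)\s+\((match-any|match-all)\)")
COUNT_RE = re.compile(r"^\s*(\d+) packets, (\d+) bytes")
MATCH_RE = re.compile(r"^\s*Match:\s+(.+?)\s*$")

def parse_policy_map(text):
    # Returns {class_name: {match_type, packets, bytes, matches, actions}}.
    classes, cur, pending = {}, None, None   # pending = last "Match:" criterion seen
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            cur = classes.setdefault(m.group(1), {"match_type": m.group(2), "packets": 0,
                                                  "bytes": 0, "matches": {}, "actions": []})
            pending = None
        elif cur is None:
            continue                          # still in the interface/service-policy header
        elif (m := MATCH_RE.match(line)):
            pending = m.group(1)
            cur["matches"][pending] = 0       # "Match: any" has no counter line of its own
        elif (m := COUNT_RE.match(line)):
            if pending is None:               # first counter line is the class total
                cur["packets"], cur["bytes"] = int(m.group(1)), int(m.group(2))
            else:                             # later counter lines belong to the last Match:
                cur["matches"][pending] = int(m.group(1))
        elif line.strip() == "drop":
            cur["actions"].append("drop")
    return classes

def drop_policy_effective(classes, class_name):
    # The config alone proves nothing: require a drop action, match-any, and real hits.
    c = classes.get(class_name)
    return bool(c and "drop" in c["actions"] and c["match_type"] == "match-any" and c["packets"] > 0)
```

Run it against a fresh capture after generating Kazaa or eDonkey test traffic from the subnet; an all-zero capture like the one in the post will return False until the class sees packets.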
DocCD items to reference:
Configuration Guide (Class-Based Weighted Fair Queueing Configuration Task List)