Cisco Certification: Comparison and Analysis of Methods for Blocking BT on Cisco Routers
Comparison and Analysis of Methods for Blocking BT on Cisco Routers
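Recently, in order to block BT, I searched through almost every networking forum on NBO, and ended up using NBAR (Network-Based Application Recognition).
NBAR is a technology that dynamically identifies protocols at layers 4 through 7. It can control static TCP and UDP traffic the way an ordinary ACL can, and it can also control protocols that use dynamic ports (such as BT), which ordinary ACLs cannot.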
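The difference between a port-based ACL and payload-based recognition, as an added illustration (not from the original post, and not NBAR's actual PDLM matching logic): the Python code below applies both decisions to constructed flows. The ACL port range 6881-6889 and all sample payloads are assumptions made for the example.

```python
# Added illustration: static port ACL vs. payload-based classification.
# This is NOT Cisco's PDLM logic; ports and packets below are constructed.

BT_PSTR = b"BitTorrent protocol"
# Classic default BitTorrent port range a static ACL might list (assumption).
ACL_BLOCKED_TCP_PORTS = range(6881, 6890)


def bt_handshake(info_hash: bytes, peer_id: bytes) -> bytes:
    """Peer-wire handshake: pstrlen, pstr, 8 reserved bytes, hash, peer id."""
    return bytes([len(BT_PSTR)]) + BT_PSTR + bytes(8) + info_hash + peer_id


def acl_blocks(dst_port: int) -> bool:
    """Static ACL view: the verdict depends only on the destination port."""
    return dst_port in ACL_BLOCKED_TCP_PORTS


def payload_is_bittorrent(payload: bytes) -> bool:
    """Classifier view: match the handshake prefix, whatever the port."""
    return (len(payload) >= 20 and payload[0] == len(BT_PSTR)
            and payload[1:20] == BT_PSTR)


def classify(flows):
    """Return (label, acl_verdict, payload_verdict) for each flow."""
    return [(name, acl_blocks(port), payload_is_bittorrent(data))
            for name, port, data in flows]


# Constructed sample flows: (label, TCP destination port, first payload).
HS = bt_handshake(b"\x11" * 20, b"-XX0001-" + b"0" * 12)
FLOWS = [
    ("bt-default-port", 6881, HS),      # both methods catch it
    ("bt-random-port", 51413, HS),      # ACL misses, payload match catches
    ("http-get", 80, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    ("non-bt-on-6881", 6881, b"\x00" * 80),  # ACL blocks unrelated traffic
]

if __name__ == "__main__":
    for name, acl, sig in classify(FLOWS):
        print(f"{name:16} acl_blocks={acl!s:5} payload_match={sig}")
```

The second and fourth flows are the cases the paragraph describes: the ACL misses BT on a non-listed port and blocks unrelated traffic on a listed one, while the payload check gets both right.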
Here is the procedure:
1. Download bittorrent.pdlm from http://www.cisco.com/pcgi-bin/tablebuild.pl/pdlm (a CCO account is required).
2. Put it on a TFTP server, then use copy tftp disk2 (on most routers this will be flash) to copy it to the router:
route7206#conf t
Enter configuration commands, one per line. End with CNTL/Z.
route7206(config)#ip nbar pdlm bittorrent.pdlm
route7206(config)#
!
ip nbar pdlm bittorrent.pdlm
!
1.) Create a class-map and a policy-map and apply them to the appropriate interface.
The resulting BT-related part of the configuration is:
class-map match-all bittorrent
 match protocol bittorrent
!
!
policy-map bittorrent-policy
 class bittorrent
  drop
!
interface GigabitEthernet0/2
 description CONNECT INSIDE
 ip address 192.168.168.1 255.255.255.252 secondary
 ip address 192.168.21.1 255.255.255.0
 ip nat inside
 service-policy input bittorrent-policy
 service-policy output bittorrent-policy
 duplex full
 speed 1000
 media-type rj45
 no negotiation auto