P2P: peer-to-peer
2 Why do we need to limit P2P applications?
P2P applications are a deadly killer of Internet bandwidth: a single P2P client can take more than 90% of the total bandwidth, which seriously affects the normal Internet users in an Internet cafe, especially those playing online games.
3 How to limit P2P applications?
1 Restrict ports with an ACL
There are two ways to restrict ports with an ACL. The first is to block the P2P ports and leave all other ports open. This method has its limitations, because much current P2P software can change ports: when it is blocked it automatically switches to another port, even port 80, and if port 80 is blocked as well the network no longer works at all. The second is to open only the ports that are actually needed and close all others. This controls the network strictly and is feasible for a small, simple network, but on a large network with complex traffic such management becomes very difficult. Neither method is therefore well suited to an Internet cafe.
2 Combine QoS with an ACL to rate-limit traffic by port
Use QoS together with an ACL to rate-limit the traffic on P2P ports. Most worms and P2P software use ports above 3000, but normal applications also use ports above 3000, so simply closing every port above 3000 would stop those applications from working. The compromise is to rate-limit, rather than block, traffic to ports above 3000. In practice, adjust the port threshold to the actual environment so that the effect on other applications is kept to a minimum. Note that ordinary client connections from the LAN also use ephemeral source ports, many of which lie above 3000, so a rule matching source ports above 3000 on the LAN side will throttle a share of legitimate traffic as well; raise the threshold if that share is too large.
For example:
On the WAN interface, combine the ACL with QoS.
acl number 3100
 rule 1000 permit tcp destination-port gt 3000
 rule 1010 permit udp destination-port gt 3000
Configure QoS on the WAN interface.
#
traffic classifier p2pin operator or
 if-match acl 3100
#
traffic behavior p2pin
 car cir 2048000 cbs 1024000 ebs 0 green pass red discard
#
qos policy p2pin
 classifier p2pin behavior p2pin
#
interface Ethernet1/0
 ip address 162.1.1.2 255.255.255.252
 qos apply policy p2pin inbound
#
On the LAN interface, combine the ACL with QoS.
acl number 3300
 rule 1000 permit tcp source-port gt 3000
 rule 1010 permit udp source-port gt 3000
Configure QoS on the LAN interface.
#
traffic classifier p2pout operator or
 if-match acl 3300
#
traffic behavior p2pout
 car cir 2048000 cbs 1024000 ebs 0 green pass red discard
#
qos policy p2pout
 classifier p2pout behavior p2pout
#
interface Ethernet3/0
 ip address 192.168.1.1 255.255.255.0
 qos apply policy p2pout inbound
#
Check the unit that your platform expects for cir and cbs (kbit/s or bit/s) before copying these values, and size the CIR to the cafe's actual uplink.
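The following is an added example (not VRP code and not from the original page) that models what the "car cir ... cbs ... ebs 0 green pass red discard" line in the traffic behaviors above does: a single-rate, two-colour token bucket. Packets that fit in the bucket are green and pass; packets that do not are red and are discarded. The units (cir in bits per second, cbs in bytes), the 2 Mbit/s and 256 KB figures and the two constant-rate traffic streams are assumptions of this model, not values from the page.

```python
"""Single-rate two-colour CAR marker (cir/cbs, ebs 0).
Added example modelling the router behaviour, not vendor code.
Assumed units: cir in bits per second, cbs in bytes."""


class Car:
    """Token bucket refilled at cir, holding at most cbs bytes.  A packet that
    fits in the bucket is green (pass); one that does not is red (discard).
    With ebs 0 there is no excess bucket, hence only two colours."""

    def __init__(self, cir_bps, cbs_bytes):
        self.cir_bytes_per_s = cir_bps / 8.0
        self.cbs = float(cbs_bytes)
        self.tokens = self.cbs      # bucket starts full
        self.last = 0.0             # time of the last refill, seconds

    def mark(self, now, length):
        elapsed = max(0.0, now - self.last)
        self.last = now
        self.tokens = min(self.cbs, self.tokens + elapsed * self.cir_bytes_per_s)
        if length <= self.tokens:
            self.tokens -= length
            return "green"
        return "red"


def run_car(cir_bps, cbs_bytes, packets):
    """Feed (arrival_time_s, length_bytes) pairs through a CAR; return (green, red) counts."""
    car = Car(cir_bps, cbs_bytes)
    green = red = 0
    for t, n in packets:
        if car.mark(t, n) == "green":
            green += 1
        else:
            red += 1
    return green, red


def constant_rate_stream(rate_bps, seconds=2.0, length=1500):
    """Constructed traffic: full-size packets evenly spaced to sustain rate_bps."""
    interval = length * 8.0 / rate_bps
    packets, t = [], 0.0
    while t < seconds:
        packets.append((t, length))
        t += interval
    return packets


if __name__ == "__main__":
    CIR, CBS = 2_000_000, 256_000     # assumed: 2 Mbit/s committed rate, 256 KB burst
    for label, rate in (("1 Mbit/s stream", 1_000_000), ("20 Mbit/s download", 20_000_000)):
        g, r = run_car(CIR, CBS, constant_rate_stream(rate))
        print(f"{label}: {g} green, {r} red")
```

A stream below the CIR never empties the bucket and is entirely green; a 20 Mbit/s download gets the initial burst of cbs bytes plus cir bytes per second, and everything beyond that is discarded, which is exactly the shaping effect the two policies above apply to high-port traffic.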
3 Limit the NAT sessions of a single user
Later VRP software versions support limiting the number of NAT TCP connections per inside IP address. A major characteristic of P2P software such as BT is the large number of connections it opens, which occupies a large number of NAT table entries, so this method limits BT effectively. For example, set the maximum number of NAT entries for IP 192.168.1.2 to 100. That is enough for normal Internet access, but once BT is used the NAT entry count for that IP soon reaches 100; at that point other access from the IP cannot be translated until some of its NAT entries have timed out. This effectively protects the network bandwidth and also serves as a warning to the user.
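The following is an added example (not VRP code and not from the original page) that simulates the per-IP NAT session cap described above: a BT client that opens many connections fills its quota, is refused further translations until its entries age out, while a host with a few sessions is never affected. The idle timeout of 60 seconds, the host addresses and the traffic mix are constructed for the simulation.

```python
"""Per-inside-IP NAT session cap with idle timeout.
Added example modelling the 'maximum NAT entries = 100' behaviour, not vendor code."""
from collections import defaultdict


class NatTable:
    def __init__(self, max_per_ip, idle_timeout):
        self.max_per_ip = max_per_ip
        self.idle_timeout = idle_timeout
        # inside_ip -> {(proto, src_port, dst_ip, dst_port): last_seen_time}
        self.sessions = defaultdict(dict)

    def _expire(self, ip, now):
        live = self.sessions[ip]
        for key, seen in list(live.items()):
            if now - seen >= self.idle_timeout:
                del live[key]

    def translate(self, now, ip, key):
        """True if the packet is translated (existing or new entry);
        False if the host is at its cap and the new session is refused."""
        self._expire(ip, now)
        live = self.sessions[ip]
        if key in live:
            live[key] = now          # refresh the entry
            return True
        if len(live) >= self.max_per_ip:
            return False             # table full for this host: no new entry
        live[key] = now
        return True


def simulate(max_per_ip=100, idle_timeout=60.0):
    """Constructed scenario: one BT host, one ordinary host, cap of 100 per IP."""
    nat = NatTable(max_per_ip, idle_timeout)
    out = {}
    bt, normal = "192.168.1.2", "192.168.1.3"
    # the BT client opens 150 peer connections within its first second
    out["bt_admitted"] = sum(
        nat.translate(i / 150.0, bt, ("tcp", 10000 + i, f"10.{i // 250}.{i % 250}.1", 6881))
        for i in range(150))
    # while its table is full, the same host cannot even open a web page
    out["bt_web_while_full"] = nat.translate(2.0, bt, ("tcp", 20000, "203.0.113.10", 80))
    # an ordinary host with a handful of sessions is unaffected
    out["normal_admitted"] = sum(
        nat.translate(1.0 + i, normal, ("tcp", 3000 + i, "203.0.113.10", 80))
        for i in range(20))
    # after the idle timeout the BT entries age out and the host recovers
    out["bt_web_after_timeout"] = nat.translate(
        2.0 + idle_timeout, bt, ("tcp", 20001, "203.0.113.10", 80))
    return out


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k}: {v}")
```

Only the first 100 BT connections get entries; the refused ones are not queued, so the host's web request at the same moment fails as the text describes, and succeeds again once the idle entries have expired.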
4 Limit through client software
Use settings in the client software to prohibit the use of P2P software. Many Internet cafe management packages can ban any specified program from running; Internet cafes that need to prohibit P2P applications are advised to use this approach.
Above we have summarised the methods currently available for limiting P2P software. Choose according to the actual network circumstances; of course, the methods can also be combined.
2: ACL limiting the ports of common P2P software
acl number 3100
 rule 1000 deny tcp destination-port eq 2710
 rule 1010 deny tcp destination-port eq 6969
 rule 1020 deny tcp destination-port range 8881 8999
 rule 1030 deny tcp destination-port eq 10137
 rule 1040 deny tcp destination-port eq 16881
 rule 1050 deny tcp destination-port range 4661 4662
 rule 1060 deny udp destination-port eq 4665
 rule 1070 deny udp destination-port eq 4672
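The following is an added example (not VRP code and not from the original page) that evaluates the three port ACLs on this page against constructed flows: the known-port deny list above, ACL 3300 (source port above 3000, applied inbound on the LAN interface) and ACL 3100 (destination port above 3000, applied inbound on the WAN interface). It shows the point of method 1 and method 2 side by side: a BT client that moves its peer port to 80 slips past the deny list, but is still caught by the "gt 3000" classifiers because its own ephemeral port is above 3000; the same mechanism also throttles an ordinary web session whose ephemeral port happens to be above 3000. Rules are applied in configuration order, a simplification of the router's match-order handling; the flows and port numbers for the clients are assumptions.

```python
"""Port-based ACL matching for the ACLs on this page.
Added example, not vendor code.  Parses rule lines of the form
'rule <id> permit|deny tcp|udp source-port|destination-port eq|gt|range ...'
and applies them to constructed flows."""


def parse_rule(line):
    """'rule 1000 deny tcp destination-port range 8881 8999' -> dict."""
    t = line.split()
    if t[0] != "rule" or t[2] not in ("permit", "deny") or t[3] not in ("tcp", "udp"):
        raise ValueError(line)
    rule = {"action": t[2], "proto": t[3], "field": t[4], "op": t[5], "lo": int(t[6])}
    rule["hi"] = int(t[7]) if rule["op"] == "range" else None
    return rule


def rule_matches(rule, proto, sport, dport):
    if proto != rule["proto"]:
        return False
    port = dport if rule["field"] == "destination-port" else sport
    if rule["op"] == "eq":
        return port == rule["lo"]
    if rule["op"] == "gt":
        return port > rule["lo"]
    if rule["op"] == "range":
        return rule["lo"] <= port <= rule["hi"]
    raise ValueError(rule["op"])


def evaluate(acl, proto, sport, dport):
    """Action of the first matching rule in configuration order, or None."""
    for rule in acl:
        if rule_matches(rule, proto, sport, dport):
            return rule["action"]
    return None


def load_acl(text):
    return [parse_rule(line) for line in text.split("\n") if line.strip()]


# The three ACLs from the page, verbatim apart from formatting.
KNOWN_P2P_PORTS = load_acl("""
rule 1000 deny tcp destination-port eq 2710
rule 1010 deny tcp destination-port eq 6969
rule 1020 deny tcp destination-port range 8881 8999
rule 1030 deny tcp destination-port eq 10137
rule 1040 deny tcp destination-port eq 16881
rule 1050 deny tcp destination-port range 4661 4662
rule 1060 deny udp destination-port eq 4665
rule 1070 deny udp destination-port eq 4672
""")
ACL_3100 = load_acl("""
rule 1000 permit tcp destination-port gt 3000
rule 1010 permit udp destination-port gt 3000
""")   # WAN interface, inbound: replies coming back to the LAN client
ACL_3300 = load_acl("""
rule 1000 permit tcp source-port gt 3000
rule 1010 permit udp source-port gt 3000
""")   # LAN interface, inbound: packets the LAN client sends out

# Constructed flows, given as the outbound packet from the LAN client:
# (name, proto, client source port, remote destination port).  Assumed values.
FLOWS = [
    ("bt tracker announce", "tcp", 4100, 6969),
    ("bt peer on default port", "tcp", 4101, 16881),
    ("bt peer moved to port 80", "tcp", 4102, 80),
    ("edonkey udp", "udp", 4104, 4672),
    ("web browse, low ephemeral port", "tcp", 1500, 80),
    ("web browse, high ephemeral port", "tcp", 4103, 80),
    ("dns lookup", "udp", 1100, 53),
]


def classify(flows=FLOWS):
    """Per flow: verdict of the known-port deny list ('deny' or 'pass'),
    whether ACL 3300 throttles the outbound packet on the LAN interface,
    and whether ACL 3100 throttles the reply packet on the WAN interface."""
    out = {}
    for name, proto, sport, dport in flows:
        known = "deny" if evaluate(KNOWN_P2P_PORTS, proto, sport, dport) == "deny" else "pass"
        lan = evaluate(ACL_3300, proto, sport, dport) == "permit"
        wan = evaluate(ACL_3100, proto, dport, sport) == "permit"   # reply: ports swapped
        out[name] = (known, lan, wan)
    return out


if __name__ == "__main__":
    for name, (known, lan, wan) in classify().items():
        print(f"{name:32s} known-port ACL: {known:5s} LAN throttled: {lan!s:5s} WAN throttled: {wan}")
```

The deny list only ever sees the remote port, so it is defeated as soon as the P2P client changes port; the "gt 3000" classifiers match on the client's own ephemeral port, which the client cannot easily hide, at the price of also rate-limiting any ordinary session that draws an ephemeral port above the threshold.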
For more information, please visit: http://www.huanetwork.com