Cisco IOS version 12.4(4)T introduced the much awaited Skype classification in NBAR. Now, with simple policy you can block Skype in much the same way as you used to block kazza, limewire, and other p2p applications.
NBAR configuration to drop Skype packets
class "map match" any p2p
match protocol skype
policy "map block" p2p
description PIX "facing interface
policy "input block" p2p
If you are unsure about the bandwidth-eating applications being used in your organization, you can access the interface connected to the Internet and configure using the following command:
"ip nbar protocol-discovery"
This will enable nbar discovery on your router.
If you use the following command:
"show ip nbar protocol-discovery stats bit-rate top-n 10"
It will show you the top 10 bandwidth-eating applications being used by the users. Now, you will be able to block/restrict traffic with appropriate QoS policy.
You can also use "ip nbar port-map" command to look for the protocol or protocol name using a port number or numbers other than the well-known Internet Assigned Numbers Authority (IANA)-assigned port numbers.
Usage as per Cisco:
"ip nbar port-map protocol-name [tcp | udp] port-number"
Up to 16 ports can be specified with the above command. Port number values can range from 0 to 65535.
- Mujeeb Ahmed, Sysnet, Karachi, Sindh, Pakistan