There has been severe backlash against ISPs blocking certain types of traffic, specifically peer-to-peer (P2P) traffic. The backlash has even caused some ISPs to reverse their decision about blocking or throttling such traffic.
In the enterprise, however, where the data network may also carry voice and video, sooner or later you will have to prioritize traffic. At that point you will run into the question of throttling or outright blocking P2P traffic, especially file-sharing applications that end users run without management approval, or without even knowing they are running them.
Several applications allow P2P sharing; Limewire, BitTorrent, Azureus, Kazaa and eDonkey are a few that come to mind. I have my own favorite, but that's an article for another day.
The problem with P2P applications is that they are designed to worm their way through firewalls. Unlike IM software that can use port 80 (which is required for web browsing), P2P applications will usually use a specific port other than the ones normally used for DNS or web browsing.
The trick to blocking such applications is to first identify which applications may be running on your network, then put filters in place to block the specific ports those applications use. Some P2P software does use port 80 for transfers. Blobster and Piolet transfer over port 80, so the way to block them is to block the initial connection on which they download the peer list. For Blobster and Piolet the address range to block is 128.121.0.0 with a subnet mask of 255.255.0.0; block all port 80 traffic to that segment and you render Blobster and Piolet useless.
eDonkey is pretty easy to rein in, simply block TCP port 4662 at the firewall and you’re done. Simple enough right?
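The first step described above, identifying which applications are active before writing filters, can be checked against a connection log. The following is an added example, not code from the original article: it applies the two port/IP rules given so far (TCP 4662 for eDonkey, and port 80 to 128.121.0.0/16 for the Blobster/Piolet peer-list fetch) to a few constructed flow records and reports which internal hosts matched. The log format, the host addresses and the function names are all assumptions for the example; FastTrack and Gnutella, which use any open port, cannot be found this way and need NBAR as the article goes on to explain.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample flow records (not real traffic), one per line, in an
# assumed "proto src_ip:src_port -> dst_ip:dst_port" format.
SAMPLE_FLOWS = """\
tcp 10.0.0.15:51234 -> 203.0.113.9:4662
tcp 10.0.0.15:51235 -> 128.121.50.7:80
tcp 10.0.0.22:40001 -> 198.51.100.4:80
udp 10.0.0.31:5353 -> 10.0.0.255:5353
tcp 10.0.0.40:50000 -> 128.121.3.3:443
"""

# Signatures taken from the article: eDonkey's TCP port, and the network
# that Blobster/Piolet contact over port 80 to download their peer list.
EDONKEY_TCP_PORT = 4662
PEER_LIST_NET = ipaddress.ip_network("128.121.0.0/16")


@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def parse_flow(line):
    """Parse one record in the assumed log format into a Flow."""
    proto, src, _, dst = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return Flow(proto.lower(), src_ip, int(src_port), dst_ip, int(dst_port))


def classify(flow):
    """Return the P2P label the article's port/IP rules assign, or None."""
    if flow.proto == "tcp" and flow.dst_port == EDONKEY_TCP_PORT:
        return "eDonkey"
    # Only port 80 to the peer-list network counts; other ports to that
    # range and port 80 elsewhere are ordinary traffic under these rules.
    if (flow.proto == "tcp" and flow.dst_port == 80
            and ipaddress.ip_address(flow.dst_ip) in PEER_LIST_NET):
        return "Blobster/Piolet peer-list fetch"
    return None


def find_p2p_hosts(text):
    """Map each internal source IP to the set of P2P labels seen for it."""
    hosts = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        label = classify(flow)
        if label:
            hosts.setdefault(flow.src_ip, set()).add(label)
    return hosts


if __name__ == "__main__":
    for ip, labels in sorted(find_p2p_hosts(SAMPLE_FLOWS).items()):
        print(f"{ip}: {', '.join(sorted(labels))}")
```

Run against a real export from your firewall or NetFlow collector, the output is the list of hosts worth visiting before you tighten the port filters; the port-only rules are deliberately narrow, so an unmatched host is not proof that it is clean.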
Now let's talk about trickier applications, the ones that use the FastTrack network such as Kazaa, Grokster and iMesh. FastTrack is the most popular P2P network around, and it uses any open TCP/UDP port to search for and download files. That behavior makes it impossible to block these clients by IP address or by filtering specific ports. To block this type of traffic you need a Network-Based Application Recognition (NBAR) mechanism, such as the one available in Cisco IOS software. Here is a sample configuration that blocks such traffic on IOS software release 12.2(13)T:
class-map match-any p2p
 match protocol fasttrack file-transfer "*"
policy-map block-p2p
 class p2p
  drop
interface FastEthernet0
 description PIX-facing interface
 service-policy input block-p2p
The Gnutella network also requires NBAR for filtering. You can block Gnutella traffic by adding a Gnutella match line under the same class-map; the rest of the configuration is the same as for blocking FastTrack traffic:
class-map match-any p2p
 match protocol fasttrack file-transfer "*"
 match protocol gnutella file-transfer "*"