From: Chris_M (cmartin007@msn.com)
Date: Thu Jan 22 2004 - 17:11:23 GMT-3
Dmitry:
You need to have the ip nbar protocol-discovery command also.
Further you need another class map to assign a value to the nbar class map.
For example, I would mark the nbar url with dscp of cs, then drop dscp cs in
your policy map.
In your example, how is the policy map going to know what to drop? The police
command doesn't use nbar.
----- Original Message -----
From: "Dmitry Volkov" <dmitry.volkov@rogers.com>
To: <ccielab@groupstudy.com>
Cc: <security@groupstudy.com>
Sent: Thursday, January 22, 2004 11:34 AM
Subject: NBAR with class based policing
> Hi,
>
> If I want to use NBAR with class based policing against stuff like codered -
> Is it enough to have ?:
>
> Router(config)#class-map match-any http-hacks
> Router(config-cmap)#match protocol http url "*default.ida*"
> Router(config-cmap)#match protocol http url "*cmd.exe*"
> Router(config-cmap)#match protocol http url "*root.exe*"
> Router(config)#policy-map drop-inbound-http-hacks
> Router(config-pmap)#class http-hacks
> Router(config-pmap)#police 1000000 31250 31250 conform-action drop exceed-action drop violate-action drop
> Router(config)#interface serial 0/0
> Router(config-if)#description OUTSIDE INTERFACE
> Router(config-if)#service-policy input drop-inbound-http-hacks
>
> Example here
>
> http://www.cisco.com/en/US/products/hw/routers/ps359/products_tech_note09186a00800fc176.shtml#methodc
> looks strange: the description of steps 1)-5) contradicts the config they
> place...
> They talk about 2 policies: inbound on outside interface for classification
> of traffic and outbound for policing:
> "Note that you must apply a separate policy to the outbound interface. You
> cannot apply a single policy that both marks the "Code Red" packets and
> drops them"
>
> but config depicts inbound policing on outside interface, why do I need to
> mark them when I just want to drop...
>
> Is the config above correct?
>
> Thank You
> Dmitry
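The two-policy layout that Chris describes (mark on the inbound interface, drop by DSCP on the outbound interface), written out as an added example. This is not configuration from the thread or from the Cisco tech note Dmitry links; the policy-map and class-map names, the DSCP value 1, and the interface names are assumptions, and the NBAR URL patterns and the police syntax are copied from Dmitry's post.

```cisco
! Added example, not from the thread or the Cisco tech note.
! Assumed names: http-hacks, mark-inbound-http-hacks, http-hacks-marked,
! drop-outbound-http-hacks, DSCP value 1, Serial0/0 and FastEthernet0/0.

! 1. Classify with NBAR URL matches (patterns as in Dmitry's post).
class-map match-any http-hacks
 match protocol http url "*default.ida*"
 match protocol http url "*cmd.exe*"
 match protocol http url "*root.exe*"

! 2. Inbound policy: only MARK the NBAR matches (assumed DSCP value 1).
policy-map mark-inbound-http-hacks
 class http-hacks
  set ip dscp 1

! 3. Second class map keyed on the mark, not on NBAR.
class-map match-all http-hacks-marked
 match ip dscp 1

! 4. Outbound policy: police the marked class so that every bucket
!    (conform, exceed, violate) is dropped; same police syntax as the post.
policy-map drop-outbound-http-hacks
 class http-hacks-marked
  police 1000000 31250 31250 conform-action drop exceed-action drop violate-action drop

! 5. Outside interface: enable NBAR discovery and mark on input.
interface Serial0/0
 description OUTSIDE INTERFACE
 ip nbar protocol-discovery
 service-policy input mark-inbound-http-hacks

! 6. Inside interface: drop the marked packets on their way out.
interface FastEthernet0/0
 description INSIDE INTERFACE
 service-policy output drop-outbound-http-hacks
```

To check that both halves are working, run `show policy-map interface Serial0/0` and `show policy-map interface FastEthernet0/0`: the http-hacks class counters should increase on the inbound side and the http-hacks-marked drop counters on the outbound side. One design point to keep in mind with this split: an output policy only sees transit traffic, so requests addressed to the router's own HTTP server never reach the drop policy and have to be handled on the inbound side (or by disabling the HTTP server) if that is a concern.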
This archive was generated by hypermail 2.1.4 : Mon Feb 02 2004 - 09:07:48 GMT-3