From: Dmitry Volkov (dmitry.volkov@rogers.com)
Date: Thu Jan 22 2004 - 17:32:10 GMT-3
Chris,
Agree, I missed "ip nbar protocol discovery".
About classification: Are you saying NBAR is strictly a classification method
(not compatible with policing) and I need something like this:
Classification on outside:
Router(config)#ip cef
Router(config)#class-map match-any http-hacks
Router(config-cmap)#match protocol http url "*default.ida*"
Router(config-cmap)#match protocol http url "*cmd.exe*"
Router(config-cmap)#match protocol http url "*root.exe*"
Router(config)#policy-map mark-inbound-http-hacks
Router(config-pmap)#class http-hacks
Router(config-pmap)#set ip dscp 1
Router(config)#interface serial 0/0
Router(config-if)#description OUTSIDE INTERFACE
Router(config-if)#service-policy input mark-inbound-http-hacks
Router(config-if)#ip nbar protocol discovery
==================================
Policing on inside:
Router(config)#class-map match-any codered-marked
Router(config-cmap)#match ip dscp 1
Router(config)#policy-map drop-inbound-http-hacks
Router(config-pmap)#class codered-marked
Router(config-pmap)#police 1000000 31250 31250 conform-action drop exceed-action drop violate-action drop
Router(config)#interface Ethernet 0/0
Router(config-if)#description INSIDE INTERFACE
Router(config-if)#service-policy output drop-inbound-http-hacks
Thank You,
Dmitry
> -----Original Message-----
> From: Chris_M [mailto:cmartin007@msn.com]
> Sent: Thursday, January 22, 2004 3:11 PM
> To: Dmitry Volkov; ccielab@groupstudy.com
> Cc: security@groupstudy.com
> Subject: Re: NBAR with class based policing
>
>
> Dmitry:
> You need to have the ip nbar protocol discovery command also.
> Further you need another class map to assign a value to the nbar class map.
> For example, I would mark the nbar url with dscp of cs, then drop dscp cs in
> your policy map.
>
> In your example, how is the policy map going to know what to drop? The police
> command doesn't use nbar.
>
>
> ----- Original Message -----
> From: "Dmitry Volkov" <dmitry.volkov@rogers.com>
> To: <ccielab@groupstudy.com>
> Cc: <security@groupstudy.com>
> Sent: Thursday, January 22, 2004 11:34 AM
> Subject: NBAR with class based policing
>
>
> > Hi,
> >
> > If I want to use NBAR with class based policing against stuff like codered -
> > Is it enough to have?:
> >
> > Router(config)#class-map match-any http-hacks
> > Router(config-cmap)#match protocol http url "*default.ida*"
> > Router(config-cmap)#match protocol http url "*cmd.exe*"
> > Router(config-cmap)#match protocol http url "*root.exe*"
> > Router(config)#policy-map drop-inbound-http-hacks
> > Router(config-pmap)#class http-hacks
> > Router(config-pmap)#police 1000000 31250 31250 conform-action drop exceed-action drop violate-action drop
> > Router(config)#interface serial 0/0
> > Router(config-if)#description OUTSIDE INTERFACE
> > Router(config-if)#service-policy input drop-inbound-http-hacks
> >
> > Example here
> >
> > http://www.cisco.com/en/US/products/hw/routers/ps359/products_tech_note09186a00800fc176.shtml#methodc
> > looks strange: Description of steps 1)-5) contradicts the config they place...
> > They talk about 2 policies: inbound on outside interface for classification
> > of traffic and outbound for policing:
> > "Note that you must apply a separate policy to the outbound interface. You
> > cannot apply a single policy that both marks the "Code Red" packets and
> > drops them"
> >
> > but config depicts inbound policing on outside interface, why do I need to
> > mark them when I just want to drop...
> >
> > Is config above correct ??
> >
> > Thank You
> > Dmitry
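As an added illustration (not part of the thread and not router code), a Python simulation of the two-stage design discussed above: the inbound policy on the outside interface marks matching HTTP URLs with DSCP 1, and the outbound policy on the inside interface drops anything carrying that mark. URL globbing is approximated with fnmatch, which is an assumption rather than NBAR's exact matcher; the sample requests are constructed.

```python
"""Two-stage NBAR mark-then-drop simulation (added example, not from the thread)."""
from fnmatch import fnmatchcase

# URL patterns from class-map 'http-hacks' in the thread.
HTTP_HACK_URLS = ("*default.ida*", "*cmd.exe*", "*root.exe*")
MARK_DSCP = 1  # 'set ip dscp 1' in policy-map mark-inbound-http-hacks


def classify_http_url(url: str) -> bool:
    """class-map match-any http-hacks: true if any URL pattern matches.

    fnmatch '*' / '?' semantics stand in for NBAR's URL matching (assumption).
    """
    return any(fnmatchcase(url, pat) for pat in HTTP_HACK_URLS)


def outside_inbound_policy(packet: dict) -> dict:
    """service-policy input mark-inbound-http-hacks on serial 0/0: mark only."""
    marked = dict(packet)
    if packet.get("proto") == "http" and classify_http_url(packet["url"]):
        marked["dscp"] = MARK_DSCP
    return marked


def inside_outbound_policy(packet: dict) -> str:
    """service-policy output drop-inbound-http-hacks on Ethernet 0/0.

    The police statement drops on conform, exceed and violate alike, so every
    packet in class codered-marked is dropped regardless of rate.
    """
    return "drop" if packet.get("dscp") == MARK_DSCP else "forward"


def forward_through_router(packet: dict) -> str:
    """Outside -> inside path: classify/mark first, then police on the way out."""
    return inside_outbound_policy(outside_inbound_policy(packet))


# Constructed sample requests (not captured traffic).
SAMPLE_PACKETS = [
    {"proto": "http", "url": "/default.ida?NNNNNNNN", "dscp": 0},
    {"proto": "http", "url": "/scripts/root.exe?/c+dir", "dscp": 0},
    {"proto": "http", "url": "/c/winnt/system32/cmd.exe?/c+dir", "dscp": 0},
    {"proto": "http", "url": "/index.html", "dscp": 0},
    {"proto": "dns", "url": "", "dscp": 0},
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(pkt["proto"], pkt["url"] or "-", "->", forward_through_router(pkt))
```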
This archive was generated by hypermail 2.1.4 : Mon Feb 02 2004 - 09:07:48 GMT-3