Re: NBAR with class based policing

From: Chris_M (cmartin007@msn.com)
Date: Thu Jan 22 2004 - 17:36:55 GMT-3


hi:
    yes, you need to mark the packets somehow so the policy knows what to do
with the traffic. Also, i would mark ALL other traffic to default, so the
policy knows what to do with those as well.

----- Original Message -----
From: "Dmitry Volkov" <dmitry.volkov@rogers.com>
To: "'Chris_M'" <cmartin007@msn.com>; <ccielab@groupstudy.com>
Cc: <security@groupstudy.com>
Sent: Thursday, January 22, 2004 12:32 PM
Subject: RE: NBAR with class based policing

> Chris,
>
> Agree, I missed "ip nbar protocol discovery".
> About classification: Are you saying NBAR is strictly a classification
> method (not compatible with policing) and I need something like this:
>
> Classification on outside:
>
> Router(config)#ip cef
> Router(config)#class-map match-any http-hacks
> Router(config-cmap)#match protocol http url "*default.ida*"
> Router(config-cmap)#match protocol http url "*cmd.exe*"
> Router(config-cmap)#match protocol http url "*root.exe*"
>
> Router(config)#policy-map mark-inbound-http-hacks
> Router(config-pmap)#class http-hacks
> Router(config-pmap-c)#set ip dscp 1
> Router(config)#interface serial 0/0
> Router(config-if)#description OUTSIDE INTERFACE
> Router(config-if)#service-policy input mark-inbound-http-hacks
> Router(config-if)#ip nbar protocol-discovery
> ==================================
> Policing on inside::
>
> Router(config)#class-map match-any codered-marked
> Router(config-cmap)#match ip dscp 1
>
> Router(config)#policy-map drop-inbound-http-hacks
> Router(config-pmap)#class codered-marked
> Router(config-pmap-c)#police 1000000 31250 31250 conform-action drop exceed-action drop violate-action drop
> Router(config)#interface Ethernet 0/0
> Router(config-if)#description INSIDE INTERFACE
> Router(config-if)#service-policy output drop-inbound-http-hacks
>
> Thank You,
> Dmitry
>
> > -----Original Message-----
> > From: Chris_M [mailto:cmartin007@msn.com]
> > Sent: Thursday, January 22, 2004 3:11 PM
> > To: Dmitry Volkov; ccielab@groupstudy.com
> > Cc: security@groupstudy.com
> > Subject: Re: NBAR with class based policing
> >
> >
> > Dmitry:
> > You need to have the ip nbar protocol discovery command also.
> > Further you need another class map to assign a value to the
> > nbar class map.
> > For example, i would mark the nbar url with dscp of cs, then
> > drop dscp cs in your policy map.
> >
> > in your example, how is the policy map going to know what to
> > drop? The police command doesn't use nbar.
> >
> >
> > ----- Original Message -----
> > From: "Dmitry Volkov" <dmitry.volkov@rogers.com>
> > To: <ccielab@groupstudy.com>
> > Cc: <security@groupstudy.com>
> > Sent: Thursday, January 22, 2004 11:34 AM
> > Subject: NBAR with class based policing
> >
> >
> > > Hi,
> > >
> > > If I want to use NBAR with class based policing against stuff like
> > > codered - Is it enough to have ?:
> > >
> > > Router(config)#class-map match-any http-hacks
> > > Router(config-cmap)#match protocol http url "*default.ida*"
> > > Router(config-cmap)#match protocol http url "*cmd.exe*"
> > > Router(config-cmap)#match protocol http url "*root.exe*"
> > > Router(config)#policy-map drop-inbound-http-hacks
> > > Router(config-pmap)#class http-hacks
> > > Router(config-pmap-c)#police 1000000 31250 31250 conform-action drop exceed-action drop violate-action drop
> > > Router(config)#interface serial 0/0
> > > Router(config-if)#description OUTSIDE INTERFACE
> > > Router(config-if)#service-policy input drop-inbound-http-hacks
> > >
> > > Example here
> > >
> > > http://www.cisco.com/en/US/products/hw/routers/ps359/products_tech_note09186a00800fc176.shtml#methodc
> > >
> > > looks strange: the description of steps 1)-5) contradicts the config they
> > > place...
> > > They talk about 2 policies: inbound on outside interface for classification
> > > of traffic and outbound for policing:
> > > "Note that you must apply a separate policy to the outbound interface. You
> > > cannot apply a single policy that both marks the "Code Red" packets and
> > > drops them"
> > >
> > > but config depicts inbound policing on outside interface, why do I need to
> > > mark them when I just want to drop...
> > >
> > > Is config above correct ??
> > >
> > > Thank You
> > > Dmitry
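An added example, not from the thread or from the Cisco note it links: the two-stage configuration the thread converges on, written as a plain IOS config with consistent prompts, the class-default remarking Chris suggests, and the show commands that confirm each stage is matching. The interface names, class and policy names and the DSCP value 1 are taken from the thread; a generic IOS router with NBAR support is assumed.

```cisco
! Added example: two-stage NBAR classify-and-mark, then drop by DSCP.
! Stage 1 runs inbound on the outside interface: NBAR inspects the HTTP URL
! and marks matching packets with DSCP 1. Everything else is reset to DSCP
! default, so only this router's own mark can reach the drop class and a
! DSCP 1 already set by an upstream sender cannot get legitimate traffic dropped.
ip cef
!
class-map match-any http-hacks
 match protocol http url "*default.ida*"
 match protocol http url "*cmd.exe*"
 match protocol http url "*root.exe*"
!
policy-map mark-inbound-http-hacks
 class http-hacks
  set ip dscp 1
 class class-default
  set ip dscp default
!
interface Serial0/0
 description OUTSIDE INTERFACE
 ip nbar protocol-discovery
 service-policy input mark-inbound-http-hacks
!
! Stage 2 runs outbound on the inside interface and matches on DSCP only.
! The rate and burst values of the policer do not matter here because every
! action is drop; the policer is simply the mechanism that carries the drop.
class-map match-all codered-marked
 match ip dscp 1
!
policy-map drop-inbound-http-hacks
 class codered-marked
  police 1000000 31250 31250 conform-action drop exceed-action drop violate-action drop
!
interface Ethernet0/0
 description INSIDE INTERFACE
 service-policy output drop-inbound-http-hacks
!
! Verification (exec mode): per-class packet counters for each stage, and the
! NBAR protocol table to confirm HTTP is being recognised on the outside link.
! show policy-map interface Serial0/0 input
! show policy-map interface Ethernet0/0 output
! show ip nbar protocol-discovery interface Serial0/0
```

Stage 2 only ever sees DSCP 1 packets that stage 1 marked, so a rising packet counter under codered-marked on Ethernet0/0 is the confirmation that the whole chain works.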



This archive was generated by hypermail 2.1.4 : Mon Feb 02 2004 - 09:07:48 GMT-3