From: Dmitry Volkov (dmitry.volkov@rogers.com)
Date: Thu Jan 22 2004 - 17:47:12 GMT-3
Thank you very much !
However, class-default covers ALL other traffic, doesn't it?
Router#sh policy-map interface s0/0
 Ethernet0/0

  Service-policy input: mark-inbound-http-hacks

    Class-map: http-hacks (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol http url "*default.ida*"
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol http url "*cmd.exe*"
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol http url "*root.exe*"
        0 packets, 0 bytes
        5 minute rate 0 bps
      QoS Set
        dscp 1
          Packets marked 0

    Class-map: class-default (match-any)
      68 packets, 8617 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
Router#
Dmitry
> -----Original Message-----
> From: Chris_M [mailto:cmartin007@msn.com]
> Sent: Thursday, January 22, 2004 3:37 PM
> To: dmitry.volkov@rogers.com; ccielab@groupstudy.com
> Cc: security@groupstudy.com
> Subject: Re: NBAR with class based policing
>
>
> hi:
> yes, you need to mark the packets somehow so the policy knows what to do
> with the traffic. Also, I would mark ALL other traffic to default, so the
> policy knows what to do with those as well.
>
>
> ----- Original Message -----
> From: "Dmitry Volkov" <dmitry.volkov@rogers.com>
> To: "'Chris_M'" <cmartin007@msn.com>; <ccielab@groupstudy.com>
> Cc: <security@groupstudy.com>
> Sent: Thursday, January 22, 2004 12:32 PM
> Subject: RE: NBAR with class based policing
>
>
> > Chris,
> >
> > Agree, I missed "ip nbar protocol discovery".
> > About classification: Are you saying NBAR is strictly a classification
> > method (not compatible with policing) and I need something like this:
> >
> > Classification on outside:
> >
> > Router(config)#ip cef
> > Router(config)#class-map match-any http-hacks
> > Router(config-cmap)#match protocol http url "*default.ida*"
> > Router(config-cmap)#match protocol http url "*cmd.exe*"
> > Router(config-cmap)#match protocol http url "*root.exe*"
> >
> > Router(config)#policy-map mark-inbound-http-hacks
> > Router(config-pmap)#class http-hacks
> > Router(config-pmap-c)#set ip dscp 1
> > Router(config)#interface serial 0/0
> > Router(config-if)#description OUTSIDE INTERFACE
> > Router(config-if)#service-policy input mark-inbound-http-hacks
> > Router(config-if)#ip nbar protocol discovery
> > ==================================
> > Policing on inside::
> >
> > Router(config)#class-map match-any codered-marked
> > Router(config-cmap)#match ip dscp 1
> >
> > Router(config)#policy-map drop-inbound-http-hacks
> > Router(config-pmap)#class codered-marked
> > Router(config-pmap-c)#police 1000000 31250 31250 conform-action drop exceed-action drop violate-action drop
> > Router(config)#interface Ethernet 0/0
> > Router(config-if)#description INSIDE INTERFACE
> > Router(config-if)#service-policy output drop-inbound-http-hacks
> >
> > Thank You,
> > Dmitry
> >
> > > -----Original Message-----
> > > From: Chris_M [mailto:cmartin007@msn.com]
> > > Sent: Thursday, January 22, 2004 3:11 PM
> > > To: Dmitry Volkov; ccielab@groupstudy.com
> > > Cc: security@groupstudy.com
> > > Subject: Re: NBAR with class based policing
> > >
> > >
> > > Dmitry:
> > > You need to have the ip nbar protocol discovery command also.
> > > Further you need another class map to assign a value to the
> > > nbar class map.
> > > For example, I would mark the nbar url with dscp of cs, then
> > > drop dscp cs in your policy map.
> > >
> > > In your example, how is the policy map going to know what to
> > > drop? The police command doesn't use nbar.
> > >
> > >
> > > ----- Original Message -----
> > > From: "Dmitry Volkov" <dmitry.volkov@rogers.com>
> > > To: <ccielab@groupstudy.com>
> > > Cc: <security@groupstudy.com>
> > > Sent: Thursday, January 22, 2004 11:34 AM
> > > Subject: NBAR with class based policing
> > >
> > >
> > > > Hi,
> > > >
> > > > If I want to use NBAR with class based policing against stuff like
> > > > codered - is it enough to have?:
> > > >
> > > > Router(config)#class-map match-any http-hacks
> > > > Router(config-cmap)#match protocol http url "*default.ida*"
> > > > Router(config-cmap)#match protocol http url "*cmd.exe*"
> > > > Router(config-cmap)#match protocol http url "*root.exe*"
> > > > Router(config)#policy-map drop-inbound-http-hacks
> > > > Router(config-pmap)#class http-hacks
> > > > Router(config-pmap-c)#police 1000000 31250 31250 conform-action drop exceed-action drop violate-action drop
> > > > Router(config)#interface serial 0/0
> > > > Router(config-if)#description OUTSIDE INTERFACE
> > > > Router(config-if)#service-policy input drop-inbound-http-hacks
> > > >
> > > > Example here
> > > >
> > > > http://www.cisco.com/en/US/products/hw/routers/ps359/products_tech_note09186a00800fc176.shtml#methodc
> > > > looks strange: the description of steps 1)-5) contradicts the
> > > > config they place...
> > > > They talk about 2 policies: inbound on outside interface for
> > > > classification of traffic and outbound for policing:
> > > > "Note that you must apply a separate policy to the outbound
> > > > interface. You cannot apply a single policy that both marks the
> > > > "Code Red" packets and drops them"
> > > >
> > > > but the config depicts inbound policing on outside interface,
> > > > why do I need to mark them when I just want to drop...
> > > >
> > > > Is config above correct ??
> > > >
> > > > Thank You
> > > > Dmitry
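The `show policy-map interface` counters at the top of this thread are the only evidence that the NBAR class is actually firing, and Dmitry's class-default question is answered by those same counters: whatever the explicit classes do not match is counted under class-default. The following Python script is an added example, not part of the original thread and not Cisco's code. It parses that output format (on a constructed sample modelled on the thread, not captured from a real router), reports per-class and per-match hit counts, checks that the explicit classes plus class-default account for every packet the policy saw, and flags a class whose matches never fire, which is the symptom Dmitry reports above and which the thread attributes to the missing `ip nbar protocol discovery` command or to URL patterns that never match.

```python
import re

# Constructed sample of `show policy-map interface` output, modelled on the
# thread above. It is not captured from a real router; counters were chosen
# so that the http-hacks class has hits and class-default has the rest.
SAMPLE_OUTPUT = """\
Router#show policy-map interface s0/0
 Serial0/0

  Service-policy input: mark-inbound-http-hacks

    Class-map: http-hacks (match-any)
      3 packets, 1240 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol http url "*default.ida*"
        2 packets, 900 bytes
        5 minute rate 0 bps
      Match: protocol http url "*cmd.exe*"
        1 packets, 340 bytes
        5 minute rate 0 bps
      Match: protocol http url "*root.exe*"
        0 packets, 0 bytes
        5 minute rate 0 bps
      QoS Set
        dscp 1
          Packets marked 3

    Class-map: class-default (match-any)
      68 packets, 8617 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
"""

CLASS_RE = re.compile(r"^\s*Class-map:\s+(\S+)\s+\((match-any|match-all)\)")
COUNTER_RE = re.compile(r"^\s*(\d+) packets, (\d+) bytes")
MATCH_RE = re.compile(r"^\s*Match:\s+(.*)$")
MARKED_RE = re.compile(r"^\s*Packets marked (\d+)")


def parse_policy_map(text):
    """Return {class_name: {type, packets, bytes, matches, marked}}.

    The first 'N packets, M bytes' line after a Class-map header is the
    class total; later counter lines belong to the preceding 'Match:' line.
    """
    classes = {}
    current = None
    pending_match = None
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            current = {"type": m.group(2), "packets": None, "bytes": None,
                       "matches": [], "marked": None}
            classes[m.group(1)] = current
            pending_match = None
            continue
        if current is None:
            continue  # interface / service-policy header lines
        m = MATCH_RE.match(line)
        if m:
            pending_match = {"criterion": m.group(1), "packets": None}
            current["matches"].append(pending_match)
            continue
        m = COUNTER_RE.match(line)
        if m:
            pkts, byts = int(m.group(1)), int(m.group(2))
            if current["packets"] is None:
                current["packets"], current["bytes"] = pkts, byts
            elif pending_match is not None and pending_match["packets"] is None:
                pending_match["packets"] = pkts
            continue
        m = MARKED_RE.match(line)
        if m:
            current["marked"] = int(m.group(1))
    return classes


def audit(classes):
    """Summarise coverage and flag classes that never matched.

    Explicit classes and class-default are mutually exclusive, so their
    packet counts sum to everything the service-policy processed.
    """
    findings = []
    total = sum(c["packets"] or 0 for c in classes.values())
    default = classes.get("class-default")
    default_packets = default["packets"] if default else None
    for name, c in classes.items():
        if name == "class-default":
            continue
        if c["packets"] == 0:
            findings.append(f"{name}: no hits; verify 'ip nbar protocol discovery' "
                            "is applied and that the URL patterns match real requests")
        if c["marked"] is not None and c["marked"] != c["packets"]:
            findings.append(f"{name}: {c['packets']} matched but only "
                            f"{c['marked']} marked")
    return {"total_packets": total,
            "explicit_packets": total - (default_packets or 0),
            "default_packets": default_packets,
            "findings": findings}


if __name__ == "__main__":
    parsed = parse_policy_map(SAMPLE_OUTPUT)
    for name, c in parsed.items():
        print(f"{name}: {c['packets']} packets, marked={c['marked']}")
        for mt in c["matches"]:
            print(f"  {mt['criterion']}: {mt['packets']}")
    print(audit(parsed))
```

Run it against saved output from a real router to confirm that the marking policy on the outside interface is hitting before relying on the `match ip dscp 1` class on the inside interface to police those packets; a zero-hit explicit class with a busy class-default is exactly the picture in Dmitry's output above.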
This archive was generated by hypermail 2.1.4 : Mon Feb 02 2004 - 09:07:48 GMT-3