Re: NBAR with class based policing

From: Alec (clapun@graduate.hku.hk)
Date: Fri Jan 23 2004 - 02:25:51 GMT-3


According to the Cisco command reference:
Use the ip nbar protocol-discovery command to configure NBAR to keep traffic
statistics for all protocols known to NBAR.

So why is it necessary in your case if you don't need to collect the
statistics?

rgds,
alec
----- Original Message -----
From: "Chris_M" <cmartin007@msn.com>
To: "Dmitry Volkov" <dmitry.volkov@rogers.com>; <ccielab@groupstudy.com>
Cc: <security@groupstudy.com>
Sent: Friday, January 23, 2004 4:11 AM
Subject: Re: NBAR with class based policing

> Dmitry:
> You need to have the ip nbar protocol-discovery command also.
> Further you need another class map to assign a value to the nbar class map.
> For example, I would mark the nbar url with dscp of cs, then drop dscp cs in
> your policy map.
>
> In your example, how is the policy map going to know what to drop? The police
> command doesn't use nbar.
>
>
> ----- Original Message -----
> From: "Dmitry Volkov" <dmitry.volkov@rogers.com>
> To: <ccielab@groupstudy.com>
> Cc: <security@groupstudy.com>
> Sent: Thursday, January 22, 2004 11:34 AM
> Subject: NBAR with class based policing
>
>
> > Hi,
> >
> > If I want to use NBAR with class based policing against stuff like codered -
> > Is it enough to have ?:
> >
> > Router(config)#class-map match-any http-hacks
> > Router(config-cmap)#match protocol http url "*default.ida*"
> > Router(config-cmap)#match protocol http url "*cmd.exe*"
> > Router(config-cmap)#match protocol http url "*root.exe*"
> > Router(config)#policy-map drop-inbound-http-hacks
> > Router(config-pmap)#class http-hacks
> > Router(config-pmap-c)#police 1000000 31250 31250 conform-action drop exceed-action drop violate-action drop
> > Router(config)#interface serial 0/0
> > Router(config-if)#description OUTSIDE INTERFACE
> > Router(config-if)#service-policy input drop-inbound-http-hacks
> >
> > Example here
> >
> > http://www.cisco.com/en/US/products/hw/routers/ps359/products_tech_note09186a00800fc176.shtml#methodc
> > looks strange: the description of steps 1)-5) contradicts the config they
> > place...
> > They talk about 2 policies: inbound on outside interface for classification
> > of traffic and outbound for policing:
> > "Note that you must apply a separate policy to the outbound interface. You
> > cannot apply a single policy that both marks the "Code Red" packets and
> > drops them"
> >
> > but the config depicts inbound policing on the outside interface, why do I need to
> > mark them when I just want to drop...
> >
> > Is the config above correct?
> >
> > Thank You
> > Dmitry
>
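The two-stage layout the Cisco note quoted above describes, written out as an added example (not a configuration from this thread or from Cisco): an inbound policy on the outside interface classifies the Code Red URLs with NBAR and marks them, and a separate outbound policy on the inside interface matches the mark and drops. The DSCP value cs1 and the inside interface name FastEthernet0/1 are assumptions; ip nbar protocol-discovery is included on the outside interface because the earlier reply says it is needed, which is the point the thread is debating.

```cisco
! Added example, not from the thread: mark inbound, drop outbound.
! Stage 1 (inbound on the OUTSIDE interface): classify with NBAR and mark.
class-map match-any http-hacks
 match protocol http url "*default.ida*"
 match protocol http url "*cmd.exe*"
 match protocol http url "*root.exe*"
!
! cs1 is an assumed marker value; any DSCP not otherwise used in the network works.
policy-map mark-inbound-http-hacks
 class http-hacks
  set ip dscp cs1
!
! Stage 2 (outbound on the INSIDE interface): match only the mark, then drop.
! This class does not need NBAR; the classification was done on the way in.
class-map match-all http-hacks-marked
 match ip dscp cs1
!
policy-map drop-marked-http-hacks
 class http-hacks-marked
  police 1000000 31250 31250 conform-action drop exceed-action drop violate-action drop
!
interface Serial0/0
 description OUTSIDE INTERFACE
 ip nbar protocol-discovery
 service-policy input mark-inbound-http-hacks
!
! Assumed name for the inside (LAN-facing) interface.
interface FastEthernet0/1
 description INSIDE INTERFACE
 service-policy output drop-marked-http-hacks
```

Check the result with show policy-map interface Serial0/0 input and show policy-map interface FastEthernet0/1 output: the class counters show packets being marked on the way in and dropped on the way out.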



This archive was generated by hypermail 2.1.4 : Mon Feb 02 2004 - 09:07:49 GMT-3