RE: NBAR with class based policing

From: Dmitry Volkov (dmitry.volkov@rogers.com)
Date: Sun Jan 25 2004 - 19:59:45 GMT-3


Looks like you are right, Alec,

Protocol Discovery feature displays various statistics of any
NBAR-supported protocol traffic traversing an interface for the user.
http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_command_reference_chapter09186a008010a387.html#1096744
To configure network-based application recognition (NBAR) to discover
traffic for all protocols known to NBAR on a particular interface, use the
ip nbar protocol-discovery command in interface configuration mode. To
disable traffic discovery, use the no form of this command.

I guess the source of confusion here is that some sources, like Wendell Odom's
"Cisco DQOS" book, say on page 185: ip nbar protocol-discovery - "ENABLES NBAR FOR
TRAFFIC ENTERING THE INTERFACE"
and later on page 188: "Had NBAR not been enabled (on interface using above
command), the service-policy command would have been REJECTED" -
A simple test shows this is not true - service-policy is not rejected
without "ip nbar protocol-discovery".

> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On
> Behalf Of Alec
> Sent: Friday, January 23, 2004 12:26 AM
> To: Chris_M; Dmitry Volkov; ccielab@groupstudy.com
> Cc: security@groupstudy.com
> Subject: Re: NBAR with class based policing
>
>
> according to the cisco command reference :
> Use the ip nbar protocol-discovery command to configure NBAR
> to keep traffic
> statistics for all protocols known to NBAR
>
> so why is it necessary for your case if you don't need to collect the
> statistics ?
>
> rgds,
> alec
> ----- Original Message -----
> From: "Chris_M" <cmartin007@msn.com>
> To: "Dmitry Volkov" <dmitry.volkov@rogers.com>;
> <ccielab@groupstudy.com>
> Cc: <security@groupstudy.com>
> Sent: Friday, January 23, 2004 4:11 AM
> Subject: Re: NBAR with class based policing
>
>
> > Dmitry:
> > You need to have the ip nbar protocol discovery command also.
> > Further you need another class map to assign a value to the nbar class map.
> > For example, I would mark the nbar url with dscp of cs, then drop dscp cs in
> > your policy map.
> >
> > In your example, how is the policy map going to know what to drop? The
> > police command doesn't use nbar.
> >
> >
> > ----- Original Message -----
> > From: "Dmitry Volkov" <dmitry.volkov@rogers.com>
> > To: <ccielab@groupstudy.com>
> > Cc: <security@groupstudy.com>
> > Sent: Thursday, January 22, 2004 11:34 AM
> > Subject: NBAR with class based policing
> >
> >
> > > Hi,
> > >
> > > If I want to use NBAR with class based policing against stuff like
> > codered -
> > > Is it enough to have ?:
> > >
> > > Router(config)#class-map match-any http-hacks
> > > Router(config-cmap)#match protocol http url "*default.ida*"
> > > Router(config-cmap)#match protocol http url "*cmd.exe*"
> > > Router(config-cmap)#match protocol http url "*root.exe*"
> > > Router(config)#policy-map drop-inbound-http-hacks
> > > Router(config-pmap)#class http-hacks
> > > Router(config-pmap-c)#police 1000000 31250 31250 conform-action drop exceed-action drop violate-action drop
> > > Router(config)#interface serial 0/0
> > > Router(config-if)#description OUTSIDE INTERFACE
> > > Router(config-if)#service-policy input drop-inbound-http-hacks
> > >
> > > Example here
> > >
> > > http://www.cisco.com/en/US/products/hw/routers/ps359/products_tech_note09186a00800fc176.shtml#methodc
> > > looks strange: the description of steps 1)-5) contradicts the config they
> > > place...
> > > They talk about 2 policies: inbound on the outside interface for classification
> > > of traffic and outbound for policing:
> > > "Note that you must apply a separate policy to the outbound interface. You
> > > cannot apply a single policy that both marks the "Code Red" packets and
> > > drops them"
> > >
> > > but the config depicts inbound policing on the outside interface, so why do I need to
> > > mark them when I just want to drop...
> > >
> > > Is the config above correct ??
> > >
> > > Thank You
> > > Dmitry
>
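For readers following the thread, here is the full configuration the discussion converges on, written out as one piece with verification commands. This is an added example, not text from the thread, from the Cisco tech note or from the DQOS book. It assumes Serial0/0 is the outside interface and FastEthernet0/0 the inside one, and the DSCP value cs1 in the mark-then-drop variant is an arbitrary choice for illustration; the URL patterns are the ones Dmitry posted.

```cisco
! Added example (not the thread's or Cisco's own text). Interface names and
! the DSCP value cs1 are assumptions for illustration.
!
! NBAR requires CEF switching on the router.
ip cef
!
! Classify on the URL carried in the HTTP request. NBAR inspects the request
! itself, so no access-list is needed. match-any: any one pattern is enough.
class-map match-any http-hacks
 match protocol http url "*default.ida*"
 match protocol http url "*cmd.exe*"
 match protocol http url "*root.exe*"
!
! Variant A (what Dmitry posted and tested): drop inbound on the outside
! interface with a policer whose conform, exceed and violate actions are all
! drop. The rate and burst values are irrelevant because every outcome drops.
policy-map drop-inbound-http-hacks
 class http-hacks
  police 1000000 31250 31250 conform-action drop exceed-action drop violate-action drop
!
interface Serial0/0
 description OUTSIDE INTERFACE
 ! Optional. Only needed for per-protocol NBAR statistics
 ! (show ip nbar protocol-discovery); per Dmitry's test the service-policy
 ! is accepted without it.
 ip nbar protocol-discovery
 service-policy input drop-inbound-http-hacks
!
! Variant B (mark inbound, drop outbound): the two-policy layout the quoted
! tech note describes, built on Chris_M's suggestion of marking with a DSCP
! value and dropping on it. Use it instead of Variant A, not alongside it,
! since an interface takes only one input service-policy.
policy-map mark-inbound-http-hacks
 class http-hacks
  set ip dscp cs1
!
class-map match-all http-hacks-marked
 match ip dscp cs1
!
policy-map drop-outbound-http-hacks
 class http-hacks-marked
  police 1000000 31250 31250 conform-action drop exceed-action drop violate-action drop
!
! Interface assignment for Variant B (commented out so Variant A stays active):
! interface Serial0/0
!  service-policy input mark-inbound-http-hacks
! interface FastEthernet0/0
!  description INSIDE INTERFACE
!  service-policy output drop-outbound-http-hacks
!
! Verification (exec mode): the per-class packet counters show whether the
! classifier is actually matching, and the "police" section shows drops.
! show policy-map interface Serial0/0
! show class-map http-hacks
! show ip nbar protocol-discovery interface Serial0/0
```

The police-with-all-drop idiom is a workaround for IOS releases that have no native drop action under a policy-map class; on releases that do, the single keyword drop in place of the police line does the same thing. Whichever variant is used, the counters from show policy-map interface are the thing to watch: a class that never increments means NBAR is not seeing the request (no CEF, wrong interface direction, or the traffic is not plain HTTP on a port NBAR inspects), not that the attack has stopped.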



This archive was generated by hypermail 2.1.4 : Mon Feb 02 2004 - 09:07:50 GMT-3