RE: NBAR with class based policing

From: Szabo, Vilmos (VS183600@exchange.UnitedKingdom.NCR.COM)
Date: Mon Jan 26 2004 - 06:32:41 GMT-3


Dmitry, All

below is my simple config with NBAR classification and policing of Code Red
on the same input interface (without any extra coloring and an additional ACL on
a separate interface):

!
 class-map match-any test
  match protocol http url "*root.exe*"
  match protocol http url "*x.ida*"
!
 policy-map one
  class test
   police cir 8000
     conform-action drop
     exceed-action drop
     violate-action drop
!
interface Ethernet3/1
 ip address 172.16.0.2 255.255.255.0
 service-policy input one
 duplex half
!

and the result after an attack:

R5#sh policy-map interface
 Ethernet3/1

  Service-policy input: one

    Class-map: test (match-any)
      6 packets, 1217 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol http url "*root.exe*"
        6 packets, 1217 bytes <---------------------------
        5 minute rate 0 bps
      Match: protocol http url "*x.ida*"
        0 packets, 0 bytes
        5 minute rate 0 bps
      police:
          cir 8000 bps, bc 1500 bytes, be 1500 bytes
        conformed 6 packets, 1217 bytes; actions: <--------------------
          drop
        exceeded 0 packets, 0 bytes; actions:
          drop
        violated 0 packets, 0 bytes; actions:
          drop
        conformed 0 bps, exceed 0 bps, violate 0 bps

    Class-map: class-default (match-any)
      111 packets, 12579 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
R5#

Regards,

Vilmos
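
Added example, not part of the thread and not Cisco's code: a small Python parser
for the "show policy-map interface" output quoted above, plus a check that every
packet NBAR classified into the class was actually dropped by the policer (all
buckets have action drop, and their packet counters add up to the class counter).
The function names parse_policy_map and audit_drop_class are this example's own.
SAMPLE_POLICED is the R5 output above, trimmed; SAMPLE_MARK_ONLY is a constructed
mark-only policy (set dscp, no police action) with invented counters, to show the
check failing when a policy only colors the traffic instead of dropping it.

```python
import re
# Constructed sample: the R5 output quoted above, trimmed to the policed class.
SAMPLE_POLICED = """\
 Ethernet3/1
  Service-policy input: one
    Class-map: test (match-any)
      6 packets, 1217 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol http url "*root.exe*"
        6 packets, 1217 bytes
        5 minute rate 0 bps
      police:
          cir 8000 bps, bc 1500 bytes, be 1500 bytes
        conformed 6 packets, 1217 bytes; actions:
          drop
        exceeded 0 packets, 0 bytes; actions:
          drop
        violated 0 packets, 0 bytes; actions:
          drop
        conformed 0 bps, exceed 0 bps, violate 0 bps
"""
# Constructed sample of a mark-only policy (set dscp, no police); counters are invented.
SAMPLE_MARK_ONLY = """\
 Ethernet0/0
  Service-policy input: mark-inbound-http-hacks
    Class-map: http-hacks (match-any)
      3 packets, 600 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol http url "*root.exe*"
        3 packets, 600 bytes
        5 minute rate 0 bps
      QoS Set
        dscp 1
          Packets marked 3
"""

RE_POLICY = re.compile(r"^Service-policy\s+(input|output):\s+(\S+)$")
RE_CLASS = re.compile(r"^Class-map:\s+(\S+)\s+\((match-\w+)\)")
RE_MATCH = re.compile(r"^Match:\s+(.+)$")
RE_COUNT = re.compile(r"^(\d+)\s+packets,\s+(\d+)\s+bytes$")
RE_CIR = re.compile(r"cir\s+(\d+)\s+bps,\s+bc\s+(\d+)\s+bytes(?:,\s+be\s+(\d+)\s+bytes)?")
RE_BUCKET = re.compile(r"^(conformed|exceeded|violated)\s+(\d+)\s+packets,\s+(\d+)\s+bytes;\s+actions:$")


def parse_policy_map(text):
    """Turn 'show policy-map interface' text into policies -> classes -> counters/policer buckets."""
    policies, policy, cls, match, bucket = [], None, None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := RE_POLICY.match(line):
            policy = {"direction": m.group(1), "name": m.group(2), "classes": {}}
            policies.append(policy)
            cls = match = bucket = None
        elif (m := RE_CLASS.match(line)) and policy is not None:
            cls = policy["classes"][m.group(1)] = {"type": m.group(2), "packets": None,
                                                   "matches": [], "police": None}
            match = bucket = None
        elif cls is None:
            continue                                  # blank lines, interface header
        elif m := RE_MATCH.match(line):
            match = {"criterion": m.group(1), "packets": 0}
            cls["matches"].append(match)
            bucket = None
        elif line == "police:":
            cls["police"] = {"cir": None, "bc": None, "be": None, "buckets": {}}
            match = bucket = None
        elif (m := RE_CIR.search(line)) and cls["police"] is not None:
            cls["police"].update(cir=int(m.group(1)), bc=int(m.group(2)),
                                 be=int(m.group(3)) if m.group(3) else None)
        elif (m := RE_BUCKET.match(line)) and cls["police"] is not None:
            bucket = cls["police"]["buckets"][m.group(1)] = {"packets": int(m.group(2)),
                                                             "actions": []}
        elif m := RE_COUNT.match(line):
            if match is not None:                     # counters of the preceding Match:
                match["packets"] = int(m.group(1))
            elif cls["packets"] is None:              # first counter line of the class
                cls["packets"] = int(m.group(1))
        elif line.startswith(("5 minute", "conformed ")):
            bucket = None                             # rate lines end a bucket's action list
        elif bucket is not None and line:
            bucket["actions"].append(line)            # e.g. "drop", "transmit"
    return policies


def audit_drop_class(policies, policy_name, class_name):
    """Every packet classified into class_name must be dropped: all bucket actions are drop
    and the bucket counters add up to the class counter. Returns ok/classified/dropped/findings."""
    cls = next(p for p in policies if p["name"] == policy_name)["classes"][class_name]
    classified, findings, policed, dropped = cls["packets"] or 0, [], 0, 0
    if cls["police"] is None:
        findings.append("no police action in class: matched traffic is marked/forwarded, not dropped")
    else:
        for name, b in cls["police"]["buckets"].items():
            policed += b["packets"]
            if b["actions"] == ["drop"]:
                dropped += b["packets"]
            else:
                findings.append(f"{name} action is {b['actions'] or ['(none)']}, not drop")
        if policed != classified:
            findings.append(f"policer counted {policed} packets but class matched {classified}")
    if dropped != classified:
        findings.append(f"{classified - dropped} classified packet(s) not dropped")
    return {"ok": not findings, "classified": classified, "dropped": dropped, "findings": findings}
```

Run it against the output of "show policy-map interface" after a test attack: for
the single-policy config above audit_drop_class(parse_policy_map(out), "one", "test")
returns ok with dropped == classified == 6, while the mark-only sample returns findings
because the class has no policer and none of its 3 packets were dropped.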

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
Szabo, Vilmos
Sent: 23 January 2004 10:15
To: 'Dmitry Volkov'; 'Chris_M'; ccielab@groupstudy.com
Cc: security@groupstudy.com
Subject: RE: NBAR with class based policing

Hi All,

I do not think we need to classify one type of traffic on one interface just
in order to drop this marked traffic on another interface in this particular
scenario.

Yah, we can fly from London to Paris through New York, but there is a
shorter way.

So going back to the original question of Dmitry, I say your original
configuration was completely right, even if the CCO sample did it in an
unnecessarily complicated way.

Yes, it is true that you can classify and police traffic with a single
policy-map on a single interface. (What the classification method is, NBAR,
ACL or whatever, is absolutely irrelevant for the policer.)

Just check the command reference:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fqos_c/fqcprt4/qcfpoli.htm

Let me know if you have a different opinion.

Thank you!

Vilmos

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
Dmitry Volkov
Sent: 22 January 2004 20:47
To: 'Chris_M'; ccielab@groupstudy.com
Cc: security@groupstudy.com
Subject: RE: NBAR with class based policing

Thank you very much !
However, class-default covers ALL other traffic. Doesn't it?

Router#sh policy-map interface s0/0
 Ethernet0/0

  Service-policy input: mark-inbound-http-hacks

    Class-map: http-hacks (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol http url "*default.ida*"
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol http url "*cmd.exe*"
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol http url "*root.exe*"
        0 packets, 0 bytes
        5 minute rate 0 bps
      QoS Set
        dscp 1
          Packets marked 0

    Class-map: class-default (match-any)
      68 packets, 8617 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
Router#

Dmitry

> -----Original Message-----
> From: Chris_M [mailto:cmartin007@msn.com]
> Sent: Thursday, January 22, 2004 3:37 PM
> To: dmitry.volkov@rogers.com; ccielab@groupstudy.com
> Cc: security@groupstudy.com
> Subject: Re: NBAR with class based policing
>
>
> hi:
> yes, you need to mark the packets somehow so the policy knows what to do
> with the traffic. Also, I would mark ALL other traffic to default, so the
> policy knows what to do with those as well.
>
>
> ----- Original Message -----
> From: "Dmitry Volkov" <dmitry.volkov@rogers.com>
> To: "'Chris_M'" <cmartin007@msn.com>; <ccielab@groupstudy.com>
> Cc: <security@groupstudy.com>
> Sent: Thursday, January 22, 2004 12:32 PM
> Subject: RE: NBAR with class based policing
>
>
> > Chris,
> >
> > Agree, I missed "ip nbar protocol discovery".
> > About classification: Are you saying NBAR is strictly a classification
> > method (not compatible with policing) and I need something like this:
> >
> > Classification on outside:
> >
> > Router(config)#ip cef
> > Router(config)#class-map match-any http-hacks
> > Router(config-cmap)#match protocol http url "*default.ida*"
> > Router(config-cmap)#match protocol http url "*cmd.exe*"
> > Router(config-cmap)#match protocol http url "*root.exe*"
> >
> > Router(config)#policy-map mark-inbound-http-hacks
> > Router(config-pmap)#class http-hacks
> > Router(config-pmap)#set ip dscp 1
> > Router(config)#interface serial 0/0
> > Router(config-if)#description OUTSIDE INTERFACE
> > Router(config-if)#service-policy input mark-inbound-http-hacks
> > Router(config-if)#ip nbar protocol discovery
> > ==================================
> > Policing on inside::
> >
> > Router(config)#class-map match-any codered-marked
> > Router(config-cmap)#match ip dscp 1
> >
> > Router(config)#policy-map drop-inbound-http-hacks
> > Router(config-pmap)#class codered-marked
> > Router(config-pmap)#police 1000000 31250 31250 conform-action drop exceed-action drop violate-action drop
> > Router(config)#interface Ethernet 0/0
> > Router(config-if)#description INSIDE INTERFACE
> > Router(config-if)#service-policy output drop-inbound-http-hacks
> >
> > Thank You,
> > Dmitry
> >
> > > -----Original Message-----
> > > From: Chris_M [mailto:cmartin007@msn.com]
> > > Sent: Thursday, January 22, 2004 3:11 PM
> > > To: Dmitry Volkov; ccielab@groupstudy.com
> > > Cc: security@groupstudy.com
> > > Subject: Re: NBAR with class based policing
> > >
> > >
> > > Dmitry:
> > > You need to have the ip nbar protocol discovery command also.
> > > Further, you need another class map to assign a value to the
> > > NBAR class map.
> > > For example, I would mark the NBAR URL with a DSCP of CS, then
> > > drop DSCP CS in your policy map.
> > >
> > > In your example, how is the policy map going to know what to
> > > drop? The police command doesn't use NBAR.
> > >
> > >
> > > ----- Original Message -----
> > > From: "Dmitry Volkov" <dmitry.volkov@rogers.com>
> > > To: <ccielab@groupstudy.com>
> > > Cc: <security@groupstudy.com>
> > > Sent: Thursday, January 22, 2004 11:34 AM
> > > Subject: NBAR with class based policing
> > >
> > >
> > > > Hi,
> > > >
> > > > If I want to use NBAR with class based policing against stuff like
> > > > codered - is it enough to have this?:
> > > >
> > > > Router(config)#class-map match-any http-hacks
> > > > Router(config-cmap)#match protocol http url "*default.ida*"
> > > > Router(config-cmap)#match protocol http url "*cmd.exe*"
> > > > Router(config-cmap)#match protocol http url "*root.exe*"
> > > > Router(config)#policy-map drop-inbound-http-hacks
> > > > Router(config-pmap)#class http-hacks
> > > > Router(config-pmap)#police 1000000 31250 31250 conform-action drop exceed-action drop violate-action drop
> > > > Router(config)#interface serial 0/0
> > > > Router(config-if)#description OUTSIDE INTERFACE
> > > > Router(config-if)#service-policy input drop-inbound-http-hacks
> > > >
> > > > Example here
> > > >
> > > > http://www.cisco.com/en/US/products/hw/routers/ps359/products_tech_note09186a00800fc176.shtml#methodc
> > > >
> > > > looks strange: the description of steps 1)-5) contradicts the config they
> > > > show...
> > > > They talk about 2 policies: inbound on the outside interface for
> > > > classification of traffic and outbound for policing:
> > > > "Note that you must apply a separate policy to the outbound interface. You
> > > > cannot apply a single policy that both marks the "Code Red" packets and
> > > > drops them"
> > > >
> > > > but the config depicts inbound policing on the outside interface, so
> > > > why do I need to mark them when I just want to drop them...
> > > >
> > > > Is the config above correct??
> > > >
> > > > Thank You
> > > > Dmitry



This archive was generated by hypermail 2.1.4 : Mon Feb 02 2004 - 09:07:50 GMT-3