From: Koen Peetermans (K.Peetermans@chello.be)
Date: Fri Jul 09 2004 - 07:12:15 GMT-3
Actually, apparently "match protocol dlsw" would only match DIRECT
ENCAPSULATION dlsw (not TCP). But indeed it is a serious gotcha...
Kind regards,
Koen.
>Which makes me wonder why IOS let you choose 'match protocol dlsw' under
>the class map if it isn't going to do anything.
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
James Marinas
Sent: Friday 9 July 2004 6:28
To: KWygand@customonline.com; ccielab@groupstudy.com
Subject: RE: NBAR & IP NBAR protocol-discovery
'ip nbar protocol-discovery' isn't needed and you're right about it being
used for gathering protocol statistics on the interface.
In terms of gotchas... It seems that doing a 'match ip protocol ____'
uses NBAR's port map. Check out this DLSW example:
class-map match-all DLSW
 match protocol dlsw
policy-map POLICY
 class DLSW
  set precedence 5
interface FastEthernet0/0
 service-policy input POLICY
NOTICE THAT THE POLICY MAP ISN'T MATCHING ANY PACKETS
r14#sh policy-map inter fast 0/0
 FastEthernet0/0
  Service-policy input: POLICY
    Class-map: DLSW (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol dlsw
      QoS Set
        precedence 5
          Packets marked 0
THIS IS BECAUSE DLSW IS NOT IN THE PORT MAP
r14# sh ip nbar port-map | begin port-map d
port-map dhcp udp 67 68
port-map dns udp 53
port-map dns tcp 53
Which makes me wonder why IOS let you choose 'match protocol dlsw' under
the class map if it isn't going to do anything.
Now, I'm going to modify NBAR's port-map:
r14(config)#ip nbar port-map custom-01 tcp 2065
r14(config)#end
r14#
*Mar 1 02:46:06.031: %SYS-5-CONFIG_I: Configured from console by console
r14#sh ip nbar port-map | begin port-map custom
port-map custom-01 udp 0
port-map custom-01 tcp 2065
And I'm going to modify the class-map:
class-map match-all DLSW
 match protocol custom-01
When I view the policy-map on the interface, it is marking packets as it
should:
r14#sh policy-m inter fast 0/0
 FastEthernet0/0
  Service-policy input: POLICY
    Class-map: DLSW (match-all)
      26 packets, 1946 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol custom-01
      QoS Set
        precedence 5
          Packets marked 26
Another potential gotcha is FTP.
r14#sh ip nbar port-map | begin port-map ftp
port-map ftp tcp 21
Notice that ftp-data's port isn't mapped.
Which brings me to the conclusion that if you are using the 'match
protocol', make sure it's in the 'sh ip nbar port-map'. If not, map it
with one of the custom mappings or better yet... use an access-list:
access-list 101 permit tcp any any eq ftp
access-list 101 permit tcp any any eq ftp-data
access-list 102 permit tcp any any eq 2065
Hope this helps someone.
>From: "Kenneth Wygand" <KWygand@customonline.com>
>Reply-To: "Kenneth Wygand" <KWygand@customonline.com>
>To: <ccielab@groupstudy.com>
>Subject: NBAR & IP NBAR protocol-discovery
>Date: Thu, 8 Jul 2004 22:03:00 -0400
>
>Hey everyone,
>
>When using NBAR through a class-based queuing mechanism (match ip protocol ____ ),
>do you need to have the command "IP nbar protocol-discovery" on the associated
>interface, or is this command only used for gathering protocol statistics on the
>interface?
>
>I know "ip cef" is required when using NBAR... are there any other "gotchas"
>that are important to know for variations of NBAR implementations?
>
>Thanks!
>Ken
>
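The thread's check (does every 'match protocol' name have a 'show ip nbar port-map' entry, so the class actually classifies packets?) can be automated before a policy goes live. The script below is an added example, not code from the thread or from Cisco; the port-map output and class-map configuration it parses are constructed samples modelled on the lines quoted above.

```python
import re

# Constructed sample of "show ip nbar port-map" output (dlsw deliberately absent,
# ftp mapped only on tcp 21, custom-01 already mapped to tcp 2065).
PORT_MAP_OUTPUT = """\
port-map dhcp udp 67 68
port-map dns udp 53
port-map dns tcp 53
port-map ftp tcp 21
port-map custom-01 udp 0
port-map custom-01 tcp 2065
"""

# Constructed class-map configuration to audit.
CLASS_MAP_CONFIG = """\
class-map match-all DLSW
 match protocol dlsw
class-map match-all FTP
 match protocol ftp
class-map match-all CUSTOM
 match protocol custom-01
"""

def parse_port_map(output):
    """Return {protocol: {(transport, port), ...}} from 'show ip nbar port-map'.
    A 'udp 0' line means a custom slot has no UDP port assigned, so it is skipped."""
    ports = {}
    for line in output.splitlines():
        m = re.match(r"port-map\s+(\S+)\s+(tcp|udp)\s+([\d ]+)$", line.strip())
        if not m:
            continue
        name, transport, nums = m.groups()
        for p in nums.split():
            if int(p) != 0:
                ports.setdefault(name, set()).add((transport, int(p)))
    return ports

def find_unmapped_matches(config, port_map):
    """List (class_map, protocol) pairs whose 'match protocol' has no port-map
    entry and would therefore count 0 packets, as in the DLSW example."""
    unmapped = []
    current = None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("class-map"):
            current = line.split()[-1]
        elif line.startswith("match protocol "):
            proto = line.split()[2]
            if proto not in port_map:
                unmapped.append((current, proto))
    return unmapped
```

Run on real output, feed it the text of 'show ip nbar port-map' and 'show running-config | section class-map'; a protocol that is mapped but only on one port (ftp without ftp-data) still needs a manual look at the returned port set.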
This archive was generated by hypermail 2.1.4 : Sun Aug 01 2004 - 10:11:50 GMT-3