Re: NBAR - Discovering the Source

From: Sam Munzani (sam@munzani.com)
Date: Thu Sep 02 2004 - 10:31:08 GMT-3


gladston@br.ibm.com wrote:

>I realize that I configured the service policy output; then I configured it input, expecting now that packets would be marked with DSCP 50 and be logged, but not changed. NBAR still works, but there is no log of packets with DSCP 50.

You can't mark & match on the same interface. Apply the service policy in input
mode to your LAN interface and let it mark the packets with DSCP 50, then
apply an outbound access list on your WAN interface that checks for any DSCP
50 packets and drops them with log.

In short, make the following changes to your config and it will work.

policy-map Not-Authorized-Traffic
  class Not-Authorized-Traffic
     set dscp 50
!
interface Vlanxx
 service-policy input Not-Authorized-Traffic
!
interface ATM y/y/y.500
 ip access-group LOG out
!
ip access-list extended LOG
 permit ip any any dscp 50 log
 permit ip any any

Sam Munzani
CCIE # 6479 (R&S, Security)
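Added example, not from the post or from Cisco: a small Python checker that parses an IOS-style config in the shape shown above and reports every interface where an ACL matches a DSCP value that a service-policy sets on the same interface and in the same direction (the "mark & match on same interface" case). The config text is constructed for the example, with Vlan10 and ATM1/0/0.500 standing in for the placeholders in the post.

```python
import re
from collections import defaultdict

# Constructed sample config following the fix in the post: marking inbound on the LAN VLAN,
# logging ACL outbound on the WAN subinterface. Interface names are made up for the example.
FIXED_CONFIG = """\
policy-map Not-Authorized-Traffic
  class Not-Authorized-Traffic
     set dscp 50
!
interface Vlan10
 service-policy input Not-Authorized-Traffic
!
interface ATM1/0/0.500
 ip access-group LOG out
!
ip access-list extended LOG
 permit ip any any dscp 50 log
 permit ip any any
"""
# Same config with marking and the ACL stacked outbound on the WAN interface: the case the post says cannot work.
BROKEN_CONFIG = FIXED_CONFIG.replace(" ip access-group LOG out",
                                     " service-policy output Not-Authorized-Traffic\n ip access-group LOG out")

def parse(config):
    """One pass over the config: DSCP values each policy-map sets (numeric 'set dscp N' only),
    DSCP values each ACL matches, and the (kind, direction, name) bindings on each interface."""
    sets, matches, bindings = defaultdict(set), defaultdict(set), defaultdict(list)
    ctx = None                                   # (section kind, section name) we are inside
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"(policy-map|ip access-list \w+|interface) (\S+)$", line):
            ctx = (m[1].split()[0], m[2])        # 'policy-map' | 'ip' (ACL) | 'interface'
        elif not line or line == "!":
            ctx = None
        elif ctx and ctx[0] == "policy-map" and (m := re.match(r"set (?:ip )?dscp (\d+)", line)):
            sets[ctx[1]].add(int(m[1]))
        elif ctx and ctx[0] == "ip" and (m := re.search(r"\bdscp (\d+)", line)):
            matches[ctx[1]].add(int(m[1]))
        elif ctx and ctx[0] == "interface":
            if m := re.match(r"service-policy (input|output) (\S+)", line):
                bindings[ctx[1]].append(("policy", m[1], m[2]))
            elif m := re.match(r"ip access-group (\S+) (in|out)", line):
                bindings[ctx[1]].append(("acl", {"in": "input", "out": "output"}[m[2]], m[1]))
    return sets, matches, bindings

def mark_and_match_conflicts(config):
    """Return (interface, direction, dscp) triples where an ACL matches a DSCP value that a policy
    on the same interface and direction sets; the ACL is checked before the marking, so it never
    sees the new value and the 'log' entries never appear."""
    sets, matches, bindings = parse(config)
    found = []
    for intf, binds in bindings.items():
        marked = {(d, v) for k, d, n in binds if k == "policy" for v in sets[n]}
        for k, d, n in binds:
            if k == "acl":
                found += [(intf, d, v) for v in sorted(matches[n] & {v for dd, v in marked if dd == d})]
    return found
```

Running `mark_and_match_conflicts` on the fixed config returns an empty list, while the stacked variant reports the WAN subinterface in the output direction for DSCP 50.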



This archive was generated by hypermail 2.1.4 : Fri Oct 01 2004 - 15:00:34 GMT-3