From: gladston@br.ibm.com
Date: Thu Sep 02 2004 - 09:04:31 GMT-3
As a previous discussion stated, we can use NBAR to classify traffic and policy to limit the traffic.
I understand that if we want to discover which source IP is sourcing the traffic discovered by NBAR, one solution would be to mark the DSCP with a specific value and use an access-list to log these packets.
But it is not working. Any light on this?
NBAR is doing its job (it discovered 62 packets belonging to Fasttrack):
RT#sh policy-map interface vl xx
 Vlanxx
  service-policy output: Not-Authorized-Traffic
    class-map: Not-Authorized-Traffic (match-any)
      62 packets, 48664 bytes
      5 minute offered rate 2000 bps, drop rate 0 bps
      match: protocol kazaa2
        0 packets, 0 bytes
        5 minute rate 0 bps
      match: protocol fasttrack
        62 packets, 48664 bytes
        5 minute rate 2000 bps
      match: protocol napster
        0 packets, 0 bytes
        5 minute rate 0 bps
      match: protocol gnutella
        0 packets, 0 bytes
        5 minute rate 0 bps
      match: protocol http url "*worm*"
        0 packets, 0 bytes
        5 minute rate 0 bps
      match: protocol http url "*trojan*"
        0 packets, 0 bytes
        5 minute rate 0 bps
      match: protocol http url "*code-red*"
        0 packets, 0 bytes
        5 minute rate 0 bps
      police:
        1000000 bps, 1000000 limit, 1000000 extended limit
        conformed 62 packets, 48664 bytes; action: set-dscp-transmit 50
        exceeded 0 packets, 0 bytes; action: drop
        violated 0 packets, 0 bytes; action: drop
        conformed 0 bps, exceed 0 bps violate 0 bps
But nothing is logged:
RT#sh access-lists LOG
Extended IP access list LOG
    permit ip any any dscp 50 log
    permit ip any any (25230 matches)
This is the configuration used:
class-map match-any Not-Authorized-Traffic
 match protocol kazaa2
 match protocol fasttrack
 match protocol napster
 match protocol gnutella
 match protocol http url "*worm*"
 match protocol http url "*trojan*"
 match protocol http url "*code-red*"
!
policy-map Not-Authorized-Traffic
 class Not-Authorized-Traffic
  police 1000000 1000000 1000000 conform-action set-dscp-transmit 50 exceed-action drop
!
interface Vlanxx
 service-policy output Not-Authorized-Traffic
!
interface ATM y/y/y.500
 ip access-group LOG out
!
ip access-list extended LOG
 permit ip any any dscp 50 log
 permit ip any any
!
end
The policy-map is configured on the LAN and the access-list is configured on the WAN.
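An added example, not from the post or from Cisco: a small Python parser for the two show outputs quoted above that reports which NBAR match criteria are actually classifying packets and flags the exact symptom described (packets marked by the policer, zero hits on the DSCP logging ACE), so the check can be scripted over collected output instead of read by eye. The sample text is a constructed abridgement of the post's output.

```python
import re
# Constructed sample, abridged from the two show outputs quoted in the post.
SHOW_POLICY = """\
    class-map: Not-Authorized-Traffic (match-any)
      62 packets, 48664 bytes
      match: protocol kazaa2
        0 packets, 0 bytes
      match: protocol fasttrack
        62 packets, 48664 bytes
      police:
        conformed 62 packets, 48664 bytes; action: set-dscp-transmit 50
"""
SHOW_ACL = """\
Extended IP access list LOG
    permit ip any any dscp 50 log
    permit ip any any (25230 matches)
"""
MATCH_RE = re.compile(r"^\s*match:\s+(.+?)\s*$")
COUNT_RE = re.compile(r"^\s*(\d+) packets, \d+ bytes")
POLICE_RE = re.compile(r"^\s*(conformed|exceeded|violated) (\d+) packets, \d+ bytes; action: (.+?)\s*$")
ACE_RE = re.compile(r"^\s*((?:permit|deny) .+?)(?: \((\d+) matches\))?\s*$")

def parse_policy_map(text):
    # matches: 'match:' criterion -> packets; police: result -> (packets, action)
    matches, police, current = {}, {}, None
    for line in text.splitlines():
        if m := MATCH_RE.match(line):
            current = m.group(1)
            matches[current] = 0
        elif m := POLICE_RE.match(line):
            police[m.group(1)] = (int(m.group(2)), m.group(3))
        elif (m := COUNT_RE.match(line)) and current is not None:
            matches[current] = int(m.group(1))  # counter line follows its match: line
            current = None  # the class-map total has no match: owner, so it is skipped
    return matches, police

def parse_acl(text):
    # ACE -> match count; IOS prints no "(N matches)" suffix when the count is zero
    return {m.group(1): int(m.group(2) or 0)
            for m in map(ACE_RE.match, text.splitlines()) if m}

def active_protocols(matches):
    return sorted(k for k, n in matches.items() if n > 0)

def marked_but_unlogged(police, aces):
    # The symptom in the post: the policer marks DSCP, yet the logging ACE keyed on DSCP never hits
    pkts, action = police.get("conformed", (0, ""))
    log_hits = sum(n for ace, n in aces.items() if " dscp " in ace and ace.endswith(" log"))
    return pkts > 0 and action.startswith("set-dscp-transmit") and log_hits == 0
```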
This archive was generated by hypermail 2.1.4 : Fri Oct 01 2004 - 15:00:35 GMT-3