From: ccie2be (ccie2be@nyc.rr.com)
Date: Wed Sep 01 2004 - 20:57:35 GMT-3
Thank you, I'll take a look at those new features.
Tim
----- Original Message -----
From: "Marvin Greenlee" <marvingreenlee@yahoo.com>
To: "ccie2be" <ccie2be@nyc.rr.com>
Cc: <ccielab@groupstudy.com>
Sent: Wednesday, September 01, 2004 6:46 PM
Subject: Re: Using NBAR to drop traffic
> Cisco keeps adding additional functionality to the
> MQC. Look at all the QoS features that have been
> added or changed with 12.2T/12.3.
>
> 12.3 New QoS features
>
> http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123tech/qs_ftlst.htm
>
>
> Set fr-de - class based marking
>
> http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121newft/121t/121t5/cbpmark2.htm#wp1059488
>
> Enhanced Packet Marking
>
> http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t13/ftenpkmk.htm
>
> MQC - Three-level hierarchical policer
>
> http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t13/ft3level.htm
>
> Percentage Based Policing / Shaping - MQC
>
> http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t13/ftpctpol.htm
>
> For the lab, I think that the drop keyword is the
> cleanest way to do it. Many of the examples that I
> have seen which used dscp had multiple outbound
> interfaces where the outbound ACL needed to be
> applied.
>
> Applying the multiple outbound ACLs will slow down the
> router. Also, there is overhead because the router
> would have to make routing decisions for the traffic,
> only to drop it later with the outbound ACL.
>
> As far as I know, the lab would have a version of
> 12.2T(13) or newer, so the 'drop' keyword should be
> available.
>
>
> Marvin Greenlee
> Network Learning, Inc
> marvin@ccbootcamp.com
>
> --- ccie2be <ccie2be@nyc.rr.com> wrote:
>
>
>
>
> >
> > So, there's nothing inherent in the way MQC works
> > that would prevent a
> > service policy applied to an interface from doing
> > multiple things:
> > classifying packets and then dropping or policing
> > them, would you agree?
> >
> > Is it fair to assume that in the lab, I could use
> > the drop keyword?
> >
> > Or, as an alternative, couldn't I also use "police"
> > in the policy-map and
> > then drop for conforming, exceeding and violating?
> >
> > Thanks again, Tim
> >
> >
> > ----- Original Message -----
> > From: "Marvin Greenlee" <marvingreenlee@yahoo.com>
> > To: "ccie2be" <ccie2be@nyc.rr.com>
> > Cc: <ccielab@groupstudy.com>
> > Sent: Wednesday, September 01, 2004 4:15 PM
> > Subject: Re: Using NBAR to drop traffic
> >
> >
> > > The "drop" keyword was not added until 12.2(13)T.
> > > Marking inbound and dropping outbound is a method
> > that
> > > can be used even if you are running an older IOS
> > > version.
> > >
> > > Cisco - MQC Unconditional Packet Discard -
> > >
> >
>
> > > http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t13/ftcbdrp.htm
> > >
> > >
> > > Marvin Greenlee
> > > Network Learning, Inc.
> > > marvin@ccbootcamp.com
> > >
> > > --- ccie2be <ccie2be@nyc.rr.com> wrote:
> > >
> > > > Hi guys,
> > > >
> > > > According to Richard Deal in his new book
> > (released
> > > > this month), Cisco Router
> > > > Firewall Security, to use NBAR to filter
> > traffic,
> > > > you must do the following:
> > > >
> > > > 1) Define the traffic you wish to block with
> > > > match protocol ...
> > > >
> > > > 2) Mark this traffic with dscp in policy-map
> > > >
> > > > 3) Apply to INBOUND interface using service
> > > > policy...
> > > >
> > > > 4) Use acl to filter on previously marked
> > dscp
> > > > value on OUTBOUND
> > > > interface.
> > > >
> > > > In other words, two interfaces must be involved.
> > > >
> > > > To me, this doesn't seem correct.
> > > >
> > > > Why not just drop the unwanted traffic on the
> > > > INBOUND interface like this:
> > > >
> > > > ! match-any: a packet joins the class if it matches any ONE line
> > > > ! (match-all would require every protocol at once, which nothing matches)
> > > > class-map match-any BLOCK-BAD-STUFF
> > > > match protocol fasttrack
> > > > match protocol gnutella
> > > > match protocol http url "*worm*"
> > > > match protocol http url "*trojan*"
> > > > match protocol http url "*code-red*"
> > > > !
> > > > !
> > > > policy-map DROP-BAD-STUFF
> > > > class BLOCK-BAD-STUFF
> > > > drop
> > > >
> > > > int s0
> > > > service-policy input DROP-BAD-STUFF
> > > >
> > > > Won't the above config do the trick? If not,
> > can
> > > > someone explain why?
> > > >
> > > > Thanks, Tim
> > > >
> > > >
> > >
> > >
> > >
> >
> >
> _______________________________________________________________________
> > Please help support GroupStudy by purchasing your
> > study materials from:
> > http://shop.groupstudy.com
> >
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
> >
>
>
>
>
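Both approaches discussed in the thread, written out side by side as an added example; this is not configuration from the original posts or from the Cisco documents linked above. The interface names, the DSCP value cs1, the policy-map and ACL names MARK-BAD-STUFF, POLICE-BAD-STUFF and DROP-MARKED, and the police rate are assumptions chosen for illustration.

```cisco
! NBAR classification requires CEF switching.
ip cef
!
! One class for all traffic to be filtered. match-any: a packet joins the
! class if it matches ANY line (match-all would require every protocol
! match at once, which no single packet can satisfy).
class-map match-any BLOCK-BAD-STUFF
 match protocol fasttrack
 match protocol gnutella
 match protocol http url "*worm*"
 match protocol http url "*trojan*"
 match protocol http url "*code-red*"
!
! --- Method A (12.2(13)T or newer): drop in the INBOUND policy ---
! Only one interface is involved; the router never routes the packets.
policy-map DROP-BAD-STUFF
 class BLOCK-BAD-STUFF
  drop
 ! class-default gets no action, so all other traffic is forwarded.
!
interface Serial0
 service-policy input DROP-BAD-STUFF
!
! --- Method A' (12.2(13)T or newer): police with every action set to drop ---
! Same effect as "drop"; the rate (8000 bps, assumed) is irrelevant because
! conforming, exceeding and violating packets are all discarded.
! An interface takes one input service-policy, so attach either A or A'.
policy-map POLICE-BAD-STUFF
 class BLOCK-BAD-STUFF
  police 8000 conform-action drop exceed-action drop violate-action drop
!
! --- Method B (older IOS): mark INBOUND, filter OUTBOUND ---
! Steps 2 and 3 of the book's procedure: tag the class with a DSCP value.
policy-map MARK-BAD-STUFF
 class BLOCK-BAD-STUFF
  set ip dscp cs1
!
interface Serial0
 service-policy input MARK-BAD-STUFF
!
! Step 4: an ACL on every interface the traffic could leave through drops
! the marked packets. Each egress interface needs this ACL, and the router
! still makes a routing decision before discarding, the overhead Marvin
! describes.
ip access-list extended DROP-MARKED
 deny ip any any dscp cs1
 permit ip any any
!
interface FastEthernet0/0
 ip access-group DROP-MARKED out
```

To confirm the policy is actually matching, `show policy-map interface Serial0` lists per-class packet and byte counters, so a class that stays at zero while the traffic is known to be present points at a classification problem (match-all instead of match-any, or NBAR not recognizing the session). Two limits of the NBAR URL matches are worth keeping in mind when relying on them as a filter: NBAR only inspects requests it classifies as HTTP (port 80 by default; other ports must be added with `ip nbar port-map`), and it cannot see URLs inside TLS.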
This archive was generated by hypermail 2.1.4 : Fri Oct 01 2004 - 15:00:35 GMT-3