From: Marvin Greenlee (marvingreenlee@yahoo.com)
Date: Wed Sep 01 2004 - 19:46:59 GMT-3
Cisco keeps adding additional functionality to the
MQC. Look at all the QoS features that have been
added or changed with 12.2T/12.3.
12.3 New QoS features
http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123tech/qs_ftlst.htm
Set fr-de - class based marking
http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121newft/121t/121t5/cbpmark2.htm#wp1059488
Enhanced Packet Marking
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t13/ftenpkmk.htm
MQC - Three-level hierarchical policer
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t13/ft3level.htm
Percentage Based Policing / Shaping - MQC
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t13/ftpctpol.htm
For the lab, I think that the drop keyword is the
cleanest way to do it. Many of the examples that I
have seen which used dscp had multiple outbound
interfaces where the outbound ACL needed to be
applied.
Applying the multiple outbound ACLs will slow down the
router. Also, there is overhead because the router
would have to make routing decisions for the traffic,
only to drop it later with the outbound ACL.
As far as I know, the lab would have a version of
12.2T(13) or newer, so the 'drop' keyword should be
available.
Marvin Greenlee
Network Learning, Inc
marvin@ccbootcamp.com
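The two approaches Marvin contrasts, written out side by side as an added example (not configuration from the thread, the book, or Cisco's documents): the older mark-inbound/filter-outbound method and the single-interface drop. The interface names, the DSCP value used as a marker, and the ACL number are assumptions; match-any is used because a match-all class listing several protocols can never match a single packet.

```cisco
! Classification shared by both methods (NBAR match protocol).
! match-any: a packet matches if it is ANY of these; match-all
! would require it to be fasttrack AND gnutella AND ..., which
! never happens, so the class would match nothing.
class-map match-any BLOCK-BAD-STUFF
 match protocol fasttrack
 match protocol gnutella
 match protocol http url "*worm*"
!
! Method 1 (works before 12.2(13)T): mark on ingress, discard
! with an outbound ACL. The router still routes the packet
! before the egress ACL drops it, and the ACL must be repeated
! on every possible egress interface.
policy-map MARK-BAD-STUFF
 class BLOCK-BAD-STUFF
  set ip dscp 1
!
! DSCP 1 is an assumed marker value not otherwise used here.
access-list 101 deny   ip any any dscp 1
access-list 101 permit ip any any
!
interface Serial0
 service-policy input MARK-BAD-STUFF
!
interface FastEthernet0/0
 ip access-group 101 out
!
! Method 2 (12.2(13)T and later): discard on the ingress
! interface itself, no second interface involved. An interface
! takes one input service-policy, so this replaces the
! MARK-BAD-STUFF policy above rather than adding to it.
policy-map DROP-BAD-STUFF
 class BLOCK-BAD-STUFF
  drop
!
interface Serial0
 no service-policy input MARK-BAD-STUFF
 service-policy input DROP-BAD-STUFF
!
! Verify with: show policy-map interface Serial0
! (per-class packet counters show what matched and was dropped)
```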
--- ccie2be <ccie2be@nyc.rr.com> wrote:
>
> So, there's nothing inherent in the way MQC works
> that would prevent a
> service policy applied to an interface from doing
> multiple things:
> classifying packets and then dropping or policing
> them, would you agree?
>
> Is it fair to assume that in the lab, I could use
> the drop keyword?
>
> Or, as an alternative, couldn't I also use "police"
> in the policy-map and
> then drop for conforming, exceeding and violating?
>
> Thanks again, Tim
>
>
> ----- Original Message -----
> From: "Marvin Greenlee" <marvingreenlee@yahoo.com>
> To: "ccie2be" <ccie2be@nyc.rr.com>
> Cc: <ccielab@groupstudy.com>
> Sent: Wednesday, September 01, 2004 4:15 PM
> Subject: Re: Using NBAR to drop traffic
>
>
> > The "drop" keyword was not added until 12.2(13)T.
> > Marking inbound and dropping outbound is a method that
> > can be used even if you are running an older IOS
> > version.
> >
> > Cisco - MQC Unconditional Packet Discard -
> > http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t13/ftcbdrp.htm
> >
> >
> > Marvin Greenlee
> > Network Learning, Inc.
> > marvin@ccbootcamp.com
> >
> > --- ccie2be <ccie2be@nyc.rr.com> wrote:
> >
> > > Hi guys,
> > >
> > > According to Richard Deal in his new book (released
> > > this month), Cisco Router Firewall Security, to use
> > > NBAR to filter traffic, you must do the following:
> > >
> > > 1) Define the traffic you wish to block with
> > > match protocol ...
> > >
> > > 2) Mark this traffic with dscp in policy-map
> > >
> > > 3) Apply to INBOUND interface using service
> > > policy...
> > >
> > > 4) Use acl to filter on previously marked dscp
> > > value on OUTBOUND interface.
> > >
> > > In other words, two interfaces must be involved.
> > >
> > > To me, this doesn't seem correct.
> > >
> > > Why not just drop the unwanted traffic on the
> > > INBOUND interface like this:
> > >
> > > class-map match-any BLOCK-BAD-STUFF
> > > match protocol fasttrack
> > > match protocol gnutella
> > > match protocol http url "*worm*"
> > > match protocol http url "*trojan*"
> > > match protocol http url "*code-red*"
> > > !
> > > !
> > > policy-map DROP-BAD-STUFF
> > > class BLOCK-BAD-STUFF
> > > drop
> > >
> > > int s0
> > > service-policy input DROP-BAD-STUFF
> > >
> > > Won't the above config do the trick? If not, can
> > > someone explain why?
> > >
> > > Thanks, Tim
> > >
> > >
> >
> >
> >
This archive was generated by hypermail 2.1.4 : Fri Oct 01 2004 - 15:00:35 GMT-3