From: sumit.kumar@comcast.net
Date: Sat Jun 04 2005 - 14:31:35 GMT-3
Tim,
You are one of the valuable contributors to this "list of fraternity". This list is a true icon of globalization and of people worldwide working together for a common goal. (Thanks to Paul)
I usually check all your posts since most of them make you think "out of the box".
Thanks and keep 'em coming.
Sean - thanks to you too for all your contributions.
Sumit
-------------- Original message -------------- 
> Sumit, 
> 
> Thanks again for all your responses. They really help bring the 
> understanding home. 
> 
> As much as I can, I try to reciprocate by posting information I think others 
> will find useful. 
> 
> If you're interested, I've posted some detailed write-ups on Mobile IP 
> recently. If this topic is one you're not all that strong in, please feel 
> free to read those posts and ask me any questions about it. 
> 
> Tim 
> 
> _____ 
> 
> From: sumit.kumar@comcast.net [mailto:sumit.kumar@comcast.net] 
> Sent: Saturday, June 04, 2005 12:56 PM 
> To: ccie2be; 'Sean C'; ccielab@groupstudy.com 
> Subject: RE: using NBAR to match web traffic 
> 
> Tim, Sean, 
> 
> Thanks for your appreciation, it helps to keep the morale up in this fight 
> with green books and green boxes. 
> 
> Tim, 
> 
> looking at the header, the request (GET/PUT) field does not carry the 
> hostname (www.cisco.com); similarly, the host field does not carry the folder name 
> (/whatsnew/). 
> If the requirement is to make a full match I will go with two statements, 
> 
> match url "/whatsnew/*" 
> match host "www.cisco.com" 
> 
> If you add anything more it will be a mismatch. 
> 
> The bottom line is the "match" should be as specific as possible and you can 
> cover the arbitrary values (like the files in the directory) with *.. 
> 
> Sean, 
> 
> Since it is a regular expression based match (like an as-path list) the * 
> would not hurt, but again we should try to make the match as precise as 
> possible. Think in terms of an as-path access-list, keeping in mind the 
> differences - like you will never have more than one hostname in the host 
> field etc. 
> 
> Also the inverted commas are complimentary; you'll see them in config even if 
> you do not use them. 
> 
> thanks 
> Sumit 
> -------------- Original message -------------- 
> 
> > Sumit, 
> > 
> > Thanks for taking the time to write up that response. It was excellent !!! 
> 
> > 
> > I really appreciate it as I'm sure many, many others on GS do as well. 
> > 
> > From your post, I see how the match http url and the match http host 
> > commands work. 
> > 
> > Based on your post, it appears to me that if you have both a host and a 
> > directory portion you want to match, you HAVE TO use both match commands, ie 
> > you HAVE TO use both the match url and the match host commands. 
> > 
> > Would you agree with that? 
> > 
> > If so, would you also agree that the problem of including both portions in 
> > one match command is that the match command will ignore some portion of the 
> > string to be matched? 
> > 
> > IOW, if I use this command, 
> > 
> > match prot http url "www.cisco.com/latest/whatsnew.html" 
> > 
> > the host portion is ignored? 
> > 
> > And, likewise, if I use this command, 
> > 
> > match prot http host "www.cisco.com/latest/whatsnew.html" 
> > 
> > the portion after "www.cisco.com" will be ignored? 
> > 
> > Thanks again for your valuable input on this topic. 
> > 
> > Tim 
> > 
> > -----Original Message----- 
> > From: Sumit [mailto:sumit.kumar@comcast.net] 
> > Sent: Saturday, June 04, 2005 10:59 AM 
> > To: Sean C; ccie2be@nyc.rr.com; ccielab@groupstudy.com 
> > Subject: Re: using NBAR to match web traffic 
> > 
> > Sean, 
> > 
> > I'm sure you would have read this on CCO 
> > 
> > "When specifying a URL for classification, include only the portion of the 
> > URL following the www.hostname.domain in the match statement. For example, 
> > for the URL www.cisco.com/latest/whatsnew.html, include only 
> > /latest/whatsnew.html. 
> > HOST specification is identical to URL specification. NBAR performs a 
> > regular expression match on the HOST field contents inside an HTTP GET 
> > packet and classifies all packets from that host. For example, for the URL 
> > www.cisco.com/latest/whatsnew.html, include only www.cisco.com. 
> > 
> > For MIME type matching, the MIME type can contain any user-specified text 
> > string. In MIME type matching, NBAR classifies the packet containing the 
> > MIME type and all subsequent packets, which are sent to the source of the 
> > HTTP GET request." 
> > 
> > Now let's look at the HTTP request header. Go to http://web-sniffer.net/ and type 
> > http://www.web-apps.com/web-app/ in the url field - here's the output : 
> > 
> > 
> > GET /web-app/ HTTP/1.1 
> > Host: www.web-apps.com 
> > Connection: close 
> > Accept-Encoding: gzip 
> > Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, 
> > application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, 
> > application/pdf, application/x-shockwave-flash, */*[CRLF] 
> > Accept-Language: en-us[CRLF] 
> > 
> > In the output the GET request field has only "/web-app/", which will be 
> > searched by "match http url", and the host field has the FQDN, which will be 
> > searched by the "match host" command. "Match mime" will also look in the GET 
> > field; here's the output if you have logo.gif in the url: it appears in the 
> > GET field 
> > 
> > GET /logo.gif HTTP/1.1 
> > GET /logo.gif HTTP/1.1 
> > Host: www.fake.com 
> > Connection: close 
> > Accept-Encoding: gzip 
> > 
> > I hope it helps. 
> > 
> > Sumit 
> > 
> > 
> > From: "Sean C" 
> > To: ; ; 
> > 
> > Sent: Saturday, June 04, 2005 10:08 AM 
> > Subject: Re: using NBAR to match web traffic 
> > 
> > 
> > > Hi Sumit, 
> > > 
> > > I appreciate the answer because I'm an admitted newbie on this - but what is 
> > > the difference then? Or, more specifically, what is the value of using the 
> > > 'match http host' command? I think I understand that 'match http host' will 
> > > just search the http header, and 'match http url' will look at the 
> > > requests - but I'm not sure why to use 'host' at all then. 
> > > 
> > > I tried a couple of googles but still don't see the value. Appreciate any 
> > > help offered, 
> > > Sean 
> > > ----- Original Message ----- 
> > > From: 
> > > To: "Sam Joseph" ; ; 
> > > ; 
> > > Sent: Friday, June 03, 2005 8:23 PM 
> > > Subject: RE: using NBAR to match web traffic 
> > > 
> > > > Remember "match http url" looks at the GET/PUT/TRACE etc. requests whereas 
> > > > "match http host" searches the host field in the http header. 
> > > > 
> > > > Google "http header", lot of sites allow you to see the http header for 
> > > > any url. That will give a clear understanding. 
> > > > 
> > > > Sumit 
> > > > -------------- Original message -------------- 
> > > > 
> > > >> How about this Config: 
> > > >> 
> > > >> class-map match-all WEB-APP 
> > > >> match protocol http host *www.web-based-app.com* 
> > > >> match protocol http url *webapp/* 
> > > >> 
> > > >> Thanks. 
> > > >> 
> > > >> >From: "ccie2be" 
> > > >> >Reply-To: "ccie2be" 
> > > >> >To: "'Stephen Fisher'" , "Group Study" 
> > > >> > 
> > > >> >Subject: RE: using NBAR to match web traffic 
> > > >> >Date: Fri, 3 Jun 2005 18:50:32 -0400 
> > > >> > 
> > > >> >Hey Steve, 
> > > >> > 
> > > >> >Actually, that missing * was a typo. I meant to include it. 
> > > >> > 
> > > >> >The reason I posted this question was because the IE Solution was 
> > > >> >different. 
> > > >> > 
> > > >> >This is the IE solution: 
> > > >> > 
> > > >> >class-map match-all WEB-APP 
> > > >> > match prot http host "www.web-based-app.com" 
> > > >> > match prot http url "webapp/*" 
> > > >> > 
> > > >> > 
> > > >> >As you can see, IE breaks it down into 2 match statements. And, I wanted to 
> > > >> >know if the way I thought of would work being that it's different from the 
> > > >> >IE Solution. 
> > > >> > 
> > > >> >I know that often there is more than 1 correct way to accomplish something 
> > > >> >but without knowing how to verify my config, I can't be sure if this is one 
> > > >> >of them. 
> > > >> > 
> > > >> >Thanks for getting back to me. 
> > > >> > 
> > > >> >-----Original Message----- 
> > > >> >From: Stephen Fisher [mailto:stephentfisher@yahoo.com] 
> > > >> >Sent: Friday, June 03, 2005 6:28 PM 
> > > >> >To: ccielab@groupstudy.com 
> > > >> >Cc: ccie2be 
> > > >> >Subject: Re: using NBAR to match web traffic 
> > > >> > 
> > > >> >On Fri, Jun 03, 2005 at 01:52:45PM -0400, ccie2be wrote: 
> > > >> > 
> > > >> > > I want to permit users to access only a web based application which 
> > > >> > > has a root directory of 
> > > >> > > 
> > > >> > > http://www.web-based-app.com/webapp/ 
> > > >> > > 
> > > >> > > Will this work? 
> > > >> > > 
> > > >> > > class-map WEB-APP 
> > > >> > > match protocol http url "http://www.web-based-app.com/webapp/" 
> > > >> > 
> > > >> >My notes from practicing this topic say that you need to put wildcards 
> > > >> >or else it will match only what you specify for the URL field, so 
> > > >> >try this: 
> > > >> > 
> > > >> > match protocol http url "http://www.web-based-app.com/webapp/*" 
> > > >> > 
> > > >> >Although I could be wrong? 
> > > >> > 
> > > >> > > In the lab, if giving a similar fake url, is there any way to verify 
> > > >> > > my config is correct? 
> > > >> > 
> > > >> >I can't think of any other than knowing how it works before hand :( 
> > > >> > 
> > > >> > 
> > > >> >Steve 
> > > >> > 
> > > >> 
> > >_______________________________________________________________________ 
> > > >> >Subscription information may be found at: 
> > > >> >http://www.groupstudy.com/list/CCIELab.html 
> > > >> 
This archive was generated by hypermail 2.1.4 : Wed Jul 06 2005 - 14:43:40 GMT-3
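
Added example (not part of the original thread, and not Cisco's code): a small Python model of the field split the posts describe, showing why a combined host-plus-path string matches neither the request line nor the Host field. The sample request and all function names are constructed, and whole-field fnmatch-style globbing is an assumption standing in for NBAR's own matcher.

```python
from fnmatch import fnmatchcase

# Constructed sample request for http://www.cisco.com/whatsnew/index.html
SAMPLE_REQUEST = (
    b"GET /whatsnew/index.html HTTP/1.1\r\n"
    b"Host: www.cisco.com\r\n"
    b"Connection: close\r\n"
    b"\r\n"
)


def split_request(raw):
    """Return (request_target, host): the two separate fields of the request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    _method, target, _version = lines[0].split(" ", 2)
    host = ""
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip()
    return target, host


def class_map_match_all(raw, url_pattern=None, host_pattern=None):
    """Model of a match-all class-map: each pattern is tested against its own
    field only, and every configured pattern must match.
    Assumption: whole-field glob matching approximates the real matcher."""
    target, host = split_request(raw)
    results = []
    if url_pattern is not None:
        # "match protocol http url" sees only the request line's target
        results.append(fnmatchcase(target, url_pattern))
    if host_pattern is not None:
        # "match protocol http host" sees only the Host header value
        results.append(fnmatchcase(host.lower(), host_pattern.lower()))
    return bool(results) and all(results)


if __name__ == "__main__":
    print(split_request(SAMPLE_REQUEST))
    print(class_map_match_all(SAMPLE_REQUEST, "/whatsnew/*", "www.cisco.com"))
    print(class_map_match_all(SAMPLE_REQUEST, url_pattern="www.cisco.com/whatsnew/*"))
```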