Re: NBAR Not matching !

From: Bob Sinclair (bsin@cox.net)
Date: Sun Jun 05 2005 - 13:11:44 GMT-3


Tim,

Though I see no documentation claiming this, it seems to be the case on my
box that protocol-discovery is required, as Munsar suggests. This may be
version dependent, but a recreation of your test works fine on my box with
protocol discovery enabled on the interface, and not at all if not.

IOS (tm) 3600 Software (C3620-IK9O3S6-M), Version 12.2(15)T9,

Have you tried rebooting? Is CEF enabled? Tried matching some other
protocols? Tried applying outbound?

HTH,

Bob Sinclair
CCIE #10427, CCSI 30427, CISSP
www.netmasterclass.net

  ----- Original Message -----
  From: CCIE
  To: Group Study
  Sent: Sunday, June 05, 2005 9:00 AM
  Subject: NBAR Not matching !

  Have been reading the NBAR post, so I decided to do some
  simple testing. I set up 150.1.7.7 behind router 3 with
  an HTTP server; in my case it's a router running "ip http server".

  I cannot get a simple URL match to work at all. See the
  config snippets below:

  !
   class-map match-all web
    match protocol http url "*test.txt*"
  !
  !
   policy-map web
    class web
     set precedence 7
  !
  interface Serial0/0
   ip address 157.1.123.3 255.255.255.0
   service-policy input web
  !

  This is how I generate the HTTP request from a host on
  the other end of the serial link:

  Rack1R2#150.1.7.7 80
  Trying 150.1.7.7, 80 ... Open
  GET /test.txt HTTP/1.0

  HTTP/1.1 404 Not Found
  Date: Tue, 02 Mar 1993 05:35:36 GMT
  Server: cisco-IOS
  Accept-Ranges: none

  404 Not Found

  [Connection to 150.1.7.7 closed by foreign host]
  Rack1R2#

  However, when I check the service policy, it is not matching:

  Rack1R3#show policy-map in s 0/0

   Serial0/0

    Service-policy input: web

      Class-map: web (match-all)
        0 packets, 0 bytes
        5 minute offered rate 0 bps, drop rate 0 bps
        Match: protocol http url "*test.txt*"
        QoS Set
          precedence 7
            Packets marked 0

      Class-map: class-default (match-any)
        32 packets, 3668 bytes
        5 minute offered rate 0 bps, drop rate 0 bps
        Match: any
  Rack1R3#
  !

  Any ideas? I can see HTTP is being recognised by NBAR
  by looking at the protocol discovery stats. Also, if I
  change the class map to only look for the protocol HTTP,
  I get hits. I have CEF enabled ;-) .

  Regards,
  Kevin
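
The setup the reply reports as working, written out as an added configuration example that is not part of either poster's message: the class-map and policy-map from the original post, with NBAR protocol discovery enabled on the same interface and CEF on globally. The `ip cef` and `ip nbar protocol-discovery` lines and the two `show` commands are standard IOS commands added here; whether discovery is actually required may be version dependent, as the reply says.

```cisco
! Added example: built from the config in the thread plus the reply's suggestion.
! NBAR depends on CEF, so enable it globally first.
ip cef
!
class-map match-all web
 match protocol http url "*test.txt*"
!
policy-map web
 class web
  set precedence 7
!
interface Serial0/0
 ip address 157.1.123.3 255.255.255.0
 ! The line the reply found necessary for the URL match to register
 ip nbar protocol-discovery
 service-policy input web
!
end
! From exec mode: confirm NBAR sees HTTP on the interface, then re-run the
! GET /test.txt request and check that the "web" class counters increment.
show ip nbar protocol-discovery interface Serial0/0
show policy-map interface Serial0/0
```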



