Re: NBAR Not matching !

From: Bob Sinclair (bsin@cox.net)
Date: Sun Jun 05 2005 - 17:28:57 GMT-3


Scott,

Thanks for checking this out. These inconsistencies make life difficult!

I have been able to get NBAR to match against the following class-map:

Class Map match-all CIF (id 3)
   Match protocol http url "*cifs*"

by telnetting to ubix.org 80, followed by: GET /cifs/NetBIOS.html HTTP/1.0
ENTER ENTER

I noticed that a "drop" for this class seems to work inbound, but not outbound
(for the GET). Any tips on testing NBAR HTTP matches via telnet for lab
purposes?

Thanks,

Bob Sinclair
CCIE #10427, CCSI 30427, CISSP
www.netmasterclass.net

  ----- Original Message -----
  From: Scott Morris
  To: 'Bob Sinclair' ; 'CCIE' ; 'Group Study'
  Sent: Sunday, June 05, 2005 3:53 PM
  Subject: RE: NBAR Not matching !

  Bob, you piqued my interest a bit here....

  I set it up with routers telnetting to the port 80 server... Nothing
  listed as being marked...

  Then I decided to try things with a "real" web browser. Still nothing
  listed as being marked, but it did indeed work.

  I set my policy up to drop the match protocol http url "*test.txt*" and then
  went to http://(ip)/ first to verify my server was working (oh yeah, do "ip
  http server" also!) and then tried a few other files and links afterwards.
  Without the policy enabled, I would immediately either get a page returned
  or a blank page if the file didn't exist.

  As soon as I put my service-policy on, when I looked for any file or link
  OTHER than test.txt, the return was immediate. With test.txt, the little
  hourglass thing kept on running as if it were waiting for a response.

  So the packet was dropped as it should, although with "show policy-map
  testing" nothing was listed as being matched and dropped.

  So my guess is that we are simply looking at a logging/matching/reporting
  issue here, not one of functionality!

  And the router did bitch at me about CEF needing to be enabled, but the
  results did NOT vary whether discovery was or was not enabled. And per my
  other experiences with NBAR in real life, it does not need to be enabled in
  order to function.

  HTH,

  Scott

  -----Original Message-----
  From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Bob
  Sinclair
  Sent: Sunday, June 05, 2005 12:12 PM
  To: CCIE; Group Study
  Subject: Re: NBAR Not matching !

  Tim,

  Though I see no documentation claiming this, it seems to be the case on my
  box that protocol-discovery is required, as Munsar suggests. This may be
  version dependent, but a recreation of your test works fine on my box with
  protocol discovery enabled on the interface, and not at all if not.

  IOS (tm) 3600 Software (C3620-IK9O3S6-M), Version 12.2(15)T9,

  Have you tried rebooting? Is CEF enabled? Tried matching some other
  protocols? Tried applying outbound?

  HTH,

  Bob Sinclair
  CCIE #10427, CCSI 30427, CISSP
  www.netmasterclass.net

    ----- Original Message -----
    From: CCIE
    To: Group Study
    Sent: Sunday, June 05, 2005 9:00 AM
    Subject: NBAR Not matching !

    Have been reading the NBAR posts so I decided to do some
    simple testing. I set up 150.1.7.7 behind router 3 with
    an HTTP server; in my case it's a router running "ip http server".

    I cannot get a simple URL match to work at all. See the
    config snippets below:

    !
     class-map match-all web
      match protocol http url "*test.txt*"
    !
    !
     policy-map web
      class web
       set precedence 7
    !
    interface Serial0/0
     ip address 157.1.123.3 255.255.255.0
     service-policy input web
    !

    This is how I generate the HTTP request from a host on
    the other end of the serial link:

    Rack1R2#150.1.7.7 80
    Trying 150.1.7.7, 80 ... Open
    GET /test.txt HTTP/1.0

    HTTP/1.1 404 Not Found
    Date: Tue, 02 Mar 1993 05:35:36 GMT
    Server: cisco-IOS
    Accept-Ranges: none

    404 Not Found

    [Connection to 150.1.7.7 closed by foreign host]
    Rack1R2#

    However when I check the service policy it is not matching:

    Rack1R3#show policy-map in s 0/0

     Serial0/0

      Service-policy input: web

        Class-map: web (match-all)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: protocol http url "*test.txt*"
          QoS Set
            precedence 7
              Packets marked 0

        Class-map: class-default (match-any)
          32 packets, 3668 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: any
    Rack1R3#
    !

    Any ideas, I can see HTTP is being recognised by NBAR
    by looking at the protocol discovery stats. Also if I
    change the class map to only look for the protocol HTTP
    I get hits. I have cef enabled ;-) .

    Regards,
    Kevin

    _______________________________________________________________________
    Subscription information may be found at:
    http://www.groupstudy.com/list/CCIELab.html





This archive was generated by hypermail 2.1.4 : Wed Jul 06 2005 - 14:43:41 GMT-3