From: gladston@br.ibm.com
Date: Mon Jun 06 2005 - 11:01:03 GMT-3
Funny, this "sniffing" capability of 12.2T (debug ip nbar filter
destination_port tcp 80, debug ip nbar capture 200 10 10 10 and
show ip nbar capture).

It showed that, using PuTTY, "GET /test.html HTTP/1.0" is divided into two
packets:
(I edited the result of show ip nbar capture to show just the necessary
information)
FF[4 ] TCP 142.20.125.5(11019) -> 142.20.3.1(80 ) ACK PSH
test.html
FF[5 ] TCP 142.20.125.5(11019) -> 142.20.3.1(80 ) ACK PSH
HTTP/1.0
Changing the ip tcp mss and ip tcp window-size just did not change the
result.

NBAR inbound works:

Rack2R2#sh policy-map interface ser 0/0
 Serial0/0
  Service-policy input: URL
    Class-map: URL (match-all)
      3 packets, 157 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol http url "*test.html*"
      QoS Set
        precedence 4
          Packets marked 3

NBAR outbound works:

Rack2R2#sh policy-map interface ser 0/1
 Serial0/1
  Service-policy output: URL
    Class-map: URL (match-all)
      3 packets, 157 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol http url "*test.html*"
      QoS Set
        precedence 4
          Packets marked 3

Configs:

For inbound NBAR:

class-map match-all URL
 match protocol http url "*test.html*"
!
policy-map URL
 class URL
  set precedence 4
!
interface Serial0/0
 bandwidth 64
 ip address 142.20.125.2 255.255.255.224
 ip pim sparse-dense-mode
 service-policy input URL
 encapsulation frame-relay
 ip ospf authentication-key cisco
 ip ospf priority 0
 ipv6 address 2001:125::2/64
 ipv6 rip IPV6-RIP enable
 custom-queue-list 1
 frame-relay de-group 5 205
 frame-relay map ipv6 2001:125::1 205
 frame-relay map ipv6 2001:125::5 205 broadcast
 frame-relay map ip 142.20.125.1 205
 frame-relay map ip 142.20.125.5 205 broadcast
 no frame-relay inverse-arp

For outbound NBAR:

interface Serial0/1
 ip address 142.20.23.2 255.255.255.0
 ip access-group 160 in
 ip access-group 161 out
 ip router isis
 ip pim sparse-dense-mode
 service-policy output URL
 encapsulation frame-relay
 no ip mroute-cache
 ipv6 address FEC0:2E3D:5B7C:23::2/64
 ipv6 traffic-filter Inbound out
 ipv6 router isis
 no fair-queue
 isis circuit-type level-2-only
 isis authentication mode md5
 isis authentication key-chain Isis-authen level-2
 frame-relay map clns 200 broadcast
 frame-relay map ipv6 FE80::2D0:58FF:FE4A:EC80 200 broadcast
 frame-relay map ipv6 FEC0:2E3D:5B7C:23::3 200 broadcast
 frame-relay map ip 142.20.23.3 200 broadcast
 no frame-relay inverse-arp

Version is:
(C2600-J1S3-M), Version 12.2(15)T5 for the router running NBAR
(C2600-J1S3-M), Version 12.2(15)T5 for the router used for Telnet 80 access
Version of PuTTY, 0.57

Cordially
------------------------------------------------------------------
Gladston
p.s.: sorry for all those replicated replies; I don't know if it was my
computer or the site.
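
Added example, not part of the original message and not NBAR's implementation: a small model of why a URL classifier has to keep per-flow state when the request line arrives in several TCP segments, as in the capture above. The flow addresses are taken from the capture; the exact payload split, the function names and the 4096-byte buffer cap are assumptions made for illustration.

```python
import re
from fnmatch import fnmatchcase

REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/\d\.\d$")
MAX_BUFFER = 4096  # assumed cap so one peer cannot grow per-flow state unbounded

def url_of(line):
    """Return the URL of a complete HTTP request line, else None."""
    m = REQUEST_LINE.match(line)
    return m.group(2).decode("latin-1") if m else None

def match_per_packet(segments, pattern):
    """Stateless: a single TCP payload must hold the whole request line."""
    for payload in segments:
        url = url_of(payload.split(b"\r\n", 1)[0])
        if url is not None and fnmatchcase(url, pattern):
            return True
    return False

class FlowClassifier:
    """Stateful: buffer payload per flow until the request line is complete."""
    def __init__(self, pattern):
        self.pattern = pattern
        self.buffers = {}  # flow tuple -> bytes buffered so far
        self.verdict = {}  # flow tuple -> True/False once decided

    def feed(self, flow, payload):
        """Return True/False once the flow is classified, None while undecided."""
        if flow in self.verdict:
            return self.verdict[flow]  # later packets inherit the flow verdict
        buf = self.buffers.pop(flow, b"") + payload
        if b"\r\n" in buf:
            url = url_of(buf.split(b"\r\n", 1)[0])
            self.verdict[flow] = url is not None and fnmatchcase(url, self.pattern)
        elif len(buf) > MAX_BUFFER:
            self.verdict[flow] = False  # no request line within the cap
        else:
            self.buffers[flow] = buf
        return self.verdict.get(flow)

# Flow addresses come from the capture in the post; the payload split is constructed.
FLOW = ("142.20.125.5", 11019, "142.20.3.1", 80)
SPLIT = [b"GET /test.html", b" HTTP/1.0\r\n", b"\r\n"]
WHOLE = [b"GET /test.html HTTP/1.0\r\n\r\n"]

def classify(segments, pattern="*test.html*"):
    clf = FlowClassifier(pattern)
    return [clf.feed(FLOW, seg) for seg in segments]
```

With the split payloads, match_per_packet() finds nothing, while classify() stays undecided on the first segment and matches from the second one on.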