From: Edwards, Andrew M (andrew.m.edwards@boeing.com)
Date: Tue Jul 26 2005 - 14:14:46 GMT-3
So I've started REALLY messing with the NBAR for QoS/Security issues and
have a few questions specific to match protocol http and its
sub-options.
Regarding the "host" option.
I have had no luck getting the CCO documentation to work as specified.
Surprised? I'm not.
Anyhow, it seems that you MUST use regular expressions with the host
option to match on a FQDN ONLY.
As an example, I have not gotten the following doccd example to match:
Match protocol http host cisco*
According to the docCD this would match on any hostname that starts with
cisco followed by zero or more characters.
However, I have tried this with the host parameter, gone to
www.cisco.com and not had any matches.
I only got a match when I did this:
Match protocol http host *.cisco.com
This matches any subdomain of cisco.com; such as newsroom.cisco.com;
support.cisco.com; etc.
Or
Match protocol http host *cisco.com
In addition to subdomain matching as stated above, matches on
majordomain levels where zero or more characters precede cisco.com.
Examples would be ddcisco.com or www.ddcisco.com, etc.
Or
Match protocol http host *.cisco.*
This matches just like *.cisco.com. But also matches on *.cisco.net,
*.cisco.org, *.cisco.<add anything including null string>
As for the URL option, I have not gotten the doccd example to be
successful either.
class-map class1
match protocol http url whatsnew/latest*
I only got a match when I did this:
Match protocol http url /univercd/home/home.htm
This is an exact match following the FQDN.
I also did this and got a match:
Match protocol http url /univercd/*
Basically anything on the univercd matches.
So I did a few more checks and it looks like the URL portion is only
matching on the portion after the FQDN.
--------------------
So in summary, what I've seen is this; and please someone interject if
they have seen differently.
For the HOST option, match protocol http matches only on the host
portion of the URL with the use of regular expressions to match.
For the URL option, match protocol http does not match on the host
portion of the URL, but instead matches on everything following the host
portion in the URL with the use of regular expressions to match.
Anyone else messed with this enough to care or comment?
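
Added example, not part of the original post and not Cisco's implementation: a Python model that treats each pattern as an anchored glob over the whole field, an assumption that is consistent with the results reported above. The function names and the sample URLs are constructed for illustration.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

def split_request(url):
    """Split a URL into the two fields the post distinguishes:
    the host portion and everything that follows it."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()   # hostnames are case-insensitive
    rest = parts.path or "/"
    if parts.query:
        rest += "?" + parts.query
    return host, rest

def match_host(pattern, url):
    # Assumption: the pattern must cover the entire host field (anchored glob).
    return fnmatchcase(split_request(url)[0], pattern.lower())

def match_url(pattern, url):
    # Assumption: the pattern is applied only to the part after the host.
    return fnmatchcase(split_request(url)[1], pattern)

# Constructed test requests (not captured traffic).
HOME = "http://www.cisco.com/univercd/home/home.htm"
CASES = [
    ("host", "cisco*", HOME),                     # anchored at start, "www." breaks it
    ("host", "*.cisco.com", HOME),
    ("host", "*cisco.com", "http://www.ddcisco.com/"),   # look-alike domain also hits
    ("host", "*.cisco.com", "http://www.ddcisco.com/"),  # the dot keeps it out
    ("host", "*.cisco.*", "http://www.cisco.net/"),
    ("url", "whatsnew/latest*", "http://www.cisco.com/whatsnew/latest.html"),
    ("url", "/univercd/home/home.htm", HOME),
    ("url", "/univercd/*", HOME),
    ("url", "*cisco*", HOME),                     # host is not part of the url field
]

def evaluate(cases=CASES):
    """Return (field, pattern, url, matched) for every case."""
    out = []
    for field, pattern, url in cases:
        fn = match_host if field == "host" else match_url
        out.append((field, pattern, url, fn(pattern, url)))
    return out

if __name__ == "__main__":
    for field, pattern, url, hit in evaluate():
        print(f"{field:4} {pattern:26} {url:44} {'match' if hit else 'no match'}")
```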