Re: QoS- Policing Method

From: stephen skinner (stephenski@gmail.com)
Date: Tue Sep 13 2005 - 17:57:10 GMT-3


ok
I will take this on a bit,
let's say I have a router with CEF enabled.
I have had to do this for something else.
I have read various posts which give two answers.
I have two ACLs:
access-list 101 permit tcp any any eq 80
access-list 101 permit tcp any any eq www
also I have
ip nbar protocol-discovery
now I have read that if I have CEF and the second access list configured
then I have NBAR running.
I have also read that
I need to have the nbar protocol discovery as well as the second ACL and CEF,
then I have configured NBAR.
also I have read that if I have CEF and the first ACL I have NBAR
configured.
I believe that if you have the second ACL and CEF and the ip nbar protocol
discovery, then only then you have NBAR configured.
can you confirm which is which, because I would like to know once and for
all, when the requirement is "match all web traffic coming in on int X", what
would be my best option.
many thanks in advance
steve
 On 9/13/05, Tim <ccie2be@nyc.rr.com> wrote:
>
> Chris,
>
> I'm not sure even Wendell Odom would accept that moniker. And, even if it
> were true at the moment, by next week, it might not be given how quickly
> things have been changing.
>
> Kumara, I also had that same question as you not all that long ago. That
> was when I learned about the difference between using nbar and an acl to
> classify traffic. I think this discussion included Simon Hart and maybe
> Chris as well.
>
> To make sure you get this right in the lab, you have to think very carefully
> about the task requirements before using one approach or the other.
>
> Consider this:
>                 ____________
>                |            |
> Web client --- |            |
>                |   router   | --- int s0
> Web server --- |            |
>                |____________|
>
>
> Now, let's say the requirement is limit web requests into int s0.
>
> If you used nbar to classify the web traffic, you would lose points. Is it
> obvious to you why that is?
>
> If so, you understand the subtle but extremely important difference between
> using an acl to classify traffic and using nbar.
>
> HTH, Tim
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Chris Lewis (chrlewis)
> Sent: Tuesday, September 13, 2005 9:36 AM
> To: kumara.shunmugam@wipro.com; andrew.m.edwards@boeing.com;
> ccielab@groupstudy.com
> Subject: RE: QoS- Policing Method
>
> I don't know that I can accept that moniker, however......
>
> I am generally against best practices type recommendations of any type
> for the lab exam. The proctors are just too good at presenting the
> exceptions to any general rules. In the real world, it is of course a
> different matter, best practice recommendations for design are valid and
> Cisco provides a lot of those (most complete are the SRNDs on CCO).
>
> For the purposes of this endeavor, the only course I am aware of is to
> understand how each protocol you want to classify works, understand what
> each command does, and then you are in a position to classify any
> oddball combination thrown at you in the exam.
>
> As another example, if you want to look at what has already been said on
> this topic, a Google search like the following lists a whole bunch.
>
> ftp ftp-data passive active match protocol site:groupstudy.com
>
> If there is a specific question to which you do not get an answer,
> please post again and I'll do my best to answer.
>
> Cheers
>
> Chris
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> kumara.shunmugam@wipro.com
> Sent: Tuesday, September 13, 2005 12:55 AM
> To: Chris Lewis (chrlewis); andrew.m.edwards@boeing.com;
> ccielab@groupstudy.com
> Subject: RE: QoS- Policing Method
>
> Thanks Chris & Edwards
>
> The actual question in the book is very clear about the direction.
> It's the client traffic going to the specified servers from a VLAN. Yes,
> it is the "service-policy output" command that is needed here. However, as you
> pointed out, it is always important to classify the traffic correctly
> in the Lab. I think if we have any clarification about the traffic
> direction, we could ask the proctor ...
>
> What do you say? Or do we have any best practices document for ACL
> filtering specific to each protocol (example: ftp, ftp-data, ntp etc.)? I
> think as a QoS master, Chris should be able to provide us some tips..
>
> -----Original Message-----
> From: Chris Lewis (chrlewis) [mailto:chrlewis@cisco.com]
> Sent: Monday, September 12, 2005 6:13 PM
> To: Edwards, Andrew M; Kumara Guru Shunmugam L (WI01 - Services);
> ccielab@groupstudy.com
> Subject: RE: QoS- Policing Method
>
> Good points,
>
> My comment is related to the choice of ACLs or NBAR. If you are asked
> to limit the E0 interface overall, I would take that to mean both
> inbound and outbound traffic (although checking with the proctor would
> not be a bad idea). You have to apply the service-policy in or out, but
> either way you want to catch inbound and outbound traffic of the type
> you're interested in.
>
> With the ACLs you have, you are only matching on the destination ports
> of the protocols you are interested in, take access-list 106 as an
> example.
>
> access-list 106 permit tcp any any eq www
>
> This matches any source address/port, but only port 80 destination, to
> catch traffic the other way, include a second line for www as below:
>
> access-list 106 permit tcp any any eq www
> access-list 106 permit tcp any eq www any
>
> This way you catch traffic passing the other direction that is part of
> http and it counts towards the target rate specified for the interface
> overall.
>
> NBAR catches both directions by default, which may or may not be what you
> want for other questions.
>
> Chris
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Edwards, Andrew M
> Sent: Monday, September 12, 2005 7:10 PM
> To: kumara.shunmugam@wipro.com; ccielab@groupstudy.com
> Subject: RE: QoS- Policing Method
>
> Kumara,
>
> Here has been my experience with any QoS task. From my own experience
> in the lab, I don't believe I have been asked to do anything
> unreasonable within the QoS or security framework.
>
> What I have noticed however is that I have not been very successful with
> these topics.
>
> The only commonality I have found is that both require you to correctly
> classify the traffic. For myself, I believe this has been my problem
> with these two areas. Thus, I have spent a great deal of time thinking
> of ways to actually classify a given traffic set into a class with
> either the MQC's multitude of options, or ACLs.
>
> I highly suggest to any CCIE candidate that you really understand and
> learn how to classify traffic and then verify you actually classified it
> correctly.
>
> IOW, you might not want to rely only on an ACL, but instead use NBAR...
> Or maybe both 8)
>
> Further, I would ask you this, "What does the word "mail" include?" Is
> it just SMTP, POP3, etc...
>
> Just my 2 cents.
>
> Andy
>
> -----Original Message-----
> From: kumara.shunmugam@wipro.com [mailto:kumara.shunmugam@wipro.com]
> Sent: Monday, September 12, 2005 12:09 AM
> To: ccielab@groupstudy.com
> Subject: QoS- Policing Method
>
>
> Hi Guys
>
> I have a requirement as specified below. I have also included my
> answer. Kindly verify the answer and provide me your feedback.
>
> 1. Limit the E0 interface traffic (overall) to 115.2Kbps (Bc=12000,
> be=32000),
> The interface traffic less than 115.2K should have the precedence set to
> 4 and all other traffic greater than 115.2Kbps should be dropped
>
> 2. Limit the mail (smtp,pop3) traffic in E0 to 56Kbps (Bc=8000,
> be=24000), The
> Mail traffic less than 56K should have the precedence set to 4 and all
> other traffic greater than 56Kbps should have the precedence set to 0
>
> 3. Similarly, Limit the HTTP traffic in E0 to 72Kbps (Bc=8000,
> be=24000), The
> web traffic less than 72K should have the precedence set to 4 and all
> other traffic greater than 72Kbps should be dropped
>
> I have used the MQC method to achieve the results....Is it OK ?
>
>
> class-map match-all mail
>  match access-group 105
>
> class-map match-all web
>  match access-group 106
> !
> !
> policy-map child
>  class mail
>   police cir 56000 bc 8000 be 24000
>    conform-action set-prec-transmit 4
>    exceed-action set-prec-transmit 0
>  class web
>   police cir 72000 bc 8000 be 24000
>    conform-action set-prec-transmit 4
>    exceed-action drop
>
> policy-map parent
>  class class-default
>   police cir 115000 bc 12000 be 32000
>    conform-action set-prec-transmit 4
>    exceed-action drop
>   service-policy child
>
>
> access-list 105 permit tcp any any eq smtp
> access-list 105 permit tcp any any eq pop3
> access-list 106 permit tcp any any eq www
>
> Please confirm.
>
>
>
>
> Confidentiality Notice
>
> The information contained in this electronic message and any attachments
> to this message are intended for the exclusive use of the addressee(s)
> and may contain confidential or privileged information. If you are not
> the intended recipient, please notify the sender at Wipro or
> Mailadmin@wipro.com immediately and destroy all copies of this message
> and any attachments.
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>


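The thread turns on two points that are easy to get wrong: an extended ACL line such as `permit tcp any any eq www` matches only packets whose destination port is 80 (client requests), so the server's replies are classified only if a second line matching source port 80 is added (Chris's fix), whereas NBAR is stateful and catches both directions; and `police cir/bc/be` is a token-bucket policer, so a burst is split between conform and exceed rather than being clipped at the exact CIR. The following Python model is an added example, not configuration or code from the GroupStudy thread or from Cisco; the packet sizes, ports and burst are constructed, and the policer is a simplified single-rate model (Bc and Be in bytes, Be bucket filled by overflow from Bc) rather than a claim about the exact IOS implementation.

```python
# Added example (not from the GroupStudy thread): a small model of IOS-style
# extended-ACL classification by direction, and of a 'police cir bc be'
# token bucket. All sample packets below are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str
    src_port: int
    dst_port: int
    size: int          # bytes on the wire


@dataclass(frozen=True)
class AclEntry:
    """One extended-ACL line such as 'permit tcp any any eq www'.
    A port of None means 'any' (no port operator on that side)."""
    proto: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return (pkt.proto == self.proto
                and (self.src_port is None or pkt.src_port == self.src_port)
                and (self.dst_port is None or pkt.dst_port == self.dst_port))


def acl_matches(acl: List[AclEntry], pkt: Packet) -> bool:
    """Every line here is a permit, so first-match reduces to any()."""
    return any(entry.matches(pkt) for entry in acl)


# access-list 106 permit tcp any any eq www        (requests only: dst port 80)
ACL_106_REQUESTS_ONLY = [AclEntry("tcp", dst_port=80)]
# ... plus  access-list 106 permit tcp any eq www any   (replies too: src port 80)
ACL_106_BOTH_WAYS = ACL_106_REQUESTS_ONLY + [AclEntry("tcp", src_port=80)]

# Constructed sample flow: a client request and the web server's reply.
REQUEST = Packet("tcp", src_port=40000, dst_port=80, size=500)
REPLY = Packet("tcp", src_port=80, dst_port=40000, size=1500)


def classify(acl: List[AclEntry], packets: List[Packet]) -> List[bool]:
    """True for each packet the ACL would place into the class."""
    return [acl_matches(acl, p) for p in packets]


class Policer:
    """Single-rate policer modelled on 'police cir <bps> bc <bytes> be <bytes>'.
    Packets that fit the Bc bucket conform, packets that only fit the Be
    bucket exceed, anything else violates. With no violate-action configured
    (as in the thread's policy-map) a violating packet gets the exceed-action."""

    def __init__(self, cir_bps: int, bc: int, be: int):
        self.bytes_per_sec = cir_bps / 8.0
        self.bc, self.be = bc, be
        self.conform_tokens = float(bc)   # both buckets start full
        self.exceed_tokens = float(be)
        self.last = 0.0

    def _refill(self, now: float) -> None:
        # Tokens accrue at CIR into the Bc bucket; overflow spills into Be.
        self.conform_tokens += (now - self.last) * self.bytes_per_sec
        self.last = now
        if self.conform_tokens > self.bc:
            spill = self.conform_tokens - self.bc
            self.conform_tokens = self.bc
            self.exceed_tokens = min(self.be, self.exceed_tokens + spill)

    def police(self, pkt: Packet, now: float) -> str:
        self._refill(now)
        if pkt.size <= self.conform_tokens:
            self.conform_tokens -= pkt.size
            return "conform"
        if pkt.size <= self.exceed_tokens:
            self.exceed_tokens -= pkt.size
            return "exceed"
        return "violate"


def police_burst(policer: Policer, packets: List[Packet], now: float) -> Dict[str, int]:
    """Count how a burst arriving at one instant is coloured."""
    counts = {"conform": 0, "exceed": 0, "violate": 0}
    for p in packets:
        counts[policer.police(p, now)] += 1
    return counts


if __name__ == "__main__":
    print("dst-port-only ACL:", classify(ACL_106_REQUESTS_ONLY, [REQUEST, REPLY]))
    print("both-direction ACL:", classify(ACL_106_BOTH_WAYS, [REQUEST, REPLY]))
    web = Policer(72000, 8000, 24000)           # the thread's 'web' class values
    burst = [REPLY] * 25                        # 25 x 1500 B = 37500 B at t=0
    print("burst at t=0:", police_burst(web, burst, 0.0))
    print("one packet 1 s later:", web.police(REPLY, 1.0))
```

The first two lines of output show why Tim's puzzle matters: for "limit web requests into s0" the destination-port-only ACL is the right classifier precisely because it ignores the replies, while for "limit HTTP traffic on the interface overall" you need the second line (or NBAR, which matches both directions anyway). The policer output shows that with Bc=8000 and Be=24000 a 37500-byte burst is not simply cut at 72 kbit/s: the first 8000 bytes conform, the next 24000 exceed, and only the remainder would be treated as violating; a second later the Bc bucket has refilled at 9000 bytes/s and the next packet conforms again.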

This archive was generated by hypermail 2.1.4 : Sun Oct 02 2005 - 14:40:15 GMT-3