Re: nbar direction for downloading content

From: san (san.study@gmail.com)
Date: Thu Jun 01 2006 - 12:58:54 ART


Hi,

Can you say why I am getting the error below while trying HTTP? I have
removed all authentication on the vty lines; I am able to telnet and tftp with no
issues.

Rack1R5#copy http://163.1.57.7/config.jpeg null:
%Error opening http://163.1.57.7/config.jpeg (Permission denied)

I tried with tftp inbound and outbound; both work fine. One more key point I
found was that NBAR for locally generated traffic is not possible.

On 6/1/06, Koen Zeilstra <koen@koenzeilstra.com> wrote:
>
> It sure helped.
>
> I have test.jpg (which is truly an image) on my http server
> enabled switch. With your debug commands I found out it responds with mime
> type image/jpeg. I am matching on *jpg which of course doesn't match.
>
> I switched to:
>
> match protocol http mime "*jpeg"
>
> and it works.
>
> Thanks!!
>
>
>
> -----------------------
> The only thing to do with good advice is pass it on. It is never any
> use to oneself.
> -- Oscar Wilde
>
> On Thu, 1 Jun 2006, Petr Lapukhov wrote:
>
> | Koen,
> |
> | You see that url matches part of an HTTP GET _request_.
> | (To match hostname you need match protocol http host).
> |
> | Next, mime-type. If you recall what MIME is, you may quickly
> | understand that matching mime-type actually matches
> | part of the HTTP reply BODY. That is, the server responds to you with
> | an octet stream; you get a mime-header at the beginning of the
> | stream, which states "image/jpeg" for example.
> |
> | Now you can match mime-types only if the server truly responds to you
> | with images :) In my case, I used a simple text-file to "simulate" a file
> | with "jpeg" extension. It will not be sent as a MIME-encoded message
> | with mime-type image/jpeg actually :)
> |
> | So you see that matching mime-types is related to content, and
> | matching url is related solely to the requests being made.
> |
> | BTW, if you actually want to see what you get in response to your
> | HTTP request, you may use "debug ip packet detail dump" (beware!)
> | or, more advanced:
> |
> | debug ip nbar filter destination_port tcp 80
> | debug ip nbar capture 200 10 10 10
> | show ip nbar capture
> |
> | HTH
> | Petr
> |
> | 2006/6/1, Koen Zeilstra <koen@koenzeilstra.com>:
> | >
> | > Petr, I sort of missed that. Sorry about that.
> | >
> | > I labbed up your config and it works with
> | >
> | > match protocol http url *.jpg
> | >
> | > however I don't get any matches on:
> | >
> | > match protocol http mime *jpg
> | >
> | >
> | > I applied the service-policy in and outbound. In both directions no
> | > match.
> | >
> | > Am I doing something wrong?
> | >
> | >
> | > class-map match-all MIME
> | > match protocol http mime "*jpg"
> | > !
> | > policy-map TEST2
> | > class MIME
> | > !
> | > interface Serial0/0
> | > service-policy input TEST2
> | > service-policy output TEST2
> | > !
> | >
> | >
> | >
> | >
> | > -----------------------
> | > Oh, well, I guess this is just going to be one of those lifetimes.
> | >
> | > On Thu, 1 Jun 2006, Petr Lapukhov wrote:
> | >
> | > | Koen, I already mentioned that in the previous thread.. :)
> | > |
> | > | You apply the policy for HTTP INBOUND. At the same time,
> | > | NBAR recognizes OUTGOING URLs with GET requests,
> | > | and classifies return traffic as an HTTP stream related to those
> | > | URLs.
> | > |
> | > | (Also, matching MIME types will work too. But if you see stuff
> | > | like "*.jpeg" you should clearly think of URL matching).
> | > |
> | > | Here is a scenario where you can verify that:
> | > |
> | > | ----------
> | > |
> | > | R1 is downloading images from SW1, which is the HTTP server
> | > | with ip address 151.10.7.7
> | > |
> | > | R3 is in control of data streams. It utilizes policy map
> | > | inbound on interface Fa 0/0.
> | > |
> | > | -----------
> | > |
> | > | (Following text is best viewed with Courier New Font ;))
> | > |
> | > | R1-----R3::Fa0/0----SW1::Lo0(7.7/24)
> | > |
> | > | SW1:
> | > |
> | > | SW1#sh running-config | inc ip http
> | > | ip http server
> | > | ip http path flash:
> | > |
> | > | SW1#dir flash:*.jpeg
> | > | Directory of flash:/*.jpeg
> | > |
> | > | 95 -rwx 2227 Mar 2 1993 00:28:03 +00:00 image.jpeg
> | > |
> | > |
> | > | R3:
> | > | !
> | > | class-map match-any IMAGES
> | > | match protocol http url "*.jpeg"
> | > | match protocol http url "*.jpg"
> | > | match protocol http url "*.gif"
> | > | match protocol http url "*.png"
> | > | !
> | > | policy-map TEST
> | > | class IMAGES
> | > | police 128000
> | > | !
> | > | interface FastEthernet0/0
> | > | ip address 151.10.33.3 255.255.255.0
> | > | ip nbar protocol-discovery
> | > | service-policy input TEST
> | > | end
> | > |
> | > | R1#copy http://151.10.7.7/image.jpeg null:
> | > | Loading http://151.10.7.7/image.jpeg !
> | > | 2227 bytes copied in 0.040 secs (55675 bytes/sec)
> | > |
> | > | R1#copy http://151.10.7.7/image.jpeg null:
> | > | Loading http://151.10.7.7/image.jpeg !
> | > | 2227 bytes copied in 0.040 secs (55675 bytes/sec)
> | > |
> | > | R3#show ip nbar protocol-discovery interface fastEthernet 0/0 protocol http
> | > |
> | > |  FastEthernet0/0
> | > |                            Input                    Output
> | > |                            -----                    ------
> | > |    Protocol                Packet Count             Packet Count
> | > |                            Byte Count               Byte Count
> | > |                            5min Bit Rate (bps)      5min Bit Rate (bps)
> | > |                            5min Max Bit Rate (bps)  5min Max Bit Rate (bps)
> | > |    ------------------------ ------------------------ ------------------------
> | > |    http                    12                       24
> | > |                            5594                     1544
> | > |                            0                        0
> | > |                            0                        0
> | > |    unknown                 4                        4
> | > |                            240                      224
> | > |                            0                        0
> | > |                            0                        0
> | > |    Total                   20                       33
> | > |                            6189                     2177
> | > |                            0                        0
> | > |                            0                        0
> | > |
> | > |
> | > | R3#show policy-map interface fastEthernet 0/0
> | > | FastEthernet0/0
> | > |
> | > | Service-policy input: TEST
> | > |
> | > | Class-map: IMAGES (match-any)
> | > | 12 packets, 5594 bytes
> | > | 5 minute offered rate 2000 bps, drop rate 0 bps
> | > | Match: protocol http url "*.jpeg"
> | > | 12 packets, 5594 bytes
> | > | 5 minute rate 2000 bps
> | > | Match: protocol http url "*.jpg"
> | > | 0 packets, 0 bytes
> | > | 5 minute rate 0 bps
> | > | Match: protocol http url "*.gif"
> | > | 0 packets, 0 bytes
> | > | 5 minute rate 0 bps
> | > | Match: protocol http url "*.png"
> | > | 0 packets, 0 bytes
> | > | 5 minute rate 0 bps
> | > | police:
> | > | cir 128000 bps, bc 4000 bytes
> | > | conformed 12 packets, 5594 bytes; actions:
> | > | transmit
> | > | exceeded 0 packets, 0 bytes; actions:
> | > | drop
> | > | conformed 2000 bps, exceed 0 bps
> | > |
> | > | Class-map: class-default (match-any)
> | > | 14 packets, 1236 bytes
> | > | 5 minute offered rate 0 bps, drop rate 0 bps
> | > | Match: any
> | > |
> | > |
> | > | HTH
> | > | Petr
> | > |
> | > |
> | > | _______________________________________________________________________
> | > | Subscription information may be found at:
> | > | http://www.groupstudy.com/list/CCIELab.html
> | > |
> | >
> |
>
>

-- 
Thanks & Rgds
SAN
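The distinction the thread turns on (a url match looks at the client's outgoing GET request, a mime match looks at the Content-Type the server actually sends back) is easy to see in code. The following is an added example, not part of the thread and not Cisco IOS code: a small Python classifier that applies NBAR-style url globs to a GET request line and mime globs to a response's Content-Type header. The request/response bytes are constructed for the example (the address and file name only echo Petr's scenario), and the function names `match_http_url`, `match_http_mime` and `classify` are this example's own.

```python
# Added example (not from the thread, not Cisco IOS code): apply NBAR-style
# "url" globs to the client's HTTP GET request line and "mime" globs to the
# server's Content-Type header. Shows why "*.jpeg" belongs in a url match,
# why "*jpeg" (not "*jpg") is needed for a mime match on image/jpeg, and why
# a text file renamed to .jpeg never matches on mime type.
import fnmatch
import re
from typing import Optional

# Constructed sample exchanges (not captured traffic).
REQUEST_JPEG = (
    b"GET /image.jpeg HTTP/1.1\r\n"
    b"Host: 151.10.7.7\r\n"
    b"\r\n"
)
# A real image: the server labels the body image/jpeg.
RESPONSE_JPEG = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: image/jpeg\r\n"
    b"Content-Length: 2227\r\n"
    b"\r\n" + b"\xff\xd8" + b"\x00" * 2225
)
# A text file renamed to .jpeg: same URL, but the server labels it text/plain.
RESPONSE_TEXT = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/plain\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"hello"
)


def request_url(request: bytes) -> Optional[str]:
    """Return the request-target of a GET request line, or None."""
    first_line = request.split(b"\r\n", 1)[0]
    m = re.match(rb"GET (\S+) HTTP/1\.[01]$", first_line)
    return m.group(1).decode("ascii", "replace") if m else None


def response_mime(response: bytes) -> Optional[str]:
    """Return the media type from the server's Content-Type header, or None."""
    head = response.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-type":
            # Drop parameters such as "; charset=utf-8" before matching.
            return value.split(b";", 1)[0].strip().decode("ascii", "replace").lower()
    return None


def match_http_url(pattern: str, request: bytes) -> bool:
    """NBAR-style 'match protocol http url <glob>': looks only at the request."""
    url = request_url(request)
    return url is not None and fnmatch.fnmatchcase(url, pattern)


def match_http_mime(pattern: str, response: bytes) -> bool:
    """NBAR-style 'match protocol http mime <glob>': looks only at the reply."""
    mime = response_mime(response)
    return mime is not None and fnmatch.fnmatchcase(mime, pattern)


def classify(request: bytes, response: bytes,
             url_globs=(), mime_globs=(), class_name="IMAGES") -> dict:
    """match-any class-map over one request/response pair.

    The url match can only fire on the outgoing GET, after which the whole
    exchange (request and returning data) is treated as that class; the mime
    match can only fire on what the server actually sends back.
    """
    url_hit = any(match_http_url(g, request) for g in url_globs)
    mime_hit = any(match_http_mime(g, response) for g in mime_globs)
    return {
        "url_match": url_hit,
        "mime_match": mime_hit,
        "class": class_name if (url_hit or mime_hit) else "class-default",
    }


if __name__ == "__main__":
    for label, resp in (("real jpeg", RESPONSE_JPEG), ("renamed text", RESPONSE_TEXT)):
        print(label, "url *.jpeg:", classify(REQUEST_JPEG, resp, url_globs=("*.jpeg",)))
        print(label, "mime *jpg :", classify(REQUEST_JPEG, resp, mime_globs=("*jpg",)))
        print(label, "mime *jpeg:", classify(REQUEST_JPEG, resp, mime_globs=("*jpeg",)))
```

Running it reproduces both observations from the thread: the url glob "*.jpeg" classifies the exchange whether or not the body is really an image, while "*jpg" never matches "image/jpeg" and "*jpeg" matches only when the server genuinely sends that Content-Type.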


This archive was generated by hypermail 2.1.4 : Sat Jul 01 2006 - 07:57:31 ART