RE: NBAR http matching

From: Scott Morris (smorris@ipexpert.com)
Date: Mon Jun 25 2007 - 18:09:52 ART


I would think it would be easier to modify the ip port-map to include 8080
as an http port. Then you just have to do your second class-map to include
80 and 8080.

Just my thought...

 
Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713, JNCIE
#153, CISSP, et al.
CCSI/JNCI-M/JNCI-J
VP - Technical Training - IPexpert, Inc.
IPexpert Sr. Technical Instructor
 
A Cisco Learning Partner - We Accept Learning Credits!
 
smorris@ipexpert.com
 
Telephone: +1.810.326.1444
Fax: +1.810.454.0130
http://www.ipexpert.com
 

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Antonio Soares
Sent: Monday, June 25, 2007 3:43 PM
To: 'M S'; malcolm.salmons@gmail.com
Cc: ccielab@groupstudy.com
Subject: RE: NBAR http matching

I noticed that if we want to match a host running on a non-default port,
let's say 8080, we must include this in the match statement. In the example
below, my web server (a Cisco router) is running on port 8080:

!
class-map match-all http-host-port8080
 match protocol http host "12.12.12.2:8080"
class-map match-all http-host-port80
 match protocol http host "12.12.12.2"
class-map match-all http-gif
 match protocol http url "*.gif"
class-map match-all http-url
 match protocol http url "*exec*"
!
!
policy-map qos
 class http-url
 class http-gif
 class http-host-port80
 class http-host-port8080
!
!
!
!
          
R1#sh policy-map interface
 FastEthernet0/0

  Service-policy input: qos

    Class-map: http-url (match-all)
      124 packets, 10918 bytes
      5 minute offered rate 0 bps
      Match: protocol http url "*exec*"

    Class-map: http-gif (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps
      Match: protocol http url "*.gif"

    Class-map: http-host-port80 (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps
      Match: protocol http host "12.12.12.2"

    Class-map: http-host-port8080 (match-all)
      51 packets, 5900 bytes
      5 minute offered rate 0 bps
      Match: protocol http host "12.12.12.2:8080"
          
    Class-map: class-default (match-any)
      669 packets, 320813 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
R1#

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Antonio Soares
Sent: segunda-feira, 25 de Junho de 2007 3:15
To: 'M S'; malcolm.salmons@gmail.com
Cc: ccielab@groupstudy.com
Subject: RE: NBAR http matching

Something interesting that I want to add to this discussion:

I captured my traffic when opening the DocCD and this is what I got:

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1st GET Packet:
URL=/univercd/home/home.htm
Host=www.cisco.com
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Frame 6 (477 bytes on wire, 477 bytes captured) Ethernet II, Src:
00:19:d2:06:f8:cd (00:19:d2:06:f8:cd), Dst:
00:18:39:bc:46:b0 (00:18:39:bc:46:b0)
Internet Protocol, Src: 192.168.1.100 (192.168.1.100), Dst: 198.133.219.25
(198.133.219.25)
Transmission Control Protocol, Src Port: 3548 (3548), Dst Port: 80 (80),
Seq: 1, Ack: 1, Len: 423
Hypertext Transfer Protocol
    GET /univercd/home/home.htm HTTP/1.1\r\n
        Request Method: GET
        Request URI: /univercd/home/home.htm
        Request Version: HTTP/1.1
    Accept: */*\r\n
    Accept-Language: pt\r\n
    UA-CPU: x86\r\n
    Accept-Encoding: gzip, deflate\r\n
    If-Modified-Since: Tue, 19 Jun 2007 18:44:38 GMT\r\n
    If-None-Match: "850a"\r\n
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR
1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; InfoPath.1)\r\n
    Host: www.cisco.com\r\n
    Connection: Keep-Alive\r\n
    Cookie: CP_GUTC=213.164.58.13.1182692844447933\r\n
    \r\n
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
2nd GET Packet:
URL=/univercd/cc/lib/splash.gif
Host=www.cisco.com
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Frame 19 (535 bytes on wire, 535 bytes captured) Ethernet II, Src:
00:19:d2:06:f8:cd (00:19:d2:06:f8:cd), Dst:
00:18:39:bc:46:b0 (00:18:39:bc:46:b0)
Internet Protocol, Src: 192.168.1.100 (192.168.1.100), Dst: 198.133.219.25
(198.133.219.25)
Transmission Control Protocol, Src Port: 3549 (3549), Dst Port: 80 (80),
Seq: 1, Ack: 1, Len: 481
Hypertext Transfer Protocol
    GET /univercd/cc/lib/splash.gif HTTP/1.1\r\n
        Request Method: GET
        Request URI: /univercd/cc/lib/splash.gif
        Request Version: HTTP/1.1
    Accept: */*\r\n
    Referer: http://www.cisco.com/univercd/home/home.htm\r\n
    Accept-Language: pt\r\n
    UA-CPU: x86\r\n
    Accept-Encoding: gzip, deflate\r\n
    If-Modified-Since: Tue, 19 Jun 2007 20:21:18 GMT\r\n
    If-None-Match: "1119"\r\n
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR
1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; InfoPath.1)\r\n
    Host: www.cisco.com\r\n
    Connection: Keep-Alive\r\n
    Cookie: CP_GUTC=213.164.58.13.1182692844447933\r\n
    \r\n
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

So the Match protocol http actually matches the HTTP GET Packets.

The GET Packets are sent from the client to the server only.

So I think any policy can be applied inbound or outbound depending on where the
clients are and what we are asked to do.

A common question I saw several times is how to block images. Here we may
use wildcards to match the URL containing the image file.

For example, if I want to block any .gif, I would do:

!
class-map match-all http-images
 match protocol http url "*.gif"
!
!
policy-map qos
 class http-images
   drop
!

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of M S
Sent: segunda-feira, 25 de Junho de 2007 1:10
To: malcolm.salmons@gmail.com
Cc: ccielab@groupstudy.com
Subject: RE: NBAR http matching

I've been watching this discussion.
Can I get some input on the assumptions I make as they relate to this
document, please?
Thank you!

When matching by HOST is performed, NBAR performs a regular expression match
on the host field contents inside an HTTP GET packet and classifies all
packets from that host.

match protocol http host "abc.com" matches all packets coming FROM abc.com.
So, any policy that matches http host must be an inbound policy.
class-map HOSTS
match protocol http host "abc.com"
policy-map HTTP-FILTERS
class HOSTS
!
interface Serial0/0
service-policy input HTTP-FILTERS
description abc is outside of my network over this serial link

When matching by URL is performed, NBAR recognizes the HTTP GET packets
containing the URL, and then matches all packets that are part of the HTTP
GET request. When specifying a URL for classification, include only the
portion of the URL following www.hostname.domain in the match statement. For
example, in the URL www.anydomain.com/latest/whatsnew.html, include only
/latest/whatsnew.html.

match protocol http url is not confined to any specific direction. If a port
80 packet contains a GET statement, NBAR will parse the string for a match
based on the regular expression.
class-map URL
match protocol http url "*/new/*"
policy-map BLOCK-URL
class URL
drop

Now, if I want to use both together I will have to use nested policy-maps

policy-map HTTP-FILTERS
class HOSTS
service-policy BLOCK-URL
!

interface Serial0/0
service-policy input HTTP-FILTERS

This policy will allow the requests to abc.com to leave the site, but
packets directed to the news directory will be dropped.
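Added example (not part of any post in this thread, and not Cisco code): a small Python simulation of the NBAR behaviour discussed above. It parses raw HTTP requests the way the captured GET packets look, applies "match protocol http host" and "match protocol http url" statements as match-all class-maps, and walks a policy-map in order. It reproduces three points from the thread: only client-to-server GET packets can match (a server response never does), a server on 8080 needs "host:8080" in the class-map and is only inspected at all if 8080 is in the http port-map (Scott's suggestion, `ip nbar port-map http tcp 80 8080` in IOS), and host plus url can be combined in one match-all class. Assumptions: NBAR's pattern syntax is approximated with `*` and `?` glob wildcards via `fnmatchcase`; the requests to 12.12.12.2:8080, the "/news/*" pattern and the response bytes are constructed here, not taken from the capture.

```python
"""NBAR-style HTTP classification simulated in Python (added example)."""
from fnmatch import fnmatchcase

# NBAR only inspects HTTP on ports in its http port-map; 80 is the default.
# Scott's suggestion ('ip nbar port-map http tcp 80 8080' in IOS) is
# modelled here by passing http_ports={80, 8080} to classify().
DEFAULT_HTTP_PORTS = frozenset({80})


def parse_http_request(raw):
    """Return (request_uri, headers) if raw begins with an HTTP request line.

    Server responses ('HTTP/1.1 200 OK ...') and non-HTTP payloads return None,
    which mirrors the observation that host/url matching only fires on the
    client-to-server GET packets.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return parts[1], headers


def rule_matches(rule, uri, headers):
    """One 'match protocol http host|url PATTERN' statement (glob approximation)."""
    kind, pattern = rule
    if kind == "host":
        # The Host header is compared as sent, so a server on 8080 needs
        # "12.12.12.2:8080" in the class-map; "12.12.12.2" alone will not match.
        return fnmatchcase(headers.get("host", ""), pattern)
    if kind == "url":
        # Only the part after the hostname is compared, i.e. the request URI.
        return fnmatchcase(uri, pattern)
    raise ValueError(f"unknown match kind {kind!r}")


def classify(raw, dst_port, policy, http_ports=DEFAULT_HTTP_PORTS):
    """Walk a policy-map given as an ordered list of (class_name, match-all rules).

    Returns the first class whose every rule matches, else 'class-default'.
    """
    if dst_port not in http_ports:
        return "class-default"          # never recognised as http at all
    parsed = parse_http_request(raw)
    if parsed is None:
        return "class-default"          # no GET to inspect
    uri, headers = parsed
    for name, rules in policy:
        if all(rule_matches(r, uri, headers) for r in rules):
            return name
    return "class-default"


# The 'qos' policy-map from the thread, class order preserved.
POLICY_QOS = [
    ("http-url", [("url", "*exec*")]),
    ("http-gif", [("url", "*.gif")]),
    ("http-host-port80", [("host", "12.12.12.2")]),
    ("http-host-port8080", [("host", "12.12.12.2:8080")]),
]

# One match-all class combining host and url, for the original question.
# The "/news/*" pattern is an assumption for "the news directory".
POLICY_WEB_DIR = [
    ("web-directory", [("host", "www.abc.com"), ("url", "/news/*")]),
]


def build_get(uri, host):
    """Constructed minimal GET request, in the shape of the captured ones."""
    return f"GET {uri} HTTP/1.1\r\nHost: {host}\r\nConnection: Keep-Alive\r\n\r\n".encode()


# Sample traffic: the two URIs from the capture, plus constructed requests
# to a router web server on port 8080 and one constructed server response.
GET_HOME = build_get("/univercd/home/home.htm", "www.cisco.com")
GET_GIF = build_get("/univercd/cc/lib/splash.gif", "www.cisco.com")
GET_ROUTER_ROOT = build_get("/", "12.12.12.2:8080")
GET_ROUTER_EXEC = build_get("/level/15/exec/-/show/version", "12.12.12.2:8080")
RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"

if __name__ == "__main__":
    samples = [("home", GET_HOME, 80), ("gif", GET_GIF, 80),
               ("router /", GET_ROUTER_ROOT, 8080),
               ("router exec", GET_ROUTER_EXEC, 8080),
               ("response", RESPONSE, 80)]
    for label, pkt, port in samples:
        print(f"{label:12} port-map 80      -> {classify(pkt, port, POLICY_QOS)}")
        print(f"{label:12} port-map 80+8080 -> {classify(pkt, port, POLICY_QOS, {80, 8080})}")
```

Running it shows the request to the router on 8080 landing in class-default with the default port-map and in http-host-port8080 once 8080 is added, while a URI containing "exec" is taken by http-url first because of class order, which is consistent with the counters in the show policy-map output above.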

  --------------------------------------------------------------------

  From: malcolm.salmons@gmail.com
  Reply-To: malcolm.salmons@gmail.com
  To: ccielab@groupstudy.com
  Subject: NBAR http matching
  Date: Sun, 10 Jun 2007 16:30:26 -0400
  Hi

  I'm having a few problems determining the difference between match
  protocol http host, url and mime and how to apply them to practical
  examples. For example if I wanted to match traffic for a particular
  directory for a specific website, e.g. www.abc.com/news

  How would I go about matching this?

  Would it be:

  class-map match-all web-directory
  match protocol http host "www.abc.com"
  match protocol http url "/news/"

  Or am I way off the mark here?

  Any help would be greatly appreciated.

  Thanks

  _______________________________________________________________________
  Subscription information may be found at:
  http://www.groupstudy.com/list/CCIELab.html



This archive was generated by hypermail 2.1.4 : Sun Jul 01 2007 - 17:24:51 ART