RE: blocking website using NBAR still doesn't work

From: Victor Cappuccio (vcappuccio@ccbootcamp.com)
Date: Sat Aug 11 2007 - 03:28:32 ART


Hi Lamine

R1 --- R4f0/0 --- SW1(web server)

Sw1#deb ip http all
Sw1#
rack5>1
[Resuming connection 1 to R1 ... ]
copy http://10.10.7.7/run.html null0
Destination filename [null0]?
rack5>7
[Resuming connection 7 to sw1 ... ]

Sw1#
rack5>1
[Resuming connection 1 to R1 ... ]

Loading http://10.10.7.7/run.html !
%Error copying http://10.10.7.7/run.html (Not enough space on device)
R1#
R1#
rack5>7
[Resuming connection 7 to sw1 ... ]

1d22h: Tue, 02 Mar 1993 22:31:36 GMT 10.10.123.1 /run.html ok
        Protocol = HTTP/1.1 Method = GET
1d22h: Date = Wed, 06 Jun 2007 23:35:10 GMT

Sw1#
Sw1#
rack5>4
[Resuming connection 4 to R4 ... ]

R4#show policy-map inter
 FastEthernet0/0

  Service-policy input: PMPOLICY

    Class-map: PICTURES (match-all)
      0 packets, 0 bytes
      30 second offered rate 0 bps, drop rate 0 bps
      Match: protocol http url "*.jpeg|*.jpg|*.gif"
      Match: access-group 101
      Match: protocol http host "10.10.7.7"
      drop

    Class-map: WEBSERVER (match-all)
      8 packets, 3362 bytes
      30 second offered rate 1000 bps, drop rate 0 bps
      Match: protocol http host "10.10.7.7"
      police:
          cir 640000 bps, bc 20000 bytes
        conformed 8 packets, 3362 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        conformed 1000 bps, exceed 0 bps

    Class-map: class-default (match-any)
      717 packets, 64081 bytes
      30 second offered rate 0 bps, drop rate 0 bps
      Match: any
R4#

rack5>7
[Resuming connection 7 to sw1 ... ]

Sw1#

!now we have some fake information in the flash of this stuff

Sw1#copy running-config flash:ima.gif
Destination filename [ima.gif]?

2689 bytes copied in 1.225 secs (2195 bytes/sec)
Sw1#copy running-config flash:ima.jpeg
Destination filename [ima.jpeg]?

2689 bytes copied in 0.646 secs (4163 bytes/sec)
Sw1#copy running-config flash:ima.jpg
Destination filename [ima.jpg]?

2689 bytes copied in 0.638 secs (4215 bytes/sec)
Sw1#show flash

Directory of flash:/

    2 -rwx 7963038 Mar 1 1993 02:57:02 +00:00
c3560-advipservicesk9-mz.122-25.SEE2.bin
    3 -rwx 1442 Mar 1 1993 01:06:10 +00:00 run.jpg
    4 -rwx 864 Mar 1 1993 00:09:21 +00:00 test
    5 -rwx 1096 Mar 1 1993 22:16:15 +00:00 vlan.dat
    6 -rwx 24 Mar 2 1993 05:45:09 +00:00 private-config.text
    7 -rwx 2679 Mar 2 1993 22:02:58 +00:00 run.html
    8 -rwx 2135 Mar 2 1993 05:45:09 +00:00 config.text
    9 -rwx 2689 Mar 2 1993 22:32:43 +00:00 ima.gif
   10 -rwx 2689 Mar 2 1993 22:32:49 +00:00 ima.jpeg
   11 -rwx 2689 Mar 2 1993 22:32:53 +00:00 ima.jpg

!Yeah

32514048 bytes total (24529920 bytes free)
Sw1#
rack5>1
[Resuming connection 1 to R1 ... ]

R1#copy http://10.10.7.7/ima.gif null0
Destination filename [null0]?
Loading http://10.10.7.7/ima.gif !
%Error copying http://10.10.7.7/ima.gif (Not enough space on device)
R1#
rack5>4
[Resuming connection 4 to R4 ... ]

R4#show policy-map inter
 FastEthernet0/0

  Service-policy input: PMPOLICY

    Class-map: PICTURES (match-all)
      0 packets, 0 bytes
      30 second offered rate 0 bps, drop rate 0 bps
      Match: protocol http url "*.jpeg|*.jpg|*.gif"
      Match: access-group 101
      Match: protocol http host "10.10.7.7"
      drop

    Class-map: WEBSERVER (match-all)
      12 packets, 4904 bytes
      30 second offered rate 0 bps, drop rate 0 bps
      Match: protocol http host "10.10.7.7"
      police:
          cir 640000 bps, bc 20000 bytes
        conformed 12 packets, 4904 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        conformed 0 bps, exceed 0 bps

R4#show run | in access-list 101
access-list 101 permit tcp host 10.7.7.7 eq www host 150.1.1.1
access-list 101 permit tcp host 10.10.67.7 eq www host 150.1.1.1
access-list 101 permit tcp host 10.7.7.7 eq www any
access-list 101 permit tcp host 10.10.67.7 eq www any
R4# !Stupid Router!
R4#conf ter
Enter configuration commands, one per line. End with CNTL/Z.
R4(config)#no access-list 101
R4(config)#
R4(config)#access-list 101 permit tcp host 10.10.7.7 eq www host 150.1.1.1
R4(config)#access-list 101 permit tcp host 10.10.67.7 eq www host 150.1.1.1
R4(config)#access-list 101 permit tcp host 10.10.7.7 eq www any
R4(config)#access-list 101 permit tcp host 10.10.67.7 eq www any
R4(config)#^Z
R4#
rack5>1
[Resuming connection 1 to R1 ... ]

R1#copy http://10.10.7.7/ima.gif null0
Destination filename [null0]?

rack5>4
[Resuming connection 4 to R4 ... ]

R4#show policu
R4#show policy
R4#show policy-map inter f0/0
 FastEthernet0/0

  Service-policy input: PMPOLICY

    Class-map: PICTURES (match-all)
      4 packets, 1243 bytes
      30 second offered rate 0 bps, drop rate 0 bps
      Match: protocol http url "*.jpeg|*.jpg|*.gif"
      Match: access-group 101
      Match: protocol http host "10.10.7.7"
      drop

    Class-map: WEBSERVER (match-all)
      12 packets, 4904 bytes
      30 second offered rate 0 bps, drop rate 0 bps
      Match: protocol http host "10.10.7.7"
      police:
          cir 640000 bps, bc 20000 bytes
        conformed 12 packets, 4904 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        conformed 0 bps, exceed 0 bps

    Class-map: class-default (match-any)
      803 packets, 70341 bytes
      30 second offered rate 0 bps, drop rate 0 bps
      Match: any
R4#
rack5>1
[Resuming connection 1 to R1 ... ]
Loading http://10.10.7.7/ima.gif
rack5>!! We still have nothing
[Resuming connection 1 to R1 ... ]
!
%Error reading http://10.10.7.7/ima.gif (Broken pipe)
R1#
R1#
R1#
R1#
R1#
R1#
R1#
R1#
rack5>4
[Resuming connection 4 to R4 ... ]

R4#
R4#show policy-map inter f0/0 ?
  input Input policy
  output Output policy
  | Output modifiers
  <cr>

R4#show policy-map inter f0/0
 FastEthernet0/0

  Service-policy input: PMPOLICY

    Class-map: PICTURES (match-all)
      8 packets, 3384 bytes
      30 second offered rate 0 bps, drop rate 0 bps
      Match: protocol http url "*.jpeg|*.jpg|*.gif"
      Match: access-group 101
      Match: protocol http host "10.10.7.7"
      drop

    Class-map: WEBSERVER (match-all)
      12 packets, 4904 bytes
      30 second offered rate 0 bps, drop rate 0 bps
      Match: protocol http host "10.10.7.7"
      police:
          cir 640000 bps, bc 20000 bytes
        conformed 12 packets, 4904 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        conformed 0 bps, exceed 0 bps

    Class-map: class-default (match-any)
      825 packets, 71957 bytes
      30 second offered rate 0 bps, drop rate 0 bps
      Match: any

R4#show policy-map inter f0/0
 FastEthernet0/0

  Service-policy input: PMPOLICY

    Class-map: PICTURES (match-all)
      8 packets, 3384 bytes
      30 second offered rate 0 bps, drop rate 0 bps
      Match: protocol http url "*.jpeg|*.jpg|*.gif"
      Match: access-group 101
      Match: protocol http host "10.10.7.7"
      drop

    Class-map: WEBSERVER (match-all)
      12 packets, 4904 bytes !!!!SOME HERE
      30 second offered rate 0 bps, drop rate 0 bps
      Match: protocol http host "10.10.7.7"
      police:
          cir 640000 bps, bc 20000 bytes
        conformed 12 packets, 4904 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        conformed 0 bps, exceed 0 bps

    Class-map: class-default (match-any)
      825 packets, 71957 bytes
      30 second offered rate 0 bps, drop rate 0 bps
      Match: any
R4#show run policy-map
Building configuration...

Current configuration : 88 bytes
!
policy-map PMPOLICY
 class PICTURES
   drop
 class WEBSERVER
   police 640000
!
end

R4#show run class-map
Building configuration...

Current configuration : 215 bytes
!
class-map match-all PICTURES
 match protocol http url "*.jpeg|*.jpg|*.gif"
 match access-group 101
 match protocol http host "10.10.7.7"
class-map match-all WEBSERVER
 match protocol http host "10.10.7.7"
!
end

R4#show run int f0/0
Building configuration...

Current configuration : 236 bytes
!
interface FastEthernet0/0
 ip address 10.10.34.4 255.255.255.0
 ip access-group 102 in
 ip pim sparse-dense-mode
 no ip route-cache cef
 no ip route-cache
 load-interval 30
 duplex auto
 speed auto
 service-policy input PMPOLICY
end

thanks,
Victor Cappuccio.-
- CCSI# 31452

CCBOOTCAMP - A Cisco Sponsored Organization (SO)
email: vcappuccio@ccbootcamp.com
Toll Free: 877-654-2243
Direct: +1-702-968-5100 = Outside the USA
FAX: +1-702-446-8012
YES! We take Cisco Learning Credits!
Training And Remote Racks: http://www.ccbootcamp.com

Register to win a free iPhone! http://www.ccbootcamp.com/iphone.html

-----Original Message-----
From: nobody@groupstudy.com on behalf of b_lamine@yahoo.fr
Sent: Sat 11-Aug-07 5:48 AM
To: ccielab@groupstudy.com
Subject: blocking website using NBAR still doesn't work

Hi all,

I'm trying to block websites by using NBAR, and I have tested a solution by
Brian McGahan and other CCIEs but it doesn't work. And the drop command cannot
be configured in class-default:

policy-map TRAFFIC
R1(config-pmap)# class MANAGER
R1(config-pmap-c)# class ACCEPTED_WEB
R1(config-pmap-c)# class class-default
R1(config-pmap-c)# drop
Drop cannot be configured in class-default

I have tried with host rather than url but it is still not working:

class-map match-any ACCEPTED_WEB
match protocol http host "www.degrouptest.com"
match protocol http host "www.orange.fr"
match protocol http host "www.clubinternet.fr"
class-map match-any PHONE_CONTROL
match protocol h323
match access-group name PHONE_APP
class-map match-all MANAGER
match access-group 1
!
!
policy-map MARK_DSCP
class MANAGER
set ip dscp 1
class PHONE_CONTROL
set ip dscp 1
class ACCEPTED_WEB
set ip dscp 1
!
interface FastEthernet0/0
ip address 192.168.0.1 255.255.255.0
ip nbar protocol-discovery
ip nat inside
service-policy input MARK_DSCP
!
interface FastEthernet0/1
ip address 196.46.253.102 255.255.255.252
ip nat outside
!
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
!
!
ip nat inside source list 102 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.0.5 7080 81.52.163.155 7080
extendable
ip nat inside source static tcp 192.168.0.5 22 196.46.253.102 22 extendable
ip nat inside source static tcp 192.168.0.5 80 196.46.253.102 80 extendable
ip nat inside source static udp 192.168.0.3 5808 196.46.253.102 5808
extendable
ip nat inside source static udp 192.168.0.3 5809 196.46.253.102 5809
extendable
ip nat inside source static tcp 192.168.0.10 5900 196.46.253.102 5900
extendable
ip nat inside source static tcp 192.168.0.5 7080 196.46.253.102 7080
extendable
!
ip access-list extended PHONE_APP
remark VNC Client/Server
permit tcp any any eq 5900
permit tcp any eq 5900 any
remark Agent Phonecontrol
permit tcp any any eq 14300
permit tcp any eq 14300 any
remark Administrateur Phonecontrol
permit tcp any any eq 14500
permit tcp any eq 14500 any
remark ----au cas ou----
permit udp any any eq 5808
permit udp any eq 5808 any
permit udp any any eq 5809
permit udp any eq 5809 any
remark Agent CosmoCall
permit tcp any any eq 14005
permit tcp any eq 14005 any
!
access-list 1 permit 192.168.0.90
access-list 1 permit 192.168.0.36
access-list 1 permit 192.168.0.9
access-list 1 permit 192.168.0.10
access-list 1 permit 192.168.0.14
access-list 1 permit 192.168.0.25
access-list 1 permit 192.168.0.18

access-list 102 permit ip 192.168.0.0 0.0.0.255 any dscp 1

########################################################

R1#show policy-map interface FastEthernet0/0
FastEthernet0/0
Service-policy input: MARK_DSCP

Class-map: MANAGER (match-all)
75267 packets, 11355431 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group 1
QoS Set
dscp 1
Packets marked 75267

Class-map: PHONE_CONTROL (match-any)
890407 packets, 156960904 bytes
5 minute offered rate 1000 bps, drop rate 0 bps
Match: protocol h323
0 packets, 0 bytes
5 minute rate 0 bps
Match: access-group name PHONE_APP
890407 packets, 156960904 bytes
5 minute rate 1000 bps
QoS Set
dscp 1
Packets marked 890407

Class-map: ACCEPTED_WEB (match-any)
3093 packets, 1052720 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: protocol http host "www.degrouptest.com"
2552 packets, 921460 bytes
5 minute rate 0 bps
Match: protocol http host "www.orange.fr"
367 packets, 67946 bytes
5 minute rate 0 bps
Match: protocol http host "www.clubinternet.fr"
174 packets, 63314 bytes
5 minute rate 0 bps
QoS Set
dscp 1
Packets marked 3093

Any solution please?

Regards,
Lamine
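The mechanism both posts exercise, as an added example (my own Python model, not Cisco code and not code from either poster): a toy evaluator for MQC class-maps built from NBAR "http host"/"http url" matches and a numbered ACL, with match-all and match-any semantics. The class names, hosts, URL pattern and both versions of access-list 101 are the ones in the thread; the flows, the client port numbers and the reduced ACL grammar it understands (tcp, host/any, eq www) are assumptions. With access-list 101 as first shown on R4 (10.7.7.7), the match-all PICTURES class can never fire because one of its three conditions fails, so the .gif falls through to WEBSERVER and is transmitted; with the corrected 10.10.7.7 it hits PICTURES and is dropped, which is the broken pipe R1 then reports. The last function models the match-any ACCEPTED_WEB class from the original post, where marking accepted hosts dscp 1 and letting only dscp 1 into NAT (access-list 102) is what the configuration relies on to allow-list sites without a drop in class-default.

```python
# Added illustration, not Cisco code: a toy model of MQC class-map evaluation with
# NBAR http host/url matches and a numbered ACL. Flows and ports are constructed.
import fnmatch
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class HttpFlow:
    src: str     # sender of this packet (the web server for a response)
    sport: int
    dst: str
    dport: int
    host: str    # Host header NBAR saw on the request of this flow
    url: str     # request path of that request

def match_http_url(pattern):
    # "match protocol http url": glob-style pattern, '|' separates alternatives
    alts = pattern.split("|")
    return lambda f: any(fnmatch.fnmatchcase(f.url, a) for a in alts)

def match_http_host(host):
    return lambda f: f.host == host

def parse_ace(line):
    """'access-list N permit|deny tcp <src> [eq P] <dst> [eq P]' -> tuple.
    Only the 'any' and 'host A.B.C.D' address forms used in the thread."""
    tok = line.split()
    if tok[0] != "access-list" or tok[3] != "tcp":
        raise ValueError("unsupported ACE: " + line)
    fields, i = [], 4
    for _ in range(2):                               # source, then destination
        if tok[i] == "any":
            net, i = ipaddress.ip_network("0.0.0.0/0"), i + 1
        elif tok[i] == "host":
            net, i = ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
        else:
            raise ValueError("unsupported address form: " + tok[i])
        port = None
        if i < len(tok) and tok[i] == "eq":          # optional port
            port, i = (80 if tok[i + 1] == "www" else int(tok[i + 1])), i + 2
        fields += [net, port]
    return (tok[2] == "permit", *fields)             # permit, src, sport, dst, dport

def match_access_group(acl):
    # top-down, first hit decides; the implicit deny at the end means "no match"
    aces = [parse_ace(line) for line in acl]
    def m(f):
        for permit, src, sport, dst, dport in aces:
            if (ipaddress.ip_address(f.src) in src and ipaddress.ip_address(f.dst) in dst
                    and sport in (None, f.sport) and dport in (None, f.dport)):
                return permit
        return False
    return m

@dataclass
class ClassMap:
    name: str
    mode: str      # "match-all" or "match-any"
    matches: list
    def hit(self, f):
        combine = all if self.mode == "match-all" else any
        return combine(m(f) for m in self.matches)

def classify(policy, f):
    """First class in policy-map order wins; class-default takes the rest."""
    for cm, action in policy:
        if cm.hit(f):
            return cm.name, action
    return "class-default", "transmit"

def r4_policy(acl_101):
    # Victor's PMPOLICY; the only variable is the content of access-list 101
    pictures = ClassMap("PICTURES", "match-all", [
        match_http_url("*.jpeg|*.jpg|*.gif"),
        match_access_group(acl_101),
        match_http_host("10.10.7.7")])
    webserver = ClassMap("WEBSERVER", "match-all", [match_http_host("10.10.7.7")])
    return [(pictures, "drop"), (webserver, "police 640000")]

# access-list 101 as first shown on R4 (10.7.7.7, a typo) and after the fix
ACL_101_TYPO = ["access-list 101 permit tcp host 10.7.7.7 eq www host 150.1.1.1",
                "access-list 101 permit tcp host 10.7.7.7 eq www any"]
ACL_101_FIXED = ["access-list 101 permit tcp host 10.10.7.7 eq www host 150.1.1.1",
                 "access-list 101 permit tcp host 10.10.7.7 eq www any"]
# constructed flows: the server's response packets toward R1 (150.1.1.1)
GIF = HttpFlow("10.10.7.7", 80, "150.1.1.1", 11001, "10.10.7.7", "/ima.gif")
HTML = HttpFlow("10.10.7.7", 80, "150.1.1.1", 11002, "10.10.7.7", "/run.html")

def lamine_accepts(host):
    """Lamine's match-any ACCEPTED_WEB: one listed host is enough to mark the flow
    dscp 1, and access-list 102 only lets dscp 1 into NAT, so a flow to an unlisted
    site is never translated: an allow-list with no 'drop' in class-default."""
    accepted = ClassMap("ACCEPTED_WEB", "match-any", [match_http_host(h) for h in
                        ("www.degrouptest.com", "www.orange.fr", "www.clubinternet.fr")])
    return accepted.hit(HttpFlow("192.168.0.9", 40000, "203.0.113.10", 80, host, "/"))

if __name__ == "__main__":
    for label, acl in (("typo", ACL_101_TYPO), ("fixed", ACL_101_FIXED)):
        for f in (GIF, HTML):
            print(label, f.url, classify(r4_policy(acl), f))
```

Running it prints WEBSERVER for both files under the mistyped ACL and PICTURES/drop for /ima.gif only once the ACL names the real server. Two caveats the model leaves out: the real NBAR classifier is stateful and applies the host/url decision it made on the client's request to the server's response packets, and it can only read these fields on cleartext HTTP, so a host or url match gives no control over HTTPS.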



This archive was generated by hypermail 2.1.4 : Sat Sep 01 2007 - 11:32:10 ART