From: Jorge Martinez (jorge_bgp@yahoo.com)
Date: Tue Aug 14 2007 - 20:54:15 ART
Take a look at the end of this link; there's an example of NBAR.
--- Antonio Soares <amsoares@netcabo.pt> wrote:
> If I understood the issue, you want to drop everything that falls under
> the class class-default. In fact drop cannot be used. You could try a
> police statement:
> 
> !
> policy-map TEST
>  class class-default
>    police 8000 conform-action drop
> !
> 
> Regards,
> 
> Antonio Soares
> CCIE #18473, CCNP, CCIP
> 
> -----Original Message-----
> From: nobody@groupstudy.com
> [mailto:nobody@groupstudy.com] On Behalf Of
> Lamine BOUAFIA
> Sent: Tuesday, 14 August 2007 10:25
> To: ccielab@groupstudy.com
> Subject: NBAR issue, please help!!!
> 
> Hi Experts,
> 
> I'm trying to block websites by using NBAR, and I have tested a solution
> by Brian McGahan and other CCIEs, but it doesn't work. And the drop
> command cannot be configured in class-default.
> 
> policy-map TRAFFIC
> R1(config-pmap)# class MANAGER
> R1(config-pmap-c)# class ACCEPTED_WEB
> R1(config-pmap-c)# class class-default
> R1(config-pmap-c)#  drop
> Drop cannot be configured in class-default
> 
> I have tried with host rather than URL, but it is still not working:
> 
> class-map match-any ACCEPTED_WEB
>    match protocol http host "www.degrouptest.com"
>    match protocol http host "www.orange.fr"
>    match protocol http host "www.clubinternet.fr"
> class-map match-any PHONE_CONTROL
>    match protocol h323
>    match access-group name PHONE_APP
> class-map match-all MANAGER
>    match access-group 1
> !
> policy-map MARK_DSCP
>    class MANAGER
>       set ip dscp 1
>    class PHONE_CONTROL
>       set ip dscp 1
>    class ACCEPTED_WEB
>       set ip dscp 1
> !
> !
> interface FastEthernet0/0
>    ip address 192.168.0.1 255.255.255.0
>    ip nbar protocol-discovery
>    ip nat inside
>    service-policy input MARK_DSCP
> !
> interface FastEthernet0/1
>    ip address 196.46.253.102 255.255.255.252
>    ip nat outside
> !
> ip classless
> ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
> !
> !
> ip nat inside source list 102 interface FastEthernet0/1 overload
> ip nat inside source static tcp 192.168.0.5 7080 81.52.163.155 7080 extendable
> ip nat inside source static tcp 192.168.0.5 22 196.46.253.102 22 extendable
> ip nat inside source static tcp 192.168.0.5 80 196.46.253.102 80 extendable
> ip nat inside source static udp 192.168.0.3 5808 196.46.253.102 5808 extendable
> ip nat inside source static udp 192.168.0.3 5809 196.46.253.102 5809 extendable
> ip nat inside source static tcp 192.168.0.10 5900 196.46.253.102 5900 extendable
> ip nat inside source static tcp 192.168.0.5 7080 196.46.253.102 7080 extendable
> !
> ip access-list extended PHONE_APP
>    remark VNC Client/Server
>    permit tcp any any eq 5900
>    permit tcp any eq 5900 any
>    remark Agent Phonecontrol
>    permit tcp any any eq 14300
>    permit tcp any eq 14300 any
>    remark Administrateur Phonecontrol
>    permit tcp any any eq 14500
>    permit tcp any eq 14500 any
>    remark ----au cas ou----
>    permit udp any any eq 5808
>    permit udp any eq 5808 any
>    permit udp any any eq 5809
>    permit udp any eq 5809 any
>    remark Agent CosmoCall
>    permit tcp any any eq 14005
>    permit tcp any eq 14005 any
> !
> access-list 1 permit 192.168.0.90
> access-list 1 permit 192.168.0.36
> access-list 1 permit 192.168.0.9
> access-list 1 permit 192.168.0.10
> access-list 1 permit 192.168.0.14
> access-list 1 permit 192.168.0.25
> access-list 1 permit 192.168.0.18
> 
> access-list 102 permit ip 192.168.0.0 0.0.0.255 any dscp 1
> 
> ########################################################
> 
> R1#show policy-map interface FastEthernet0/0
> 
> FastEthernet0/0
> 
>   Service-policy input: MARK_DSCP
> 
>     Class-map: MANAGER (match-all)
>       75267 packets, 11355431 bytes
>       5 minute offered rate 0 bps, drop rate 0 bps
>       Match: access-group 1
>       QoS Set
>         dscp 1
>           Packets marked 75267
> 
>     Class-map: PHONE_CONTROL (match-any)
>       890407 packets, 156960904 bytes
>       5 minute offered rate 1000 bps, drop rate 0 bps
>       Match: protocol h323
>         0 packets, 0 bytes
>         5 minute rate 0 bps
>       Match: access-group name PHONE_APP
>         890407 packets, 156960904 bytes
>         5 minute rate 1000 bps
>       QoS Set
>         dscp 1
>           Packets marked 890407
> 
>     Class-map: ACCEPTED_WEB (match-any)
>       3093 packets, 1052720 bytes
> 
=== message truncated ===
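The message is cut off before the configuration can be discussed further, so here is an added example, in Python, that is not Cisco code and not from any of the posters. It models the classification chain in Lamine's configuration so that the behaviour of the match-any and match-all class-maps, the first-match evaluation of the policy-map, and the NAT source list 102 can be traced on sample packets. Note what the posted configuration actually does: MARK_DSCP only marks, and it is the `dscp 1` condition on access-list 102 that keeps unmarked packets from ever being translated. Antonio's TEST policy, with the policer in class-default, is included as a second policy-map. The three whitelisted sites, the manager addresses and the PHONE_APP ports come from the post; all packets, the name www.example.invalid and the source port are constructed. One assumption is marked in the code: that a `match protocol http host` statement cannot match until the request carrying the Host header has been seen, so the earlier packets of a flow fall to class-default in this model.

```python
"""Added example (not Cisco code, not from the thread): a model of the MQC
classification chain in the posted configuration, so that match-any /
match-all class-maps, first-match policy-map evaluation and the NAT source
list that only translates DSCP-1 packets can be traced on sample packets.
Packets and host names other than the three whitelisted sites are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Optional


@dataclass
class Packet:
    src: str
    dst_port: int
    src_port: int = 40000            # constructed ephemeral port
    proto: str = "tcp"
    http_host: Optional[str] = None  # None until the request carrying "Host:" is seen
    dscp: int = 0


# access-list 1 (the manager hosts) and the ports permitted by PHONE_APP, from the post
MANAGER_HOSTS = {"192.168.0.90", "192.168.0.36", "192.168.0.9", "192.168.0.10",
                 "192.168.0.14", "192.168.0.25", "192.168.0.18"}
PHONE_PORTS = {("tcp", 5900), ("tcp", 14300), ("tcp", 14500),
               ("udp", 5808), ("udp", 5809), ("tcp", 14005)}


def match_http_host(host: str) -> Callable[[Packet], bool]:
    """Stand-in for 'match protocol http host <name>'. Assumption of this model:
    the host can only be evaluated once the HTTP request has been seen, so the
    earlier packets of the flow (the TCP handshake) never match this statement."""
    return lambda p: (p.proto == "tcp" and p.http_host is not None
                      and p.http_host.lower() == host.lower())


def match_acl_1(p: Packet) -> bool:          # match access-group 1
    return p.src in MANAGER_HOSTS


def match_phone_app(p: Packet) -> bool:      # match access-group name PHONE_APP
    # the ACL permits each port as either source or destination
    return (p.proto, p.dst_port) in PHONE_PORTS or (p.proto, p.src_port) in PHONE_PORTS


CLASS_MAPS = {
    "ACCEPTED_WEB": ("match-any", [match_http_host("www.degrouptest.com"),
                                   match_http_host("www.orange.fr"),
                                   match_http_host("www.clubinternet.fr")]),
    "PHONE_CONTROL": ("match-any", [lambda p: p.proto == "h323", match_phone_app]),
    "MANAGER": ("match-all", [match_acl_1]),
}


def class_matches(name: str, p: Packet) -> bool:
    """match-any: one statement suffices; match-all: every statement must match."""
    mode, checks = CLASS_MAPS[name]
    hits = [c(p) for c in checks]
    return any(hits) if mode == "match-any" else all(hits)


# policy-maps as ordered (class, action) lists; class-default matches everything
MARK_DSCP = [("MANAGER", ("set-dscp", 1)),
             ("PHONE_CONTROL", ("set-dscp", 1)),
             ("ACCEPTED_WEB", ("set-dscp", 1))]
# Antonio's workaround: a policer in class-default whose actions all drop
TEST = [("ACCEPTED_WEB", ("transmit",)),
        ("class-default", ("police-drop",))]


def apply_policy(policy, p: Packet):
    """Classes are evaluated in order and the first match wins.
    Returns (class name, action name); a set-dscp action marks the packet."""
    for cls, action in policy:
        if cls == "class-default" or class_matches(cls, p):
            if action[0] == "set-dscp":
                p.dscp = action[1]
            return cls, action[0]
    return "class-default", "transmit"   # implicit class-default: forward unchanged


def nat_permits(p: Packet) -> bool:
    """access-list 102 permit ip 192.168.0.0 0.0.0.255 any dscp 1"""
    return ip_address(p.src) in ip_network("192.168.0.0/24") and p.dscp == 1


def outcome(p: Packet, policy=MARK_DSCP) -> str:
    """A packet entering Fa0/0: the input service-policy, then the NAT source
    list. 'not-translated' means it would leave with its private source
    address, which is what blocks it in the posted configuration."""
    _, action = apply_policy(policy, p)
    if action == "police-drop":
        return "dropped"
    return "translated" if nat_permits(p) else "not-translated"


if __name__ == "__main__":
    samples = {  # constructed packets; www.example.invalid is a placeholder name
        "manager, any site":       Packet("192.168.0.90", 80, http_host="www.example.invalid"),
        "user, allowed site":      Packet("192.168.0.5", 80, http_host="www.orange.fr"),
        "user, other site":        Packet("192.168.0.5", 80, http_host="www.example.invalid"),
        "user, SYN (no Host yet)": Packet("192.168.0.5", 80),
        "user, VNC":               Packet("192.168.0.5", 5900),
    }
    for label, pkt in samples.items():
        cls, act = apply_policy(MARK_DSCP, pkt)
        print(f"{label:26s} -> {cls:14s} {act:9s} {outcome(pkt)}")
    blocked = Packet("192.168.0.5", 80, http_host="www.example.invalid")
    print("policy TEST on the other-site packet:", outcome(blocked, TEST))
```

Running the script prints one line per constructed packet. The packets worth comparing are the allowed-site request (marked by ACCEPTED_WEB and translated), the request for any other site (no class matches, so it stays at DSCP 0 and is never translated) and the bare SYN, which under the stated assumption also lands in class-default regardless of the site being contacted; that last case is the one to check in the lab, since a whitelist enforced at class-default behaves differently from one that only marks.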
       
This archive was generated by hypermail 2.1.4 : Sat Sep 01 2007 - 11:32:11 ART