RE: NBAR issue, please help!!!

From: Joseph Brunner (joe@affirmedsystems.com)
Date: Wed Aug 15 2007 - 00:54:01 ART


You can just make another "class default", only it's:

class-map myany
 match any

policy-map thepolicy
 class myany
  drop

Now if you want to permit something, but drop everything else...

class-map match-any myany
 match not access-group 101
 match any

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Antonio Soares
Sent: Tuesday, August 14, 2007 6:02 PM
To: 'Lamine BOUAFIA'; ccielab@groupstudy.com
Subject: RE: NBAR issue, please help!!!

If I understood the issue, you want to drop everything that falls under the
class class-default. In fact, drop cannot be used. You could try a police
statement:

!
policy-map TEST
 class class-default
   police 8000 conform-action drop
!

Regards,

Antonio Soares
CCIE #18473, CCNP, CCIP

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Lamine BOUAFIA
Sent: Tuesday, 14 August 2007 10:25
To: ccielab@groupstudy.com
Subject: NBAR issue, please help!!!

Hi Experts,

I'm trying to block websites by using NBAR, and I have tested a solution by
Brian McGahan and other CCIEs, but it doesn't work. And the drop command
cannot be configured in class-default:

policy-map TRAFFIC
R1(config-pmap)# class MANAGER
R1(config-pmap-c)# class ACCEPTED_WEB
R1(config-pmap-c)# class class-default
R1(config-pmap-c)# drop
Drop cannot be configured in class-default

I have tried with host rather than url, but it is still not working:

class-map match-any ACCEPTED_WEB
   match protocol http host "www.degrouptest.com"
   match protocol http host "www.orange.fr"
   match protocol http host "www.clubinternet.fr"
class-map match-any PHONE_CONTROL
   match protocol h323
   match access-group name PHONE_APP
class-map match-all MANAGER
   match access-group 1
!
policy-map MARK_DSCP
   class MANAGER
      set ip dscp 1
   class PHONE_CONTROL
      set ip dscp 1
   class ACCEPTED_WEB
      set ip dscp 1
!
!
interface FastEthernet0/0
   ip address 192.168.0.1 255.255.255.0
   ip nbar protocol-discovery
   ip nat inside
   service-policy input MARK_DSCP
!
interface FastEthernet0/1
   ip address 196.46.253.102 255.255.255.252
   ip nat outside
!
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
!
!
ip nat inside source list 102 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.0.5 7080 81.52.163.155 7080 extendable
ip nat inside source static tcp 192.168.0.5 22 196.46.253.102 22 extendable
ip nat inside source static tcp 192.168.0.5 80 196.46.253.102 80 extendable
ip nat inside source static udp 192.168.0.3 5808 196.46.253.102 5808 extendable
ip nat inside source static udp 192.168.0.3 5809 196.46.253.102 5809 extendable
ip nat inside source static tcp 192.168.0.10 5900 196.46.253.102 5900 extendable
ip nat inside source static tcp 192.168.0.5 7080 196.46.253.102 7080 extendable
!
ip access-list extended PHONE_APP
   remark VNC Client/Server
   permit tcp any any eq 5900
   permit tcp any eq 5900 any
   remark Agent Phonecontrol
   permit tcp any any eq 14300
   permit tcp any eq 14300 any
   remark Administrateur Phonecontrol
   permit tcp any any eq 14500
   permit tcp any eq 14500 any
   remark ----au cas ou----
   permit udp any any eq 5808
   permit udp any eq 5808 any
   permit udp any any eq 5809
   permit udp any eq 5809 any
   remark Agent CosmoCall
   permit tcp any any eq 14005
   permit tcp any eq 14005 any
!
access-list 1 permit 192.168.0.90
access-list 1 permit 192.168.0.36
access-list 1 permit 192.168.0.9
access-list 1 permit 192.168.0.10
access-list 1 permit 192.168.0.14
access-list 1 permit 192.168.0.25
access-list 1 permit 192.168.0.18

access-list 102 permit ip 192.168.0.0 0.0.0.255 any dscp 1

########################################################

R1#show policy-map interface FastEthernet0/0
 FastEthernet0/0

  Service-policy input: MARK_DSCP

    Class-map: MANAGER (match-all)
      75267 packets, 11355431 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group 1
      QoS Set
        dscp 1
          Packets marked 75267

    Class-map: PHONE_CONTROL (match-any)
      890407 packets, 156960904 bytes
      5 minute offered rate 1000 bps, drop rate 0 bps
      Match: protocol h323
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: access-group name PHONE_APP
        890407 packets, 156960904 bytes
        5 minute rate 1000 bps
      QoS Set
        dscp 1
          Packets marked 890407

    Class-map: ACCEPTED_WEB (match-any)
      3093 packets, 1052720 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol http host "www.degrouptest.com"
        2552 packets, 921460 bytes
        5 minute rate 0 bps
      Match: protocol http host "www.orange.fr"
        367 packets, 67946 bytes
        5 minute rate 0 bps
      Match: protocol http host "www.clubinternet.fr"
        174 packets, 63314 bytes
        5 minute rate 0 bps
      QoS Set
        dscp 1
          Packets marked 3093

Any solution please?


Regards,

Lamine
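As an added illustration (constructed Python, not IOS, and not from any of the posters above), the following models the first-match class order of the MARK_DSCP policy in Lamine's configuration, once with class-default left without an action as posted and once with Antonio's `police 8000 conform-action drop` workaround in class-default. The host lists, ports and the NAT access-list 102 test are taken from the posted config; the `Packet` type, the predicate functions, the sample packets and the `www.example.invalid` destination are constructed for the example. The model deliberately ignores NBAR's real protocol inspection and the `h323` clause, and treats each class as a single predicate.

```python
# Constructed example: a toy model of MQC first-match classification for the
# MARK_DSCP policy from the thread. Not Cisco IOS and not the posters' code.
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Values lifted from the posted configuration.
MANAGER_HOSTS = {  # access-list 1
    "192.168.0.90", "192.168.0.36", "192.168.0.9", "192.168.0.10",
    "192.168.0.14", "192.168.0.25", "192.168.0.18",
}
PHONE_APP_PORTS = {"tcp": {5900, 14300, 14500, 14005}, "udp": {5808, 5809}}  # ACL PHONE_APP
ACCEPTED_HOSTS = {"www.degrouptest.com", "www.orange.fr", "www.clubinternet.fr"}  # ACCEPTED_WEB


@dataclass
class Packet:                        # constructed stand-in for an inbound LAN packet
    src: str
    proto: str                       # "tcp" or "udp"
    dport: int
    http_host: Optional[str] = None  # the HTTP Host header NBAR would inspect
    dscp: int = 0


# Predicates standing in for the class-map match clauses.
def match_manager(p: Packet) -> bool:        # match access-group 1 (source hosts)
    return p.src in MANAGER_HOSTS

def match_phone_control(p: Packet) -> bool:  # match access-group name PHONE_APP
    return p.dport in PHONE_APP_PORTS.get(p.proto, set())

def match_accepted_web(p: Packet) -> bool:   # match protocol http host "..."
    return p.proto == "tcp" and p.http_host in ACCEPTED_HOSTS

def match_any(p: Packet) -> bool:            # class-default
    return True


Action = Tuple[str, Optional[int]]
Policy = List[Tuple[str, Callable[[Packet], bool], Action]]  # ordered, first match wins

# Antonio's workaround: class-default polices with conform-action drop,
# so everything that reaches class-default is discarded.
MARK_DSCP_WITH_DROP: Policy = [
    ("MANAGER", match_manager, ("set-dscp", 1)),
    ("PHONE_CONTROL", match_phone_control, ("set-dscp", 1)),
    ("ACCEPTED_WEB", match_accepted_web, ("set-dscp", 1)),
    ("class-default", match_any, ("police-conform-drop", None)),
]

# The policy exactly as posted: class-default carries no action, so
# unmatched traffic is forwarded unmarked (dscp stays 0).
MARK_DSCP_AS_POSTED: Policy = MARK_DSCP_WITH_DROP[:3] + [
    ("class-default", match_any, ("none", None)),
]


def classify(p: Packet, policy: Policy) -> Tuple[str, Action]:
    """Return the first class (in configured order) whose clause the packet satisfies."""
    for name, pred, action in policy:
        if pred(p):
            return name, action
    raise AssertionError("class-default matches everything; unreachable")


def apply_policy(p: Packet, policy: Policy) -> Tuple[str, str]:
    """Apply the matching class's action; return (class name, 'forward' | 'drop')."""
    name, (kind, arg) = classify(p, policy)
    if kind == "set-dscp":
        p.dscp = arg
        return name, "forward"
    if kind == "police-conform-drop":
        return name, "drop"
    return name, "forward"


def nat_translates(p: Packet) -> bool:
    """access-list 102 permit ip 192.168.0.0 0.0.0.255 any dscp 1 (the NAT source list)."""
    return p.src.startswith("192.168.0.") and p.dscp == 1


def samples() -> List[Packet]:
    """Fresh constructed packets each call, so marking in one run does not leak into the next."""
    return [
        Packet("192.168.0.50", "tcp", 80, "www.orange.fr"),       # allowed site
        Packet("192.168.0.50", "tcp", 80, "www.example.invalid"),  # site not in ACCEPTED_WEB
        Packet("192.168.0.90", "tcp", 80, "www.example.invalid"),  # manager host, any site
        Packet("192.168.0.50", "udp", 5808),                       # phone application port
    ]


if __name__ == "__main__":
    for label, policy in (("as posted", MARK_DSCP_AS_POSTED), ("with drop", MARK_DSCP_WITH_DROP)):
        for pkt in samples():
            cls, verdict = apply_policy(pkt, policy)
            print(f"{label:10} {pkt.src} -> {pkt.http_host or pkt.dport}: "
                  f"{cls}, {verdict}, dscp={pkt.dscp}, nat={nat_translates(pkt)}")
```

Two things the run makes visible that the thread's `show policy-map` counters alone do not: because MANAGER is evaluated first and matches on source address only, a manager host reaching any site is marked and forwarded regardless of ACCEPTED_WEB; and with class-default left empty as posted, a non-manager host reaching a site outside ACCEPTED_WEB is not dropped at all but merely left at dscp 0, so whether it gets out depends entirely on NAT list 102 refusing to translate unmarked traffic.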



This archive was generated by hypermail 2.1.4 : Sat Sep 01 2007 - 11:32:11 ART