From: Bit Gossip (bit.gossip@chello.nl)
Date: Wed Sep 05 2007 - 14:57:42 ART
Group,
on this subject of matching images I have an alternative proposal to

class-map match-all URL-IMAGES
 match protocol http url "*jpg|*.png|*.gif"

which is:

class-map match-any MIME-IMAGES
 match protocol http mime "image/*"
!

It is much shorter and theoretically should match all image types having an
official MIME type regardless of the file extension.
I have tested it and it works for jpeg and gif but unfortunately not for png,
even if png has an official MIME type image/png :-(
Maybe a bug? I am using 7200 Software (C7200-IK9S-M), Version 12.4(12) on a
real Cisco 7206VXR (NPE300)
Any comments? Below my lab
Bit
~~~~~~~~~~~~~~~~~~~~~~~~
My objective is to block all images from server 23.23.23.3 in
/HTTP/Temp/icons/ but NOT box2.gif
and then allow anything else. These are the 2 versions of the class-map to
match all image types.
class-map match-all BOX2.GIF
 match protocol http host "23.23.23.3"
 match protocol http url "/HTTP/Temp/icons/box2.gif"
class-map match-any MIME-IMAGES
 match protocol http mime "image/*"
class-map match-all ICONS
 match protocol http host "23.23.23.3"
 match protocol http url "/HTTP/Temp/icons/*"
class-map match-all URL-IMAGES
 match protocol http url "*jpg|*.png|*.gif"
!
!
policy-map DROP-IMAGES
 class URL-IMAGES
  drop
policy-map P1
 class BOX2.GIF
 class ICONS
  service-policy DROP-IMAGES
!
R1#copy http://23.23.23.3//HTTP/Temp/icons/box2.gif null:
Loading http://23.23.23.3//HTTP/Temp/icons/box2.gif
268 bytes copied in 0.284 secs (944 bytes/sec)
R1#copy http://23.23.23.3//HTTP/Temp/icons/box2.txt null:
Loading http://23.23.23.3//HTTP/Temp/icons/box2.txt
268 bytes copied in 0.344 secs (779 bytes/sec)
R1#copy http://23.23.23.3//HTTP/Temp/icons/apache_pb2.gif null:
%Error opening http://23.23.23.3//HTTP/Temp/icons/apache_pb2.gif (I/O error)
R1#copy http://23.23.23.3//HTTP/Temp/icons/lgi.jpg null:
%Error opening http://23.23.23.3//HTTP/Temp/icons/lgi.jpg (I/O error)
R1#copy http://23.23.23.3//HTTP/Temp/icons/powered_by_fedora.png null:
%Error opening http://23.23.23.3//HTTP/Temp/icons/powered_by_fedora.png (I/O error)
R1#
R1#
R1#copy http://23.23.23.3//HTTP/Temp/powered_by_fedora.png null:
Loading http://23.23.23.3//HTTP/Temp/powered_by_fedora.png !
2243 bytes copied in 4.068 secs (551 bytes/sec)
----- Original Message -----
From: "Ben" <bmunyao@gmail.com>
To: "Henk de Tombe" <henk.de.Tombe@qi.nl>
Cc: "Salau, Yemi" <yemi.salau@siemens.com>; "darth router"
<darklordrouter@gmail.com>; "Joseph Brunner" <joe@affirmedsystems.com>;
<ccielab@groupstudy.com>
Sent: Wednesday, September 05, 2007 7:04 PM
Subject: Re: one question on matching images (MQC)
> Hi
>
> When I labbed this on dynamips using 3640 images, due to a "permission
> error" I had to do the following additional steps to reproduce Yemi's test
> results:
>
> 1. On server, I verified that the default "ip http authentication" method
> was "enable", and the enable password was "cisco".
> 2. On the client, I then had to add the command "ip http client pass cisco"
>
> An alternative I also used was:
>
> 1. Server: username anon priv 15 pass cisco
>            ip http authentication local
> 2. Client: ip http client user anon
>            ip http client pass cisco
>
> My 2c
> Ben
>
> On 9/5/07, Henk de Tombe <henk.de.Tombe@qi.nl> wrote:
>>
>> That's a very nice test you've done. Thanks for sharing this info in the
>> group,
>>
>> Regards,
>> Henk
>>
>> Kind regards,
>>
>> Q&I
>>
>> Henk de Tombe
>> Senior Network Engineer
>> Q&I NEDERLAND BV
>> Delftech Park 35 - 37
>> P.O. Box 402 - 2600 AK DELFT
>> Phone [+31] 15-8880444 - Fax [+31] 15-8880445
>> info@qi.nl - www.qi.nl
>> -----Original Message-----
>> From: Salau, Yemi [mailto:yemi.salau@siemens.com]
>> Sent: Tuesday, 4 September 2007 15:05
>> To: darth router; Henk de Tombe
>> CC: Joseph Brunner; ccielab@groupstudy.com
>> Subject: RE: one question on matching images (MQC)
>>
>> See, I believe this works because I have used it and still use it, take
>> a look at this dump from routers that connect thus:
>> Rack1R3----Rack1R4----Rack1R1; with Rack1R4 in between Rack1R3 and
>> Rack1R1. Rack1R4 is configured with the policy-map, Rack1R3 as a web
>> server, and Rack1R1 for testing the downloads. This certainly works,
>> even with class-map "match-any/match-all" TEST2; I will suggest looking
>> into configurations/IOS Bug or direction of application of policy-map. I
>> have applied my own policy map inbound on Rack1R4's interface which
>> connects to Rack1R1.
>>
>> Rack1R4#sh policy-map int s1/0
>>
>> Serial1/0
>>
>> Service-policy input: DROP2
>>
>> Class-map: TEST2 (match-all)
>> 18 packets, 2641 bytes
>> 5 minute offered rate 0 bps, drop rate 0 bps
>> Match: protocol http url "*.gif|*.jpg|*.jpeg"
>> drop
>>
>> Class-map: class-default (match-any)
>> 24 packets, 1675 bytes
>> 5 minute offered rate 0 bps, drop rate 0 bps
>> Match: any
>>
>> Rack1R4#sh run | b class-map match-all
>> !
>> class-map match-all TEST2
>> match protocol http url "*.gif|*.jpg|*.jpeg"
>> !
>> !
>> policy-map DROP
>> class IMAGES
>> drop
>> !
>>
>> Rack1R3#copy start flash:test.gif
>> Rack1R3#copy start flash:test.jpg
>> Rack1R3#copy start flash:test.jpeg
>> Rack1R3#copy start flash:test.txt
>> Rack1R3#sh run | i ip http
>> ip http server
>> no ip http secure-server
>> ip http path flash:
>>
>> Rack1R1#
>> Rack1R1#copy http://10.10.10.3/test.txt null:
>> Loading http://10.10.10.3/test.txt !
>> 2278 bytes copied in 3.218 secs (728 bytes/sec)
>>
>> Rack1R1#copy http://10.10.10.3/test.gif null:
>> %Error opening http://10.10.10.3/test.gif (I/O error)
>>
>> Rack1R1#copy http://10.10.10.3/test.jpg null:
>> %Error opening http://10.10.10.3/test.jpg (I/O error)
>>
>> Rack1R1#copy http://10.10.10.3/test.jpeg null:
>> %Error opening http://10.10.10.3/test.jpeg (I/O error)
>>
>>
>> Also, tried with match-any and it still works!
>> Rack1R4#sh run | b class-map match-any
>> !
>> class-map match-any TEST2
>> match protocol http url "*.gif|*.jpg|*.jpeg"
>> !
>> !
>> policy-map DROP
>> class IMAGES
>> drop
>> !
>>
>>
>> Many Thanks
>>
>> Yemi Salau
>>
>>
>> ________________________________
>>
>> From: darth router [mailto:darklordrouter@gmail.com]
>> Sent: Tuesday, September 04, 2007 7:44 AM
>> To: Henk de Tombe
>> Cc: Salau, Yemi; Joseph Brunner; ccielab@groupstudy.com
>> Subject: Re: one question on matching images (MQC)
>>
>>
>> Yea,
>>
>> I guess the syntax could be key, although I would think the logic of the
>> one I referenced would have worked as well, but it did not. The pipes
>> are already doing an OR without the parentheses. I would not leave it to
>> chance, and lab it up. I know it will work correctly as long as you
>> select only one picture type. So if I download a .gif, the policy
>> matches, but then if I download a jpg, it does not match. I tried this
>> with all sorts of different combos, same effect each time. Maybe the
>> parentheses will fix it.
>>
>> match-any works, nested under a match-all, which is essentially the same
>> logic as
>>  match protocol http url "*.jpg|*.gif|*.jpeg"
>> Or you can create a separate class-map for each image type, and force the
>> policy on each type. I dunno. I am still curious.
>>
>>
>>
>>
>>
>>
>> On 9/3/07, Henk de Tombe <henk.de.Tombe@qi.nl> wrote:
>>
>> Hi Darth router,
>>
>> I've found the following on docCD:
>>
>>
>> http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cr/hqos_r/qos_m1h.htm#wp1128712
>>
>>
>> ** snippet of link above **
>>
>> Match one of a choice of characters in a range. For example
>> cisco.(gif | jpg) matches either cisco.gif or cisco.jpg.
>>
>> ** snippet **
>>
>> I've found a previous post which tells the following:
>>
>> http://www.groupstudy.com/archives/ccielab/200409/msg00813.html
>>
>> "protocol http url" should be used for matching the actual URL, usually
>> a file name, thus "*jpg" would work.
>>
>> protocol http url "*.(jpg|bmp|gif|jpeg)" can be used instead of multiple
>> lines.
>>
>>
>> The syntax you're using is different:
>>
>> class-map match-all IMAGES
>> match protocol http url "*.jpg|*.gif|*.jpeg"
>>
>> I didn't lab it up, but it sounds reasonable,
>>
>> Just my 0.02
>>
>>
>>
>> Regards,
>> Henk
>>
>>
>>
>> Kind regards,
>>
>> Q&I
>>
>> Henk de Tombe
>> Senior Network Engineer
>> Q&I NEDERLAND BV
>> Delftech Park 35 - 37
>> P.O. Box 402 - 2600 AK DELFT
>> Phone [+31] 15-8880444 - Fax [+31] 15-8880445
>> info@qi.nl - www.qi.nl
>>
>>
>> -----Original Message-----
>> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>> darth router
>> Sent: Monday, 3 September 2007 11:02
>> To: Salau, Yemi
>> CC: Joseph Brunner; ccielab@groupstudy.com
>> Subject: Re: one question on matching images (MQC)
>>
>> I am not 100% sure of this, but this one does not seem to work in my
>> tests.
>> I spent hours screwing with both examples, and what I found with the
>> below is, if I selected a picture of one of the listed types, the policy
>> would match, but if you immediately select another type, it will not
>> match and break the policy, and traffic does not get policed or dropped
>> (depending what you are trying to do). Maybe some of the training gurus
>> could elaborate. The 1st one you listed will work as expected.
>>
>> class-map match-all IMAGES
>> match protocol http url "*.jpg|*.gif|*.jpeg"
>>
>>
>>
>>
>>
>>
>> On 9/3/07, Salau, Yemi <yemi.salau@siemens.com> wrote:
>> >
>> > Both will achieve same results, I would use the second option because it
>> > saves me a hell of a lot of time, every second counts in the lab mate!
>> >
>> > Of course provided if you're not streamlined!
>> >
>> > Many Thanks
>> >
>> > Yemi Salau
>> >
>> > -----Original Message-----
>> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>> > Joseph Brunner
>> > Sent: Monday, September 03, 2007 6:44 AM
>> > To: ccielab@groupstudy.com
>> > Subject: one question on matching images (MQC)
>> >
>> > Which would you use and why?
>> >
>> >
>> > class-map match-any IMAGES
>> >  match protocol http url "*.jpg"
>> >  match protocol http url "*.gif"
>> >  match protocol http url "*.jpeg"
>> >
>> > or
>> >
>> > class-map match-all IMAGES
>> >  match protocol http url "*.jpg|*.gif|*.jpeg"
>> >
>> > Thank you very much!
>> >
>> >
>>
>> _______________________________________________________________________
>> > Subscription information may be found at:
>> > http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Sat Oct 06 2007 - 12:01:09 ART
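
Added example, not part of the original thread and not Cisco code: a small Python model of the class-maps and policy-maps from the lab at the top of this page, showing which requests P1 drops and where URL-IMAGES and MIME-IMAGES disagree. The pattern handling ('*' as a wildcard, '|' as alternation, whole-field match), the single-slash paths, the Content-Type values and the request() helper are assumptions; the model reflects the configured intent and does not reproduce the png behaviour reported for 12.4(12).

```python
import re

def nbar_regex(pattern):
    # Assumed pattern semantics: '*' = any run of characters, '|' and '( )' =
    # alternation/grouping, everything else literal; the whole field must match.
    return re.compile("".join(
        ".*" if c == "*" else c if c in "|()" else re.escape(c) for c in pattern))

# Class-maps as posted in the lab: name -> (match-all/any, [(field, pattern)])
CLASS_MAPS = {
    "BOX2.GIF": ("all", [("host", "23.23.23.3"),
                         ("url", "/HTTP/Temp/icons/box2.gif")]),
    "ICONS": ("all", [("host", "23.23.23.3"), ("url", "/HTTP/Temp/icons/*")]),
    "URL-IMAGES": ("all", [("url", "*jpg|*.png|*.gif")]),
    "MIME-IMAGES": ("any", [("mime", "image/*")]),
}
# Policy-maps: ordered (class, action); action is None (no action), "drop",
# or the name of a child policy (service-policy).
POLICY_MAPS = {
    "DROP-IMAGES": [("URL-IMAGES", "drop")],
    "P1": [("BOX2.GIF", None), ("ICONS", "DROP-IMAGES")],
}

def class_matches(name, req):
    mode, criteria = CLASS_MAPS[name]
    hits = [bool(nbar_regex(p).fullmatch(req.get(f, ""))) for f, p in criteria]
    return all(hits) if mode == "all" else any(hits)

def evaluate(policy, req):
    # First matching class wins; unmatched traffic falls to class-default.
    for cls, action in POLICY_MAPS[policy]:
        if class_matches(cls, req):
            if action in POLICY_MAPS:
                return evaluate(action, req)
            return action or "pass"
    return "pass"

def request(url, mime):
    # Constructed sample record: single-slash path, Content-Type assumed.
    return {"host": "23.23.23.3", "url": url, "mime": mime}

if __name__ == "__main__":
    d = "/HTTP/Temp/icons/"
    for url, mime in [(d + "box2.gif", "image/gif"), (d + "box2.txt", "text/plain"),
                      (d + "lgi.jpg", "image/jpeg"), (d + "logo", "image/png")]:
        r = request(url, mime)
        print(url, evaluate("P1", r), class_matches("MIME-IMAGES", r))
```

The last constructed sample (no file extension, image/png content type) passes P1 because URL-IMAGES only looks at the URL string, while MIME-IMAGES classifies it as an image.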