RE: one question on matching images (MQC)

From: Salau, Yemi (yemi.salau@siemens.com)
Date: Thu Sep 06 2007 - 05:45:35 ART


Joseph said it all: in the lab, you want to be as specific as possible
with regard to the requirement. People will agree with me that the lab
is not where you show gimmick/deja vu skills; it's simply an environment
where you give what Cisco simply wants.

Having said that, before reading your message, I have not been a great fan of
the MIME implementation, as some MIME types don't have the components you might
need defined, e.g. MIME image doesn't have jpg, but I think you melted my
heart anyway. You know what, I still like to see what is going on under
the roof and have granular control over things.

Many Thanks
 
Yemi Salau

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Joseph Brunner
Sent: Wednesday, September 05, 2007 11:57 PM
To: 'Bit Gossip'; ccielab@groupstudy.com
Subject: RE: one question on matching images (MQC)

This is great.... but read the task... if it says jpg, etc. and you block
ALL IMAGES, I suspect you would lose points.

I like your lab-up though... very nice... block all but one specific image.

Thank you BG!

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Bit Gossip
Sent: Wednesday, September 05, 2007 1:58 PM
To: ccielab@groupstudy.com
Subject: Re: one question on matching images (MQC)

Group,
on this subject of matching images I have an alternative proposal to
class-map match-all URL-IMAGES
 match protocol http url "*jpg|*.png|*.gif"

which is:

class-map match-any MIME-IMAGES
 match protocol http mime "image/*"
!
It is much shorter and theoretically should match all image types that have an
official MIME type, regardless of the file extension.
I have tested it and it works for jpeg and gif, but unfortunately not for png,
even though png has an official MIME type, image/png :-(
Maybe a bug? I am using 7200 Software (C7200-IK9S-M), Version 12.4(12) on a
real Cisco 7206VXR (NPE300)

Any comments? Below is my lab
Bit

~~~~~~~~~~~~~~~~~~~~~~~~
My objective is to block all images from server 23.23.23.3 in
/HTTP/Temp/icons/ but NOT box2.gif, and then allow anything else. Here are the
2 versions of the class-map to match all image types.

class-map match-all BOX2.GIF
 match protocol http host "23.23.23.3"
 match protocol http url "/HTTP/Temp/icons/box2.gif"
class-map match-any MIME-IMAGES
 match protocol http mime "image/*"
class-map match-all ICONS
 match protocol http host "23.23.23.3"
 match protocol http url "/HTTP/Temp/icons/*"
class-map match-all URL-IMAGES
 match protocol http url "*jpg|*.png|*.gif"
!
!
policy-map DROP-IMAGES
 class URL-IMAGES
   drop
policy-map P1
 class BOX2.GIF
 class ICONS
  service-policy DROP-IMAGES
!

R1#copy http://23.23.23.3//HTTP/Temp/icons/box2.gif null:
Loading http://23.23.23.3//HTTP/Temp/icons/box2.gif
268 bytes copied in 0.284 secs (944 bytes/sec)
R1#copy http://23.23.23.3//HTTP/Temp/icons/box2.txt null:
Loading http://23.23.23.3//HTTP/Temp/icons/box2.txt
268 bytes copied in 0.344 secs (779 bytes/sec)
R1#copy http://23.23.23.3//HTTP/Temp/icons/apache_pb2.gif null:
%Error opening http://23.23.23.3//HTTP/Temp/icons/apache_pb2.gif (I/O error)
R1#copy http://23.23.23.3//HTTP/Temp/icons/lgi.jpg null:
%Error opening http://23.23.23.3//HTTP/Temp/icons/lgi.jpg (I/O error)
R1#copy http://23.23.23.3//HTTP/Temp/icons/powered_by_fedora.png null:
%Error opening http://23.23.23.3//HTTP/Temp/icons/powered_by_fedora.png (I/O error)
R1#
R1#
R1#copy http://23.23.23.3//HTTP/Temp/powered_by_fedora.png null:
Loading http://23.23.23.3//HTTP/Temp/powered_by_fedora.png !
2243 bytes copied in 4.068 secs (551 bytes/sec)

----- Original Message -----
From: "Ben" <bmunyao@gmail.com>
To: "Henk de Tombe" <henk.de.Tombe@qi.nl>
Cc: "Salau, Yemi" <yemi.salau@siemens.com>; "darth router"
<darklordrouter@gmail.com>; "Joseph Brunner" <joe@affirmedsystems.com>;
<ccielab@groupstudy.com>
Sent: Wednesday, September 05, 2007 7:04 PM
Subject: Re: one question on matching images (MQC)

> Hi
>
> When I labbed this on dynamips using 3640 images, due to a "permission
> error" I had to do the following additional steps to reproduce Yemi's
> test results:
>
> 1. On the server, I verified that the default "ip http authentication" method
> was "enable", and the enable password was "cisco".
> 2. On the client, I then had to add the command "ip http client pass cisco"
>
> An alternative I also used was:
>
> 1.Server: username anon priv 15 pass cisco
> ip http authentication local
> 2.Client: ip http client user anon
> ip http client pass cisco
>
> My 2c
> Ben
>
> On 9/5/07, Henk de Tombe <henk.de.Tombe@qi.nl> wrote:
>>
>> That's a very nice test you've done. Thanks for sharing this info in the
>> group,
>>
>> Regards,
>> Henk
>>
>> Kind regards,
>>
>> Q&I
>>
>> Henk de Tombe
>> Senior Network Engineer
>> Q&I NEDERLAND BV
>> Delftech Park 35 - 37
>> P.O. Box 402 - 2600 AK DELFT
>> Phone [+31] 15-8880444 - Fax [+31] 15-8880445
>> info@qi.nl - www.qi.nl
>> -----Original Message-----
>> From: Salau, Yemi [mailto:yemi.salau@siemens.com]
>> Sent: Tuesday 4 September 2007 15:05
>> To: darth router; Henk de Tombe
>> CC: Joseph Brunner; ccielab@groupstudy.com
>> Subject: RE: one question on matching images (MQC)
>>
>> See, I believe this works because I have used it and still use it; take
>> a look at this dump from routers that connect thus:
>> Rack1R3----Rack1R4----Rack1R1; with Rack1R4 in between Rack1R3 and
>> Rack1R1. Rack1R4 is configured with the policy-map, Rack1R3 as a web
>> server, and Rack1R1 for testing the downloads. This certainly works,
>> even with class-map "match-any/match-all" TEST2; I will suggest looking
>> into configurations/IOS bug or direction of application of policy-map. I
>> have applied my own policy map inbound on Rack1R4's interface which
>> connects to Rack1R1.
>>
>> Rack1R4#sh policy-map int s1/0
>>
>> Serial1/0
>>
>> Service-policy input: DROP2
>>
>> Class-map: TEST2 (match-all)
>> 18 packets, 2641 bytes
>> 5 minute offered rate 0 bps, drop rate 0 bps
>> Match: protocol http url "*.gif|*.jpg|*.jpeg"
>> drop
>>
>> Class-map: class-default (match-any)
>> 24 packets, 1675 bytes
>> 5 minute offered rate 0 bps, drop rate 0 bps
>> Match: any
>>
>> Rack1R4#sh run | b class-map match-all
>> !
>> class-map match-all TEST2
>> match protocol http url "*.gif|*.jpg|*.jpeg"
>> !
>> !
>> policy-map DROP
>> class IMAGES
>> drop
>> !
>>
>> Rack1R3#copy start flash:test.gif
>> Rack1R3#copy start flash:test.jpg
>> Rack1R3#copy start flash:test.jpeg
>> Rack1R3#copy start flash:test.txt
>> Rack1R3#sh run | i ip http
>> ip http server
>> no ip http secure-server
>> ip http path flash:
>>
>> Rack1R1#
>> Rack1R1#copy http://10.10.10.3/test.txt null:
>> Loading http://10.10.10.3/test.txt !
>> 2278 bytes copied in 3.218 secs (728 bytes/sec)
>>
>> Rack1R1#copy http://10.10.10.3/test.gif null:
>> %Error opening http://10.10.10.3/test.gif (I/O error)
>>
>> Rack1R1#copy http://10.10.10.3/test.jpg null:
>> %Error opening http://10.10.10.3/test.jpg (I/O error)
>>
>> Rack1R1#copy http://10.10.10.3/test.jpeg null:
>> %Error opening http://10.10.10.3/test.jpeg (I/O error)
>>
>>
>> Also, tried with match-any and it still works!
>> Rack1R4#sh run | b class-map match-any
>> !
>> class-map match-any TEST2
>> match protocol http url "*.gif|*.jpg|*.jpeg"
>> !
>> !
>> policy-map DROP
>> class IMAGES
>> drop
>> !
>>
>>
>> Many Thanks
>>
>> Yemi Salau
>>
>>
>> ________________________________
>>
>> From: darth router [mailto:darklordrouter@gmail.com]
>> Sent: Tuesday, September 04, 2007 7:44 AM
>> To: Henk de Tombe
>> Cc: Salau, Yemi; Joseph Brunner; ccielab@groupstudy.com
>> Subject: Re: one question on matching images (MQC)
>>
>>
>> Yea,
>>
>> I guess the syntax could be key, although I would think the logic of the
>> one I referenced would have worked as well, but it did not. The pipes
>> are already doing an OR without the parentheses. I would not leave it to
>> chance, and lab it up. I know it will work correctly as long as you
>> select only one picture type. So if I download a .gif, the policy
>> matches, but then if I download a jpg, it does not match. I tried this
>> with all sorts of different combos, same effect each time. Maybe the
>> parentheses will fix it.
>>
>> match-any works, nested under a match-all, which is essentially the same
>> logic as
>> match protocol http url "*.jpg|*.gif|*.jpeg" Or you can create a
>> separate class-map for each image type, and force the policy on each
>> type. I dunno. I am still curious.
>>
>>
>> On 9/3/07, Henk de Tombe <henk.de.Tombe@qi.nl> wrote:
>>
>> Hi Darth router,
>>
>> I've found the following on docCD:
>>
>>
>>
>> http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cr/hqos_r/qos_m1h.htm#wp1128712
>>
>>
>> ** snippet of link above **
>>
>> Match one of a choice of characters in a range. For example cisco.(gif |
>> jpg) matches either cisco.gif or cisco.jpg.
>>
>> ** snippet **
>>
>> I've found a previous post which tells the following:
>>
>>
>> http://www.groupstudy.com/archives/ccielab/200409/msg00813.html
>>
>> "protocol http url" should be used for matching the actual URL, usually
>> a file name, thus "*jpg" would work.
>>
>> protocol http url "*.(jpg|bmp|gif|jpeg)" can be used instead of multiple
>> lines.
>>
>>
>> The syntax you're using is different:
>>
>> class-map match-all IMAGES
>> match protocol http url "*.jpg|*.gif|*.jpeg"
>>
>> I didn't lab it up, but it sounds reasonable,
>>
>> Just my 0.02
>>
>>
>>
>> Regards,
>> Henk
>>
>>
>>
>> Kind regards,
>>
>> Q&I
>>
>> Henk de Tombe
>> Senior Network Engineer
>> Q&I NEDERLAND BV
>> Delftech Park 35 - 37
>> P.O. Box 402 - 2600 AK DELFT
>> Phone [+31] 15-8880444 - Fax [+31] 15-8880445
>> info@qi.nl - www.qi.nl
>>
>>
>> -----Original Message-----
>> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>> darth router
>> Sent: Monday 3 September 2007 11:02
>> To: Salau, Yemi
>> CC: Joseph Brunner; ccielab@groupstudy.com
>> Subject: Re: one question on matching images (MQC)
>>
>> I am not 100% sure of this, but this one does not seem to work in my
>> tests.
>> I spent hours screwing with both examples, and what I found with the
>> below is, if I selected a picture of one of the listed types, the
>> policy would match, but if you immediately select another type, it will
>> not match and break the policy, and traffic does not get policed or dropped
>> (depending what you are trying to do). Maybe some of the training gurus
>> could elaborate. The first one you listed will work as expected.
>>
>> class-map match-all IMAGES
>> match protocol http url "*.jpg|*.gif|*.jpeg"
>>
>> On 9/3/07, Salau, Yemi <yemi.salau@siemens.com> wrote:
>> >
>> > Both will achieve the same results; I would use the second option because
>> > it saves me a hell of a lot of time, every second counts in the lab mate!
>> >
>> > Of course, provided you're not streamlined!
>> >
>> > Many Thanks
>> >
>> > Yemi Salau
>> >
>> > -----Original Message-----
>> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>> > Joseph Brunner
>> > Sent: Monday, September 03, 2007 6:44 AM
>> > To: ccielab@groupstudy.com
>> > Subject: one question on matching images (MQC)
>> >
>> > Which would you use and why?
>> >
>> >
>> > class-map match-any IMAGES
>> >  match protocol http url "*.jpg"
>> >  match protocol http url "*.gif"
>> >  match protocol http url "*.jpeg"
>> >
>> > or
>> >
>> > class-map match-all IMAGES
>> >  match protocol http url "*.jpg|*.gif|*.jpeg"
>> >
>> > thank you very much!
>> >
>> >
>>
>>

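The classification logic the thread argues about, worked through as an added example (my own Python model, not code from any of the posts or from IOS): it replays Bit Gossip's P1 / DROP-IMAGES hierarchical policy-map against the paths from his copy tests, with the MIME-IMAGES variant swappable in as the child policy. Assumed, because the posts do not pin it down: `*` and `?` behave like shell globs, `|` is an OR between whole alternatives, classes are tried in configured order with the first match winning, and the request paths carry a single leading slash.

```python
import fnmatch

# A request is modelled as a dict with the fields the HTTP matches look at.
def url_pattern(pat):
    """'match protocol http url "<pat>"': glob with '|' as OR between whole
    alternatives (assumption about the NBAR syntax, per the thread)."""
    alts = pat.split("|")
    return lambda req: any(fnmatch.fnmatchcase(req["url"], a) for a in alts)

def host_pattern(pat):
    """'match protocol http host "<pat>"'."""
    return lambda req: fnmatch.fnmatchcase(req["host"], pat)

def mime_pattern(pat):
    """'match protocol http mime "<pat>"', e.g. "image/*"."""
    return lambda req: fnmatch.fnmatchcase(req["mime"], pat)

class ClassMap:
    """class-map match-all / match-any with its match statements."""
    def __init__(self, mode, *criteria):
        self.combine = all if mode == "match-all" else any
        self.criteria = criteria
    def matches(self, req):
        return self.combine(c(req) for c in self.criteria)

def classify(policy, req):
    """policy: ordered (class-map, action) pairs; action is 'drop', None
    (class listed with no action) or a nested policy list (child
    service-policy). First matching class wins; no match falls into
    class-default, which carries no action here and so permits."""
    for cm, action in policy:
        if cm.matches(req):
            return classify(action, req) if isinstance(action, list) else (action or "permit")
    return "permit"

# Bit Gossip's class-maps from the post, transcribed into the model.
BOX2_GIF = ClassMap("match-all", host_pattern("23.23.23.3"),
                    url_pattern("/HTTP/Temp/icons/box2.gif"))
MIME_IMAGES = ClassMap("match-any", mime_pattern("image/*"))
ICONS = ClassMap("match-all", host_pattern("23.23.23.3"),
                 url_pattern("/HTTP/Temp/icons/*"))
URL_IMAGES = ClassMap("match-all", url_pattern("*jpg|*.png|*.gif"))
DROP_IMAGES = [(URL_IMAGES, "drop")]  # policy-map DROP-IMAGES

def decide(url, host="23.23.23.3", mime="", child=DROP_IMAGES):
    """Verdict for one request through policy-map P1: BOX2.GIF first (no
    action, so it escapes), then ICONS with the child policy applied."""
    p1 = [(BOX2_GIF, None), (ICONS, child)]
    return classify(p1, {"host": host, "url": url, "mime": mime})

if __name__ == "__main__":
    for p in ("/HTTP/Temp/icons/box2.gif", "/HTTP/Temp/icons/box2.txt",
              "/HTTP/Temp/icons/lgi.jpg", "/HTTP/Temp/powered_by_fedora.png"):
        print(f"{p:40} -> {decide(p)}")
```

The verdicts reproduce the copy transcript: box2.gif and box2.txt under /icons/ and the png outside /icons/ load, while the other images under /icons/ are dropped.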


This archive was generated by hypermail 2.1.4 : Sat Oct 06 2007 - 12:01:09 ART