RE: Match Protocol

From: Joseph Brunner (joe@affirmedsystems.com)
Date: Mon Oct 08 2007 - 05:56:43 ART


Your policy should work also. You nested a "drop all images" inside all the
http traffic coming from the "directory". Nice.


I'll tell you for certain tomorrow when I'm behind a router with my web
browser and I apply it.


-Joe


  _____

From: Shamin [mailto:ccie.xpert@gmail.com]
Sent: Monday, October 08, 2007 4:51 AM
To: subodh.rawat@wipro.com
Cc: lalit.tech@gmail.com; joe@affirmedsystems.com;
Thomas.W.Johnson@chase.com; ccielab@groupstudy.com
Subject: Re: Match Protocol


Hi,

I did a solution as below. Can anyone comment on this and tell me if I am
wrong?

access-list 100 remark to VLAN_34
access-list 100 permit tcp any eq www 10.1.34.0 0.0.0.25

class-map match-all IMAGES
 match protocol http url "*.jpg|*.jpeg|*.gif"

policy-map DROP_IMAGE
 class IMAGES
  drop

class-map match-all POLICE
 match access-group 100
 match protocol http host "www.affirmedsystems.com"
 match protocol http url "directory/*"

policy-map WEBPOLICY
 class POLICE
  police cir 512000
  service-policy DROP_IMAGE
 class class-default

int f0/0
 desc facing lan
 service-policy output WEBPOLICY

Awaiting feedback.

Regards
Shameen
On 10/8/07, subodh.rawat@wipro.com <subodh.rawat@wipro.com> wrote:

You are right. You got the Binary operation correct. "match-all" option
is optional.

But as you asked, "Dont you think it should be match-any instead of match all
here.. bcoz it means any of the image matched... if we say match all, it means
all should be there to drop it." My understanding is that for a single line
statement it can be either "match-all" or "match-any".

HTH
Subodh

________________________________

From: lalit gupta [mailto:lalit.tech@gmail.com]
Sent: Monday, October 08, 2007 11:35 AM
To: Subodh Singh Rawat (WT01 - TELECOM SERVICE PROVIDER)
Cc: joe@affirmedsystems.com; Thomas.W.Johnson@chase.com;
ccielab@groupstudy.com
Subject: Re: Match Protocol

Hi Subodh,
I do agree, but it will match DNS and either jpg, jpeg or gif...
Meaning within a single line it will OR, and for both lines it will AND.

Please correct me if I am wrong, or reply if you agree.

Rgrds
lalit

On 10/8/07, subodh.rawat@wipro.com <subodh.rawat@wipro.com> wrote:

       My understanding says that "match-all" or "match-any" applies
per line.

       E.g
       class-map match-all IMAGES
       match protocol http url "*.jpg|*.jpeg|*.gif"
       match protocol dns

       This will match for AND operation of 1st line and second line.

       Please correct me if I am wrong.

       HTH
       Subodh

       -----Original Message-----
       From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
       lalit gupta
       Sent: Monday, October 08, 2007 10:52 AM
       To: Joseph Brunner
       Cc: Thomas.W.Johnson@chase.com; ccielab@groupstudy.com
       Subject: Re: Match Protocol

       Hi Joseph,

       I do agree with your configuration but I differ on one statement:

       class-map match-all IMAGES
       match protocol http url "*.jpg|*.jpeg|*.gif"

       Don't you think it should be match-any instead of match-all here,
       because it means any of the images matched... if we say match-all,
       it means all should be there to drop it.

       Correct me if I'm wrong.

       rgrds
       lalit

       On 10/6/07, Joseph Brunner <joe@affirmedsystems.com> wrote:
>
> Thomas,
>
> The great Mr. Cappuccio has answered this before... here is my version
> of his wonderful config. Forget CCO, it's not much help for this. Oh,
> and yeah, I tested it in my office... it works!
>
>
> access-list 100 remark to VLAN_34
> access-list 100 permit tcp any eq www 10.1.34.0 0.0.0.25
>
> class-map match-all IMAGES
> match protocol http url "*.jpg|*.jpeg|*.gif"
>
> class-map match-all POLICE
> match access-group 100
> match protocol http host "www.affirmedsystems.com"
> match protocol http url "directory/*"
>
> class-map match-all DIE
> match access-group 100
> match protocol http host "www.affirmedsystems.com"
> match protocol http url "directory/*"
> match class-map IMAGES
>
> policy-map WEBPOLICY
> class DIE
> drop
> class POLICE
> police cir 512000
> class class-default
>
>
> int f0/0
> desc facing lan
> service-policy output WEBPOLICY
>
> -Joe
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf
> Of Thomas.W.Johnson@chase.com
> Sent: Friday, October 05, 2007 2:16 PM
> To: ccielab@groupstudy.com
> Subject: Match Protocol
>
> I ran across a question that wanted you to limit all return traffic
> from www.thiswebsite.com/thisdirectory destined for a specific VLAN to
> whatever, 512k, and drop any image files (jpg, bmp or gif) from this
> website.
> How do you match the image files? I assume it's with the match
> protocol http command, however, what parameters do you use? Do I need
> to use the match protocol http with the mime parameter or do I use
> match protocol http with url *.jpg | *.bmp | *.gif? I just don't
> understand how you match image files with the match protocol command.
>
>
>
> Thanks in advance.
>
>
>
> Thomas
> Johnson
>
> JP Morgan Chase
>
> Global Network Implementation

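A small Python model of the semantics argued over in this thread (added here as an example; it is not code from any poster): a single `match protocol http url` line ORs its `|`-separated globs, `match-all` ANDs the lines of a class-map, a nested `match class-map` is just one more AND term, and a policy-map takes the first matching class top to bottom. It runs Joe's flat DIE/POLICE policy and Shameen's hierarchical POLICE + DROP_IMAGE policy over constructed HTTP replies and shows they give the same verdicts; the ACL destination is read as 10.1.34.0/24 and NBAR's URL globbing is approximated with fnmatch, both of which are assumptions.

```python
import fnmatch
import ipaddress

# Constructed sample HTTP replies leaving f0/0 towards the LAN (not from the thread).
FLOWS = [
    {"dst": "10.1.34.7", "src_port": 80, "host": "www.affirmedsystems.com", "url": "/directory/banner.jpg"},
    {"dst": "10.1.34.7", "src_port": 80, "host": "www.affirmedsystems.com", "url": "/directory/index.html"},
    {"dst": "10.1.34.7", "src_port": 80, "host": "www.affirmedsystems.com", "url": "/other/logo.gif"},
    {"dst": "10.1.35.7", "src_port": 80, "host": "www.affirmedsystems.com", "url": "/directory/banner.jpg"},
]

def acl_100(flow):
    """access-list 100: HTTP replies (src port www) into VLAN 34, read as 10.1.34.0/24 (assumption)."""
    dst = ipaddress.ip_address(flow["dst"])
    return flow["src_port"] == 80 and dst in ipaddress.ip_network("10.1.34.0/24")

def http_url(pattern):
    """'match protocol http url': '|' separates alternatives, so one line is an OR of its
    globs whatever the class-map mode (leading '/' ignored, fnmatch globbing; assumption)."""
    return lambda flow: any(fnmatch.fnmatchcase(flow["url"].lstrip("/"), a) for a in pattern.split("|"))

def class_map(mode, *terms):
    """match-all ANDs the match lines of a class-map; match-any ORs them."""
    combine = all if mode == "match-all" else any
    return lambda flow: combine(term(flow) for term in terms)

SITE = lambda flow: flow["host"] == "www.affirmedsystems.com"   # match protocol http host
IMAGES = class_map("match-all", http_url("*.jpg|*.jpeg|*.gif"))
IMAGES_ANY = class_map("match-any", http_url("*.jpg|*.jpeg|*.gif"))  # same result: one line
POLICE = class_map("match-all", acl_100, SITE, http_url("directory/*"))
DIE = class_map("match-all", acl_100, SITE, http_url("directory/*"), IMAGES)  # nested class-map

def joe_policy(flow):
    """policy-map WEBPOLICY (Joe): classes are tried top to bottom, first match wins."""
    if DIE(flow):
        return "drop"
    if POLICE(flow):
        return "police 512k"
    return "class-default"

def shameen_policy(flow):
    """Hierarchical variant (Shameen): POLICE polices, child policy DROP_IMAGE drops images."""
    if POLICE(flow):
        return "drop" if IMAGES(flow) else "police 512k"
    return "class-default"

def verdicts(policy):
    """Apply a policy to every sample flow; both variants give the same verdicts."""
    return [policy(f) for f in FLOWS]
```

Note that the .gif outside "directory/" matches IMAGES on its own but lands in class-default under both policies: in Joe's version because DIE ANDs IMAGES with the directory match, in Shameen's because DROP_IMAGE only applies inside class POLICE.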


This archive was generated by hypermail 2.1.4 : Fri Nov 16 2007 - 13:11:12 ART