RE: Match Protocol

From: subodh.rawat@wipro.com
Date: Mon Oct 08 2007 - 06:51:43 ART


Hi Shamim,

What I have understood from your policy is that:

1. Your LAN (VLAN34) has clients 10.1.34.x having IP address either of
1, 8, 9, 16, 17, 24, 25
2. You want to apply web QoS policy for any Web traffic coming from
outside in response to Web connections originated from your clients.
3. You want to drop all traffic which are having attachments .jpg, .jpeg
or .gif and this web connection was originated from your clients
(VLAN34) to (www.affirmedsystems.com and accessed web directory).
4. You want to rate limit traffic to 512Kbps for these web traffic
originated from your clients (VLAN34) to (www.affirmedsystems.com and
accessed web directory).

Seems OK to me. Correct me if I have understood wrong.

Regards
Subodh

________________________________

From: Shamin [mailto:ccie.xpert@gmail.com]
Sent: Monday, October 08, 2007 2:21 PM
To: Subodh Singh Rawat (WT01 - TELECOM SERVICE PROVIDER)
Cc: lalit.tech@gmail.com; joe@affirmedsystems.com;
Thomas.W.Johnson@chase.com; ccielab@groupstudy.com
Subject: Re: Match Protocol

Hi,

I did a solution as below. Can anyone comment on this and tell me if I
am wrong.

access-list 100 remark to VLAN_34
access-list 100 permit tcp any eq www 10.1.34.0 0.0.0.25

class-map match-all IMAGES
 match protocol http url "*.jpg|*.jpeg|*.gif"

policy-map DROP_IMAGE
 class IMAGES
  drop

class-map match-all POLICE
 match access-group 100
 match protocol http host "www.affirmedsystems.com"
 match protocol http url "directory/*"

policy-map WEBPOLICY
 class POLICE
   police cir 512000
   service-policy DROP_IMAGE

 class class-default

int f0/0
desc facing lan
service-policy output WEBPOLICY

Awaiting feedback.

Regards
Shameen

On 10/8/07, subodh.rawat@wipro.com <subodh.rawat@wipro.com> wrote:

        You are right. You got the Binary operation correct. "match-all"
        option is optional.

        But as you asked .............."Dont you think it should be
        match-any instead of match all here.. bcoz it means any of the
        image matched... if we say match all , it means all should be
        there to drop it."..............my understanding is that for
        single line statement it can be either "match-all" or
        "match-any".

        HTH
        Subodh

        ________________________________

        From: lalit gupta [mailto:lalit.tech@gmail.com]
        Sent: Monday, October 08, 2007 11:35 AM
        To: Subodh Singh Rawat (WT01 - TELECOM SERVICE PROVIDER)
        Cc: joe@affirmedsystems.com; Thomas.W.Johnson@chase.com;
        ccielab@groupstudy.com
        Subject: Re: Match Protocol

        Hi Subodh,
        I do agree, but it will match DNS and with either jpg, jpeg or
        gif... Means in single line it will OR and for both the lines it
        will AND.

        Please correct me if I am wrong or reply if you agree.

        Rgrds
        lalit

        On 10/8/07, subodh.rawat@wipro.com <subodh.rawat@wipro.com> wrote:

               My understanding says that "match-all" or "match-any"
               applies per line.

               E.g
               class-map match-all IMAGES
               match protocol http url "*.jpg|*.jpeg|*.gif"
               match protocol dns

               This will match for AND operation of 1st line and second
               line.

               Please correct me if I am wrong.

               HTH
               Subodh

               -----Original Message-----
               From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]
               On Behalf Of lalit gupta
               Sent: Monday, October 08, 2007 10:52 AM
               To: Joseph Brunner
               Cc: Thomas.W.Johnson@chase.com ; ccielab@groupstudy.com
               Subject: Re: Match Protocol

               HI Joseph,

               i do agree with your configuration but i differ on one
               statement

               class-map match-all IMAGES
               match protocol http url "*.jpg|*.jpeg|*.gif"

               Dont you think it should be match-any instead of match all
               here.. bcoz it means any of the image matched... if we say
               match all , it means all should be there to drop it.

               Correct me if i m wrong.,

               rgrds
               lalit

               On 10/6/07, Joseph Brunner <joe@affirmedsystems.com> wrote:
>
> Thomas,
>
> The great Mr. Cappuccio has answered this before... here is my version
> of his wonderful config. Forget CCO its not much help for this. Oh,
> and yeah I tested it in my office... it works!
>
>
> access-list 100 remark to VLAN_34
> access-list 100 permit tcp any eq www 10.1.34.0 0.0.0.25
>
> class-map match-all IMAGES
> match protocol http url "*.jpg|*.jpeg|*.gif"
>
> class-map match-all POLICE
> match access-group 100
> match protocol http host "www.affirmedsystems.com"
> match protocol http url "directory/*"
>
> class-map match-all DIE
> match access-group 100
> match protocol http host "www.affirmedsystems.com"
> match protocol http url "directory/*"
> match class-map IMAGES
>
> policy-map WEBPOLICY
> class DIE
> drop
> class POLICE
> police cir 512000
> class class-default
>
>
> int f0/0
> desc facing lan
> service-policy output WEBPOLICY
>
> -Joe
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf
> Of Thomas.W.Johnson@chase.com
> Sent: Friday, October 05, 2007 2:16 PM
> To: ccielab@groupstudy.com
> Subject: Match Protocol
>
> I ran across a question that wanted you to limit all return traffic
> from www.thiswebsite.com/thisdirectory destined for a specific VLAN to
> whatever, 512k, and drop any image files (jpg, bmp or gif) from this
> website.
> How do you match the image files? I assume it's with the match
> protocol http command, however, what parameters do you use? Do I need
> to use the match protocol http with the mime parameter or do I use
> match protocol http with url *.jpg | *.bmp | *.gif? I just don't
> understand how you match image files with the match protocol command.
>
>
>
> Thanks in advance.
>
>
>
> Thomas Johnson
>
> JP Morgan Chase
>
> Global Network Implementation
>
>
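
Added example (not written by any poster in this thread): a simplified Python model of how the class maps discussed above combine their match statements, and of which hosts the wildcard mask 0.0.0.25 selects. It assumes the URL is compared without its leading slash and models only "*" and "|" in patterns; the flow dictionary and its field names are constructed for illustration and are not IOS data structures.

```python
import fnmatch
import ipaddress

def acl_wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: bits set to 1 are ignored in the comparison."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def url_match(pattern, url):
    """Simplified pattern: '|' separates alternatives (OR inside one line)."""
    return any(fnmatch.fnmatchcase(url, alt) for alt in pattern.split("|"))

ACL_100 = ("10.1.34.0", "0.0.0.25")
COMMON = [("acl", ACL_100), ("host", "www.affirmedsystems.com"),
          ("url", "directory/*")]
# Class maps as posted in the thread: name -> (mode, match statements)
CLASS_MAPS = {
    "IMAGES": ("all", [("url", "*.jpg|*.jpeg|*.gif")]),
    "POLICE": ("all", COMMON),
    "DIE":    ("all", COMMON + [("class", "IMAGES")]),
}

def statement_matches(kind, arg, flow, maps):
    if kind == "acl":   # permit tcp any eq www <VLAN 34 hosts>
        return flow["sport"] == 80 and acl_wildcard_match(flow["dst"], *arg)
    if kind == "host":
        return flow["host"] == arg
    if kind == "url":
        return url_match(arg, flow["url"])
    if kind == "class":  # nested "match class-map"
        return class_matches(arg, flow, maps)
    raise ValueError(kind)

def class_matches(name, flow, maps=CLASS_MAPS):
    """match-all ANDs the statements (lines); match-any ORs them."""
    mode, stmts = maps[name]
    results = [statement_matches(k, a, flow, maps) for k, a in stmts]
    return all(results) if mode == "all" else any(results)

def classify(flow, policy=("DIE", "POLICE")):
    """Classes are checked in policy-map order; the first match wins."""
    return next((c for c in policy if class_matches(c, flow)), "class-default")

def matched_hosts(base="10.1.34.0", wildcard="0.0.0.25"):
    return [h for h in range(256)
            if acl_wildcard_match(f"10.1.34.{h}", base, wildcard)]

# Constructed sample: HTTP response flow towards a VLAN 34 client
SAMPLE = {"dst": "10.1.34.9", "sport": 80,
          "host": "www.affirmedsystems.com", "url": "directory/logo.gif"}
```

With a single match statement, IMAGES gives the same result under match-all and match-any, since the alternation happens inside the one pattern.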


