From: omar parihuana (omar.parihuana@gmail.com)
Date: Sun Jul 13 2008 - 22:45:30 ART
Hi Folks,
Thank you for your suggestions!
I changed the service-policy order from input to output and the filter works
fine now!!! However, I don't understand well why it works with the output service
policy but not with input, since that connection is requested from the client,
according to the picture:
(R1) ---- (R4)-s0/1------------------(R5)
R5: HTTP Server (IP Address 150.1.5.5)
R1: Client
On R4, on the serial interface:
R4#sh run int s0/1
Building configuration...
Current configuration : 158 bytes
!
interface Serial0/1
 ip address 155.1.45.4 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 clock rate 2000000
 service-policy output DROP_IMAGES
end
R4#
!
! R4
!
class-map match-any IMAGES
 match protocol http url "*.gif"
!
!
policy-map DROP_IMAGES
 class IMAGES
  drop
!
!
!
!
R1#copy http://150.1.5.5/test.gif null:
%Error opening http://150.1.5.5/test.gif (I/O error)
Rgds.
On Sun, Jul 13, 2008 at 7:52 PM, Hobbs <deadheadblues@gmail.com> wrote:
> a good way to test is to copy running-config to something like this on your
> http "server" router:
>
> R4#copy running-config config.jpeg
> Destination filename [config.jpeg]?
> Erase flash: before copying? [confirm]n
> Verifying checksum... OK (0x42CD)
> 1648 bytes copied in 4.180 secs (394 bytes/sec)
> R4#
> R4#conf t
> Enter configuration commands, one per line. End with CNTL/Z.
> R4(config)#ip http server
> R4(config)#ip http path flash://
>
> Then on R6, the client:
>
> R6#copy http://172.14.45.4/config.jpeg flash://config.jpeg
> Destination filename [config.jpeg]?
> Erase flash: before copying? [confirm]
> Erasing the flash filesystem will remove all files! Continue? [confirm]n
> Loading http://172.14.45.4/config.jpeg !
> Verifying checksum... OK (0x42CD)
> 1648 bytes copied in 0.404 secs (4079 bytes/sec)
> R6#
>
> You could have a middle router, say R5 with the NBAR MQC policies that
> filters out jpeg, gif extensions, etc.
>
>
> On Sun, Jul 13, 2008 at 2:21 PM, Ramy Sisy <ramysisy@inspiredmaster.com>
> wrote:
>
>> Hi Omar,
>> How could you test it?
>> Are you requesting any image files with the right path direction to trigger
>> the filter?
>>
>>
>> BEST REGARDS,
>>
>> RAMY SISY, CCIE X 2 (SECURITY, ROUTING/SWITCHING)#17321, CCSI#30417
>> CCIE PROGRAM MANAGER
>>
>> INSPIRED MASTER
>> INSPIRING CREATIVE THINKING ....
>>
>> WWW.INSPIREDMASTER.COM
>> E. RAMYSISY@INSPIREDMASTER.COM
>>
>>
>>
>>
>>
>> -----Original Message-----
>> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of omar parihuana
>> Sent: Sunday, July 13, 2008 12:26 PM
>> To: Cisco certification
>> Subject: NBAR and Dynamips
>>
>> Hi List,
>>
>> I'm using Dynamips to replicate the labs of Internetwork Expert Vol I v4.1.
>> I have an issue with the Security part, specifically: Using NBAR to Filter
>> Traffic. The lab is very simple, but it is not working with my
>> Dynagen/Dynamips. My question is: is NBAR working well with Dynamips??? The
>> configuration part is:
>>
>> class-map match-any IMAGES
>>  match protocol http url "*.gif"
>>  match protocol http url "*.jpeg|*.jpg"
>> !
>> !
>> policy-map DROP_IMAGES
>>  class IMAGES
>>   drop
>> !
>>
>> int s0/1
>>  service-policy input DROP_IMAGES
>> int s0/0.201
>>  service-policy input DROP_IMAGES
>> !
>>
>> But according to tests, the files with extensions .gif, .jpg or .jpeg
>> are never blocked. I don't see anything wrong, so what is the error??
>>
>> R4#sh policy-map interface s0/1
>> drop
>> Serial0/1
>>
>> Service-policy input: DROP_IMAGES
>>
>> Class-map: IMAGES (match-any)
>> 0 packets, 0 bytes
>> 5 minute offered rate 0 bps, drop rate 0 bps
>> Match: protocol http url "*.gif"
>> 0 packets, 0 bytes
>> 5 minute rate 0 bps
>> Match: protocol http url "*.jpeg|*.jpg"
>> 0 packets, 0 bytes
>> 5 minute rate 0 bps
>>
>> Class-map: class-default (match-any)
>> 15 packets, 1260 bytes
>> 5 minute offered rate 0 bps, drop rate 0 bps
>> Match: any
>> R4#sh policy-map interface s0/0.201
>>
>> drop
>> Serial0/0.201
>>
>> Service-policy input: DROP_IMAGES
>>
>> Class-map: IMAGES (match-any)
>> 0 packets, 0 bytes
>> 5 minute offered rate 0 bps, drop rate 0 bps
>> Match: protocol http url "*.gif"
>> 0 packets, 0 bytes
>> 5 minute rate 0 bps
>> Match: protocol http url "*.jpeg|*.jpg"
>> 0 packets, 0 bytes
>> 5 minute rate 0 bps
>>
>> Class-map: class-default (match-any)
>> 25 packets, 3674 bytes
>> 5 minute offered rate 0 bps, drop rate 0 bps
>> Match: any
>> R4#
>>
>> Rgds.
>>
>>
>> --
>> Omar E.P.T
>> -----------------
>> Certified Networking Professionals make better Connections!
>>
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
>>
>
--
Omar E.P.T
-----------------
Certified Networking Professionals make better Connections!
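
Added example, not part of the original thread or of any poster's message: a small Python parser for the `show policy-map interface` output quoted above, which flags named classes that never matched while class-default is counting packets (the symptom in the original post). The function names `parse_policy` and `silent_classes` are this example's own; the sample text is copied from the thread's Serial0/1 capture.

```python
import re

# Copied from the thread's "sh policy-map interface s0/1" capture (indentation lost in the archive).
SAMPLE = """\
Serial0/1
Service-policy input: DROP_IMAGES
Class-map: IMAGES (match-any)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: protocol http url "*.gif"
0 packets, 0 bytes
5 minute rate 0 bps
Match: protocol http url "*.jpeg|*.jpg"
0 packets, 0 bytes
5 minute rate 0 bps
Class-map: class-default (match-any)
15 packets, 1260 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
"""
COUNTER = re.compile(r"(\d+) packets, (\d+) bytes")

def parse_policy(text):
    """Parse one interface's output into direction, policy and per-class counters."""
    out = {"direction": None, "policy": None, "classes": {}}
    cls = slot = None            # slot = (dict, key) the next counter line fills
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"Service-policy (input|output): (\S+)", line):
            out["direction"], out["policy"] = m.groups()
        elif m := re.match(r"Class-map: (\S+)", line):
            cls = out["classes"].setdefault(m.group(1), {"packets": 0, "matches": {}})
            slot = (cls, "packets")
        elif line.startswith("Match: ") and cls is not None:
            cls["matches"][line[7:]] = 0
            slot = (cls["matches"], line[7:])
        elif (m := COUNTER.match(line)) and slot:
            slot[0][slot[1]] = int(m.group(1))
            slot = None
    return out

def silent_classes(parsed):
    """Named classes with zero hits while class-default is counting traffic."""
    classes = parsed["classes"]
    if classes.get("class-default", {}).get("packets", 0) == 0:
        return []                # no traffic seen at all: nothing to conclude
    return [n for n, c in classes.items()
            if n != "class-default" and c["packets"] == 0]

print(parse_policy(SAMPLE)["direction"], silent_classes(parse_policy(SAMPLE)))
```

A non-empty result means the policy is attached and sees traffic, but the classifier is not firing at that attachment point and direction.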
This archive was generated by hypermail 2.1.4 : Mon Aug 04 2008 - 06:11:54 ART