Re: NBAR and Dynamips // SOLVED but is strange!

From: Arden Packeer (contactme@ardenpackeer.com)
Date: Mon Jul 14 2008 - 00:40:02 ART


I use:

R1#copy http://10.0.23.3/image.gif null:

to test NBAR with http pattern matching etc.

This might help:
http://ardenpackeer.com/qos-voip/tutorial-how-to-use-cisco-mqc-nbar-to-filter-websites-like-youtube/

---
Arden Packeer
Cisco Certified Internetwork Expert (CCIE #20716 R&S)
Cisco Systems Instructor (CCSI #31090)

contactme@ardenpackeer.com http://ardenpackeer.com

On 7/14/08, omar parihuana <omar.parihuana@gmail.com> wrote:
> Hi Luca,
>
> Thanks for the explanation!!! Great!! Now I can continue with the next task...
>
> Rgds.
>
> On Sun, Jul 13, 2008 at 9:31 PM, Luca Hall <lhall@setnine.com> wrote:
>
> >
> > it works on out because it matches the http get request
> > from the client to the server, if you watch the http headers
> > you can see the match - there's no way it could match on the
> > way back because the string (*.gif) you're matching isn't there.
> >
> > you can test (ex. image is http://www.someserver.com/image.gif):
> >
> > lhall@pathogen:~$ telnet www.someserver.com 80
> > Connected to www.someserver.com.
> > Escape character is '^]'.
> >
> > /*
> >  * type this GET ... to simulate http client request
> >  * this is the match of string image.gif
> >  */
> >
> > GET /image.gif HTTP/1.0<hit enter twice>
> >
> > /*
> >  * these are the headers you get back from the server
> >  * that cannot match because there's no *.gif string returned
> >  */
> >
> > HTTP/1.1 200 OK
> > Date: Mon, 14 Jul 2008 01:57:38 GMT
> > Server: Apache
> > Last-Modified: Mon, 02 Apr 2007 13:36:44 GMT
> > ETag: "649b310e65a61217f40064b17751d1177a9a43da"
> > Accept-Ranges: bytes
> > Content-Length: 8385
> > Connection: close
> > Content-Type: image/gif
> >
> > <image data>
> >
> > ----- Original Message -----
> > From: omar parihuana <omar.parihuana@gmail.com>
> > To: Hobbs <deadheadblues@gmail.com>
> > Cc: Ramy Sisy <ramysisy@inspiredmaster.com>, Cisco certification <ccielab@groupstudy.com>
> > Sent: Sun, 13 Jul 2008 21:45:30 -0400 (EDT)
> > Subject: Re: NBAR and Dynamips // SOLVED but is strange!
> >
> > Hi Folks,
> >
> > Thank you for your suggestions!
> >
> > I changed the service-policy order from input to output and the filter
> > works fine now!!! However, I don't understand well why it works with the
> > output service policy but not with input, since the connection is
> > requested from the client, in accordance with the pic:
> >
> > (R1) ---- (R4)-s0/1------------------(R5)
> >
> > R5: HTTP Server (IP Address 150.1.5.5)
> > R1: Client
> > In R4 in serial interface
> > R4#sh run int s0/1
> > Building configuration...
> >
> > Current configuration : 158 bytes
> > !
> > interface Serial0/1
> >  ip address 155.1.45.4 255.255.255.0
> >  ip nat outside
> >  ip virtual-reassembly
> >  clock rate 2000000
> >  service-policy output DROP_IMAGES
> > end
> >
> > R4#
> >
> > !
> > ! R4
> > !
> > class-map match-any IMAGES
> >  match protocol http url "*.gif"
> > !
> > !
> > policy-map DROP_IMAGES
> >  class IMAGES
> >   drop
> > !
> > !
> > !
> > !
> >
> > R1#copy http://150.1.5.5/test.gif null:
> > %Error opening http://150.1.5.5/test.gif (I/O error)
> >
> > Rgds.
> >
> > On Sun, Jul 13, 2008 at 7:52 PM, Hobbs <deadheadblues@gmail.com> wrote:
> >
> > > a good way to test is to copy running-config to something like this on
> > > your http "server" router:
> > >
> > > R4#copy running-config config.jpeg
> > > Destination filename [config.jpeg]?
> > > Erase flash: before copying? [confirm]n
> > > Verifying checksum... OK (0x42CD)
> > > 1648 bytes copied in 4.180 secs (394 bytes/sec)
> > > R4#
> > > R4#conf t
> > > Enter configuration commands, one per line. End with CNTL/Z.
> > > R4(config)#ip http server
> > > R4(config)#ip http path flash://
> > >
> > > Then on R6, the client:
> > >
> > > R6#copy http://172.14.45.4/config.jpeg flash://config.jpeg
> > > Destination filename [config.jpeg]?
> > > Erase flash: before copying? [confirm]
> > > Erasing the flash filesystem will remove all files! Continue? [confirm]n
> > > Loading http://172.14.45.4/config.jpeg !
> > > Verifying checksum... OK (0x42CD)
> > > 1648 bytes copied in 0.404 secs (4079 bytes/sec)
> > > R6#
> > >
> > > You could have a middle router, say R5 with the NBAR MQC policies that
> > > filters out jpeg, gif extensions, etc.
> > >
> > > On Sun, Jul 13, 2008 at 2:21 PM, Ramy Sisy <ramysisy@inspiredmaster.com> wrote:
> > >
> > >> Hi Omar,
> > >> How could you test it?
> > >> Are you requesting any image files with the right path direction to
> > >> trigger the filter?
> > >>
> > >> BEST REGARDS,
> > >>
> > >> RAMY SISY, CCIE X 2 (SECURITY, ROUTING/SWITCHING)#17321, CCSI#30417
> > >> CCIE PROGRAM MANAGER
> > >>
> > >> INSPIRED MASTER
> > >> INSPIRING CREATIVE THINKING ....
> > >>
> > >> WWW.INSPIREDMASTER.COM
> > >> E. RAMYSISY@INSPIREDMASTER.COM
> > >>
> > >> -----Original Message-----
> > >> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > >> omar parihuana
> > >> Sent: Sunday, July 13, 2008 12:26 PM
> > >> To: Cisco certification
> > >> Subject: NBAR and Dynamips
> > >>
> > >> Hi List,
> > >>
> > >> I'm using Dynamips to replicate the labs of Internetwork Expert Vol I
> > >> v4.1. I have an issue with the Security part, specifically: Using NBAR
> > >> to Filter Traffic. The lab is very simple, but it is not working with my
> > >> Dynagen/Dynamips. My question is: is NBAR working well with Dynamips???
> > >> The configuration part is:
> > >>
> > >> class-map match-any IMAGES
> > >>  match protocol http url "*.gif"
> > >>  match protocol http url "*.jpeg|*.jpg"
> > >> !
> > >> !
> > >> policy-map DROP_IMAGES
> > >>  class IMAGES
> > >>   drop
> > >> !
> > >>
> > >> int s0/1
> > >>  service-policy input DROP_IMAGES
> > >> int s0/0.201
> > >>  service-policy input DROP_IMAGES
> > >> !
> > >>
> > >> But according to the tests, the files with extensions .gif, .jpg or jpeg
> > >> are never blocked. I don't see anything wrong, so what is the error??
> > >>
> > >> R4#sh policy-map interface s0/1
> > >> drop
> > >>  Serial0/1
> > >>
> > >>   Service-policy input: DROP_IMAGES
> > >>
> > >>     Class-map: IMAGES (match-any)
> > >>       0 packets, 0 bytes
> > >>       5 minute offered rate 0 bps, drop rate 0 bps
> > >>       Match: protocol http url "*.gif"
> > >>         0 packets, 0 bytes
> > >>         5 minute rate 0 bps
> > >>       Match: protocol http url "*.jpeg|*.jpg"
> > >>         0 packets, 0 bytes
> > >>         5 minute rate 0 bps
> > >>
> > >>     Class-map: class-default (match-any)
> > >>       15 packets, 1260 bytes
> > >>       5 minute offered rate 0 bps, drop rate 0 bps
> > >>       Match: any
> > >> R4#sh policy-map interface s0/0.201
> > >>
> > >> drop
> > >>  Serial0/0.201
> > >>
> > >>   Service-policy input: DROP_IMAGES
> > >>
> > >>     Class-map: IMAGES (match-any)
> > >>       0 packets, 0 bytes
> > >>       5 minute offered rate 0 bps, drop rate 0 bps
> > >>       Match: protocol http url "*.gif"
> > >>         0 packets, 0 bytes
> > >>         5 minute rate 0 bps
> > >>       Match: protocol http url "*.jpeg|*.jpg"
> > >>         0 packets, 0 bytes
> > >>         5 minute rate 0 bps
> > >>
> > >>     Class-map: class-default (match-any)
> > >>       25 packets, 3674 bytes
> > >>       5 minute offered rate 0 bps, drop rate 0 bps
> > >>       Match: any
> > >> R4#
> > >>
> > >> Rgds.
> > >>
> > >> --
> > >> Omar E.P.T
> > >> -----------------
> > >> Certified Networking Professionals make better Connections!
> > >>
> > >> _______________________________________________________________________
> > >> Subscription information may be found at:
> > >> http://www.groupstudy.com/list/CCIELab.html
> > >
> >
> > --
> > Omar E.P.T
> > -----------------
> > Certified Networking Professionals make better Connections!
>
> --
> Omar E.P.T
> -----------------
> Certified Networking Professionals make better Connections!
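
The direction behaviour discussed in this thread can be reproduced offline. The following is an added example, not code from any poster or from Cisco: it models a URL class like IMAGES on R4's s0/1 and counts hits for a policy attached input versus output. The payloads are constructed samples, and Python's fnmatch only approximates NBAR's own pattern syntax (an assumption).

```python
import fnmatch
import re

# Constructed sample payloads modelled on the telnet session quoted above.
REQUEST = b"GET /test.gif HTTP/1.0\r\n\r\n"
RESPONSE = (b"HTTP/1.1 200 OK\r\nServer: Apache\r\n"
            b"Content-Length: 8385\r\nContent-Type: image/gif\r\n\r\n<image data>")

# Patterns from the thread's class-map IMAGES; '|' separates alternatives.
URL_PATTERNS = ["*.gif", "*.jpeg|*.jpg"]

# A request starts "METHOD <url> HTTP/x.y"; a response starts "HTTP/x.y <code>".
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/\d\.\d\r?\n")


def request_url(payload):
    """Return the URL from an HTTP request line, or None for anything else."""
    m = REQUEST_LINE.match(payload)
    return m.group(2).decode("ascii", "replace") if m else None


def matches_images(payload, patterns=URL_PATTERNS):
    """Approximate a URL match: only a client request carries a URL at all."""
    url = request_url(payload)
    if url is None:
        return False  # server response: status line and headers, no URL
    return any(fnmatch.fnmatchcase(url, alt)
               for pat in patterns for alt in pat.split("|"))


def simulate(policy_direction):
    """Count class hits on R4 s0/1 for one fetch by the client R1.

    R5 (server) is reached through s0/1, so the request leaves s0/1
    (output) and the response arrives on it (input).
    """
    traffic = [("output", REQUEST), ("input", RESPONSE)]
    counters = {"IMAGES": 0, "class-default": 0}
    for direction, payload in traffic:
        if direction != policy_direction:
            continue  # a service-policy only sees its own direction
        cls = "IMAGES" if matches_images(payload) else "class-default"
        counters[cls] += 1
    return counters


if __name__ == "__main__":
    for direction in ("input", "output"):
        print(direction, simulate(direction))
```

With the policy on input, the only packet it sees is the response, which falls into class-default, matching the zero counters in the show output above.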


This archive was generated by hypermail 2.1.4 : Mon Aug 04 2008 - 06:11:54 ART