From: Huan Pham (Huan.Pham@peopletelecom.com.au)
Date: Sun Sep 07 2008 - 20:33:58 ART
Hi Group,
Command reference for "match protocol http url" states that
http://www.cisco.com/en/US/docs/ios/qos/command/reference/qos_m1.html#wp1024534
"When matching by URL, NBAR recognizes the HTTP packets containing the
URL and then matches all packets that are part of the HTTP request."
This further shows that what I have been believing is correct (i.e. this
command is used to match users' HTTP GET requests, and NOT the return
traffic).
Could someone please explain why the IE Solution Guide uses this command
to match the return traffic, and WHY this command seems to be able to
successfully match that traffic?
Regards,
Huan
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Huan Pham
Sent: Friday, 5 September 2008 3:55 PM
To: Cisco certification
Subject: Matching image requests using "match protocol http url "*.jpeg"
Hi GS,
I am confused by a solution to one of the QoS tasks in IEWB (IE WB1, Section
Security - Task Using NBAR to Filter Traffic). The task is to drop HTTP
IMAGE requests from Client to Server.
HTTP Client ------- R4 ------- Server HTTP
S0/1
The solution creates a policy that matches images using match http url, but the
policy is applied INBOUND on the WAN interface (S0/1)! I believe that
this policy should be applied OUTBOUND to stop HTTP Requests.
However, that is not my main concern. I used to believe that "match
protocol http url" can only be used to match HTTP REQUESTS, and
not to match HTTP RESPONSES (IMAGE data) from the server. To match the IMAGE
data itself, I thought that match MIME type should be used. But it
seems I may be WRONG!
"match protocol http url" seems to be able to match HTTP RESPONSE from
Servers as well.
I tried sniffing (using Wireshark) a real HTTP session. I could see
the reference to the URL in the GET request, but I do not see any reference
to that URL in the data response from the server!
Could anyone please comment on the usage of the command "match protocol
http url". Thanks,
Below is config and verification to show that both HTTP requests for
Images and Image return data can be matched by using "match protocol
http url".
Configuration:
--------------
R4#
class-map match-any IMAGES
 match protocol http url "*.gif"
 match protocol http url "*.jpeg|*.jpg"
!
!
! HTTP_REQUEST policy is my additional config for matching illustration
policy-map HTTP_REQUEST
 class IMAGES
!
policy-map DROP_IMAGES
 class IMAGES
  drop
!
interface Serial0/1
 service-policy input DROP_IMAGES
 service-policy output HTTP_REQUEST
Verification:
-------------
Try to generate HTTP get request from inside (R1) to outside 150.1.5.5
(HTTP Server)
R1#copy http://150.1.5.5/test.jpg null:
%Error opening http://150.1.5.5/test.jpg (I/O error)
R4#sh policy-map interface s0/1
 Serial0/1

  Service-policy input: DROP_IMAGES

    Class-map: IMAGES (match-any)
      8 packets, 1657 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol http url "*.gif"
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol http url "*.jpeg|*.jpg"
        8 packets, 1657 bytes
        5 minute rate 0 bps
      drop

    Class-map: class-default (match-any)
      18 packets, 1530 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any

  Service-policy output: HTTP_REQUEST

    Class-map: IMAGES (match-any)
      5 packets, 708 bytes
      5 minute offered rate 0 bps
      Match: protocol http url "*.gif"
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol http url "*.jpeg|*.jpg"
        5 packets, 708 bytes
        5 minute rate 0 bps

    Class-map: class-default (match-any)
      27 packets, 1936 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
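As an added example (not part of Huan's post or of IOS), a small Python parser for the "show policy-map interface" counters pasted above: it reports, per service-policy direction, how many packets each NBAR match criterion counted, which is the check that settles whether a class is hitting on the request side, the response side, or both. The sample output is a constructed copy of the IMAGES counters from the post with the IOS indentation restored.

```python
import re

# Constructed sample: the IMAGES counters from Huan's R4 "sh policy-map
# interface s0/1", indentation restored, class-default and rate lines omitted.
SAMPLE = """\
 Serial0/1
  Service-policy input: DROP_IMAGES
    Class-map: IMAGES (match-any)
      8 packets, 1657 bytes
      Match: protocol http url "*.gif"
        0 packets, 0 bytes
      Match: protocol http url "*.jpeg|*.jpg"
        8 packets, 1657 bytes
  Service-policy output: HTTP_REQUEST
    Class-map: IMAGES (match-any)
      5 packets, 708 bytes
      Match: protocol http url "*.gif"
        0 packets, 0 bytes
      Match: protocol http url "*.jpeg|*.jpg"
        5 packets, 708 bytes
"""

POLICY_RE = re.compile(r"^\s*Service-policy (input|output): (\S+)")
CLASS_RE = re.compile(r"^\s*Class-map: (\S+)")
MATCH_RE = re.compile(r"^\s*Match: (.+?)\s*$")
PKTS_RE = re.compile(r"^\s*(\d+) packets, \d+ bytes")

def parse_policy_counters(text):
    """Return {direction: {class_name: {match_criterion: packets}}}."""
    # IOS prints a class total right after "Class-map:" and a per-criterion
    # count right after each "Match:"; only the per-criterion counts are kept.
    counters, direction, cls, criterion = {}, None, None, None
    for line in text.splitlines():
        if m := POLICY_RE.match(line):
            direction = m.group(1)
            counters.setdefault(direction, {})
        elif m := CLASS_RE.match(line):
            cls = m.group(1)
            counters[direction][cls] = {}
        elif m := MATCH_RE.match(line):
            criterion = m.group(1)
        elif (m := PKTS_RE.match(line)) and criterion is not None:
            counters[direction][cls][criterion] = int(m.group(1))
            criterion = None  # next count line is a class total or a new Match:
    return counters

def directions_hit(counters, class_name):
    """Policy directions in which class_name counted at least one packet."""
    return sorted(d for d, classes in counters.items()
                  if sum(classes.get(class_name, {}).values()) > 0)
```

Run against the post's counters, directions_hit(parse_policy_counters(SAMPLE), "IMAGES") returns both "input" and "output", i.e. the URL class counted packets on the server-to-client side as well as on the GET side.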
This archive was generated by hypermail 2.1.4 : Sat Oct 04 2008 - 09:26:17 ART