Re: policing based on nbar

From: Chidd (dungchid@gmail.com)
Date: Fri Sep 12 2008 - 11:05:31 ART


Hi,

Just try to test. For matching www.cisco.com, I don't think you can use
"match protocol http url "www.cisco.com""; it should be

class-map URL
    match protocol http host "www.cisco.com"
    match protocol http url "*.jpg|*.jpeg"
policy-map test
    class URL
        drop
! connects to Internet
interface serial 0/0/0
    service-policy output test

For the "GET Request" initiated from the client and the "GET Response" from
the server, I need only apply it in the outbound direction, because basically
what the server's RESPONSE is depends on the REQUEST from the client. Thus,
NBAR will check the "outbound direction" only. When I try to apply it in the
"inbound direction", it doesn't work.

rtr-hn#show policy-map interface dialer 0
 Dialer0

  Service-policy input: test

    Class-map: URL (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol http host "www.cisco.com"
      Match: protocol http url "*.gif|*.jpeg|*.jpg"
      drop

    Class-map: class-default (match-any)
      78 packets, 27731 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any

  Service-policy output: test

    Class-map: URL (match-all)
      6 packets, 3846 bytes
      5 minute offered rate 2000 bps, drop rate 2000 bps
      Match: protocol http host "www.cisco.com"
      Match: protocol http url "*.gif|*.jpeg|*.jpg"
      drop

    Class-map: class-default (match-any)
      1644 packets, 837832 bytes
      5 minute offered rate 24000 bps, drop rate 0 bps
      Match: any
You can see that only the OUTBOUND DIRECTION works; the INBOUND DIRECTION doesn't work.

R2: copy http://cisco:cisco@150.1.1.1 null
----- Original Message -----
From: "Bill Eyer" <beyer@optonline.net>
To: "Huan Pham" <Huan.Pham@peopletelecom.com.au>
Cc: "Igor M." <imanassypov@rogers.com>; "Cisco certification"
<ccielab@groupstudy.com>
Sent: 12 September, 2008 17:34
Subject: Re: policing based on nbar

> Yes, but when you match on a mime type in a URL are you matching inbound
> or outbound? In other words, can
>
> class-map match-all URL
>     match protocol http url "www.cisco.com"
>
> be used in an outbound service policy against packets sent towards that
> URL, inbound against packets from that URL, or can it be used in either
> direction?
>
> Bill
>
>
> Huan Pham wrote:
>> Policing can be done either inbound or outbound. This is true no matter if
>> you use NBAR or ACL to match traffic.
>> On the other hand, shaping can be done outbound only.
>>
>>
>> For instance, with a topology like below:
>>
>> PC ---- R1 ---------- R2 ----- WWW Server
>>      E0    S0      S0    E0
>>
>> If you want to police image traffic from the WWW server, you can police
>> - inbound on R1 Serial interface,
>> - outbound on R1 Ethernet,
>> - inbound on R2 Ethernet,
>> - outbound on R2 Serial.
>>
>> Cheers,
>>
>> -----Original Message-----
>> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>> Igor M.
>> Sent: Friday, 12 September 2008 5:07 AM
>> To: Cisco certification
>> Subject: policing based on nbar
>>
>> Hi all,
>>
>> If I want to match on a bunch of mime types in the http request header
>> and police that kind of traffic - would that have to be an inbound or
>> outbound policy, or both?
>> The goal is to limit the rate of downloading the specified image
>> types...
>>
>> Like so:
>>
>> class-map match-all IMAGES
>>     match protocol http mime "*.(gif|jpg|jpeg)"
>> policy-map NBAR
>>     class IMAGES
>>         police 100000
>> int e0/0
>>     service-policy input NBAR
>>
>>
>> ----------------------
>>
>> I.M., M.Eng. P.Eng.
>>
>> Network Architect
>>
>> CI Investments
>>
>> ----------------------
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html


This archive was generated by hypermail 2.1.4 : Sat Oct 04 2008 - 09:26:18 ART
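
Added example, not part of the original thread: a simplified Python model (not Cisco's NBAR implementation) of which HTTP fields are visible in each direction of the exchange discussed above. The host and URL used by class-map URL are carried only in the client's request, and the Content-Type only in the server's response; the sample messages, MIME_CLASS and the fnmatch-based approximation of the "a|b" pattern syntax are assumptions made for the illustration.

```python
# Added illustration: a simplified model, not Cisco's NBAR implementation.
from fnmatch import fnmatchcase

def parse_head(raw: bytes) -> dict:
    """Extract the fields an HTTP classifier can see in one message head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    start, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    fields = {"host": None, "url": None, "mime": None}
    if start.startswith("HTTP/"):            # status line: server -> client
        ctype = headers.get("content-type")
        if ctype:
            fields["mime"] = ctype.split(";")[0].strip().lower()
    else:                                    # request line: client -> server
        parts = start.split(" ")
        if len(parts) == 3:
            fields["url"] = parts[1]
            fields["host"] = headers.get("host", "").lower() or None
    return fields

def glob_any(value, pattern: str) -> bool:
    """Approximate the "a|b" alternation of wildcard patterns (assumption)."""
    return value is not None and any(
        fnmatchcase(value, p) for p in pattern.split("|"))

def match_all(raw: bytes, criteria: dict) -> bool:
    """match-all class: every criterion must hold for this one message."""
    fields = parse_head(raw)
    return all(glob_any(fields[k], pat) for k, pat in criteria.items())

# Constructed sample traffic for the class-map shown in this message.
REQUEST = (b"GET /images/logo.jpg HTTP/1.1\r\n"
           b"Host: www.cisco.com\r\n\r\n")
RESPONSE = (b"HTTP/1.1 200 OK\r\n"
            b"Content-Type: image/jpeg\r\nContent-Length: 4\r\n\r\n"
            b"\xff\xd8\xff\xe0")
URL_CLASS = {"host": "www.cisco.com", "url": "*.gif|*.jpeg|*.jpg"}
MIME_CLASS = {"mime": "image/*"}   # hypothetical class keyed on Content-Type

if __name__ == "__main__":
    for name, msg in (("request", REQUEST), ("response", RESPONSE)):
        print(name, "URL class:", match_all(msg, URL_CLASS),
              "MIME class:", match_all(msg, MIME_CLASS))
```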