From: jeremy co (jeremy.cool14@gmail.com)
Date: Sun Sep 14 2008 - 17:11:42 ART
Hi Chidd,
What if you want to police it to, say, 115000? You police client request messages
if you apply it outbound!!!!! ;)
Jeremy
On Sat, Sep 13, 2008 at 12:05 AM, Chidd <dungchid@gmail.com> wrote:
> Hi,
>
> Just try to test. For matching www.cisco.com, I don't think you can use
> "match protocol http url "www.cisco.com""; it should be:
>
> class-map URL
>  match protocol http host "www.cisco.com"
>  match protocol http url "*.jpg|*.jpeg"
> policy-map test
>  class URL
>   drop
> ! connects to Internet
> interface serial 0/0/0
>  service-policy output test
>
> For a "GET Request" initiated from the client and a "GET Response" from the
> server, I only need to apply it in the outbound direction, because basically
> what the server's RESPONSE is depends on the REQUEST from the client. Thus,
> NBAR will check the "outbound direction" only. When I try to apply it in the
> "inbound direction", it doesn't work.
>
> rtr-hn#show policy-map interface dialer 0
>  Dialer0
>
>   Service-policy input: test
>
>     Class-map: URL (match-all)
>       0 packets, 0 bytes
>       5 minute offered rate 0 bps, drop rate 0 bps
>       Match: protocol http host "www.cisco.com"
>       Match: protocol http url "*.gif|*.jpeg|*.jpg"
>       drop
>
>     Class-map: class-default (match-any)
>       78 packets, 27731 bytes
>       5 minute offered rate 0 bps, drop rate 0 bps
>       Match: any
>
>   Service-policy output: test
>
>     Class-map: URL (match-all)
>       6 packets, 3846 bytes
>       5 minute offered rate 2000 bps, drop rate 2000 bps
>       Match: protocol http host "www.cisco.com"
>       Match: protocol http url "*.gif|*.jpeg|*.jpg"
>       drop
>
>     Class-map: class-default (match-any)
>       1644 packets, 837832 bytes
>       5 minute offered rate 24000 bps, drop rate 0 bps
>       Match: any
>
> You see that only the OUTBOUND DIRECTION works; the INBOUND DIRECTION doesn't work.
>
>
>
> R2: copy http://cisco:cisco@150.1.1.1 null
> ----- Original Message -----
> From: "Bill Eyer" <beyer@optonline.net>
> To: "Huan Pham" <Huan.Pham@peopletelecom.com.au>
> Cc: "Igor M." <imanassypov@rogers.com>; "Cisco certification" <ccielab@groupstudy.com>
> Sent: 12 September, 2008 17:34
> Subject: Re: policing based on nbar
>
>
>> Yes, but when you match on a mime type in a URL, are you matching inbound
>> or outbound? In other words, can
>>
>> class-map match-all URL
>>  match protocol http url "www.cisco.com"
>>
>> be used in an outbound service policy against packets sent towards that
>> URL, inbound against packets from that URL, or can it be used in either
>> direction?
>>
>> Bill
>>
>>
>> Huan Pham wrote:
>>
>>> Policing can be done both inbound and outbound. This is true no matter if
>>> you use NBAR or ACL to match traffic.
>>> On the other hand, shaping can be done outbound only.
>>>
>>>
>>> For instance, with a topology like below:
>>>
>>> PC ---- R1 ---------- R2 ----- WWW Server
>>>      E0    S0      S0    E0
>>>
>>> If you want to police image traffic from the WWW server, you can police:
>>> - inbound on R1 Serial interface,
>>> - outbound on R1 Ethernet,
>>> - inbound on R2 Ethernet,
>>> - outbound on R2 Serial.
>>>
>>> Cheers,
>>>
>>> -----Original Message-----
>>> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>>> Igor M.
>>> Sent: Friday, 12 September 2008 5:07 AM
>>> To: Cisco certification
>>> Subject: policing based on nbar
>>>
>>> Hi all,
>>>
>>> If I want to match on a bunch of mime types in the http request header
>>> and police that kind of traffic - would that have to be an inbound or
>>> outbound policy, or both?
>>> The goal is to limit the rate of downloading the specified image
>>> types...
>>>
>>> Like so:
>>>
>>> class-map match-all IMAGES
>>>  match protocol http mime "*.(gif|jpg|jpeg)"
>>> policy-map NBAR
>>>  class IMAGES
>>>   police 100000
>>> int e0/0
>>>  service-policy input NBAR
>>>
>>>
>>> ----------------------
>>>
>>> I.M., M.Eng. P.Eng.
>>>
>>> Network Architect
>>>
>>> CI Investments
>>>
>>> ----------------------
>>>
>>>
>>> Blogs and organic groups at http://www.ccie.net
>>>
>>> _______________________________________________________________________
>>> Subscription information may be found at:
>>> http://www.groupstudy.com/list/CCIELab.html
>>>
This archive was generated by hypermail 2.1.4 : Sat Oct 04 2008 - 09:26:18 ART
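
A check on the counters quoted in the thread, as an added example that is not part of the original messages: it parses `show policy-map interface` output and lists the classes that have matched nothing in a direction where the policy is attached. The function names are hypothetical, and the parser assumes the line layout seen in the quoted output.

```python
import re

# Counters quoted in the thread (rtr-hn, Dialer0); Match lines omitted for brevity.
SAMPLE = """\
Dialer0
  Service-policy input: test
    Class-map: URL (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      drop
    Class-map: class-default (match-any)
      78 packets, 27731 bytes
  Service-policy output: test
    Class-map: URL (match-all)
      6 packets, 3846 bytes
      5 minute offered rate 2000 bps, drop rate 2000 bps
      drop
    Class-map: class-default (match-any)
      1644 packets, 837832 bytes
"""

POLICY_RE = re.compile(r"Service-policy (input|output):\s*(\S+)")
CLASS_RE = re.compile(r"Class-map:\s*(\S+)")
COUNT_RE = re.compile(r"(\d+) packets, (\d+) bytes")

def parse_counters(text):
    """Return {(direction, class_name): (packets, bytes)} per attached policy."""
    counters = {}
    direction = class_name = None
    for line in text.splitlines():
        line = line.lstrip("> ").strip()  # tolerate mail quoting and indentation
        if m := POLICY_RE.match(line):
            direction, class_name = m.group(1), None
        elif m := CLASS_RE.match(line):
            class_name = m.group(1)
        elif (m := COUNT_RE.match(line)) and direction and class_name:
            # first counter line after Class-map is the class total
            counters.setdefault((direction, class_name),
                                (int(m.group(1)), int(m.group(2))))
    return counters

def silent_classes(counters, ignore=("class-default",)):
    """Classes with zero matched packets, i.e. a filter that is not firing."""
    return sorted(k for k, (pkts, _) in counters.items()
                  if pkts == 0 and k[1] not in ignore)

if __name__ == "__main__":
    for direction, name in silent_classes(parse_counters(SAMPLE)):
        print(f"class {name} has matched nothing on {direction}")
```
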