From: Bogdan Sass (bogdan.sass@catc.ro)
Date: Sun Oct 05 2008 - 04:01:14 ART
Osamah Shaheen wrote:
> Hi,
>
> It works for me when I only use the website to drop. Suppose that I
> need to block the video on this entire website, what should I match? I have
> used match rtp video and nothing changed....
>
Two things to check:
1) the "match protocol http url" matches only the part after the
first slash: "When specifying a URL for classification, include only the
portion of the URL that follows the www.hostname.domain in the
match statement."
(http://www.cisco.com/en/US/docs/ios/qos/command/reference/qos_m1.html#wp1024534).
For the rest, try "match protocol http host".
2) the videos on youtube are not in .avi format, and they are not
sent over the network using RTP (the only protocol used is http). So you
cannot match them with "match protocol url *.avi" or with "match
protocol rtp video".
> Service-policy output: POLICE
>
> Class-map: IMAGES (match-all)
> 115 packets, 34835 bytes
> 30 second offered rate 0 bps, drop rate 0 bps
> Match: protocol http url "*youtube.com*"
> drop
>
> Class-map: class-default (match-any)
> 81868 packets, 13720861 bytes
> 30 second offered rate 132000 bps, drop rate 0 bps
> Match: any
>
> ----------------
>
> When I tested with another website, it shows nothing matching!!!!
>
> RiyRouter#sh policy-map int
>
> FastEthernet0/1/0
>
> Service-policy output: POLICE
>
> Class-map: IMAGES (match-any)
> 0 packets, 0 bytes
> 30 second offered rate 0 bps, drop rate 0 bps
> Match: protocol http url "*youtube.com*"
> 0 packets, 0 bytes
> 30 second rate 0 bps
> Match: protocol http url "*metacafe.com*" <--
> 0 packets, 0 bytes
> 30 second rate 0 bps
> drop
>
> Class-map: class-default (match-any)
> 2592 packets, 371777 bytes
> 30 second offered rate 141000 bps, drop rate 0 bps
> Match: any
>
> ________________________________
>
> From: Ali Mousawi [mailto:mousawi.ali@gmail.com]
> Sent: 2008-10-04 23:43
> To: Osamah Shaheen
> Cc: femi ogunlana; ccielab@groupstudy.com
> Subject: Re: NBAR
>
> Hi Osamah,
>
> the following should be able to drop images
>
> On R1:
>
> class-map match-all IMAGES
>  match protocol http url "*.jpg|*.gif"
>  match protocol http url "*youtube.com*"
> policy-map POLICE
>  class IMAGES
>   drop
>
> HTH
>
> On Sat, Oct 4, 2008 at 1:20 PM, Osamah Shaheen <ShaheenO@maaden.com.sa> wrote:
>
> Have a look at the link below for a good example by Brian M
>
> http://blog.internetworkexpert.com/2008/05/08/using-nbar-for-application-filtering/
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
> This message and any attachments are confidential and intended solely
> for the use of the individual or entity to whom they are addressed. If
> you are NOT the intended recipient you should not use, copy, disclose or
> place any reliance on this e-mail or its contents, and immediately
> notify the sender by return e-mail and delete all copies of this e-mail
> from your system.
>
> Statement and opinions expressed in this e-mail are those of the sender,
> and do not necessarily reflect MA'ADEN.
>
> postmaster@maaden.com.sa
--
Bogdan Sass
CCAI,CCSP,JNCIA-ER,CCIE #22221 (RS)
Information Systems Security Professional
"Curiosity was framed - ignorance killed the cat"
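
The two checks in the reply above, put together as an added example that is not part of the original thread: the hostnames move from "match protocol http url" to "match protocol http host". The class name VIDEO-SITES is hypothetical; the policy name, interface and hostnames are taken from the quoted output, and the interface is assumed to face the web servers.

```cisco
! Added example, not from the thread. VIDEO-SITES is a hypothetical class name.
!
! Before (from the quoted output): the hostname pattern is given to "url",
! which is compared only against the part of the URL after the first slash.
!   class-map match-any IMAGES
!    match protocol http url "*youtube.com*"
!    match protocol http url "*metacafe.com*"
!
! After: the hostname pattern is given to "host", which is compared
! against the hostname portion of the HTTP request.
class-map match-any VIDEO-SITES
 match protocol http host "*youtube.com*"
 match protocol http host "*metacafe.com*"
!
! File-extension patterns stay on "url", because they live in the path.
! Per the reply, "*.avi" and "match protocol rtp video" do not help here:
! the videos are not .avi files and are carried over HTTP, not RTP.
!
policy-map POLICE
 class VIDEO-SITES
  drop
!
! Assumption: this is the interface facing the web servers, so the
! outbound HTTP requests (which carry the hostname) are classified.
! NBAR can only read the hostname in cleartext HTTP requests.
interface FastEthernet0/1/0
 service-policy output POLICE
```

To verify, request one of the sites and rerun "sh policy-map int": the packet counters under each "Match: protocol http host" line should increase, unlike the 0 packets shown in the quoted output.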
This archive was generated by hypermail 2.1.4 : Sat Nov 01 2008 - 15:35:19 ARST