From: Petr Lapukhov (petr@internetworkexpert.com)
Date: Tue Nov 04 2008 - 13:58:40 ARST
Vitaly,
first of all, it's really nostalgic to see "*.arj" in your policy map :)
Secondly, it actually does not matter much which direction you apply the
policy. NBAR classifies all the flow packets, be it ingress or egress part
of the flow. However, this policy better be applied in outbound direction,
for this way it will block GET requests before they even reach the WWW
server. You can read more about NBAR URL matching here:
http://blog.internetworkexpert.com/2008/11/04/using-nbar-for-http-url-filtering/
-- Petr Lapukhov, CCIE #16379 (R&S/Security/SP/Voice) petr@internetworkexpert.comInternetwork Expert, Inc. http://www.InternetworkExpert.com Toll Free: 877-224-8987 Outside US: 775-826-4344
2008/11/4 Braychuck Vitaliy <Vitaliy.Braychuck@incom.ua>
> Hi folks. > > > > Could anyone explain me how http inspection works. My task is suppress to > download files through http from Internet. > > > > It's my topology: > > > > Inside internet > > -----------------(R1)------------------------- > > fa0/0 fa0/1 > > > > I've written class & policy maps: > > > > class-map FILES > > match protocol http url "*.zip|*.arj" > > policy-map DROP_DWNLD > > class FILES > > drop > > > > And at this point I have a question. In what direction should I apply this > policy. I know, what http response from server don't have any requests from > client, so we can't match any filenames. > > Could I apply this policy in output direction? I mean on interface fa0/0 in > output direction? Or I should apply it only in inside direction and match > requests from clients? > > > > WBR, > > Vitalii Braichuk > > > Blogs and organic groups at http://www.ccie.net > > _______________________________________________________________________ > Subscription information may be found at: > http://www.groupstudy.com/list/CCIELab.html
Blogs and organic groups at http://www.ccie.net
This archive was generated by hypermail 2.1.4 : Mon Dec 01 2008 - 08:18:29 ARST