From: Pavel Bykov (slidersv@gmail.com)
Date: Wed Nov 19 2008 - 00:20:02 ARST
Did you just paste commands right in the email editor? They don't look
right...
Anyway, steps to enable NBAR are:
1. ip cef <- O.K.
2. ip nbar protocol-discovery <- on interface to classify traffic! you don't
have that!!!
Also, support for NBAR on dialer was introduced in 12.2T, so make sure
your IOS is not too old.
Recommended change to make sure everything works:

  interface FastEthernet0
   ip nbar protocol-discovery
   service-policy input BLOCK-youtube

and then if "show policy-map int fa0 input" shows drops on "youtube" class,
then try removing service policy from Fast and see if it works on dialer.
That's a bit oldish router, isn't it?
On Wed, Nov 19, 2008 at 2:00 AM, Administrator <Administrator@subfighter.ca> wrote:
> Here is the config, I have sanitized it a bit ...
>
> !
> hostname WOW_1710
> memory-size iomem 25
> aaa new-model
> !
> !
> aaa session-id common
> ip subnet-zero
> !
> !
> no ip domain lookup
> !
> ip cef
> ip audit notify log
> ip audit po max-events 100
> vpdn enable
> !
> vpdn-group pppoe
> request-dialin
> protocol pppoe
> !
> no ftp-server write-enable
> !
> !
> !
> !
> !
> !
> class-map match-all TELNET
> match protocol telnet
> class-map match-all youtube
> match protocol http host "*youtube.com*"
> !
> !
> policy-map BLOCK-youtube
> class youtube
> drop
> class TELNET
> drop
> !
> !
> !
> interface Ethernet0
> no ip address
> full-duplex
> pppoe enable
> pppoe-client dial-pool-number 1
> !
> interface FastEthernet0
> ip address 192.168.1.1 255.255.255.0 secondary
> ip address 10.1.200.200 255.255.255.0
> ip nat inside
> speed auto
> full-duplex
> !
> interface Dialer1
> ip address negotiated
> ip mtu 1452
> ip nat outside
> service-policy output BLOCK-youtube
> encapsulation ppp
> ip tcp adjust-mss 1392
> dialer pool 1
> dialer-group 1
> ppp authentication pap callin
> !
> ip nat inside source route-map NAT interface Dialer1 overload
>
> ip classless
> ip route 0.0.0.0 0.0.0.0 Dialer1
> access-list 118 permit ip 192.168.1.0 0.0.0.255 any
> access-list 118 permit ip 10.1.200.0 0.0.0.255 any
> !
> route-map NAT permit 10
> match ip address 118
> !
> !
> line con 0
> line aux 0
> line vty 0 4
> !
> !
> end
> WOW_1710#
>
> ------------------------------
> *From:* Pavel Bykov [mailto:slidersv@gmail.com]
> *Sent:* Tue 11/18/2008 7:42 PM
> *To:* Administrator
> *Cc:* omar parihuana; ccielab@groupstudy.com
>
> *Subject:* Re: CBWFQ to block Youtube
>
> Please post us your show class-map, show policy-map and show run int x/x
> to see how your class-maps are defined, policy-maps and how you are
> applying it.
>
> Also, Do you have IP CEF enabled globally? without it it will not work.
>
> P.S.: Brian, is that monkey talking on the microphone? :) I think everybody
> gets spam like that at work all the time. we do. I wouldn't quite put it in
> a time killer though.
> If someone wanted to waste time, there are whole realms dedicated to
> progress your boredom. e.g.: bored.com
>
>
> On Wed, Nov 19, 2008 at 1:16 AM, Administrator <
> Administrator@subfighter.ca> wrote:
>
>> I have entered this exactly, and still things hit the default-class for
>> some reason. Is it because I also have nat on the router ? Does that
>> affect the configuration someway ?
>>
>> ________________________________
>>
>> From: omar parihuana [mailto:omar.parihuana@gmail.com]
>> Sent: Tue 11/18/2008 3:43 PM
>> To: Administrator
>> Cc: ccielab@groupstudy.com
>> Subject: Re: CBWFQ to block Youtube
>>
>>
>> Try this:
>>
>> Voice_GW_LAB#sh run class-map
>> Building configuration...
>>
>> Current configuration : 81 bytes
>> !
>> class-map match-all youtube
>> match protocol http host "*youtube.com*"
>> !
>> end
>>
>> Voice_GW_LAB#sh run policy-map
>> Building configuration...
>>
>> Current configuration : 59 bytes
>> !
>> policy-map BLOCK-youtube
>> class youtube
>> drop
>> !
>> end
>>
>> Voice_GW_LAB#sh run int f0/1
>> Building configuration...
>>
>> Current configuration : 234 bytes
>> !
>> interface FastEthernet0/1
>> ...
>> service-policy output BLOCK-youtube
>> end
>>
>> Voice_GW_LAB#
>>
>> Voice_GW_LAB#sh policy-map interface f0/1
>> FastEthernet0/1
>>
>> Service-policy output: BLOCK-youtube
>>
>> Class-map: youtube (match-all)
>> 27 packets, 29642 bytes
>> 5 minute offered rate 0 bps, drop rate 0 bps
>> Match: protocol http host "*youtube.com*"
>> drop
>>
>> Class-map: class-default (match-any)
>> 15842 packets, 1412490 bytes
>> 5 minute offered rate 0 bps, drop rate 0 bps
>> Match: any
>> Voice_GW_LAB#
>>
>>
>>
>>
>> On Tue, Nov 18, 2008 at 2:59 PM, Administrator <
>> Administrator@subfighter.ca>
>> wrote:
>>
>>
>> Hi there, I was just doing a lab and thought I would try something on my
>> test DSL connection.
>>
>> My intent was to block www.youtube.com with QOS
>>
>> Here is what I have ...
>>
>> !
>> class-map match-all YOUTUBE
>> match protocol http url "www.youtube.com"
>> !
>> !
>> policy-map CBWFQ_SHAPE_OUT
>> class YOUTUBE
>> drop
>> !
>> !
>> interface Ethernet0
>> service-policy output CBWFQ_SHAPE_OUT
>> !
>>
>>
>>
>> But for some reason, it doesn't work. I have CEF enabled. When I do a
>> show policy-map int e0, it shows everything hitting the default
>> class-default
>>
>> I am sure I am missing something simple, but my QOS skillz are low and am
>> trying to build them. Thanks !
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
>> --
>> Omar E.P.T
>> -----------------
>> Certified Networking Professionals make better Connections!
>>
>
>
> --
> Pavel Bykov
> -------------------------------------------------
> Stop the braindumps!
> http://www.stopbraindumps.com/
>
>
--
Pavel Bykov
-------------------------------------------------
Stop the braindumps!
http://www.stopbraindumps.com/

Blogs and organic groups at http://www.ccie.net
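Added example, not part of the original thread or written by any of its participants: a small Python check that audits an IOS config against the two steps listed in the reply above (global `ip cef`, and `ip nbar protocol-discovery` on any interface carrying a service-policy whose class-maps use `match protocol`). The function names and the embedded sample are assumptions; the sample is constructed from the config quoted in the thread.

```python
# Constructed sample: relevant lines of the config quoted in the thread, flattened as pasted.
SAMPLE = """\
ip cef
!
class-map match-all youtube
match protocol http host "*youtube.com*"
!
policy-map BLOCK-youtube
class youtube
drop
!
interface Dialer1
service-policy output BLOCK-youtube
"""
HEADERS = ("interface ", "class-map ", "policy-map ")

def parse(config):
    """Return (global lines, {block header: [sub-commands]}); '!' ends a block."""
    globals_, blocks, current = [], {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if not line or line == "!":
            current = None
        elif line.startswith(HEADERS):
            current = blocks.setdefault(line, [])
        elif current is not None:
            current.append(line)
        else:
            globals_.append(line)
    return globals_, blocks

def nbar_policies(blocks):
    """Policy-maps that use a class-map containing 'match protocol'."""
    classes = {h.split()[-1] for h, sub in blocks.items() if h.startswith("class-map ")
               and any(s.startswith("match protocol ") for s in sub)}
    return {h.split()[-1] for h, sub in blocks.items() if h.startswith("policy-map ")
            and any(s.startswith("class ") and s.split()[1] in classes for s in sub)}

def audit(config):
    """Findings for the two steps listed in the reply (hypothetical helper)."""
    globals_, blocks = parse(config)
    policies, findings = nbar_policies(blocks), []
    if policies and "ip cef" not in globals_:
        findings.append("global: 'ip cef' missing")
    for header, sub in blocks.items():
        applied = {s.split()[-1] for s in sub if s.startswith("service-policy ")}
        missing = "ip nbar protocol-discovery" not in sub
        if header.startswith("interface ") and policies & applied and missing:
            findings.append(f"{header.split()[1]}: 'ip nbar protocol-discovery' missing")
    return findings
```

Blocks are delimited by `!` and header keywords rather than indentation, so a config whose indentation was lost in an e-mail paste is still parsed correctly.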
This archive was generated by hypermail 2.1.4 : Mon Dec 01 2008 - 08:18:30 ARST