Re: CBWFQ to block Youtube

From: Narbik Kocharians (narbikk@gmail.com)
Date: Wed Nov 19 2008 - 01:26:42 ARST


I don't remember which versions, but in the older IOS version(s) it had to be
enabled, but NOT in the new ones.

On Tue, Nov 18, 2008 at 7:03 PM, Huan Pham
<Huan.Pham@peopletelecom.com.au> wrote:

> Hi Pavel,
>
> Just a quick note:
>
> My understanding is that you do not need to enable NBAR protocol discovery
> to do NBAR-based classification. I will have a look at the config below
> and see if anything is missing later.
>
> NBAR discovery is used for a different purpose, so that you can quickly
> see what's going on in/out of that interface. You can have a look at the
> QoS configuration guide or command guide for more info.
>
> Here's brief info:
>
> NBAR Protocol Discovery
>
> NBAR includes a feature called Protocol Discovery. Protocol Discovery
> provides an easy way to discover the application protocols that are
> operating on an interface.
>
>
>
> Rack1R1(config-if)#ip nbar protocol-discovery
> Rack1R1(config-if)#
>
>
> You can view what protocol is going in/out on that interface using
>
> Rack1R1#sh ip nbar protocol-discovery int fa0/0 top-n 5
>
>  FastEthernet0/0
>                             Input                    Output
>                             -----                    ------
>    Protocol                 Packet Count             Packet Count
>                             Byte Count               Byte Count
>                             5min Bit Rate (bps)      5min Bit Rate (bps)
>                             5min Max Bit Rate (bps)  5min Max Bit Rate (bps)
>    ------------------------ ------------------------ ------------------------
>    rip                      16                       3
>                             6496                     1278
>                             1000                     0
>                             1000                     0
>    bgp                      0                        0
>                             0                        0
>                             0                        0
>                             0                        0
>    citrix                   0                        0
>                             0                        0
>                             0                        0
>                             0                        0
>    cuseeme                  0                        0
>                             0                        0
>                             0                        0
>                             0                        0
>    custom-01                0                        0
>                             0                        0
>                             0                        0
>                             0                        0
>    unknown                  0                        0
>                             0                        0
>                             0                        0
>                             0                        0
>    Total                    16                       3
>                             6496                     1278
>                             1000                     0
>                             1000                     0
>
>
>
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Pavel Bykov
> Sent: Wednesday, 19 November 2008 1:20 PM
> To: Administrator
> Cc: omar parihuana; ccielab@groupstudy.com
> Subject: Re: CBWFQ to block Youtube
>
> Did you just paste commands right in the email editor? They don't look
> right...
>
> Anyway, steps to enable NBAR are:
> 1. ip cef <- O.K.
> 2. ip nbar protocol-discovery <- on interface to classify traffic! you
> don't have that!!!
>
> Also, support for NBAR on dialer interfaces was introduced in 12.2T, so make
> sure your IOS is not too old.
>
> Recommended change to make sure everything works:
> interface FastEthernet0
> ip nbar protocol-discovery
> service-policy input BLOCK-youtube
>
> and then if
> "show policy-map int fa0 input" shows drops on "youtube" class, then try
> removing service policy from Fast and see if it works on dialer.
>
> That's a bit of an oldish router, isn't it?
>
> On Wed, Nov 19, 2008 at 2:00 AM, Administrator
> <Administrator@subfighter.ca> wrote:
>
> > Here is the config, I have sanitized it a bit ...
> >
> > !
> > hostname WOW_1710
> > memory-size iomem 25
> > aaa new-model
> > !
> > !
> > aaa session-id common
> > ip subnet-zero
> > !
> > !
> > no ip domain lookup
> > !
> > ip cef
> > ip audit notify log
> > ip audit po max-events 100
> > vpdn enable
> > !
> > vpdn-group pppoe
> > request-dialin
> > protocol pppoe
> > !
> > no ftp-server write-enable
> > !
> > !
> > !
> > !
> > !
> > !
> > class-map match-all TELNET
> > match protocol telnet
> > class-map match-all youtube
> > match protocol http host "*youtube.com*"
> > !
> > !
> > policy-map BLOCK-youtube
> > class youtube
> > drop
> > class TELNET
> > drop
> > !
> > !
> > !
> > interface Ethernet0
> > no ip address
> > full-duplex
> > pppoe enable
> > pppoe-client dial-pool-number 1
> > !
> > interface FastEthernet0
> >  ip address 192.168.1.1 255.255.255.0 secondary
> >  ip address 10.1.200.200 255.255.255.0
> >  ip nat inside
> >  speed auto
> >  full-duplex
> > !
> > interface Dialer1
> > ip address negotiated
> > ip mtu 1452
> > ip nat outside
> > service-policy output BLOCK-youtube
> > encapsulation ppp
> > ip tcp adjust-mss 1392
> > dialer pool 1
> > dialer-group 1
> > ppp authentication pap callin
> > !
> > ip nat inside source route-map NAT interface Dialer1 overload
> >
> > ip classless
> > ip route 0.0.0.0 0.0.0.0 Dialer1
> > access-list 118 permit ip 192.168.1.0 0.0.0.255 any
> > access-list 118 permit ip 10.1.200.0 0.0.0.255 any
> > !
> > route-map NAT permit 10
> > match ip address 118
> > !
> > !
> > line con 0
> > line aux 0
> > line vty 0 4
> > !
> > !
> > end
> > WOW_1710#
> >
> > ------------------------------
> > From: Pavel Bykov [mailto:slidersv@gmail.com]
> > Sent: Tue 11/18/2008 7:42 PM
> > To: Administrator
> > Cc: omar parihuana; ccielab@groupstudy.com
> > Subject: Re: CBWFQ to block Youtube
> >
> > Please post us your show class-map, show policy-map and show run int
> > x/x to see how your class-maps are defined, policy-maps and how you
> > are applying it.
> >
> > Also, do you have IP CEF enabled globally? Without it, it will not
> > work.
> >
> > P.S.: Brian, is that monkey talking on the microphone? :) I think
> > everybody gets spam like that at work all the time. We do. I wouldn't
> > quite put it in a time killer though.
> > If someone wanted to waste time, there are whole realms dedicated to
> > progressing your boredom, e.g. bored.com
> >
> >
> > On Wed, Nov 19, 2008 at 1:16 AM, Administrator
> > <Administrator@subfighter.ca> wrote:
> >
> >> I have entered this exactly, and still things hit the default-class
> >> for some reason. Is it because I also have NAT on the router? Does
> >> that affect the configuration in some way?
> >>
> >> ________________________________
> >>
> >> From: omar parihuana [mailto:omar.parihuana@gmail.com]
> >> Sent: Tue 11/18/2008 3:43 PM
> >> To: Administrator
> >> Cc: ccielab@groupstudy.com
> >> Subject: Re: CBWFQ to block Youtube
> >>
> >>
> >> Try this:
> >>
> >> Voice_GW_LAB#sh run class-map
> >> Building configuration...
> >>
> >> Current configuration : 81 bytes
> >> !
> >> class-map match-all youtube
> >> match protocol http host "*youtube.com*"
> >> !
> >> end
> >>
> >> Voice_GW_LAB#sh run policy-map
> >> Building configuration...
> >>
> >> Current configuration : 59 bytes
> >> !
> >> policy-map BLOCK-youtube
> >> class youtube
> >> drop
> >> !
> >> end
> >>
> >> Voice_GW_LAB#sh run int f0/1
> >> Building configuration...
> >>
> >> Current configuration : 234 bytes
> >> !
> >> interface FastEthernet0/1
> >> ...
> >> service-policy output BLOCK-youtube
> >> end
> >>
> >> Voice_GW_LAB#
> >>
> >> Voice_GW_LAB#sh policy-map interface f0/1
> >> FastEthernet0/1
> >>
> >> Service-policy output: BLOCK-youtube
> >>
> >> Class-map: youtube (match-all)
> >> 27 packets, 29642 bytes
> >> 5 minute offered rate 0 bps, drop rate 0 bps
> >> Match: protocol http host "*youtube.com*"
> >> drop
> >>
> >> Class-map: class-default (match-any)
> >> 15842 packets, 1412490 bytes
> >> 5 minute offered rate 0 bps, drop rate 0 bps
> >> Match: any
> >> Voice_GW_LAB#
> >>
> >>
> >>
> >>
> >> On Tue, Nov 18, 2008 at 2:59 PM, Administrator
> >> <Administrator@subfighter.ca> wrote:
> >>
> >>
> >> Hi there, I was just doing a lab and thought I would try something on
> >> my test DSL connection.
> >>
> >> My intent was to block www.youtube.com with QoS.
> >>
> >> Here is what I have ...
> >>
> >> !
> >> class-map match-all YOUTUBE
> >> match protocol http url "www.youtube.com"
> >> !
> >> !
> >> policy-map CBWFQ_SHAPE_OUT
> >> class YOUTUBE
> >> drop
> >> !
> >> !
> >> interface Ethernet0
> >> service-policy output CBWFQ_SHAPE_OUT
> >> !
> >>
> >>
> >>
> >> But for some reason, it doesn't work. I have CEF enabled. When I do a
> >> show policy-map int e0, it shows everything hitting the default
> >> class-default.
> >>
> >> I am sure I am missing something simple, but my QoS skillz are low and
> >> I am trying to build them. Thanks!
> >>
> >>
> >> Blogs and organic groups at http://www.ccie.net
> >>
> >> _______________________________________________________________________
> >> Subscription information may be found at:
> >> http://www.groupstudy.com/list/CCIELab.html
> >>
> >> --
> >> Omar E.P.T
> >> -----------------
> >> Certified Networking Professionals make better Connections!
> >>
> >
> >
> > --
> > Pavel Bykov
> > -------------------------------------------------
> > Stop the braindumps!
> > http://www.stopbraindumps.com/
> >
> >
>
>
> --
> Pavel Bykov
> -------------------------------------------------
> Stop the braindumps!
> http://www.stopbraindumps.com/
>

-- 
Narbik Kocharians
CCSI#30832, CCIE# 12410 (R&S, SP, Security)
www.MicronicsTraining
www.Net-Workbooks.com
Sr. Technical Instructor
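Pavel's verification step in the thread (apply the policy, then look at whether "show policy-map interface" shows packets in the youtube class or only in class-default) is easy to script. The block below is an added example, not code from the thread or from Cisco; the two show outputs in it are constructed, the first modeled on Omar's Voice_GW_LAB output and the second on the symptom the original poster describes (everything landing in class-default).

```python
"""Check whether an NBAR class in a CBWFQ policy is actually matching, from
'show policy-map interface' output.  Added example, not code from the thread;
the sample outputs are constructed after the router output posted in it."""
import re
from typing import Dict

# Constructed sample modeled on Omar's Voice_GW_LAB output: the "youtube"
# class has matched (and dropped) 27 packets, so the policy works.
WORKING = """\
FastEthernet0/1

  Service-policy output: BLOCK-youtube

    Class-map: youtube (match-all)
      27 packets, 29642 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol http host "*youtube.com*"
      drop

    Class-map: class-default (match-any)
      15842 packets, 1412490 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
"""

# Constructed sample of the original poster's symptom: every packet lands in
# class-default and the NBAR classes never see anything.
BROKEN = """\
Dialer1

  Service-policy output: BLOCK-youtube

    Class-map: youtube (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol http host "*youtube.com*"
      drop

    Class-map: TELNET (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol telnet
      drop

    Class-map: class-default (match-any)
      15842 packets, 1412490 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
"""

CLASS_RE = re.compile(r"^\s*Class-map:\s+(\S+)\s+\((match-all|match-any)\)")
COUNT_RE = re.compile(r"^\s*(\d+) packets, (\d+) bytes")


def parse_policy_map(text: str) -> Dict[str, Dict[str, int]]:
    """Return {class_name: {"packets": n, "bytes": n}} for each Class-map
    block.  Only the first counter line after each Class-map header is taken;
    later counter-looking lines in the same block (queueing statistics) are
    ignored."""
    stats: Dict[str, Dict[str, int]] = {}
    current = None
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            current = m.group(1)
            stats[current] = {"packets": 0, "bytes": 0}
            continue
        m = COUNT_RE.match(line)
        if m and current is not None:
            stats[current]["packets"] = int(m.group(1))
            stats[current]["bytes"] = int(m.group(2))
            current = None
    return stats


def classification_verdict(stats: Dict[str, Dict[str, int]], expected: str) -> str:
    """'ok' when the expected class has matched packets; 'unclassified' when
    only class-default is counting (the thread's symptom: NBAR is not seeing
    the traffic the way you expect); 'no-traffic' when nothing hit the policy."""
    hit = stats.get(expected, {}).get("packets", 0)
    default = stats.get("class-default", {}).get("packets", 0)
    if hit > 0:
        return "ok"
    if default > 0:
        return "unclassified"
    return "no-traffic"


if __name__ == "__main__":
    for label, output in (("working", WORKING), ("broken", BROKEN)):
        stats = parse_policy_map(output)
        print(f"{label}: verdict={classification_verdict(stats, 'youtube')}")
        for name, c in stats.items():
            print(f"  {name:<14} {c['packets']:>8} packets {c['bytes']:>10} bytes")
```

Run it against the output of the interface the policy is actually attached to; as Pavel suggests, comparing the verdict for "service-policy input" on FastEthernet0 with the one on Dialer1 tells you whether the problem is classification or the interface the policy sits on.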


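The two class-maps in the thread differ in a way NBAR cares about: "match protocol http url" is compared with the part of the URL after the host name (the request path), while "match protocol http host" is compared with the Host header, and "*" is a wildcard in both. The emulation below is an added example, not NBAR's code and not from the thread; it assumes anchored wildcard matching with "*" and "?", treats IOS bracket ranges as literals, does not model case handling, and uses constructed request payloads. The TLS case is included as the practitioner's caveat: a TLS session exposes no Host header to an HTTP host match, so a client using https://www.youtube.com falls through to class-default with the configuration discussed here.

```python
"""Emulate how NBAR's 'match protocol http host' and 'match protocol http url'
are applied to a request, to show why the thread's two class-maps behave
differently.  Added example, not NBAR's code; the payloads are constructed."""
import re
from typing import Dict, Optional

# Constructed payloads: one cleartext request to YouTube, one to another site,
# and the first bytes of a TLS record (what an https:// session looks like on
# the wire: no request line and no Host header for NBAR to read).
YOUTUBE_GET = (b"GET /watch?v=abc123 HTTP/1.1\r\n"
               b"Host: www.youtube.com\r\n"
               b"User-Agent: lab-client\r\n\r\n")
OTHER_GET = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\x2a\x01\x00\x00\x26\x03\x03" + b"\x00" * 11

REQUEST_LINE_RE = re.compile(r"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) (\S+) HTTP/1\.[01]$")


def nbar_wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate the wildcard syntax of 'match protocol http host|url' into an
    anchored regex: '*' is any run of characters, '?' any single character.
    Assumption of this emulation: the match is anchored at both ends, which is
    why the thread's working class-map uses "*youtube.com*" rather than
    "youtube.com".  IOS bracket ranges are not modeled and stay literal."""
    parts = [".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern]
    return re.compile("^" + "".join(parts) + "$")


def parse_http_request(payload: bytes) -> Optional[Dict[str, str]]:
    """Return {'path', 'host'} for a cleartext HTTP/1.x request, or None when
    the payload is not one (e.g. the TLS bytes above).  None stands for the
    case where NBAR never classifies the flow as http, so no http class can
    match it."""
    try:
        head = payload.split(b"\r\n\r\n", 1)[0].decode("ascii")
    except UnicodeDecodeError:
        return None
    lines = head.split("\r\n")
    m = REQUEST_LINE_RE.match(lines[0])
    if not m:
        return None
    host = ""
    for header in lines[1:]:
        if header.lower().startswith("host:"):
            host = header.split(":", 1)[1].strip()
    return {"path": m.group(2), "host": host}


def http_class_matches(match_type: str, pattern: str, payload: bytes) -> bool:
    """match_type 'host' compares the pattern with the Host header; 'url'
    compares it with the part of the URL after the host name, i.e. the request
    path.  That is why 'match protocol http url "www.youtube.com"' never
    matches a request whose path is /watch?v=..."""
    req = parse_http_request(payload)
    if req is None:
        return False
    field = req["host"] if match_type == "host" else req["path"]
    return nbar_wildcard_to_regex(pattern).match(field) is not None


if __name__ == "__main__":
    cases = [
        ("url", "www.youtube.com", YOUTUBE_GET),   # the original poster's class-map
        ("host", "*youtube.com*", YOUTUBE_GET),    # Omar's class-map
        ("host", "*youtube.com*", OTHER_GET),
        ("host", "*youtube.com*", TLS_CLIENT_HELLO),
    ]
    for match_type, pattern, payload in cases:
        print(f'match protocol http {match_type} "{pattern}" -> '
              f"{http_class_matches(match_type, pattern, payload)}")
```

The first case is the class-map from the original post and never matches; the second is the one Omar posted and does. The last case is the reason an NBAR http host match is a convenience control rather than a security boundary: anything the client sends over TLS is invisible to it.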
This archive was generated by hypermail 2.1.4 : Mon Dec 01 2008 - 08:18:31 ARST