From: Administrator (Administrator@Subfighter.ca)
Date: Wed Nov 19 2008 - 00:31:38 ARST
So here goes, I gotta say I learned a lot today about QoS, still some issues
though ...
!
class-map match-all CRAP
 match protocol http host "*youtube.com*"
 match protocol http host "*google*"
class-map match-all MAIL
 match protocol smtp
class-map match-all TELBET
 match protocol telnet
class-map match-all WWW
 match protocol http
!
!
policy-map FILTER
 class CRAP
  set dscp af31
 class WWW
  set dscp af11
 class MAIL
  set precedence 3
 class TELBET
!
!
!
interface Ethernet0
 ip address PUBLIC ADDRESS
 ip nat outside
 ip virtual-reassembly
 half-duplex
 service-policy output FILTER
!
!
interface FastEthernet0
 ip address PRIVATE ADDRESS
 ip nat inside
 ip virtual-reassembly
 speed auto
!
OK, so I upgraded the IOS I used and connected to a NON DSL link. The unit
now has static pub ip at e0, and private on fa0.
Still running nat. Started to mess with this a bit and made some great
strides in my understanding of QOS.
Still not able to get the youtube or google stuff to hit my class though.
So I created another class called with www in it, that hits the queue just
fine.
So I added smtp and telnet to test this out, they all hit the queue just
fine.
What am I missing? Below is an output showing the queue being hit just fine,
all but the url specific stuff:
CCIE_LAB(config-pmap-c)#do sh policy-map int e0
 Ethernet0
  Service-policy output: FILTER
    Class-map: CRAP (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol http host "*youtube.com*"
      Match: protocol http host "*google*"
      QoS Set
        dscp af31
          Packets marked 0
    Class-map: WWW (match-all)
      269 packets, 143494 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol http
      QoS Set
        dscp af11
          Packets marked 269
    Class-map: MAIL (match-all)
      139 packets, 14881 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol smtp
      QoS Set
        precedence 3
          Packets marked 139
    Class-map: TELBET (match-all)
      14 packets, 805 bytes
      5 minute offered rate 0 bps
      Match: protocol telnet
    Class-map: class-default (match-any)
      37569 packets, 19663891 bytes
      5 minute offered rate 266000 bps, drop rate 0 bps
      Match: any
CCIE_LAB(config-pmap-c)#
CCIE_LAB(config-pmap-c)#
CCIE_LAB(config-pmap-c)#
________________________________
From: Pavel Bykov [mailto:slidersv@gmail.com]
Sent: Tue 11/18/2008 8:20 PM
To: Administrator
Cc: omar parihuana; ccielab@groupstudy.com
Subject: Re: CBWFQ to block Youtube
Did you just paste commands right in the email editor? They don't look
right...
Anyway, steps to enable NBAR are:
1. ip cef <- O.K.
2. ip nbar protocol-discovery <- on interface to classify traffic! You don't
have that!!!
Also, support for NBAR on dialer has been introduced in 12.2T, so make sure
your IOS is not too old.
Recommended change to make sure everything works:
interface FastEthernet0
 ip nbar protocol-discovery
 service-policy input BLOCK-youtube
and then if
"show policy-map int fa0 input" shows drops on "youtube" class, then try
removing service policy from Fast and see if it works on dialer.
That's a bit oldish router, isn't it?
On Wed, Nov 19, 2008 at 2:00 AM, Administrator <Administrator@subfighter.ca>
wrote:
Here is the config, I have sanitized it a bit ...
!
hostname WOW_1710
memory-size iomem 25
aaa new-model
!
!
aaa session-id common
ip subnet-zero
!
!
no ip domain lookup
!
ip cef
ip audit notify log
ip audit po max-events 100
vpdn enable
!
vpdn-group pppoe
 request-dialin
  protocol pppoe
!
no ftp-server write-enable
!
!
!
!
!
!
class-map match-all TELNET
 match protocol telnet
class-map match-all youtube
 match protocol http host "*youtube.com*"
!
!
policy-map BLOCK-youtube
 class youtube
  drop
 class TELNET
  drop
!
!
!
interface Ethernet0
 no ip address
 full-duplex
 pppoe enable
 pppoe-client dial-pool-number 1
!
interface FastEthernet0
 ip address 192.168.1.1 255.255.255.0 secondary
 ip address 10.1.200.200 255.255.255.0
 ip nat inside
 speed auto
 full-duplex
!
interface Dialer1
 ip address negotiated
 ip mtu 1452
 ip nat outside
 service-policy output BLOCK-youtube
 encapsulation ppp
 ip tcp adjust-mss 1392
 dialer pool 1
 dialer-group 1
 ppp authentication pap callin
!
ip nat inside source route-map NAT interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
access-list 118 permit ip 192.168.1.0 0.0.0.255 any
access-list 118 permit ip 10.1.200.0 0.0.0.255 any
!
route-map NAT permit 10
 match ip address 118
!
!
line con 0
line aux 0
line vty 0 4
!
!
end
WOW_1710#
________________________________
From: Pavel Bykov [mailto:slidersv@gmail.com]
Sent: Tue 11/18/2008 7:42 PM
To: Administrator
Cc: omar parihuana; ccielab@groupstudy.com
Subject: Re: CBWFQ to block Youtube
Please post us your show class-map, show policy-map and show run int x/x
to see how your class-maps are defined, policy-maps and how you are applying
it.
Also, do you have IP CEF enabled globally? Without it, it will not work.
P.S.: Brian, is that monkey talking on the microphone? :) I think everybody
gets spam like that at work all the time. We do. I wouldn't quite put it in a
time killer though.
If someone wanted to waste time, there are whole realms dedicated to progress
your boredom, e.g. bored.com
On Wed, Nov 19, 2008 at 1:16 AM, Administrator <Administrator@subfighter.ca>
wrote:
I have entered this exactly, and still things hit the default-class for some
reason. Is it because I also have nat on the router? Does that affect the
configuration someway?
________________________________
From: omar parihuana [mailto:omar.parihuana@gmail.com]
Sent: Tue 11/18/2008 3:43 PM
To: Administrator
Cc: ccielab@groupstudy.com
Subject: Re: CBWFQ to block Youtube
Try this:
Voice_GW_LAB#sh run class-map
Building configuration...
Current configuration : 81 bytes
!
class-map match-all youtube
 match protocol http host "*youtube.com*"
!
end
Voice_GW_LAB#sh run policy-map
Building configuration...
Current configuration : 59 bytes
!
policy-map BLOCK-youtube
 class youtube
  drop
!
end
Voice_GW_LAB#sh run int f0/1
Building configuration...
Current configuration : 234 bytes
!
interface FastEthernet0/1
 ...
 service-policy output BLOCK-youtube
end
Voice_GW_LAB#
Voice_GW_LAB#sh policy-map interface f0/1
 FastEthernet0/1
  Service-policy output: BLOCK-youtube
    Class-map: youtube (match-all)
      27 packets, 29642 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol http host "*youtube.com*"
      drop
    Class-map: class-default (match-any)
      15842 packets, 1412490 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
Voice_GW_LAB#
On Tue, Nov 18, 2008 at 2:59 PM, Administrator <Administrator@subfighter.ca>
wrote:
Hi there, I was just doing a lab and thought I would try something on my test
DSL connection.
My intent was to block www.youtube.com with QOS.
Here is what I have ...
!
class-map match-all YOUTUBE
 match protocol http url "www.youtube.com"
!
!
policy-map CBWFQ_SHAPE_OUT
 class YOUTUBE
  drop
!
!
interface Ethernet0
 service-policy output CBWFQ_SHAPE_OUT
!
But for some reason, it doesn't work. I have CEF enabled. When I do a show
policy-map int e0, it shows everything hitting the default class-default.
I am sure I am missing something simple, but my QOS skillz are low and am
trying to build them. Thanks !
Blogs and organic groups at http://www.ccie.net
_______________________________________________________________________
Subscription information may be found at:
http://www.groupstudy.com/list/CCIELab.html
--
Omar E.P.T
-----------------
Certified Networking Professionals make better Connections!
--
Pavel Bykov
-------------------------------------------------
Stop the braindumps!
http://www.stopbraindumps.com/
This archive was generated by hypermail 2.1.4 : Mon Dec 01 2008 - 08:18:31 ARST
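The CRAP class in the FILTER policy at the top of the thread is declared match-all with two different host patterns, so a single request has to satisfy both patterns at once to land in it. The Python model below is an added example, not part of the original thread and not IOS code; it assumes shell-style globbing (fnmatch) as a stand-in for NBAR host patterns, first-match class order as in the posted policy-map, and constructed sample traffic.

```python
from collections import Counter
from fnmatch import fnmatch

# Class-maps of the posted FILTER policy, in policy-map order.
# Each criterion is (protocol, host glob or None for "any host").
FILTER = [
    ("CRAP", "match-all", [("http", "*youtube.com*"), ("http", "*google*")]),
    ("WWW", "match-all", [("http", None)]),
    ("MAIL", "match-all", [("smtp", None)]),
    ("TELBET", "match-all", [("telnet", None)]),
]

# Constructed sample traffic (assumption, not captured from the router).
SAMPLE = [
    {"proto": "http", "host": "www.youtube.com"},
    {"proto": "http", "host": "www.google.com"},
    {"proto": "http", "host": "example.org"},
    {"proto": "smtp"},
    {"proto": "telnet"},
    {"proto": "dns"},
]

def criterion_hits(criterion, packet):
    """True if one 'match protocol ...' line accepts the packet."""
    proto, host_glob = criterion
    if packet["proto"] != proto:
        return False
    return host_glob is None or fnmatch(packet.get("host", "").lower(), host_glob)

def classify(policy, packet):
    """Return the first class whose class-map accepts the packet."""
    for name, mode, criteria in policy:
        combine = all if mode == "match-all" else any
        if combine(criterion_hits(c, packet) for c in criteria):
            return name
    return "class-default"

def counters(policy, packets):
    """Per-class packet counts, like the totals in 'show policy-map interface'."""
    return Counter(classify(policy, p) for p in packets)

def with_mode(policy, class_name, mode):
    """Copy of the policy with one class-map switched to match-all/match-any."""
    return [(n, mode if n == class_name else m, c) for n, m, c in policy]

if __name__ == "__main__":
    print("as posted     :", dict(counters(FILTER, SAMPLE)))
    fixed = with_mode(FILTER, "CRAP", "match-any")
    print("CRAP match-any:", dict(counters(fixed, SAMPLE)))
```

With the class as posted, every HTTP request falls through to WWW, which is the pattern in the counters above; switching only CRAP to match-any lets either host pattern select the class.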