Re: CBWFQ to block Youtube

From: But Nicky (lyredhair@gmail.com)
Date: Wed Nov 19 2008 - 02:21:36 ARST


Hi Admin,
I think there is a problem with your class-map with the keyword "match-all"
!
class-map *match-all* CRAP
 match protocol http host "*youtube.com*"
 match protocol http host "*google*"
!
Regards,
But Nguyen,

On Wed, Nov 19, 2008 at 9:31 AM, Administrator
<Administrator@subfighter.ca> wrote:

> So here goes, I gotta say I learned a lot today about qos, still some issues
> though ...
>
> !
> class-map match-all CRAP
> match protocol http host "*youtube.com*"
> match protocol http host "*google*"
> class-map match-all MAIL
> match protocol smtp
> class-map match-all TELBET
> match protocol telnet
> class-map match-all WWW
> match protocol http
> !
> !
> policy-map FILTER
> class CRAP
> set dscp af31
> class WWW
> set dscp af11
> class MAIL
> set precedence 3
> class TELBET
> !
> !
> !
> interface Ethernet0
> ip address PUBLIC ADDRESS
> ip nat outside
> ip virtual-reassembly
> half-duplex
> service-policy output FILTER
> !
> !
> interface FastEthernet0
> ip address PRIVATE ADDRESS
> ip nat inside
> ip virtual-reassembly
> speed auto
> !
>
> OK, so I upgraded the IOS I used and connected to a NON DSL link. The unit
> now has static pub ip at e0, and private on fa0.
> Still running nat. Started to mess with this a bit and made some great
> strides in my understanding of QOS.
> Still not able to get the youtube or google stuff to hit my class though.
> So I created another class called with www in it, that hits the queue just
> fine.
> So I added smtp and telnet to test this out, they all hit the queue just
> fine.
> What am I missing, below is an output showing the queue being hit just fine,
> all but the url specific stuff
>
> CCIE_LAB(config-pmap-c)#do sh policy-map int e0
> Ethernet0
> Service-policy output: FILTER
> Class-map: CRAP (match-all)
> 0 packets, 0 bytes
> 5 minute offered rate 0 bps, drop rate 0 bps
> Match: protocol http host "*youtube.com*"
> Match: protocol http host "*google*"
> QoS Set
> dscp af31
> Packets marked 0
> Class-map: WWW (match-all)
> 269 packets, 143494 bytes
> 5 minute offered rate 0 bps, drop rate 0 bps
> Match: protocol http
> QoS Set
> dscp af11
> Packets marked 269
> Class-map: MAIL (match-all)
> 139 packets, 14881 bytes
> 5 minute offered rate 0 bps, drop rate 0 bps
> Match: protocol smtp
> QoS Set
> precedence 3
> Packets marked 139
> Class-map: TELBET (match-all)
> 14 packets, 805 bytes
> 5 minute offered rate 0 bps
> Match: protocol telnet
> Class-map: class-default (match-any)
> 37569 packets, 19663891 bytes
> 5 minute offered rate 266000 bps, drop rate 0 bps
> Match: any
> CCIE_LAB(config-pmap-c)#
> CCIE_LAB(config-pmap-c)#
> CCIE_LAB(config-pmap-c)#
>
>
>
> ________________________________
>
> From: Pavel Bykov [mailto:slidersv@gmail.com]
> Sent: Tue 11/18/2008 8:20 PM
> To: Administrator
> Cc: omar parihuana; ccielab@groupstudy.com
> Subject: Re: CBWFQ to block Youtube
>
>
> Did you just paste commands right in the email editor? They don't look
> right...
>
> Anyway, steps to enable NBAR are:
> 1. ip cef <- O.K.
> 2. ip nbar protocol-discovery <- on interface to classify traffic! you don't
> have that!!!
>
> Also, support for NBAR on dialer has been introduced in 12.2T, so make sure
> you have not too old IOS.
>
> Recommended change to make sure everything works:
> interface FastEthernet0
> ip nbar protocol-discovery
> service-policy input BLOCK-youtube
>
> and then if
> "show policy-map int fa0 input" shows drops on "youtube" class, then try
> removing service policy from Fast and see if it works on dialer.
>
> That's a bit of an oldish router, isn't it?
>
>
> On Wed, Nov 19, 2008 at 2:00 AM, Administrator <Administrator@subfighter.ca> wrote:
>
>
> Here is the config, I have sanitized it a bit ...
>
> !
> hostname WOW_1710
> memory-size iomem 25
> aaa new-model
> !
> !
> aaa session-id common
> ip subnet-zero
> !
> !
> no ip domain lookup
> !
> ip cef
> ip audit notify log
> ip audit po max-events 100
> vpdn enable
> !
> vpdn-group pppoe
> request-dialin
> protocol pppoe
> !
> no ftp-server write-enable
> !
> !
> !
> !
> !
> !
> class-map match-all TELNET
> match protocol telnet
>
> class-map match-all youtube
> match protocol http host "*youtube.com*"
> !
>
> !
> policy-map BLOCK-youtube
> class youtube
> drop
>
> class TELNET
> drop
> !
> !
> !
> interface Ethernet0
> no ip address
> full-duplex
> pppoe enable
> pppoe-client dial-pool-number 1
> !
> interface FastEthernet0
> ip address 192.168.1.1 255.255.255.0 secondary
> ip address 10.1.200.200 255.255.255.0
> ip nat inside
> speed auto
> full-duplex
> !
> interface Dialer1
> ip address negotiated
> ip mtu 1452
> ip nat outside
>
> service-policy output BLOCK-youtube
>
> encapsulation ppp
> ip tcp adjust-mss 1392
> dialer pool 1
> dialer-group 1
> ppp authentication pap callin
> !
> ip nat inside source route-map NAT interface Dialer1 overload
>
> ip classless
> ip route 0.0.0.0 0.0.0.0 Dialer1
> access-list 118 permit ip 192.168.1.0 0.0.0.255 any
> access-list 118 permit ip 10.1.200.0 0.0.0.255 any
> !
> route-map NAT permit 10
> match ip address 118
> !
> !
> line con 0
> line aux 0
> line vty 0 4
> !
> !
> end
> WOW_1710#
>
>
> ________________________________
>
> From: Pavel Bykov [mailto:slidersv@gmail.com]
> Sent: Tue 11/18/2008 7:42 PM
> To: Administrator
> Cc: omar parihuana; ccielab@groupstudy.com
>
> Subject: Re: CBWFQ to block Youtube
>
>
> Please post us your show class-map, show policy-map and show run int x/x
> to see how your class-maps are defined, policy-maps and how you are applying
> it.
>
> Also, do you have IP CEF enabled globally? Without it, it will not work.
>
> P.S.: Brian, is that monkey talking on the microphone? :) I think everybody
> gets spam like that at work all the time. We do. I wouldn't quite put it in a
> time killer though.
> If someone wanted to waste time, there are whole realms dedicated to progress
> your boredom. e.g.: bored.com
>
>
>
> On Wed, Nov 19, 2008 at 1:16 AM, Administrator <Administrator@subfighter.ca> wrote:
>
>
> I have entered this exactly, and still things hit the default-class for some
> reason. Is it because I also have nat on the router? Does that affect the
> configuration someway?
>
> ________________________________
>
> From: omar parihuana [mailto:omar.parihuana@gmail.com]
> Sent: Tue 11/18/2008 3:43 PM
>
> To: Administrator
> Cc: ccielab@groupstudy.com
> Subject: Re: CBWFQ to block Youtube
>
>
>
> Try this:
>
> Voice_GW_LAB#sh run class-map
> Building configuration...
>
> Current configuration : 81 bytes
> !
> class-map match-all youtube
> match protocol http host "*youtube.com*"
> !
> end
>
> Voice_GW_LAB#sh run policy-map
> Building configuration...
>
> Current configuration : 59 bytes
> !
> policy-map BLOCK-youtube
> class youtube
> drop
> !
> end
>
> Voice_GW_LAB#sh run int f0/1
> Building configuration...
>
> Current configuration : 234 bytes
> !
> interface FastEthernet0/1
> ...
> service-policy output BLOCK-youtube
> end
>
> Voice_GW_LAB#
>
> Voice_GW_LAB#sh policy-map interface f0/1
> FastEthernet0/1
>
> Service-policy output: BLOCK-youtube
>
> Class-map: youtube (match-all)
> 27 packets, 29642 bytes
> 5 minute offered rate 0 bps, drop rate 0 bps
> Match: protocol http host "*youtube.com*"
> drop
>
> Class-map: class-default (match-any)
> 15842 packets, 1412490 bytes
> 5 minute offered rate 0 bps, drop rate 0 bps
> Match: any
> Voice_GW_LAB#
>
>
>
>
> On Tue, Nov 18, 2008 at 2:59 PM, Administrator <Administrator@subfighter.ca> wrote:
>
>
>
> Hi there, I was just doing a lab and thought I would try something on my test
> DSL connection.
>
> My intent was to block www.youtube.com with QOS
>
> Here is what I have ...
>
> !
> class-map match-all YOUTUBE
> match protocol http url "www.youtube.com"
> !
> !
> policy-map CBWFQ_SHAPE_OUT
> class YOUTUBE
> drop
> !
> !
> interface Ethernet0
> service-policy output CBWFQ_SHAPE_OUT
> !
>
>
>
> But for some reason, it doesn't work. I have CEF enabled. When I do a show
> policy-map int e0, it shows everything hitting the default class-default
>
> I am sure I am missing something simple, but my QOS skillz are low and am
> trying to build them. Thanks !
>
>
> Blogs and organic groups at http://www.ccie.net
>
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
> --
>
> Omar E.P.T
> -----------------
> Certified Networking Professionals make better Connections!
>
> --
> Pavel Bykov
> -------------------------------------------------
> Stop the braindumps!
> http://www.stopbraindumps.com/
>
> --
> Pavel Bykov
> -------------------------------------------------
> Stop the braindumps!
> http://www.stopbraindumps.com/
>

Blogs and organic groups at http://www.ccie.net
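
Added example, not part of the original thread or of any router software: a small Python model of how the FILTER policy-map from the quoted config classifies traffic when class CRAP is `match-all` versus `match-any`. It assumes glob matching on the HTTP Host header approximates `match protocol http host`, and that the first matching class in policy-map order wins; the function names and sample flows are constructed for illustration.

```python
from fnmatch import fnmatch

def host_rule(pattern):
    """Stand-in for: match protocol http host "<pattern>" (assumed glob semantics)."""
    return lambda flow: flow["proto"] == "http" and fnmatch(flow.get("host", ""), pattern)

def proto_rule(name):
    """Stand-in for: match protocol <name>."""
    return lambda flow: flow["proto"] == name

def class_matches(mode, rules, flow):
    # match-all: every match statement must be true (logical AND).
    # match-any: a single true match statement is enough (logical OR).
    combine = all if mode == "match-all" else any
    return combine(rule(flow) for rule in rules)

def classify(policy, flows):
    """Count flows per class; unmatched flows fall through to class-default."""
    counters = {name: 0 for name, _, _ in policy}
    counters["class-default"] = 0
    for flow in flows:
        for name, mode, rules in policy:
            if class_matches(mode, rules, flow):
                counters[name] += 1
                break
        else:
            counters["class-default"] += 1
    return counters

def build_policy(crap_mode):
    """Policy-map FILTER from the thread, with the CRAP class mode as a parameter."""
    crap = [host_rule("*youtube.com*"), host_rule("*google*")]
    return [
        ("CRAP", crap_mode, crap),
        ("WWW", "match-all", [proto_rule("http")]),
        ("MAIL", "match-all", [proto_rule("smtp")]),
        ("TELBET", "match-all", [proto_rule("telnet")]),
    ]

# Constructed sample traffic (not the counters shown in the thread).
FLOWS = [
    {"proto": "http", "host": "www.youtube.com"},
    {"proto": "http", "host": "www.google.com"},
    {"proto": "http", "host": "www.cisco.com"},
    {"proto": "smtp"},
    {"proto": "telnet"},
    {"proto": "dns"},
]

# No single Host header contains both "youtube.com" and "google", so the
# match-all version of CRAP stays empty and all HTTP lands in WWW.
AS_POSTED = classify(build_policy("match-all"), FLOWS)
WITH_MATCH_ANY = classify(build_policy("match-any"), FLOWS)
```
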



This archive was generated by hypermail 2.1.4 : Mon Dec 01 2008 - 08:18:31 ARST