Re: CBWFQ to block Youtube

From: Pavel Bykov (slidersv@gmail.com)
Date: Wed Nov 19 2008 - 09:10:21 ARST


Wow, that came as a surprise. Now it really is "optional" command.

Administrator, can you please post "show ver" from your router?

On Wed, Nov 19, 2008 at 4:26 AM, Narbik Kocharians <narbikk@gmail.com> wrote:

> I don't remember which versions but in the older IOS version/s it had to be
> enabled but NOT the new ones.
>
> On Tue, Nov 18, 2008 at 7:03 PM, Huan Pham <Huan.Pham@peopletelecom.com.au>
> wrote:
>
>> Hi Pavel,
>>
>> Just a quick note:
>>
>> My understanding is that you do not need to enable NBAR protocol discovery
>> to do NBAR based classification. I will have a look at the config below,
>> and see if anything is missing later.
>>
>> NBAR discovery is used for a different purpose, so that you can quickly
>> see what's going on in/out of that interface. You can have a look at the
>> QoS configuration guide or command guide for more info.
>>
>> Here's brief info:
>>
>> NBAR Protocol Discovery
>>
>> NBAR includes a feature called Protocol Discovery. Protocol Discovery
>> provides an easy way to discover the application protocols that are
>> operating on an interface.
>>
>> Rack1R1(config-if)#ip nbar protocol-discovery
>> Rack1R1(config-if)#
>>
>>
>> You can view what protocol is going in/out on that interface using
>>
>> Rack1R1#sh ip nbar protocol-discovery int fa0/0 top-n 5
>>
>> FastEthernet0/0
>>                            Input                    Output
>>                            -----                    ------
>>   Protocol                 Packet Count             Packet Count
>>                            Byte Count               Byte Count
>>                            5min Bit Rate (bps)      5min Bit Rate (bps)
>>                            5min Max Bit Rate (bps)  5min Max Bit Rate (bps)
>>   ------------------------ ------------------------ ------------------------
>>   rip                      16                       3
>>                            6496                     1278
>>                            1000                     0
>>                            1000                     0
>>   bgp                      0                        0
>>                            0                        0
>>                            0                        0
>>                            0                        0
>>   citrix                   0                        0
>>                            0                        0
>>                            0                        0
>>                            0                        0
>>   cuseeme                  0                        0
>>                            0                        0
>>                            0                        0
>>                            0                        0
>>   custom-01                0                        0
>>                            0                        0
>>                            0                        0
>>                            0                        0
>>   unknown                  0                        0
>>                            0                        0
>>                            0                        0
>>                            0                        0
>>   Total                    16                       3
>>                            6496                     1278
>>                            1000                     0
>>                            1000                     0
>>
>> -----Original Message-----
>> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>> Pavel Bykov
>> Sent: Wednesday, 19 November 2008 1:20 PM
>> To: Administrator
>> Cc: omar parihuana; ccielab@groupstudy.com
>> Subject: Re: CBWFQ to block Youtube
>>
>> Did you just paste commands right in the email editor? They don't look
>> right...
>>
>> Anyway, steps to enable NBAR are:
>> 1. ip cef <- O.K.
>> 2. ip nbar protocol-discovery <- on interface to classify traffic! You
>> don't have that!!!
>>
>> Also, support for NBAR on dialer has been introduced in 12.2T, so make
>> sure your IOS is not too old.
>>
>> Recommended change to make sure everything works:
>> interface FastEthernet0
>> ip nbar protocol-discovery
>> service-policy input BLOCK-youtube
>>
>> and then if
>> "show policy-map int fa0 input" shows drops on "youtube" class, then try
>> removing service policy from Fast and see if it works on dialer.
>>
>> That's a bit of an oldish router, isn't it?
>>
>> On Wed, Nov 19, 2008 at 2:00 AM, Administrator
>> <Administrator@subfighter.ca> wrote:
>>
>> > Here is the config, I have sanitized it a bit ...
>> >
>> > !
>> > hostname WOW_1710
>> > memory-size iomem 25
>> > aaa new-model
>> > !
>> > !
>> > aaa session-id common
>> > ip subnet-zero
>> > !
>> > !
>> > no ip domain lookup
>> > !
>> > ip cef
>> > ip audit notify log
>> > ip audit po max-events 100
>> > vpdn enable
>> > !
>> > vpdn-group pppoe
>> > request-dialin
>> > protocol pppoe
>> > !
>> > no ftp-server write-enable
>> > !
>> > !
>> > !
>> > !
>> > !
>> > !
>> > class-map match-all TELNET
>> > match protocol telnet
>> > class-map match-all youtube
>> > match protocol http host "*youtube.com*"
>> > !
>> > !
>> > policy-map BLOCK-youtube
>> > class youtube
>> > drop
>> > class TELNET
>> > drop
>> > !
>> > !
>> > !
>> > interface Ethernet0
>> > no ip address
>> > full-duplex
>> > pppoe enable
>> > pppoe-client dial-pool-number 1
>> > !
>> > interface FastEthernet0
>> > ip address 192.168.1.1 255.255.255.0 secondary
>> > ip address 10.1.200.200 255.255.255.0
>> > ip nat inside
>> > speed auto
>> > full-duplex
>> > !
>> > interface Dialer1
>> > ip address negotiated
>> > ip mtu 1452
>> > ip nat outside
>> > service-policy output BLOCK-youtube
>> > encapsulation ppp
>> > ip tcp adjust-mss 1392
>> > dialer pool 1
>> > dialer-group 1
>> > ppp authentication pap callin
>> > !
>> > ip nat inside source route-map NAT interface Dialer1 overload
>> >
>> > ip classless
>> > ip route 0.0.0.0 0.0.0.0 Dialer1
>> > access-list 118 permit ip 192.168.1.0 0.0.0.255 any
>> > access-list 118 permit ip 10.1.200.0 0.0.0.255 any
>> > !
>> > route-map NAT permit 10
>> > match ip address 118
>> > !
>> > !
>> > line con 0
>> > line aux 0
>> > line vty 0 4
>> > !
>> > !
>> > end
>> > WOW_1710#
>> >
>> > ------------------------------
>> > *From:* Pavel Bykov [mailto:slidersv@gmail.com]
>> > *Sent:* Tue 11/18/2008 7:42 PM
>> > *To:* Administrator
>> > *Cc:* omar parihuana; ccielab@groupstudy.com
>> >
>> > *Subject:* Re: CBWFQ to block Youtube
>> >
>> > Please post us your show class-map, show policy-map and show run int
>> > x/x to see how your class-maps are defined, policy-maps and how you
>> > are applying it.
>> >
>> > Also, do you have IP CEF enabled globally? Without it, it will not
>> > work.
>> >
>> > P.S.: Brian, is that monkey talking on the microphone? :) I think
>> > everybody gets spam like that at work all the time. We do. I wouldn't
>> > quite put it in a time killer though.
>> > If someone wanted to waste time, there are whole realms dedicated to
>> > progress your boredom. e.g.: bored.com
>> >
>> >
>> > On Wed, Nov 19, 2008 at 1:16 AM, Administrator
>> > <Administrator@subfighter.ca> wrote:
>> >
>> >> I have entered this exactly, and still things hit the default-class
>> >> for some reason. Is it because I also have nat on the router? Does
>> >> that affect the configuration in some way?
>> >>
>> >> ________________________________
>> >>
>> >> From: omar parihuana [mailto:omar.parihuana@gmail.com]
>> >> Sent: Tue 11/18/2008 3:43 PM
>> >> To: Administrator
>> >> Cc: ccielab@groupstudy.com
>> >> Subject: Re: CBWFQ to block Youtube
>> >>
>> >>
>> >> Try this:
>> >>
>> >> Voice_GW_LAB#sh run class-map
>> >> Building configuration...
>> >>
>> >> Current configuration : 81 bytes
>> >> !
>> >> class-map match-all youtube
>> >> match protocol http host "*youtube.com*"
>> >> !
>> >> end
>> >>
>> >> Voice_GW_LAB#sh run policy-map
>> >> Building configuration...
>> >>
>> >> Current configuration : 59 bytes
>> >> !
>> >> policy-map BLOCK-youtube
>> >> class youtube
>> >> drop
>> >> !
>> >> end
>> >>
>> >> Voice_GW_LAB#sh run int f0/1
>> >> Building configuration...
>> >>
>> >> Current configuration : 234 bytes
>> >> !
>> >> interface FastEthernet0/1
>> >> ...
>> >> service-policy output BLOCK-youtube
>> >> end
>> >>
>> >> Voice_GW_LAB#
>> >>
>> >> Voice_GW_LAB#sh policy-map interface f0/1
>> >> FastEthernet0/1
>> >>
>> >> Service-policy output: BLOCK-youtube
>> >>
>> >> Class-map: youtube (match-all)
>> >> 27 packets, 29642 bytes
>> >> 5 minute offered rate 0 bps, drop rate 0 bps
>> >> Match: protocol http host "*youtube.com*"
>> >> drop
>> >>
>> >> Class-map: class-default (match-any)
>> >> 15842 packets, 1412490 bytes
>> >> 5 minute offered rate 0 bps, drop rate 0 bps
>> >> Match: any
>> >> Voice_GW_LAB#
>> >>
>> >> On Tue, Nov 18, 2008 at 2:59 PM, Administrator
>> >> <Administrator@subfighter.ca> wrote:
>> >>
>> >>
>> >> Hi there, I was just doing a lab and thought I would try something
>> >> on my test DSL connection.
>> >>
>> >> My intent was to block www.youtube.com with QOS
>> >>
>> >> Here is what I have ...
>> >>
>> >> !
>> >> class-map match-all YOUTUBE
>> >> match protocol http url "www.youtube.com"
>> >> !
>> >> !
>> >> policy-map CBWFQ_SHAPE_OUT
>> >> class YOUTUBE
>> >> drop
>> >> !
>> >> !
>> >> interface Ethernet0
>> >> service-policy output CBWFQ_SHAPE_OUT
>> >> !
>> >>
>> >> But for some reason, it doesn't work. I have CEF enabled.
>> >> When I do a show policy-map int e0, it shows everything hitting
>> >> the default class (class-default).
>> >>
>> >> I am sure I am missing something simple, but my QOS skillz are
>> >> low and am trying to build them. Thanks !
>> >>
>> >>
>> >> Blogs and organic groups at http://www.ccie.net
>> >>
>> >> _______________________________________________________________________
>> >> Subscription information may be found at:
>> >> http://www.groupstudy.com/list/CCIELab.html
>> >>
>> >> --
>> >> Omar E.P.T
>> >> -----------------
>> >> Certified Networking Professionals make better Connections!
>> >>
>> >>
>> >>
>> >
>> >
>> > --
>> > Pavel Bykov
>> > -------------------------------------------------
>> > Stop the braindumps!
>> > http://www.stopbraindumps.com/
>> >
>> >
>>
>>
>> --
>> Pavel Bykov
>> -------------------------------------------------
>> Stop the braindumps!
>> http://www.stopbraindumps.com/
>>
>>
>>
>
>
> --
> Narbik Kocharians
> CCSI#30832, CCIE# 12410 (R&S, SP, Security)
> www.MicronicsTraining
> www.Net-Workbooks.com
> Sr. Technical Instructor
>

-- 
Pavel Bykov
-------------------------------------------------
Stop the braindumps!
http://www.stopbraindumps.com/
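As an added example (mine, not code from any of the posters), a small Python parser for the `show policy-map interface` counters quoted in the thread, implementing the check everybody keeps coming back to: does the NBAR class see any traffic, or is everything falling through to class-default? The sample output is constructed to mirror Omar's paste, with a second copy zeroed out to stand for the Administrator's non-working router.

```python
import re

# Constructed sample, modelled on the "sh policy-map interface" paste in the
# thread (hypothetical counters, not a capture from a real device).
SAMPLE_WORKING = """\
FastEthernet0/1

  Service-policy output: BLOCK-youtube

    Class-map: youtube (match-all)
      27 packets, 29642 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol http host "*youtube.com*"
      drop

    Class-map: class-default (match-any)
      15842 packets, 1412490 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
"""
# Same policy when NBAR is not classifying: the user class sees nothing and
# every packet falls through to class-default (the symptom in the thread).
SAMPLE_BROKEN = SAMPLE_WORKING.replace("27 packets, 29642 bytes",
                                       "0 packets, 0 bytes")

CLASS_RE = re.compile(r"^\s*Class-map:\s+(\S+)\s+\((match-\w+)\)")
COUNT_RE = re.compile(r"^\s*(\d+) packets, (\d+) bytes")


def parse_policy_map(output: str) -> dict:
    """Map each class-map name to its match type and packet/byte counters."""
    classes: dict = {}
    current = None
    for line in output.splitlines():
        m = CLASS_RE.match(line)
        if m:
            current = m.group(1)
            classes[current] = {"match": m.group(2), "packets": 0, "bytes": 0}
            continue
        m = COUNT_RE.match(line)
        if m and current is not None:
            classes[current]["packets"] = int(m.group(1))
            classes[current]["bytes"] = int(m.group(2))
    return classes


def classes_with_hits(classes: dict) -> list:
    """User-defined classes that matched traffic; empty means NBAR is not classifying."""
    return [name for name, c in classes.items()
            if name != "class-default" and c["packets"] > 0]
```

Feed it the output of `show policy-map interface` after applying the policy: a non-empty list confirms the `match protocol http host` class is being hit, while an empty list with a busy class-default points at the NBAR/CEF problems discussed above rather than at the drop action.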




This archive was generated by hypermail 2.1.4 : Mon Dec 01 2008 - 08:18:31 ARST