From: Mujeeb Sarwar (mujeebsarwar@gmail.com)
Date: Wed Nov 19 2008 - 11:44:05 ARST
Hi,
We can use *match protocol http url* to match jpeg or mpeg etc.
We can use *match protocol http host* to match www.cisco.com.
What would be the best possible configuration to match the following URL, e.g.
www.cisco.com/go/univercd
Thanks & Regards,
Mujeeb
On Wed, Nov 19, 2008 at 3:10 PM, Pavel Bykov <slidersv@gmail.com> wrote:
> Wow, that came as a surprise. Now it really is "optional" command.
>
> Administrator, can you please post "show ver" from your router?
>
>
> On Wed, Nov 19, 2008 at 4:26 AM, Narbik Kocharians <narbikk@gmail.com> wrote:
>
> > I don't remember which versions, but in the older IOS version/s it had to
> > be enabled but NOT in the new ones.
> >
> > On Tue, Nov 18, 2008 at 7:03 PM, Huan Pham <Huan.Pham@peopletelecom.com.au> wrote:
> >
> >> Hi Pavel,
> >>
> >> Just a quick note:
> >>
> >> My understanding is that you do not need to enable NBAR protocol discovery
> >> to do NBAR-based classification. I will have a look at the config below
> >> and see if anything is missing later.
> >>
> >> NBAR discovery is used for a different purpose, so that you can quickly
> >> see what's going on in/out of that interface. You can have a look at the
> >> QoS configuration guide or command guide for more info.
> >>
> >> Here's brief info:
> >>
> >> NBAR Protocol Discovery
> >>
> >> NBAR includes a feature called Protocol Discovery. Protocol Discovery
> >> provides an easy way to discover the application protocols that are
> >> operating on an interface.
> >>
> >>
> >>
> >> Rack1R1(config-if)#ip nbar protocol-discovery
> >> Rack1R1(config-if)#
> >>
> >>
> >> You can view what protocol is going in/out on that interface using
> >>
> >> Rack1R1#sh ip nbar protocol-discovery int fa0/0 top-n 5
> >>
> >>  FastEthernet0/0
> >>                            Input                    Output
> >>                            -----                    ------
> >>   Protocol                 Packet Count             Packet Count
> >>                            Byte Count               Byte Count
> >>                            5min Bit Rate (bps)      5min Bit Rate (bps)
> >>                            5min Max Bit Rate (bps)  5min Max Bit Rate (bps)
> >>   ------------------------ ------------------------ ------------------------
> >>   rip                      16                       3
> >>                            6496                     1278
> >>                            1000                     0
> >>                            1000                     0
> >>   bgp                      0                        0
> >>                            0                        0
> >>                            0                        0
> >>                            0                        0
> >>   citrix                   0                        0
> >>                            0                        0
> >>                            0                        0
> >>                            0                        0
> >>   cuseeme                  0                        0
> >>                            0                        0
> >>                            0                        0
> >>                            0                        0
> >>   custom-01                0                        0
> >>                            0                        0
> >>                            0                        0
> >>                            0                        0
> >>   unknown                  0                        0
> >>                            0                        0
> >>                            0                        0
> >>                            0                        0
> >>   Total                    16                       3
> >>                            6496                     1278
> >>                            1000                     0
> >>                            1000                     0
> >>
> >>
> >>
> >>
> >>
> >> -----Original Message-----
> >> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> >> Pavel Bykov
> >> Sent: Wednesday, 19 November 2008 1:20 PM
> >> To: Administrator
> >> Cc: omar parihuana; ccielab@groupstudy.com
> >> Subject: Re: CBWFQ to block Youtube
> >>
> >> Did you just paste commands right in the email editor? They don't look
> >> right...
> >>
> >> Anyway, steps to enable NBAR are:
> >> 1. ip cef <- O.K.
> >> 2. ip nbar protocol-discovery <- on interface to classify traffic! you
> >> don't have that!!!
> >>
> >> Also, support for NBAR on dialer has been introduced in 12.2T, so make
> >> sure you have not too old IOS.
> >>
> >> Recommended change to make sure everything works:
> >> interface FastEthernet0
> >> ip nbar protocol-discovery
> >> service-policy input BLOCK-youtube
> >>
> >> and then if
> >> "show policy-map int fa0 input" shows drops on "youtube" class, then try
> >> removing service policy from Fast and see if it works on dialer.
> >>
> >> That's a bit of an oldish router, isn't it?
> >>
> >> On Wed, Nov 19, 2008 at 2:00 AM, Administrator <Administrator@subfighter.ca> wrote:
> >>
> >> > Here is the config, I have sanitized it a bit ...
> >> >
> >> > !
> >> > hostname WOW_1710
> >> > memory-size iomem 25
> >> > aaa new-model
> >> > !
> >> > !
> >> > aaa session-id common
> >> > ip subnet-zero
> >> > !
> >> > !
> >> > no ip domain lookup
> >> > !
> >> > ip cef
> >> > ip audit notify log
> >> > ip audit po max-events 100
> >> > vpdn enable
> >> > !
> >> > vpdn-group pppoe
> >> > request-dialin
> >> > protocol pppoe
> >> > !
> >> > no ftp-server write-enable
> >> > !
> >> > !
> >> > !
> >> > !
> >> > !
> >> > !
> >> > class-map match-all TELNET
> >> > match protocol telnet
> >> > class-map match-all youtube
> >> > match protocol http host "*youtube.com*"
> >> > !
> >> > !
> >> > policy-map BLOCK-youtube
> >> > class youtube
> >> > drop
> >> > class TELNET
> >> > drop
> >> > !
> >> > !
> >> > !
> >> > interface Ethernet0
> >> > no ip address
> >> > full-duplex
> >> > pppoe enable
> >> > pppoe-client dial-pool-number 1
> >> > !
> >> > interface FastEthernet0
> >> >  ip address 192.168.1.1 255.255.255.0 secondary
> >> >  ip address 10.1.200.200 255.255.255.0
> >> >  ip nat inside
> >> >  speed auto
> >> >  full-duplex
> >> > !
> >> > interface Dialer1
> >> > ip address negotiated
> >> > ip mtu 1452
> >> > ip nat outside
> >> > service-policy output BLOCK-youtube
> >> > encapsulation ppp
> >> > ip tcp adjust-mss 1392
> >> > dialer pool 1
> >> > dialer-group 1
> >> > ppp authentication pap callin
> >> > !
> >> > ip nat inside source route-map NAT interface Dialer1 overload
> >> >
> >> > ip classless
> >> > ip route 0.0.0.0 0.0.0.0 Dialer1
> >> > access-list 118 permit ip 192.168.1.0 0.0.0.255 any
> >> > access-list 118 permit ip 10.1.200.0 0.0.0.255 any
> >> > !
> >> > route-map NAT permit 10
> >> > match ip address 118
> >> > !
> >> > !
> >> > line con 0
> >> > line aux 0
> >> > line vty 0 4
> >> > !
> >> > !
> >> > end
> >> > WOW_1710#
> >> >
> >> > ------------------------------
> >> > *From:* Pavel Bykov [mailto:slidersv@gmail.com]
> >> > *Sent:* Tue 11/18/2008 7:42 PM
> >> > *To:* Administrator
> >> > *Cc:* omar parihuana; ccielab@groupstudy.com
> >> >
> >> > *Subject:* Re: CBWFQ to block Youtube
> >> >
> >> > Please post us your show class-map, show policy-map and show run int
> >> > x/x to see how your class-maps are defined, policy-maps and how you
> >> > are applying it.
> >> >
> >> > Also, do you have IP CEF enabled globally? Without it, it will not
> >> > work.
> >> >
> >> > P.S.: Brian, is that monkey talking on the microphone? :) I think
> >> > everybody gets spam like that at work all the time. we do. I wouldn't
> >> > quite put it in a time killer though.
> >> > If someone wanted to waste time, there are whole realms dedicated to
> >> > progress your boredom. e.g.: bored.com
> >> >
> >> >
> >> > On Wed, Nov 19, 2008 at 1:16 AM, Administrator <Administrator@subfighter.ca> wrote:
> >> >
> >> >> I have entered this exactly, and still things hit the default class
> >> >> for some reason. Is it because I also have NAT on the router? Does
> >> >> that affect the configuration somehow?
> >> >>
> >> >> ________________________________
> >> >>
> >> >> From: omar parihuana [mailto:omar.parihuana@gmail.com]
> >> >> Sent: Tue 11/18/2008 3:43 PM
> >> >> To: Administrator
> >> >> Cc: ccielab@groupstudy.com
> >> >> Subject: Re: CBWFQ to block Youtube
> >> >>
> >> >>
> >> >> Try this:
> >> >>
> >> >> Voice_GW_LAB#sh run class-map
> >> >> Building configuration...
> >> >>
> >> >> Current configuration : 81 bytes
> >> >> !
> >> >> class-map match-all youtube
> >> >> match protocol http host "*youtube.com*"
> >> >> !
> >> >> end
> >> >>
> >> >> Voice_GW_LAB#sh run policy-map
> >> >> Building configuration...
> >> >>
> >> >> Current configuration : 59 bytes
> >> >> !
> >> >> policy-map BLOCK-youtube
> >> >> class youtube
> >> >> drop
> >> >> !
> >> >> end
> >> >>
> >> >> Voice_GW_LAB#sh run int f0/1
> >> >> Building configuration...
> >> >>
> >> >> Current configuration : 234 bytes
> >> >> !
> >> >> interface FastEthernet0/1
> >> >> ...
> >> >> service-policy output BLOCK-youtube
> >> >> end
> >> >>
> >> >> Voice_GW_LAB#
> >> >>
> >> >> Voice_GW_LAB#sh policy-map interface f0/1
> >> >> FastEthernet0/1
> >> >>
> >> >> Service-policy output: BLOCK-youtube
> >> >>
> >> >> Class-map: youtube (match-all)
> >> >> 27 packets, 29642 bytes
> >> >> 5 minute offered rate 0 bps, drop rate 0 bps
> >> >> Match: protocol http host "*youtube.com*"
> >> >> drop
> >> >>
> >> >> Class-map: class-default (match-any)
> >> >> 15842 packets, 1412490 bytes
> >> >> 5 minute offered rate 0 bps, drop rate 0 bps
> >> >> Match: any
> >> >> Voice_GW_LAB#
> >> >>
> >> >>
> >> >>
> >> >>
> >> >> On Tue, Nov 18, 2008 at 2:59 PM, Administrator <Administrator@subfighter.ca> wrote:
> >> >>
> >> >>
> >> >> Hi there, I was just doing a lab and thought I would try something
> >> >> on my test DSL connection.
> >> >>
> >> >> My intent was to block www.youtube.com with QOS
> >> >>
> >> >> Here is what I have ...
> >> >>
> >> >> !
> >> >> class-map match-all YOUTUBE
> >> >> match protocol http url "www.youtube.com"
> >> >> !
> >> >> !
> >> >> policy-map CBWFQ_SHAPE_OUT
> >> >> class YOUTUBE
> >> >> drop
> >> >> !
> >> >> !
> >> >> interface Ethernet0
> >> >> service-policy output CBWFQ_SHAPE_OUT
> >> >> !
> >> >>
> >> >>
> >> >>
> >> >> But for some reason, it doesn't work. I have CEF enabled. When I do a
> >> >> show policy-map int e0, it shows everything hitting class-default.
> >> >>
> >> >> I am sure I am missing something simple, but my QOS skillz are low
> >> >> and I am trying to build them. Thanks!
> >> >>
> >> >>
> >> >> Blogs and organic groups at http://www.ccie.net
> >> >>
> >> >> _______________________________________________________________________
> >> >> Subscription information may be found at:
> >> >> http://www.groupstudy.com/list/CCIELab.html
> >> >>
> >> >> --
> >> >> Omar E.P.T
> >> >> -----------------
> >> >> Certified Networking Professionals make better Connections!
> >> >>
> >> >>
> >> >
> >> >
> >> > --
> >> > Pavel Bykov
> >> > -------------------------------------------------
> >> > Stop the braindumps!
> >> > http://www.stopbraindumps.com/
> >> >
> >> >
> >>
> >>
> >> --
> >> Pavel Bykov
> >> -------------------------------------------------
> >> Stop the braindumps!
> >> http://www.stopbraindumps.com/
> >>
> >>
> >
> >
> > --
> > Narbik Kocharians
> > CCSI#30832, CCIE# 12410 (R&S, SP, Security)
> > www.MicronicsTraining
> > www.Net-Workbooks.com <http://www.net-workbooks.com/>
> > Sr. Technical Instructor
> >
>
>
>
> --
> Pavel Bykov
> -------------------------------------------------
> Stop the braindumps!
> http://www.stopbraindumps.com/
>
>
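An added example, not posted by anyone in this thread, of the class-map Mujeeb asks about at the top: matching both the hostname and the path of www.cisco.com/go/univercd. The class-map, policy-map and interface names and the "/go/univercd*" pattern are my assumptions. It pairs the two NBAR HTTP matches in a match-all class-map, because the host keyword is compared against the HTTP Host header while the url keyword is compared against the path in the request line. That distinction is also why the first post's match protocol http url "www.youtube.com" never matched anything and the later match protocol http host "*youtube.com*" did.

```cisco
! Added example; names and the path pattern are assumptions, not from the thread.
ip cef
!
! Both statements must be true of the same HTTP flow, hence match-all:
!   host  -> compared against the Host header (www.cisco.com)
!   url   -> compared against the request path (/go/univercd...)
class-map match-all CISCO-UNIVERCD
 match protocol http host "www.cisco.com"
 match protocol http url "/go/univercd*"
!
! For comparison, the form that finally worked in this thread for YouTube:
! a wildcarded host match, not a url match on the hostname.
class-map match-all YOUTUBE
 match protocol http host "*youtube.com*"
!
policy-map BLOCK-HOSTS
 class CISCO-UNIVERCD
  drop
 class YOUTUBE
  drop
!
interface Dialer1
 service-policy output BLOCK-HOSTS
!
! Check that packets are actually landing in the class, not in class-default:
!   show policy-map interface Dialer1 output
```

Two caveats a practitioner should keep in mind. NBAR classifies on cleartext HTTP, so HTTPS requests to the same sites are never seen by these matches. And both the Host header and the path are supplied by the client, so this is traffic classification, not an access control that a deliberate user cannot get around. If the counters for the class stay at zero in show policy-map interface, the classification rather than the drop action is what is broken, which is exactly what the show policy-map output earlier in this thread was used to diagnose.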
This archive was generated by hypermail 2.1.4 : Mon Dec 01 2008 - 08:18:31 ARST