From: Artur Sant'Anna (artur.lists@gmail.com)
Date: Wed Nov 19 2008 - 12:04:17 ARST
Hi,
If I wanted to match exactly this URL and only this one, I would go with:
class-map match-all DOCCD
match protocol http host "www.cisco.com"
match protocol http url "univercd"
Regards,
2008/11/19 Mujeeb Sarwar <mujeebsarwar@gmail.com>
> Hi,
>
> We can use *match protocol http url* to match jpeg or mpeg etc
>
> We can use *match protocol http host* to match www.cisco.com
>
> What could be the best possible configuration to match following url e.g
> www.cisco.com/go/univercd
>
>
>
> Thanks & Regards,
>
> Mujeeb
> On Wed, Nov 19, 2008 at 3:10 PM, Pavel Bykov <slidersv@gmail.com> wrote:
>
> > Wow, that came as a surprise. Now it really is "optional" command.
> >
> > Administrator, can you please post "show ver" from your router?
> >
> >
> > On Wed, Nov 19, 2008 at 4:26 AM, Narbik Kocharians <narbikk@gmail.com> wrote:
> >
> > > I don't remember which versions but in the older IOS version/s it had to be
> > > enabled but NOT the new ones.
> > >
> > > On Tue, Nov 18, 2008 at 7:03 PM, Huan Pham <Huan.Pham@peopletelecom.com.au> wrote:
> > >
> > >> Hi Pavel,
> > >>
> > >> Just a quick note:
> > >>
> > >> My understanding is that you do not need to enable NBAR protocol discovery
> > >> to do NBAR based classification. I will have a look at the config below,
> > >> and see if anything is missing later.
> > >>
> > >> NBAR discovery is used for a different purpose, so that you can quickly
> > >> see what's going on in/out of that interface. You can have a look at the
> > >> QoS configuration guide or command guide for more info.
> > >>
> > >> Here's brief info:
> > >>
> > >> NBAR Protocol Discovery
> > >>
> > >> NBAR includes a feature called Protocol Discovery. Protocol Discovery
> > >> provides an easy way to discover the application protocols that are
> > >> operating on an interface.
> > >>
> > >>
> > >>
> > >> Rack1R1(config-if)#ip nbar protocol-discovery
> > >> Rack1R1(config-if)#
> > >>
> > >>
> > >> You can view what protocols are going in/out on that interface using
> > >>
> > >> Rack1R1#sh ip nbar protocol-discovery int fa0/0 top-n 5
> > >>
> > >>  FastEthernet0/0
> > >>                             Input                    Output
> > >>                             -----                    ------
> > >>    Protocol                 Packet Count             Packet Count
> > >>                             Byte Count               Byte Count
> > >>                             5min Bit Rate (bps)      5min Bit Rate (bps)
> > >>                             5min Max Bit Rate (bps)  5min Max Bit Rate (bps)
> > >>    ------------------------ ------------------------ ------------------------
> > >>    rip                      16                       3
> > >>                             6496                     1278
> > >>                             1000                     0
> > >>                             1000                     0
> > >>    bgp                      0                        0
> > >>                             0                        0
> > >>                             0                        0
> > >>                             0                        0
> > >>    citrix                   0                        0
> > >>                             0                        0
> > >>                             0                        0
> > >>                             0                        0
> > >>    cuseeme                  0                        0
> > >>                             0                        0
> > >>                             0                        0
> > >>                             0                        0
> > >>    custom-01                0                        0
> > >>                             0                        0
> > >>                             0                        0
> > >>                             0                        0
> > >>    unknown                  0                        0
> > >>                             0                        0
> > >>                             0                        0
> > >>                             0                        0
> > >>    Total                    16                       3
> > >>                             6496                     1278
> > >>                             1000                     0
> > >>                             1000                     0
> > >>
> > >> -----Original Message-----
> > >> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > >> Pavel Bykov
> > >> Sent: Wednesday, 19 November 2008 1:20 PM
> > >> To: Administrator
> > >> Cc: omar parihuana; ccielab@groupstudy.com
> > >> Subject: Re: CBWFQ to block Youtube
> > >>
> > >> Did you just paste commands right in the email editor? They don't look
> > >> right...
> > >>
> > >> Anyway, steps to enable NBAR are:
> > >> 1. ip cef <- O.K.
> > >> 2. ip nbar protocol-discovery <- on interface to classify traffic! you
> > >> don't have that!!!
> > >>
> > >> Also, support for NBAR on dialer has been introduced in 12.2T, so make
> > >> sure you have not too old IOS.
> > >>
> > >> Recommended change to make sure everything works:
> > >> interface FastEthernet0
> > >> ip nbar protocol-discovery
> > >> service-policy input BLOCK-youtube
> > >>
> > >> and then if
> > >> "show policy-map int fa0 input" shows drops on "youtube" class, then try
> > >> removing service policy from Fast and see if it works on dialer.
> > >>
> > >> That's a bit oldish router, isn't it?
> > >>
> > >> On Wed, Nov 19, 2008 at 2:00 AM, Administrator <Administrator@subfighter.ca> wrote:
> > >>
> > >> > Here is the config, I have sanitized it a bit ...
> > >> >
> > >> > !
> > >> > hostname WOW_1710
> > >> > memory-size iomem 25
> > >> > aaa new-model
> > >> > !
> > >> > !
> > >> > aaa session-id common
> > >> > ip subnet-zero
> > >> > !
> > >> > !
> > >> > no ip domain lookup
> > >> > !
> > >> > ip cef
> > >> > ip audit notify log
> > >> > ip audit po max-events 100
> > >> > vpdn enable
> > >> > !
> > >> > vpdn-group pppoe
> > >> > request-dialin
> > >> > protocol pppoe
> > >> > !
> > >> > no ftp-server write-enable
> > >> > !
> > >> > !
> > >> > !
> > >> > !
> > >> > !
> > >> > !
> > >> > class-map match-all TELNET
> > >> > match protocol telnet
> > >> > class-map match-all youtube
> > >> > match protocol http host "*youtube.com*"
> > >> > !
> > >> > !
> > >> > policy-map BLOCK-youtube
> > >> > class youtube
> > >> > drop
> > >> > class TELNET
> > >> > drop
> > >> > !
> > >> > !
> > >> > !
> > >> > interface Ethernet0
> > >> > no ip address
> > >> > full-duplex
> > >> > pppoe enable
> > >> > pppoe-client dial-pool-number 1
> > >> > !
> > >> > interface FastEthernet0
> > >> > ip address 192.168.1.1 255.255.255.0 secondary
> > >> > ip address 10.1.200.200 255.255.255.0
> > >> > ip nat inside
> > >> > speed auto
> > >> > full-duplex
> > >> > !
> > >> > interface Dialer1
> > >> > ip address negotiated
> > >> > ip mtu 1452
> > >> > ip nat outside
> > >> > service-policy output BLOCK-youtube
> > >> > encapsulation ppp
> > >> > ip tcp adjust-mss 1392
> > >> > dialer pool 1
> > >> > dialer-group 1
> > >> > ppp authentication pap callin
> > >> > !
> > >> > ip nat inside source route-map NAT interface Dialer1 overload
> > >> >
> > >> > ip classless
> > >> > ip route 0.0.0.0 0.0.0.0 Dialer1
> > >> > access-list 118 permit ip 192.168.1.0 0.0.0.255 any
> > >> > access-list 118 permit ip 10.1.200.0 0.0.0.255 any
> > >> > !
> > >> > route-map NAT permit 10
> > >> > match ip address 118
> > >> > !
> > >> > !
> > >> > line con 0
> > >> > line aux 0
> > >> > line vty 0 4
> > >> > !
> > >> > !
> > >> > end
> > >> > WOW_1710#
> > >> >
> > >> > ------------------------------
> > >> > *From:* Pavel Bykov [mailto:slidersv@gmail.com]
> > >> > *Sent:* Tue 11/18/2008 7:42 PM
> > >> > *To:* Administrator
> > >> > *Cc:* omar parihuana; ccielab@groupstudy.com
> > >> >
> > >> > *Subject:* Re: CBWFQ to block Youtube
> > >> >
> > >> > Please post us your show class-map, show policy-map and show run int
> > >> > x/x to see how your class-maps are defined, policy-maps and how you
> > >> > are applying it.
> > >> >
> > >> > Also, do you have IP CEF enabled globally? Without it, it will not work.
> > >> >
> > >> > P.S.: Brian, is that monkey talking on the microphone? :) I think
> > >> > everybody gets spam like that at work all the time. We do. I wouldn't
> > >> > quite put it in a time killer though.
> > >> > If someone wanted to waste time, there are whole realms dedicated to
> > >> > progress your boredom. e.g.: bored.com
> > >> >
> > >> >
> > >> > On Wed, Nov 19, 2008 at 1:16 AM, Administrator <
> > >> > Administrator@subfighter.ca> wrote:
> > >> >
> > >> >> I have entered this exactly, and still things hit the default-class
> > >> >> for some reason. Is it because I also have nat on the router? Does
> > >> >> that affect the configuration someway?
> > >> >>
> > >> >> ________________________________
> > >> >>
> > >> >> From: omar parihuana [mailto:omar.parihuana@gmail.com]
> > >> >> Sent: Tue 11/18/2008 3:43 PM
> > >> >> To: Administrator
> > >> >> Cc: ccielab@groupstudy.com
> > >> >> Subject: Re: CBWFQ to block Youtube
> > >> >>
> > >> >>
> > >> >> Try this:
> > >> >>
> > >> >> Voice_GW_LAB#sh run class-map
> > >> >> Building configuration...
> > >> >>
> > >> >> Current configuration : 81 bytes
> > >> >> !
> > >> >> class-map match-all youtube
> > >> >> match protocol http host "*youtube.com*"
> > >> >> !
> > >> >> end
> > >> >>
> > >> >> Voice_GW_LAB#sh run policy-map
> > >> >> Building configuration...
> > >> >>
> > >> >> Current configuration : 59 bytes
> > >> >> !
> > >> >> policy-map BLOCK-youtube
> > >> >> class youtube
> > >> >> drop
> > >> >> !
> > >> >> end
> > >> >>
> > >> >> Voice_GW_LAB#sh run int f0/1
> > >> >> Building configuration...
> > >> >>
> > >> >> Current configuration : 234 bytes
> > >> >> !
> > >> >> interface FastEthernet0/1
> > >> >> ...
> > >> >> service-policy output BLOCK-youtube
> > >> >> end
> > >> >>
> > >> >> Voice_GW_LAB#
> > >> >>
> > >> >> Voice_GW_LAB#sh policy-map interface f0/1
> > >> >> FastEthernet0/1
> > >> >>
> > >> >> Service-policy output: BLOCK-youtube
> > >> >>
> > >> >> Class-map: youtube (match-all)
> > >> >> 27 packets, 29642 bytes
> > >> >> 5 minute offered rate 0 bps, drop rate 0 bps
> > >> >> Match: protocol http host "*youtube.com*"
> > >> >> drop
> > >> >>
> > >> >> Class-map: class-default (match-any)
> > >> >> 15842 packets, 1412490 bytes
> > >> >> 5 minute offered rate 0 bps, drop rate 0 bps
> > >> >> Match: any
> > >> >> Voice_GW_LAB#
> > >> >>
> > >> >>
> > >> >>
> > >> >>
> > >> >> On Tue, Nov 18, 2008 at 2:59 PM, Administrator <
> > >> >> Administrator@subfighter.ca>
> > >> >> wrote:
> > >> >>
> > >> >>
> > >> >> Hi there, I was just doing a lab and thought I would try
> > >> >> something on my test
> > >> >> DSL connection.
> > >> >>
> > >> >> My intent was to block www.youtube.com with QOS
> > >> >>
> > >> >> Here is what I have ...
> > >> >>
> > >> >> !
> > >> >> class-map match-all YOUTUBE
> > >> >> match protocol http url "www.youtube.com"
> > >> >> !
> > >> >> !
> > >> >> policy-map CBWFQ_SHAPE_OUT
> > >> >> class YOUTUBE
> > >> >> drop
> > >> >> !
> > >> >> !
> > >> >> interface Ethernet0
> > >> >> service-policy output CBWFQ_SHAPE_OUT
> > >> >> !
> > >> >>
> > >> >>
> > >> >>
> > >> >> But for some reason, it doesn't work. I have CEF enabled. When I do a show
> > >> >> policy-map int e0, it shows everything hitting the default class-default
> > >> >>
> > >> >> I am sure I am missing something simple, but my QOS skillz are low and am
> > >> >> trying to build them. Thanks!
> > >> >>
> > >> >>
> > >> >> Blogs and organic groups at http://www.ccie.net
> > >> >>
> > >> >> _______________________________________________________________________
> > >> >> Subscription information may be found at:
> > >> >> http://www.groupstudy.com/list/CCIELab.html
> > >> >>
> > >> >> --
> > >> >> Omar E.P.T
> > >> >> -----------------
> > >> >> Certified Networking Professionals make better Connections!
> > >> >
> > >> >
> > >> > --
> > >> > Pavel Bykov
> > >> > -------------------------------------------------
> > >> > Stop the braindumps!
> > >> > http://www.stopbraindumps.com/
> > >> >
> > >> >
> > >>
> > >>
> > >> --
> > >> Pavel Bykov
> > >> -------------------------------------------------
> > >> Stop the braindumps!
> > >> http://www.stopbraindumps.com/
> > >>
> > >
> > >
> > > --
> > > Narbik Kocharians
> > > CCSI#30832, CCIE# 12410 (R&S, SP, Security)
> > > www.MicronicsTraining
> > > www.Net-Workbooks.com
> > > Sr. Technical Instructor
> > >
> >
> >
> >
> > --
> > Pavel Bykov
> > -------------------------------------------------
> > Stop the braindumps!
> > http://www.stopbraindumps.com/
> >
This archive was generated by hypermail 2.1.4 : Mon Dec 01 2008 - 08:18:31 ARST
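
The symptom reported in this thread (a drop class that never increments while class-default takes all the traffic) can be checked mechanically from `show policy-map interface` output. The following Python parser is an added example, not code from the thread or from any poster; the function names are hypothetical, and the sample text is constructed in the format of the output quoted above, with the youtube counters set to zero.

```python
import re

# Constructed sample, laid out like the "sh policy-map interface" output in the thread.
SAMPLE = """\
 FastEthernet0/1

  Service-policy output: BLOCK-youtube

    Class-map: youtube (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol http host "*youtube.com*"
      drop

    Class-map: class-default (match-any)
      15842 packets, 1412490 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
"""

CLASS_RE = re.compile(r"^\s*Class-map:\s+(\S+)\s+\((match-(?:all|any))\)")
COUNT_RE = re.compile(r"^\s*(\d+) packets, (\d+) bytes")
MATCH_RE = re.compile(r"^\s*Match:\s+(.*\S)")

def parse_policy_map(text):
    """Return one dict per class: name, mode, packets, bytes, matches, drop."""
    classes, cur = [], None
    for line in text.splitlines():
        if m := CLASS_RE.match(line):
            cur = {"name": m[1], "mode": m[2], "packets": 0, "bytes": 0,
                   "matches": [], "drop": False}
            classes.append(cur)
        elif cur and (m := COUNT_RE.match(line)):
            cur["packets"], cur["bytes"] = int(m[1]), int(m[2])
        elif cur and (m := MATCH_RE.match(line)):
            cur["matches"].append(m[1])
        elif cur and line.strip() == "drop":
            cur["drop"] = True  # the class action is to drop matched packets
    return classes

def unmatched_drop_classes(classes):
    """Names of drop classes with zero hits while class-default carries traffic."""
    default = next((c for c in classes if c["name"] == "class-default"), None)
    if not default or default["packets"] == 0:
        return []  # no traffic seen at all, so nothing can be concluded
    return [c["name"] for c in classes if c["drop"] and c["packets"] == 0]

if __name__ == "__main__":
    print("never matched:", unmatched_drop_classes(parse_policy_map(SAMPLE)))
```

A class listed by `unmatched_drop_classes` only says the classifier never fired on that interface and direction; the cause (match string, NBAR support on the interface type, policy direction) still has to be isolated as discussed in the thread.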