From: Pavel Bykov (slidersv@gmail.com)
Date: Wed Nov 19 2008 - 13:03:23 ARST
Artur, Don't forget to match slashes and the whole path.
I think it should have been
class-map match-all DOCCD
match protocol http host "www.cisco.com"
match protocol http url "/go/univercd"
or
class-map match-all DOCCD
match protocol http host "www.cisco.com"
match protocol http url "*univercd"
On Wed, Nov 19, 2008 at 3:04 PM, Artur Sant'Anna <artur.lists@gmail.com> wrote:
> Hi,
>
> If I wanted to match exactly this URL and only this one, I would go with:
>
> class-map match-all DOCCD
> match protocol http host "www.cisco.com"
> match protocol http url "univercd"
>
> Regards,
> 2008/11/19 Mujeeb Sarwar <mujeebsarwar@gmail.com>
>
>> Hi,
>>
>> We can use *match protocol http url* to match jpeg or mpeg etc
>>
>> We can use *match protocol http host* to match www.cisco.com
>>
>> What could be the best possible configuration to match following url e.g
>> www.cisco.com/go/univercd
>>
>>
>>
>> Thanks & Regards,
>>
>> Mujeeb
>> On Wed, Nov 19, 2008 at 3:10 PM, Pavel Bykov <slidersv@gmail.com> wrote:
>>
>> > Wow, that came as a surprise. Now it really is "optional" command.
>> >
>> > Administrator, can you please post "show ver" from your router?
>> >
>> >
>> > On Wed, Nov 19, 2008 at 4:26 AM, Narbik Kocharians <narbikk@gmail.com> wrote:
>> >
>> > > I don't remember which versions but in the older IOS version/s it had to be
>> > > enabled but NOT the new ones.
>> > >
>> > > On Tue, Nov 18, 2008 at 7:03 PM, Huan Pham <Huan.Pham@peopletelecom.com.au> wrote:
>> > >
>> > >> Hi Pavel,
>> > >>
>> > >> Just a quick note:
>> > >>
>> > >> My understanding is that you do not need to enable NBAR protocol discovery
>> > >> to do NBAR based classification. I will have a look at the config below,
>> > >> and see if anything is missing later.
>> > >>
>> > >> NBAR discovery is used for a different purpose, so that you can quickly
>> > >> see what's going on in/out of that interface. You can have a look at the
>> > >> QoS configuration guide or command guide for more info.
>> > >>
>> > >> Here's brief info:
>> > >>
>> > >> NBAR Protocol Discovery
>> > >>
>> > >> NBAR includes a feature called Protocol Discovery. Protocol Discovery
>> > >> provides an easy way to discover the application protocols that are
>> > >> operating on an interface.
>> > >>
>> > >>
>> > >>
>> > >> Rack1R1(config-if)#ip nbar protocol-discovery
>> > >> Rack1R1(config-if)#
>> > >>
>> > >>
>> > >> You can view what protocol is going in/out on that interface using
>> > >>
>> > >> Rack1R1#sh ip nbar protocol-discovery int fa0/0 top-n 5
>> > >>
>> > >>  FastEthernet0/0
>> > >>                             Input                    Output
>> > >>                             -----                    ------
>> > >>    Protocol                 Packet Count             Packet Count
>> > >>                             Byte Count               Byte Count
>> > >>                             5min Bit Rate (bps)      5min Bit Rate (bps)
>> > >>                             5min Max Bit Rate (bps)  5min Max Bit Rate (bps)
>> > >>    ------------------------ ------------------------ ------------------------
>> > >>    rip                      16                       3
>> > >>                             6496                     1278
>> > >>                             1000                     0
>> > >>                             1000                     0
>> > >>    bgp                      0                        0
>> > >>                             0                        0
>> > >>                             0                        0
>> > >>                             0                        0
>> > >>    citrix                   0                        0
>> > >>                             0                        0
>> > >>                             0                        0
>> > >>                             0                        0
>> > >>    cuseeme                  0                        0
>> > >>                             0                        0
>> > >>                             0                        0
>> > >>                             0                        0
>> > >>    custom-01                0                        0
>> > >>                             0                        0
>> > >>                             0                        0
>> > >>                             0                        0
>> > >>    unknown                  0                        0
>> > >>                             0                        0
>> > >>                             0                        0
>> > >>                             0                        0
>> > >>    Total                    16                       3
>> > >>                             6496                     1278
>> > >>                             1000                     0
>> > >>                             1000                     0
>> > >>
>> > >> -----Original Message-----
>> > >> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Pavel Bykov
>> > >> Sent: Wednesday, 19 November 2008 1:20 PM
>> > >> To: Administrator
>> > >> Cc: omar parihuana; ccielab@groupstudy.com
>> > >> Subject: Re: CBWFQ to block Youtube
>> > >>
>> > >> Did you just paste commands right in the email editor? They don't look
>> > >> right...
>> > >>
>> > >> Anyway, steps to enable NBAR are:
>> > >> 1. ip cef <- O.K.
>> > >> 2. ip nbar protocol-discovery <- on interface to classify traffic! you
>> > >> don't have that!!!
>> > >>
>> > >> Also, support for NBAR on dialer has been introduced in 12.2T, so make
>> > >> sure you have not too old IOS.
>> > >>
>> > >> Recommended change to make sure everything works:
>> > >> interface FastEthernet0
>> > >> ip nbar protocol-discovery
>> > >> service-policy input BLOCK-youtube
>> > >>
>> > >> and then if
>> > >> "show policy-map int fa0 input" shows drops on "youtube" class, then try
>> > >> removing service policy from Fast and see if it works on dialer.
>> > >>
>> > >> That a bit oldish router, isn't it?
>> > >>
>> > >> On Wed, Nov 19, 2008 at 2:00 AM, Administrator <Administrator@subfighter.ca> wrote:
>> > >>
>> > >> > Here is the config, I have sanitized it a bit ...
>> > >> >
>> > >> > !
>> > >> > hostname WOW_1710
>> > >> > memory-size iomem 25
>> > >> > aaa new-model
>> > >> > !
>> > >> > !
>> > >> > aaa session-id common
>> > >> > ip subnet-zero
>> > >> > !
>> > >> > !
>> > >> > no ip domain lookup
>> > >> > !
>> > >> > ip cef
>> > >> > ip audit notify log
>> > >> > ip audit po max-events 100
>> > >> > vpdn enable
>> > >> > !
>> > >> > vpdn-group pppoe
>> > >> > request-dialin
>> > >> > protocol pppoe
>> > >> > !
>> > >> > no ftp-server write-enable
>> > >> > !
>> > >> > !
>> > >> > !
>> > >> > !
>> > >> > !
>> > >> > !
>> > >> > class-map match-all TELNET
>> > >> > match protocol telnet
>> > >> > class-map match-all youtube
>> > >> > match protocol http host "*youtube.com*"
>> > >> > !
>> > >> > !
>> > >> > policy-map BLOCK-youtube
>> > >> > class youtube
>> > >> > drop
>> > >> > class TELNET
>> > >> > drop
>> > >> > !
>> > >> > !
>> > >> > !
>> > >> > interface Ethernet0
>> > >> > no ip address
>> > >> > full-duplex
>> > >> > pppoe enable
>> > >> > pppoe-client dial-pool-number 1
>> > >> > !
>> > >> > interface FastEthernet0
>> > >> > ip address 192.168.1.1 255.255.255.0 secondary
>> > >> > ip address 10.1.200.200 255.255.255.0
>> > >> > ip nat inside
>> > >> > speed auto
>> > >> > full-duplex
>> > >> > !
>> > >> > interface Dialer1
>> > >> > ip address negotiated
>> > >> > ip mtu 1452
>> > >> > ip nat outside
>> > >> > service-policy output BLOCK-youtube
>> > >> > encapsulation ppp
>> > >> > ip tcp adjust-mss 1392
>> > >> > dialer pool 1
>> > >> > dialer-group 1
>> > >> > ppp authentication pap callin
>> > >> > !
>> > >> > ip nat inside source route-map NAT interface Dialer1 overload
>> > >> >
>> > >> > ip classless
>> > >> > ip route 0.0.0.0 0.0.0.0 Dialer1
>> > >> > access-list 118 permit ip 192.168.1.0 0.0.0.255 any
>> > >> > access-list 118 permit ip 10.1.200.0 0.0.0.255 any
>> > >> > !
>> > >> > route-map NAT permit 10
>> > >> > match ip address 118
>> > >> > !
>> > >> > !
>> > >> > line con 0
>> > >> > line aux 0
>> > >> > line vty 0 4
>> > >> > !
>> > >> > !
>> > >> > end
>> > >> > WOW_1710#
>> > >> >
>> > >> > ------------------------------
>> > >> > *From:* Pavel Bykov [mailto:slidersv@gmail.com]
>> > >> > *Sent:* Tue 11/18/2008 7:42 PM
>> > >> > *To:* Administrator
>> > >> > *Cc:* omar parihuana; ccielab@groupstudy.com
>> > >> >
>> > >> > *Subject:* Re: CBWFQ to block Youtube
>> > >> >
>> > >> > Please post us your show class-map, show policy-map and show run int
>> > >> > x/x to see how your class-maps are defined, policy-maps and how you
>> > >> > are applying it.
>> > >> >
>> > >> > Also, Do you have IP CEF enabled globally? without it it will not work.
>> > >> >
>> > >> > P.S.: Brian, is that monkey talking on the microphone? :) I think
>> > >> > everybody gets spam like that at work all the time. we do. I wouldn't
>> > >> > quite put it in a time killer though.
>> > >> > If someone wanted to waste time, there are whole realms dedicated to
>> > >> > progress your boredom. e.g.: bored.com
>> > >> >
>> > >> >
>> > >> > On Wed, Nov 19, 2008 at 1:16 AM, Administrator <
>> > >> > Administrator@subfighter.ca> wrote:
>> > >> >
>> > >> >> I have entered this exactly, and still things hit the default-class
>> > >> >> for some reason. Is it because I also have nat on the router ? Does
>> > >> >> that affect the configuration someway ?
>> > >> >>
>> > >> >> ________________________________
>> > >> >>
>> > >> >> From: omar parihuana [mailto:omar.parihuana@gmail.com]
>> > >> >> Sent: Tue 11/18/2008 3:43 PM
>> > >> >> To: Administrator
>> > >> >> Cc: ccielab@groupstudy.com
>> > >> >> Subject: Re: CBWFQ to block Youtube
>> > >> >>
>> > >> >>
>> > >> >> Try this:
>> > >> >>
>> > >> >> Voice_GW_LAB#sh run class-map
>> > >> >> Building configuration...
>> > >> >>
>> > >> >> Current configuration : 81 bytes
>> > >> >> !
>> > >> >> class-map match-all youtube
>> > >> >> match protocol http host "*youtube.com*"
>> > >> >> !
>> > >> >> end
>> > >> >>
>> > >> >> Voice_GW_LAB#sh run policy-map
>> > >> >> Building configuration...
>> > >> >>
>> > >> >> Current configuration : 59 bytes
>> > >> >> !
>> > >> >> policy-map BLOCK-youtube
>> > >> >> class youtube
>> > >> >> drop
>> > >> >> !
>> > >> >> end
>> > >> >>
>> > >> >> Voice_GW_LAB#sh run int f0/1
>> > >> >> Building configuration...
>> > >> >>
>> > >> >> Current configuration : 234 bytes
>> > >> >> !
>> > >> >> interface FastEthernet0/1
>> > >> >> ...
>> > >> >> service-policy output BLOCK-youtube
>> > >> >> end
>> > >> >>
>> > >> >> Voice_GW_LAB#
>> > >> >>
>> > >> >> Voice_GW_LAB#sh policy-map interface f0/1
>> > >> >> FastEthernet0/1
>> > >> >>
>> > >> >> Service-policy output: BLOCK-youtube
>> > >> >>
>> > >> >> Class-map: youtube (match-all)
>> > >> >> 27 packets, 29642 bytes
>> > >> >> 5 minute offered rate 0 bps, drop rate 0 bps
>> > >> >> Match: protocol http host "*youtube.com*"
>> > >> >> drop
>> > >> >>
>> > >> >> Class-map: class-default (match-any)
>> > >> >> 15842 packets, 1412490 bytes
>> > >> >> 5 minute offered rate 0 bps, drop rate 0 bps
>> > >> >> Match: any
>> > >> >> Voice_GW_LAB#
>> > >> >>
>> > >> >>
>> > >> >>
>> > >> >>
>> > >> >> On Tue, Nov 18, 2008 at 2:59 PM, Administrator <
>> > >> >> Administrator@subfighter.ca>
>> > >> >> wrote:
>> > >> >>
>> > >> >>
>> > >> >> Hi there, I was just doing a lab and thought I would try
>> > >> >> something on my test DSL connection.
>> > >> >>
>> > >> >> My intent was to block www.youtube.com with QOS
>> > >> >>
>> > >> >> Here is what I have ...
>> > >> >>
>> > >> >> !
>> > >> >> class-map match-all YOUTUBE
>> > >> >> match protocol http url "www.youtube.com"
>> > >> >> !
>> > >> >> !
>> > >> >> policy-map CBWFQ_SHAPE_OUT
>> > >> >> class YOUTUBE
>> > >> >> drop
>> > >> >> !
>> > >> >> !
>> > >> >> interface Ethernet0
>> > >> >> service-policy output CBWFQ_SHAPE_OUT
>> > >> >> !
>> > >> >>
>> > >> >>
>> > >> >>
>> > >> >> But for some reason, it doesn't work. I have CEF enabled.
>> > >> >> When I do a show policy-map int e0, it shows everything hitting the
>> > >> >> default class-default
>> > >> >>
>> > >> >> I am sure I am missing something simple, but my QOS skillz are
>> > >> >> low and am trying to build them. Thanks !
>> > >> >>
>> > >> >>
>> > >> >> Blogs and organic groups at http://www.ccie.net
>> > >> >>
>> > >> >> _______________________________________________________________________
>> > >> >> Subscription information may be found at:
>> > >> >> http://www.groupstudy.com/list/CCIELab.html
>> > >> >>
>> > >> >> --
>> > >> >> Omar E.P.T
>> > >> >> -----------------
>> > >> >> Certified Networking Professionals make better Connections!
>> > >> >
>> > >> >
>> > >> > --
>> > >> > Pavel Bykov
>> > >> > -------------------------------------------------
>> > >> > Stop the braindumps!
>> > >> > http://www.stopbraindumps.com/
>> > >> >
>> > >> >
>> > >>
>> > >>
>> > >> --
>> > >> Pavel Bykov
>> > >> -------------------------------------------------
>> > >> Stop the braindumps!
>> > >> http://www.stopbraindumps.com/
>> > >
>> > >
>> > > --
>> > > Narbik Kocharians
>> > > CCSI#30832, CCIE# 12410 (R&S, SP, Security)
>> > > www.MicronicsTraining
>> > > www.Net-Workbooks.com <http://www.net-workbooks.com/>
>> > > Sr. Technical Instructor
>> > >
>> >
>> >
>> >
>> > --
>> > Pavel Bykov
>> > -------------------------------------------------
>> > Stop the braindumps!
>> > http://www.stopbraindumps.com/
--
Pavel Bykov
-------------------------------------------------
Stop the braindumps!
http://www.stopbraindumps.com/
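
A small model of the matching behaviour discussed in this thread, added here as an illustration and not taken from any poster or from IOS itself. It assumes `host` is compared with the HTTP Host header and `url` with the request path, each as a whole-field match in which `*` stands for any run of characters; the request list is constructed sample data.

```python
import re

def nbar_glob(pattern):
    """Turn a pattern with '*' wildcards into an anchored, case-insensitive regex.
    Whole-field anchoring is this example's assumption about the matcher."""
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.compile(body, re.IGNORECASE)

def matches(class_map, host, path):
    """match-all semantics: every configured field must match its pattern."""
    fields = {"host": host, "url": path}
    return all(nbar_glob(pat).fullmatch(fields[key]) for key, pat in class_map.items())

# Class-maps quoted in the thread, reduced to their match statements.
# The labels in parentheses are added here to tell the variants apart.
CLASS_MAPS = {
    "DOCCD (Artur)":   {"host": "www.cisco.com", "url": "univercd"},
    "DOCCD (Pavel 1)": {"host": "www.cisco.com", "url": "/go/univercd"},
    "DOCCD (Pavel 2)": {"host": "www.cisco.com", "url": "*univercd"},
    "YOUTUBE (first)": {"url": "www.youtube.com"},
    "youtube (omar)":  {"host": "*youtube.com*"},
}

# Constructed sample requests: (Host header, request path).
REQUESTS = [
    ("www.cisco.com", "/go/univercd"),      # the URL the question asks about
    ("www.cisco.com", "/en/US/univercd"),   # different path, same suffix
    ("www.youtube.com", "/watch"),
    ("notyoutube.com.example", "/"),        # unrelated host containing the string
]

def classify(host, path):
    """Return the names of all modelled class-maps that match this request."""
    return [name for name, cm in CLASS_MAPS.items() if matches(cm, host, path)]

if __name__ == "__main__":
    for host, path in REQUESTS:
        hit = classify(host, path) or ["class-default"]
        print(f"{host}{path}: {hit}")
```

Under these assumptions, only the full-path pattern is limited to the one URL, the `*univercd` variant also catches other paths ending in the same string, and the `*youtube.com*` host pattern matches any hostname that merely contains it.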
This archive was generated by hypermail 2.1.4 : Mon Dec 01 2008 - 08:18:31 ARST