From: Administrator (Administrator@Subfighter.ca)
Date: Wed Nov 19 2008 - 12:09:54 ARST
CCIE_LAB#sh ver
Cisco IOS Software, C1700 Software (C1710-K9O3SY-M), Version 12.4(23), RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Sat 08-Nov-08 18:52 by prod_rel_team
ROM: System Bootstrap, Version 12.2(1r)XE1, RELEASE SOFTWARE (fc1)
CCIE_LAB uptime is 12 hours, 15 minutes
System returned to ROM by power-on
System image file is "flash:c1710-k9o3sy-mz.124-23.bin"
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found
at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
Cisco 1710 (MPC855T) processor (revision 0x200) with 55706K/9830K bytes of memory.
Processor board ID JAD06450FV7 (2529985236), with hardware revision 0000
MPC855T processor: part number 5, mask 2
1 Ethernet interface
1 FastEthernet interface
1 Virtual Private Network (VPN) Module
32K bytes of NVRAM.
16384K bytes of processor board System flash (Read/Write)
Configuration register is 0x2102
CCIE_LAB#
________________________________
From: Pavel Bykov [mailto:slidersv@gmail.com]
Sent: Wed 11/19/2008 5:10 AM
To: Narbik Kocharians
Cc: Huan Pham; Administrator; omar parihuana; ccielab@groupstudy.com
Subject: Re: CBWFQ to block Youtube
Wow, that came as a surprise. Now it really is an "optional" command.
Administrator, can you please post "show ver" from your router?
On Wed, Nov 19, 2008 at 4:26 AM, Narbik Kocharians <narbikk@gmail.com> wrote:
I don't remember which versions but in the older IOS version/s it had to be
enabled but NOT the new ones.
On Tue, Nov 18, 2008 at 7:03 PM, Huan Pham <Huan.Pham@peopletelecom.com.au> wrote:
Hi Pavel,
Just a quick note:
My understanding is that you do not need to enable NBAR protocol discovery
to do NBAR based classification. I will have a look at the config below,
and see if anything is missing later.
NBAR discovery is used for a different purpose, so that you can quickly
see what's going on in/out of that interface. You can have a look at the
QoS configuration guide or command guide for more info.
Here's brief info:
NBAR Protocol Discovery
NBAR includes a feature called Protocol Discovery. Protocol Discovery
provides an easy way to discover the application protocols that are
operating on an interface.
Rack1R1(config-if)#ip nbar protocol-discovery
Rack1R1(config-if)#
You can view what protocol is going in/out on that interface using

Rack1R1#sh ip nbar protocol-discovery int fa0/0 top-n 5

 FastEthernet0/0
                            Input                    Output
                            -----                    ------
   Protocol                 Packet Count             Packet Count
                            Byte Count               Byte Count
                            5min Bit Rate (bps)      5min Bit Rate (bps)
                            5min Max Bit Rate (bps)  5min Max Bit Rate (bps)
   ------------------------ ------------------------ ------------------------
   rip                      16                       3
                            6496                     1278
                            1000                     0
                            1000                     0
   bgp                      0                        0
                            0                        0
                            0                        0
                            0                        0
   citrix                   0                        0
                            0                        0
                            0                        0
                            0                        0
   cuseeme                  0                        0
                            0                        0
                            0                        0
                            0                        0
   custom-01                0                        0
                            0                        0
                            0                        0
                            0                        0
   unknown                  0                        0
                            0                        0
                            0                        0
                            0                        0
   Total                    16                       3
                            6496                     1278
                            1000                     0
                            1000                     0
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Pavel Bykov
Sent: Wednesday, 19 November 2008 1:20 PM
To: Administrator
Cc: omar parihuana; ccielab@groupstudy.com
Subject: Re: CBWFQ to block Youtube
Did you just paste commands right in the email editor? They don't look
right...
Anyway, steps to enable NBAR are:
1. ip cef <- O.K.
2. ip nbar protocol-discovery <- on interface to classify traffic! you
don't have that!!!
Also, support for NBAR on dialer has been introduced in 12.2T, so make
sure you have not too old IOS.
Recommended change to make sure everything works:
interface FastEthernet0
ip nbar protocol-discovery
service-policy input BLOCK-youtube
and then if
"show policy-map int fa0 input" shows drops on "youtube" class, then try
removing service policy from Fast and see if it works on dialer.
That's a bit of an oldish router, isn't it?
On Wed, Nov 19, 2008 at 2:00 AM, Administrator <Administrator@subfighter.ca> wrote:
> Here is the config, I have sanitized it a bit ...
>
> !
> hostname WOW_1710
> memory-size iomem 25
> aaa new-model
> !
> !
> aaa session-id common
> ip subnet-zero
> !
> !
> no ip domain lookup
> !
> ip cef
> ip audit notify log
> ip audit po max-events 100
> vpdn enable
> !
> vpdn-group pppoe
> request-dialin
> protocol pppoe
> !
> no ftp-server write-enable
> !
> !
> !
> !
> !
> !
> class-map match-all TELNET
> match protocol telnet
> class-map match-all youtube
> match protocol http host "*youtube.com*"
> !
> !
> policy-map BLOCK-youtube
> class youtube
> drop
> class TELNET
> drop
> !
> !
> !
> interface Ethernet0
> no ip address
> full-duplex
> pppoe enable
> pppoe-client dial-pool-number 1
> !
> interface FastEthernet0
> ip address 192.168.1.1 255.255.255.0 secondary
> ip address 10.1.200.200 255.255.255.0
> ip nat inside
> speed auto
> full-duplex
> !
> interface Dialer1
> ip address negotiated
> ip mtu 1452
> ip nat outside
> service-policy output BLOCK-youtube
> encapsulation ppp
> ip tcp adjust-mss 1392
> dialer pool 1
> dialer-group 1
> ppp authentication pap callin
> !
> ip nat inside source route-map NAT interface Dialer1 overload
>
> ip classless
> ip route 0.0.0.0 0.0.0.0 Dialer1
> access-list 118 permit ip 192.168.1.0 0.0.0.255 any
> access-list 118 permit ip 10.1.200.0 0.0.0.255 any
> !
> route-map NAT permit 10
> match ip address 118
> !
> !
> line con 0
> line aux 0
> line vty 0 4
> !
> !
> end
> WOW_1710#
>
> ------------------------------
> *From:* Pavel Bykov [mailto:slidersv@gmail.com]
> *Sent:* Tue 11/18/2008 7:42 PM
> *To:* Administrator
> *Cc:* omar parihuana; ccielab@groupstudy.com
>
> *Subject:* Re: CBWFQ to block Youtube
>
> Please post us your show class-map, show policy-map and show run int
> x/x to see how your class-maps are defined, policy-maps and how you
> are applying it.
>
> Also, do you have IP CEF enabled globally? Without it, it will not work.
>
> P.S.: Brian, is that monkey talking on the microphone? :) I think
> everybody gets spam like that at work all the time. we do. I wouldn't
> quite put it in a time killer though.
> If someone wanted to waste time, there are whole realms dedicated to
> progress your boredom. e.g.: bored.com <http://bored.com/>
>
>
> On Wed, Nov 19, 2008 at 1:16 AM, Administrator <Administrator@subfighter.ca> wrote:
>
>> I have entered this exactly, and still things hit the default-class
>> for some reason. Is it because I also have NAT on the router? Does
>> that affect the configuration somehow?
>>
>> ________________________________
>>
>> From: omar parihuana [mailto:omar.parihuana@gmail.com]
>> Sent: Tue 11/18/2008 3:43 PM
>> To: Administrator
>> Cc: ccielab@groupstudy.com
>> Subject: Re: CBWFQ to block Youtube
>>
>>
>> Try this:
>>
>> Voice_GW_LAB#sh run class-map
>> Building configuration...
>>
>> Current configuration : 81 bytes
>> !
>> class-map match-all youtube
>> match protocol http host "*youtube.com*"
>> !
>> end
>>
>> Voice_GW_LAB#sh run policy-map
>> Building configuration...
>>
>> Current configuration : 59 bytes
>> !
>> policy-map BLOCK-youtube
>> class youtube
>> drop
>> !
>> end
>>
>> Voice_GW_LAB#sh run int f0/1
>> Building configuration...
>>
>> Current configuration : 234 bytes
>> !
>> interface FastEthernet0/1
>> ...
>> service-policy output BLOCK-youtube
>> end
>>
>> Voice_GW_LAB#
>>
>> Voice_GW_LAB#sh policy-map interface f0/1
>> FastEthernet0/1
>>
>> Service-policy output: BLOCK-youtube
>>
>> Class-map: youtube (match-all)
>> 27 packets, 29642 bytes
>> 5 minute offered rate 0 bps, drop rate 0 bps
>> Match: protocol http host "*youtube.com*"
>> drop
>>
>> Class-map: class-default (match-any)
>> 15842 packets, 1412490 bytes
>> 5 minute offered rate 0 bps, drop rate 0 bps
>> Match: any
>> Voice_GW_LAB#
>>
>> On Tue, Nov 18, 2008 at 2:59 PM, Administrator <Administrator@subfighter.ca> wrote:
>>
>>
>> Hi there, I was just doing a lab and thought I would try something on my test
>> DSL connection.
>>
>> My intent was to block www.youtube.com with QOS
>>
>> Here is what I have ...
>>
>> !
>> class-map match-all YOUTUBE
>> match protocol http url "www.youtube.com"
>> !
>> !
>> policy-map CBWFQ_SHAPE_OUT
>> class YOUTUBE
>> drop
>> !
>> !
>> interface Ethernet0
>> service-policy output CBWFQ_SHAPE_OUT
>> !
>> But for some reason, it doesn't work. I have CEF enabled.
>> When I do a show policy-map int e0, it shows everything hitting the
>> default class-default.
>>
>> I am sure I am missing something simple, but my QOS skillz are low and I am
>> trying to build them. Thanks!
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
>>
>> --
>> Omar E.P.T
>> -----------------
>> Certified Networking Professionals make better Connections!
>>
>>
>
>
> --
> Pavel Bykov
> -------------------------------------------------
> Stop the braindumps!
> http://www.stopbraindumps.com/
>
>
--
Pavel Bykov
-------------------------------------------------
Stop the braindumps!
http://www.stopbraindumps.com/
--
Narbik Kocharians
CCSI#30832, CCIE# 12410 (R&S, SP, Security)
www.MicronicsTraining
www.Net-Workbooks.com
Sr. Technical Instructor
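Added example, not from any of the posters in this thread: a small Python parser for the "show policy-map interface" output quoted above, which reports whether a named class (here youtube) is matching packets or whether everything falls through to class-default, the symptom the original poster described. The sample output is constructed in the shape of the one Omar posted; the function names are my own.

```python
import re

# Constructed sample shaped like the thread's "show policy-map interface" output; the youtube class is matching here.
SAMPLE_WORKING = """\
FastEthernet0/1
  Service-policy output: BLOCK-youtube
    Class-map: youtube (match-all)
      27 packets, 29642 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol http host "*youtube.com*"
      drop
    Class-map: class-default (match-any)
      15842 packets, 1412490 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
"""
# Same output with the symptom the original poster described: the youtube class sees nothing.
SAMPLE_BROKEN = SAMPLE_WORKING.replace("27 packets, 29642 bytes", "0 packets, 0 bytes")

CLASS_RE = re.compile(r"^\s*Class-map:\s+(\S+)\s+\(")
COUNT_RE = re.compile(r"^\s*(\d+) packets, (\d+) bytes")
MATCH_RE = re.compile(r"^\s*Match:\s+(.*\S)")


def parse_policy_map(output):
    """Map each class name to its packet/byte counters and its Match statements."""
    classes, current = {}, None
    for line in output.splitlines():
        if m := CLASS_RE.match(line):
            current = classes[m.group(1)] = {"packets": 0, "bytes": 0, "matches": []}
        elif current is None:
            continue  # ignore header lines before the first Class-map
        elif m := COUNT_RE.match(line):
            current["packets"], current["bytes"] = int(m.group(1)), int(m.group(2))
        elif m := MATCH_RE.match(line):
            current["matches"].append(m.group(1))
    return classes


def classification_verdict(output, class_name):
    """Say whether class_name is matching or all traffic falls to class-default."""
    classes = parse_policy_map(output)
    if class_name not in classes:
        return "class %s is not in the applied policy" % class_name
    hits = classes[class_name]["packets"]
    default = classes.get("class-default", {"packets": 0})["packets"]
    if hits > 0:
        return "%s matched %d packets" % (class_name, hits)
    if default > 0:
        return "%s matched 0 packets, %d fell through to class-default" % (class_name, default)
    return "no traffic seen by the policy yet"
```

When the verdict is "fell through to class-default", the match statement (url vs host keyword, quoting of the pattern) and the CEF/NBAR prerequisites discussed above are the first things to recheck.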
This archive was generated by hypermail 2.1.4 : Mon Dec 01 2008 - 08:18:31 ARST