Re: CBWFQ to block Youtube

From: Pavel Bykov (slidersv@gmail.com)
Date: Wed Nov 19 2008 - 14:25:50 ARST


Although I don't like the process, I checked Feature Navigator.
So it all looks as if it was supposed to work.

Can you please check "show ip nbar resources"?

This is all I can think of now - maybe you're out of memory...

On Wed, Nov 19, 2008 at 3:09 PM, Administrator
<Administrator@subfighter.ca> wrote:

> CCIE_LAB#sh ver
> Cisco IOS Software, C1700 Software (C1710-K9O3SY-M), Version 12.4(23),
> RELEASE SOFTWARE (fc1)
> Technical Support: http://www.cisco.com/techsupport
> Copyright (c) 1986-2008 by Cisco Systems, Inc.
> Compiled Sat 08-Nov-08 18:52 by prod_rel_team
> ROM: System Bootstrap, Version 12.2(1r)XE1, RELEASE SOFTWARE (fc1)
> CCIE_LAB uptime is 12 hours, 15 minutes
> System returned to ROM by power-on
> System image file is "flash:c1710-k9o3sy-mz.124-23.bin"
>
> This product contains cryptographic features and is subject to United
> States and local country laws governing import, export, transfer and
> use. Delivery of Cisco cryptographic products does not imply
> third-party authority to import, export, distribute or use encryption.
> Importers, exporters, distributors and users are responsible for
> compliance with U.S. and local country laws. By using this product you
> agree to comply with applicable laws and regulations. If you are unable
> to comply with U.S. and local laws, return this product immediately.
> A summary of U.S. laws governing Cisco cryptographic products may be found
> at:
> http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
> If you require further assistance please contact us by sending email to
> export@cisco.com.
> Cisco 1710 (MPC855T) processor (revision 0x200) with 55706K/9830K bytes of
> memory.
> Processor board ID JAD06450FV7 (2529985236), with hardware revision 0000
> MPC855T processor: part number 5, mask 2
> 1 Ethernet interface
> 1 FastEthernet interface
> 1 Virtual Private Network (VPN) Module
> 32K bytes of NVRAM.
> 16384K bytes of processor board System flash (Read/Write)
> Configuration register is 0x2102
> CCIE_LAB#
>
> ------------------------------
> *From:* Pavel Bykov [mailto:slidersv@gmail.com]
> *Sent:* Wed 11/19/2008 5:10 AM
> *To:* Narbik Kocharians
> *Cc:* Huan Pham; Administrator; omar parihuana; ccielab@groupstudy.com
>
> *Subject:* Re: CBWFQ to block Youtube
>
> Wow, that came as a surprise. Now it really is an "optional" command.
>
> Administrator, can you please post "show ver" from your router?
>
>
> On Wed, Nov 19, 2008 at 4:26 AM, Narbik Kocharians <narbikk@gmail.com> wrote:
>
>> I don't remember which versions but in the older IOS version/s it had to
>> be enabled but NOT the new ones.
>>
>> On Tue, Nov 18, 2008 at 7:03 PM, Huan Pham <
>> Huan.Pham@peopletelecom.com.au> wrote:
>>
>>> Hi Pavel,
>>>
>>> Just a quick note:
>>>
>>> My understanding is that you do not need to enable NBAR protocol discovery
>>> to do NBAR based classification. I will have a look at the config below,
>>> and see if anything is missing later.
>>>
>>> NBAR discovery is used for a different purpose, so that you can quickly
>>> see what's going on in/out of that interface. You can have a look at the
>>> QoS configuration guide or command guide for more info.
>>>
>>> Here's brief info:
>>>
>>> NBAR Protocol Discovery
>>>
>>> NBAR includes a feature called Protocol Discovery. Protocol Discovery
>>> provides an easy way to discover the application protocols that are
>>> operating on an interface.
>>>
>>>
>>>
>>> Rack1R1(config-if)#ip nbar protocol-discovery
>>> Rack1R1(config-if)#
>>>
>>>
>>> You can view what protocol is going in/out on that interface using
>>>
>>> Rack1R1#sh ip nbar protocol-discovery int fa0/0 top-n 5
>>>
>>>  FastEthernet0/0
>>>                            Input                    Output
>>>                            -----                    ------
>>>  Protocol                  Packet Count             Packet Count
>>>                            Byte Count               Byte Count
>>>                            5min Bit Rate (bps)      5min Bit Rate (bps)
>>>                            5min Max Bit Rate (bps)  5min Max Bit Rate (bps)
>>>  ------------------------  ------------------------ ------------------------
>>>  rip                       16                       3
>>>                            6496                     1278
>>>                            1000                     0
>>>                            1000                     0
>>>  bgp                       0                        0
>>>                            0                        0
>>>                            0                        0
>>>                            0                        0
>>>  citrix                    0                        0
>>>                            0                        0
>>>                            0                        0
>>>                            0                        0
>>>  cuseeme                   0                        0
>>>                            0                        0
>>>                            0                        0
>>>                            0                        0
>>>  custom-01                 0                        0
>>>                            0                        0
>>>                            0                        0
>>>                            0                        0
>>>  unknown                   0                        0
>>>                            0                        0
>>>                            0                        0
>>>                            0                        0
>>>  Total                     16                       3
>>>                            6496                     1278
>>>                            1000                     0
>>>                            1000                     0
>>>
>>>
>>>
>>>
>>>
>>> -----Original Message-----
>>> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>>> Pavel Bykov
>>> Sent: Wednesday, 19 November 2008 1:20 PM
>>> To: Administrator
>>> Cc: omar parihuana; ccielab@groupstudy.com
>>> Subject: Re: CBWFQ to block Youtube
>>>
>>> Did you just paste commands right in the email editor? They don't look
>>> right...
>>>
>>> Anyway, steps to enable NBAR are:
>>> 1. ip cef <- O.K.
>>> 2. ip nbar protocol-discovery <- on interface to classify traffic! you
>>> don't have that!!!
>>>
>>> Also, support for NBAR on dialer has been introduced in 12.2T, so make
>>> sure you have not too old IOS.
>>>
>>> Recommended change to make sure everything works:
>>> interface FastEthernet0
>>> ip nbar protocol-discovery
>>> service-policy input BLOCK-youtube
>>>
>>> and then if
>>> "show policy-map int fa0 input" shows drops on "youtube" class, then try
>>> removing service policy from Fast and see if it works on dialer.
>>>
>>> That's a bit of an oldish router, isn't it?
>>>
>>> On Wed, Nov 19, 2008 at 2:00 AM, Administrator
>>> <Administrator@subfighter.ca> wrote:
>>>
>>> > Here is the config, I have sanitized it a bit ...
>>> >
>>> > !
>>> > hostname WOW_1710
>>> > memory-size iomem 25
>>> > aaa new-model
>>> > !
>>> > !
>>> > aaa session-id common
>>> > ip subnet-zero
>>> > !
>>> > !
>>> > no ip domain lookup
>>> > !
>>> > ip cef
>>> > ip audit notify log
>>> > ip audit po max-events 100
>>> > vpdn enable
>>> > !
>>> > vpdn-group pppoe
>>> > request-dialin
>>> > protocol pppoe
>>> > !
>>> > no ftp-server write-enable
>>> > !
>>> > !
>>> > !
>>> > !
>>> > !
>>> > !
>>> > class-map match-all TELNET
>>> > match protocol telnet
>>> > class-map match-all youtube
>>> > match protocol http host "*youtube.com*"
>>> > !
>>> > !
>>> > policy-map BLOCK-youtube
>>> > class youtube
>>> > drop
>>> > class TELNET
>>> > drop
>>> > !
>>> > !
>>> > !
>>> > interface Ethernet0
>>> > no ip address
>>> > full-duplex
>>> > pppoe enable
>>> > pppoe-client dial-pool-number 1
>>> > !
>>> > interface FastEthernet0
>>> > ip address 192.168.1.1 255.255.255.0 secondary
>>> > ip address 10.1.200.200 255.255.255.0
>>> > ip nat inside
>>> > speed auto
>>> > full-duplex
>>> > !
>>> > interface Dialer1
>>> > ip address negotiated
>>> > ip mtu 1452
>>> > ip nat outside
>>> > service-policy output BLOCK-youtube
>>> > encapsulation ppp
>>> > ip tcp adjust-mss 1392
>>> > dialer pool 1
>>> > dialer-group 1
>>> > ppp authentication pap callin
>>> > !
>>> > ip nat inside source route-map NAT interface Dialer1 overload
>>> >
>>> > ip classless
>>> > ip route 0.0.0.0 0.0.0.0 Dialer1
>>> > access-list 118 permit ip 192.168.1.0 0.0.0.255 any
>>> > access-list 118 permit ip 10.1.200.0 0.0.0.255 any
>>> > !
>>> > route-map NAT permit 10
>>> > match ip address 118
>>> > !
>>> > !
>>> > line con 0
>>> > line aux 0
>>> > line vty 0 4
>>> > !
>>> > !
>>> > end
>>> > WOW_1710#
>>> >
>>> > ------------------------------
>>> > *From:* Pavel Bykov [mailto:slidersv@gmail.com]
>>> > *Sent:* Tue 11/18/2008 7:42 PM
>>> > *To:* Administrator
>>> > *Cc:* omar parihuana; ccielab@groupstudy.com
>>> >
>>> > *Subject:* Re: CBWFQ to block Youtube
>>> >
>>> > Please post us your show class-map, show policy-map and show run int
>>> > x/x to see how your class-maps are defined, policy-maps and how you
>>> > are applying it.
>>> >
>>> > Also, do you have IP CEF enabled globally? Without it, it will not
>>> > work.
>>> >
>>> > P.S.: Brian, is that monkey talking on the microphone? :) I think
>>> > everybody gets spam like that at work all the time. We do. I wouldn't
>>> > quite put it in a time killer though.
>>> > If someone wanted to waste time, there are whole realms dedicated to
>>> > progress your boredom. e.g.: bored.com
>>> >
>>> >
>>> > On Wed, Nov 19, 2008 at 1:16 AM, Administrator <
>>> > Administrator@subfighter.ca> wrote:
>>> >
>>> >> I have entered this exactly, and still things hit the default-class
>>> >> for some reason. Is it because I also have NAT on the router? Does
>>> >> that affect the configuration somehow?
>>> >>
>>> >> ________________________________
>>> >>
>>> >> From: omar parihuana [mailto:omar.parihuana@gmail.com]
>>> >> Sent: Tue 11/18/2008 3:43 PM
>>> >> To: Administrator
>>> >> Cc: ccielab@groupstudy.com
>>> >> Subject: Re: CBWFQ to block Youtube
>>> >>
>>> >>
>>> >> Try this:
>>> >>
>>> >> Voice_GW_LAB#sh run class-map
>>> >> Building configuration...
>>> >>
>>> >> Current configuration : 81 bytes
>>> >> !
>>> >> class-map match-all youtube
>>> >> match protocol http host "*youtube.com*"
>>> >> !
>>> >> end
>>> >>
>>> >> Voice_GW_LAB#sh run policy-map
>>> >> Building configuration...
>>> >>
>>> >> Current configuration : 59 bytes
>>> >> !
>>> >> policy-map BLOCK-youtube
>>> >> class youtube
>>> >> drop
>>> >> !
>>> >> end
>>> >>
>>> >> Voice_GW_LAB#sh run int f0/1
>>> >> Building configuration...
>>> >>
>>> >> Current configuration : 234 bytes
>>> >> !
>>> >> interface FastEthernet0/1
>>> >> ...
>>> >> service-policy output BLOCK-youtube
>>> >> end
>>> >>
>>> >> Voice_GW_LAB#
>>> >>
>>> >> Voice_GW_LAB#sh policy-map interface f0/1
>>> >> FastEthernet0/1
>>> >>
>>> >> Service-policy output: BLOCK-youtube
>>> >>
>>> >> Class-map: youtube (match-all)
>>> >> 27 packets, 29642 bytes
>>> >> 5 minute offered rate 0 bps, drop rate 0 bps
>>> >> Match: protocol http host "*youtube.com*"
>>> >> drop
>>> >>
>>> >> Class-map: class-default (match-any)
>>> >> 15842 packets, 1412490 bytes
>>> >> 5 minute offered rate 0 bps, drop rate 0 bps
>>> >> Match: any
>>> >> Voice_GW_LAB#
>>> >>
>>> >>
>>> >>
>>> >>
>>> >> On Tue, Nov 18, 2008 at 2:59 PM, Administrator <
>>> >> Administrator@subfighter.ca>
>>> >> wrote:
>>> >>
>>> >>
>>> >> Hi there, I was just doing a lab and thought I would try
>>> >> something on my test
>>> >> DSL connection.
>>> >>
>>> >> My intent was to block www.youtube.com with QOS
>>> >>
>>> >> Here is what I have ...
>>> >>
>>> >> !
>>> >> class-map match-all YOUTUBE
>>> >> match protocol http url "www.youtube.com"
>>> >> !
>>> >> !
>>> >> policy-map CBWFQ_SHAPE_OUT
>>> >> class YOUTUBE
>>> >> drop
>>> >> !
>>> >> !
>>> >> interface Ethernet0
>>> >> service-policy output CBWFQ_SHAPE_OUT
>>> >> !
>>> >>
>>> >>
>>> >>
>>> >> But for some reason, it doesn't work. I have CEF enabled.
>>> >> When I do a show
>>> >> policy-map int e0, it shows everything hitting the default
>>> >> class-default
>>> >>
>>> >> I am sure I am missing something simple, but my QOS skillz are
>>> >> low and I am trying to build them. Thanks!
>>> >>
>>> >>
>>> >> Blogs and organic groups at http://www.ccie.net
>>> >>
>>> >> _______________________________________________________________________
>>> >> Subscription information may be found at:
>>> >> http://www.groupstudy.com/list/CCIELab.html
>>> >>
>>> >> --
>>> >> Omar E.P.T
>>> >> -----------------
>>> >> Certified Networking Professionals make better Connections!
>>> >>
>>> >>
>>> >
>>> >
>>> > --
>>> > Pavel Bykov
>>> > -------------------------------------------------
>>> > Stop the braindumps!
>>> > http://www.stopbraindumps.com/
>>> >
>>> >
>>>
>>>
>>> --
>>> Pavel Bykov
>>> -------------------------------------------------
>>> Stop the braindumps!
>>> http://www.stopbraindumps.com/
>>>
>>>
>>
>>
>> --
>> Narbik Kocharians
>> CCSI#30832, CCIE# 12410 (R&S, SP, Security)
>> www.MicronicsTraining
>> www.Net-Workbooks.com
>> Sr. Technical Instructor
>>
>
>
>
> --
> Pavel Bykov
> -------------------------------------------------
> Stop the braindumps!
> http://www.stopbraindumps.com/
>
>

-- 
Pavel Bykov
-------------------------------------------------
Stop the braindumps!
http://www.stopbraindumps.com/

Blogs and organic groups at http://www.ccie.net
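The verification step the thread keeps coming back to is reading "show policy-map interface" and seeing whether the youtube class gets hits or everything lands in class-default. Below is a small parser for that output, added here as an example and not code from anyone in the thread; the embedded sample is Omar's posted output, used as constructed test input, and the check labels the original poster's symptom (user class at zero while class-default carries all traffic).

```python
import re

# Sample "show policy-map interface" output copied from Omar's post in this
# thread (constructed test input; the counters are the ones he posted).
SAMPLE = """\
FastEthernet0/1

  Service-policy output: BLOCK-youtube

    Class-map: youtube (match-all)
      27 packets, 29642 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol http host "*youtube.com*"
      drop

    Class-map: class-default (match-any)
      15842 packets, 1412490 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
"""

CLASS_RE = re.compile(r"^\s*Class-map:\s+(\S+)\s+\((match-all|match-any)\)")
COUNT_RE = re.compile(r"^\s*(\d+) packets, (\d+) bytes")


def parse_policy_map(text):
    """Return {class_name: {"packets", "bytes", "matches", "drop"}} per class."""
    classes, current = {}, None
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m:  # start of a new class block; counters follow on later lines
            classes[m.group(1)] = current = {"packets": 0, "bytes": 0, "matches": [], "drop": False}
            continue
        if current is None:
            continue
        m = COUNT_RE.match(line)
        stripped = line.strip()
        if m:
            current["packets"], current["bytes"] = int(m.group(1)), int(m.group(2))
        elif stripped.startswith("Match:"):
            current["matches"].append(stripped[len("Match:"):].strip())
        elif stripped == "drop":
            current["drop"] = True
    return classes


def classification_check(classes):
    """'ok': every user class has hits. 'misclassified': a user class sits at
    zero while class-default carries traffic (NBAR not classifying, e.g. CEF
    off or IOS without NBAR on that interface). 'no-traffic': nothing yet."""
    idle = [n for n, c in classes.items() if n != "class-default" and c["packets"] == 0]
    if not idle:
        return "ok"
    if classes.get("class-default", {}).get("packets", 0) == 0:
        return "no-traffic"
    return "misclassified"
```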



This archive was generated by hypermail 2.1.4 : Mon Dec 01 2008 - 08:18:31 ARST