From: Jason Madsen (madsen.jason@gmail.com)
Date: Sat Jan 24 2009 - 14:52:04 ARST
Since in your example you're using "match-all", it should only block
"www.dontcheat.com/ccie.jpg" and "www.dontcheat.com/ccie.gif". They would
NOT block "www.dontcheat.com/ccie/mynumber.jpg" (or .gif) unless you add an
asterisk to the end of your "/ccie" URL match. But yes, your URL without
the ".jpg" or ".gif" extensions should not be blocked because of the
"match-all" class-map type, instead of "match-any".
Jason
On Sat, Jan 24, 2009 at 9:44 AM, Roger RPF <rpf@bluemail.ch> wrote:
> Hey Jason,
>
> Thanks for that, it explains the issue / difference between having the
> .jpg...in a URL or having it "somewhere" on that page. Maybe my initial
> example was not specific enough :o(
>
> So to go back to my initial question. To block the URLs
>
> www.dontcheat.com/ccie/mynumber.jpg
> www.dontcheat.com/ccie/mynumber.gif
>
> But to still allow access to
>
> www.dontcheat.com/ccie/mynumber
>
> I would have to do the following to block it:
>
> class-map match-all BLOCK
> match protocol http host www.dontcheat.com
> match protocol http url "/ccie"
> match protocol http url "*.jpg|*.gif"
>
> The question is why in the DocCD it is written not to use matching on host?
>
> http://www.cisco.com/en/US/docs/ios/qos/configuration/guide/clsfy_traffic_nbar_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1051880
>
> As I said before, to me, in that case we would also block /ccie/mynumber.jpg
> or .gif from another host, isn't it?
>
>
> regards
>
> Roger
>
> From: Jason Madsen [mailto:madsen.jason@gmail.com]
> Sent: Saturday, 24 January 2009 17:29
> To: Han Solo
> Cc: Roger RPF; Wouter Prins; Cisco certification
> Subject: Re: AW: nbar / http classification question
>
> There are definitely jpeg images on that page, as can be verified by looking
> at the html source code, but you aren't going to actually type a URL with a
> .jpeg extension to view them. They are downloaded automatically when you
> navigate to that page. That's the reason I recommended using mime for your
> jpeg matching.
>
> Jason
> On Sat, Jan 24, 2009 at 9:25 AM, Han Solo <emaillists@me.com> wrote:
> Yea there there use firefox with downloadem all and filter on jpeg's you
> will see them
>
>
>
> On Jan 24, 2009, at 8:24 AM, Jason Madsen wrote:
> Actually, are there any images at http://www.cisco.com/go/ccie with a URL
> ending in .jpeg or another jpeg extension? I don't see any. If that's the
> case, then you'd probably want to go with matching mime since it will
> actually be the jpeg image type that you want to block and not a URL with
> "jpeg" at the end of it...hope that makes sense.
>
> On Sat, Jan 24, 2009 at 9:21 AM, Jason Madsen <madsen.jason@gmail.com>
> wrote:
> image querying should be blocked by the JPEG URL statements you made,
> whereas, image downloading should be blocked by a mime statement.
>
> On Sat, Jan 24, 2009 at 9:19 AM, Jason Madsen <madsen.jason@gmail.com>
> wrote:
> I guess URL matching for the JPEG part should be fine too though...either
> way.
>
>
> On Sat, Jan 24, 2009 at 9:15 AM, Jason Madsen <madsen.jason@gmail.com>
> wrote:
> I recommend you guys try just using URL for your URL match, rather than host,
> and either put the entire URL string in your match statement or else use
> asterisks. For your image matching, I recommend you guys try matching JPEG
> via http mime, rather than URL.
>
> Jason
>
>
> On Sat, Jan 24, 2009 at 9:08 AM, Han Solo <emaillists@me.com> wrote:
> For some reason I get hit and miss results when matching on various "match
> protocol http host" types but this one works
>
> INTERNET(config-cmap)#do show policy-map int g0/0
>
> GigabitEthernet0/0
>
> Service-policy input: url
>
> Class-map: url (match-all)
> 102 packets, 67994 bytes
> 30 second offered rate 9000 bps, drop rate 9000 bps
> Match: protocol http
> drop
>
> On Jan 24, 2009, at 7:52 AM, Han Solo wrote:
>
> Class Map match-all url (id 6)
> Match protocol http url "*.gif|*.jpg|*.jpeg"
> Match protocol http url "*/ccie*"
> Match protocol http host "http://www.cisco.com/"
>
> INTERNET#
> INTERNET#sh policy-map int g0/0
> GigabitEthernet0/0
>
> Service-policy input: url
>
> Class-map: url (match-all)
> 0 packets, 0 bytes
> 30 second offered rate 0 bps, drop rate 0 bps
> Match: protocol http url "*.gif|*.jpg|*.jpeg"
> Match: protocol http url "*/ccie*"
> Match: protocol http host "http://www.cisco.com/"
> drop
>
> On Jan 24, 2009, at 7:49 AM, Han Solo wrote:
>
> I think it has to do with the "match-all" in the class map. I am trying
> different things; bottom line, with both of the examples posted so far there
> is no match. I have a 2851 as internet router at home to try and test them,
> so I block my wife's stuff when I come home from work. It really is good
> exercise to get these things down. Curious why these ones aren't working?
> If you want to jump on and test with me, let me know; I will start up a
> webex.
>
>
> On Jan 24, 2009, at 7:35 AM, Roger RPF wrote:
>
> Well, I did not try but I guess you would have to use:
>
> match protocol http url "*/ccie"
>
> or
>
> match protocol http url "go/ccie"
>
> if that is the exact url
>
> regards
>
> Roger
>
>
> -----Original Message-----
> From: Han Solo [mailto:emaillists@me.com]
> Sent: Saturday, 24 January 2009 16:30
> To: Wouter Prins
> Cc: Roger RPF; Cisco certification
> Subject: Re: nbar / http classification question
>
> That doesn't work I tried it
>
> INTERNET#sh policy-map interface g0/0
> GigabitEthernet0/0
>
> Service-policy input: url
>
> Class-map: url (match-all)
> 0 packets, 0 bytes -------> NO MATCHES WHEN GOING TO WWW.CISCO.COM/GO/CCIE
> 30 second offered rate 0 bps, drop rate 0 bps
> Match: protocol http host "www.cisco.com"
> Match: protocol http url "/ccie"
> Match: protocol http url "*.gif|*.jpg|*.jpeg"
> drop
>
>
> class-map match-all url
> match protocol http host "www.cisco.com"
> match protocol http url "/ccie"
> match protocol http url "*.gif|*.jpg|*.jpeg"
>
> policy-map url
> class url
> drop
>
> On Jan 24, 2009, at 6:44 AM, Wouter Prins wrote:
>
> I think:
>
> class-map match-all URL
> match protocol http host www.cisco.com
> match protocol http url "/ccie"
> match protocol http url "*.gif|*.jpg|*.jpeg"
>
> Would also work
> Wouter
>
> 2009/1/24 Roger RPF <rpf@bluemail.ch>
>
> Hi group,
>
> Question regarding nbar and the class-maps. If the task tells us to block all
> .jpeg and .gif from www.cisco.com/ccie how do you create the class map? Do
> we need to include the hostname part? If I look at the following link on the
> doccd, they say no:
>
> http://www.cisco.com/en/US/docs/ios/qos/configuration/guide/clsfy_traffic_nbar_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1051880
>
> But to me, this would mean that we would also block .jpeg and .gif for the
> site www.dontcheat.com/ccie or not?
>
> My solution:
>
> class-map match-all URL
> match protocol http host www.cisco.com
> match protocol http url "/ccie"
> match class-map URLCHILD
>
> class-map match-any URLCHILD
> match protocol http url "*.gif*"
> match protocol http url "*.jpg*"
> match protocol http url "*.jpeg*"
>
> What do you think?
>
> thanks
>
> Roger
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
> Han Solo
> May the force be with you
This archive was generated by hypermail 2.1.4 : Sun Mar 01 2009 - 09:43:39 ARST
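
A small Python model of the class-map logic argued over in this thread, added here as an illustration; it is not code from any poster and it does not reproduce NBAR's matching engine. It assumes `*` matches any run of characters, `|` separates alternatives and every URL pattern carries explicit wildcards; the map names and sample requests are constructed.

```python
from fnmatch import fnmatchcase

def stmt_matches(stmt, req):
    """One 'match protocol http <field> "<pattern>"' line; '|' separates alternatives."""
    field, pattern = stmt
    return any(fnmatchcase(req[field], alt) for alt in pattern.split("|"))

def class_matches(name, req, maps):
    """match-all ANDs the statements of a class-map, match-any ORs them."""
    cmap = maps[name]
    results = [
        class_matches(arg, req, maps) if kind == "class-map"   # nested class-map
        else stmt_matches((kind, arg), req)
        for kind, arg in cmap["statements"]
    ]
    return all(results) if cmap["mode"] == "match-all" else any(results)

# Class-maps modelled on the thread; the explicit wildcards are an assumption.
MAPS = {
    "URLCHILD": {"mode": "match-any", "statements": [
        ("url", "*.gif"), ("url", "*.jpg"), ("url", "*.jpeg")]},
    "WITH_HOST": {"mode": "match-all", "statements": [
        ("host", "www.dontcheat.com"), ("url", "*/ccie/*"),
        ("class-map", "URLCHILD")]},
    "NO_HOST": {"mode": "match-all", "statements": [
        ("url", "*/ccie/*"), ("class-map", "URLCHILD")]},
    "ANY_OF": {"mode": "match-any", "statements": [
        ("host", "www.dontcheat.com"), ("url", "*/ccie/*"),
        ("url", "*.gif|*.jpg|*.jpeg")]},
}

# Constructed sample requests; www.example.com stands in for "another host".
REQUESTS = [
    ("www.dontcheat.com", "/ccie/mynumber.jpg"),
    ("www.dontcheat.com", "/ccie/mynumber.gif"),
    ("www.dontcheat.com", "/ccie/mynumber"),
    ("www.example.com", "/ccie/mynumber.jpg"),
    ("www.example.com", "/index.html"),
]

def classified(name):
    """Return the constructed requests that the named class-map would classify."""
    return [h + u for h, u in REQUESTS
            if class_matches(name, {"host": h, "url": u}, MAPS)]

if __name__ == "__main__":
    for name in ("WITH_HOST", "NO_HOST", "ANY_OF"):
        print(name, classified(name))
```

In this model, dropping the host statement also classifies the image on the other host, and switching the parent map to match-any classifies every request to www.dontcheat.com regardless of path or extension.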