AW: AW: nbar / http classification question

From: Roger RPF (rpf@bluemail.ch)
Date: Sat Jan 24 2009 - 14:44:56 ARST


Hey Jason,

Thanks for that, it explains the issue / difference between having the
.jpg...in an url or having it "somewhere" on that page. Maybe my initial
example was not specific enough :o(

So, to go back to my initial question: to block the URLs

www.dontcheat.com/ccie/mynumber.jpg
www.dontcheat.com/ccie/mynumber.gif

But to still allow access to

www.dontcheat.com/ccie/mynumber

I would have to do the following to block it:

class-map match-all BLOCK
 match protocol http host www.dontcheat.com
 match protocol http url "/ccie"
 match protocol http url "*.jpg|*.gif"

The question is: why does the DocCD say not to use matching on host?
http://www.cisco.com/en/US/docs/ios/qos/configuration/guide/clsfy_traffic_nbar_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1051880

As I said before, to me, in that case we would also block /ccie/mynumber.jpg
or .gif from another host, wouldn't we?

regards

Roger
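The point the thread keeps circling (why a match-all class-map with three separate conditions reports zero matches while a single url pattern with asterisks catches the traffic) can be reasoned through offline. The following is an added example written for this archive page; it is not Cisco code, does not run on IOS, and does not come from any poster in the thread. It assumes that NBAR "match protocol http url" and "match protocol http host" patterns behave as anchored globs ('*', '?', '[...]') with '|' alternation, applied to the path after the host and to the Host header respectively, and that match-all ANDs the conditions while match-any ORs them; that reading follows Jason's advice to "put the entire URL string in your match statement or else use asterisks", but it is an assumption, not something the thread confirms. The class-map names and the URLs are taken from the thread; the Request type, glob_any() and classify() are mine.

```python
"""Offline emulation of NBAR-style HTTP class-map evaluation.

Added example for this mailing-list thread; not Cisco code.
Assumptions (not confirmed by the thread):
  - url patterns are anchored globs ('*', '?', '[...]') with '|' alternation,
    applied to the request path after the host;
  - host patterns are anchored globs applied to the Host header;
  - match-all ANDs its conditions, match-any ORs them;
  - a nested 'match class-map' contributes the child's verdict.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Request:
    """The two fields the HTTP matching looks at (constructed inputs)."""
    host: str   # Host header value
    path: str   # request path, without scheme or host


Condition = Callable[[Request], bool]


def glob_any(pattern: str, value: str) -> bool:
    """True if value matches any '|'-separated alternative of the pattern."""
    return any(fnmatchcase(value, alt) for alt in pattern.split("|"))


def match_host(pattern: str) -> Condition:
    return lambda r: glob_any(pattern, r.host)


def match_url(pattern: str) -> Condition:
    return lambda r: glob_any(pattern, r.path)


class ClassMap:
    """A class-map: 'match-all' ANDs its conditions, 'match-any' ORs them."""

    def __init__(self, name: str, mode: str, conditions: List[Condition]):
        if mode not in ("match-all", "match-any"):
            raise ValueError(mode)
        self.name, self.mode, self.conditions = name, mode, conditions

    def __call__(self, r: Request) -> bool:  # lets a class-map nest as a condition
        results = [c(r) for c in self.conditions]
        return all(results) if self.mode == "match-all" else any(results)


# Constructed requests modelled on the URLs discussed in the thread.
REQUESTS = [
    Request("www.cisco.com", "/go/ccie"),
    Request("www.cisco.com", "/ccie/mynumber.jpg"),
    Request("www.cisco.com", "/ccie/mynumber"),
    Request("www.dontcheat.com", "/ccie/mynumber.jpg"),
]

# Wouter's / Han Solo's class-map: three separate conditions ANDed together.
LITERAL = ClassMap("url", "match-all", [
    match_host("www.cisco.com"),
    match_url("/ccie"),
    match_url("*.gif|*.jpg|*.jpeg"),
])

# Roger's parent/child variant: the child ORs the extensions, the parent ANDs.
URLCHILD = ClassMap("URLCHILD", "match-any", [
    match_url("*.gif*"), match_url("*.jpg*"), match_url("*.jpeg*"),
])
NESTED = ClassMap("URL", "match-all", [
    match_host("www.cisco.com"), match_url("/ccie"), URLCHILD,
])

# Jason's advice applied: one url condition carrying the whole pattern.
WILDCARD = ClassMap("url", "match-all", [
    match_host("www.cisco.com"),
    match_url("/ccie/*.gif|/ccie/*.jpg|/ccie/*.jpeg"),
])


def classify(cmap: ClassMap, requests=REQUESTS) -> Dict[str, bool]:
    """Map each request's host+path to the class-map's verdict (True = drop)."""
    return {r.host + r.path: cmap(r) for r in requests}


if __name__ == "__main__":
    for cmap in (LITERAL, NESTED, WILDCARD):
        print(cmap.name, cmap.mode, classify(cmap))
```

Under these assumptions LITERAL and NESTED never match anything: a single request path cannot satisfy both url "/ccie" and url "*.jpg" at the same time, so ANDing them in a match-all class is self-defeating, whereas WILDCARD drops only www.cisco.com/ccie/mynumber.jpg and leaves www.cisco.com/ccie/mynumber and the same path on www.dontcheat.com alone. The model also shows why a host pattern written with a scheme, such as "http://www.cisco.com/", can never match a Host header of "www.cisco.com".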

From: Jason Madsen [mailto:madsen.jason@gmail.com]
Sent: Saturday, 24 January 2009 17:29
To: Han Solo
Cc: Roger RPF; Wouter Prins; Cisco certification
Subject: Re: AW: nbar / http classification question

There are definitely JPEG images on that page, as can be verified by looking
at the HTML source code, but you aren't going to actually type a URL with a
.jpeg extension to view them. They are downloaded automatically when you
navigate to that page. That's the reason I recommended using MIME for your
JPEG matching.

Jason
On Sat, Jan 24, 2009 at 9:25 AM, Han Solo <emaillists@me.com> wrote:
Yeah, they're there. Use Firefox with DownThemAll and filter on jpegs; you
will see them.

On Jan 24, 2009, at 8:24 AM, Jason Madsen wrote:
Actually, are there any images at http://www.cisco.com/go/ccie with a URL
ending in .jpeg or another JPEG extension? I don't see any. If that's the
case, then you'd probably want to go with matching MIME, since it will
actually be the JPEG image type that you want to block and not a URL with
"jpeg" at the end of it... hope that makes sense.

On Sat, Jan 24, 2009 at 9:21 AM, Jason Madsen <madsen.jason@gmail.com>
wrote:
Image querying should be blocked by the JPEG URL statements you made,
whereas image downloading should be blocked by a MIME statement.

On Sat, Jan 24, 2009 at 9:19 AM, Jason Madsen <madsen.jason@gmail.com>
wrote:
I guess URL matching for the JPEG part should be fine too, though... either
way.

On Sat, Jan 24, 2009 at 9:15 AM, Jason Madsen <madsen.jason@gmail.com>
wrote:
I recommend you guys try just using URL for your URL match, rather than host,
and either put the entire URL string in your match statement or else use
asterisks. For your image matching, I recommend you guys try matching JPEG
via HTTP MIME, rather than URL.

Jason

On Sat, Jan 24, 2009 at 9:08 AM, Han Solo <emaillists@me.com> wrote:
For some reason I get hit-and-miss results when matching on various "match
protocol http host" types, but this one works:

INTERNET(config-cmap)#do show policy-map int g0/0

 GigabitEthernet0/0

 Service-policy input: url

  Class-map: url (match-all)
    102 packets, 67994 bytes
    30 second offered rate 9000 bps, drop rate 9000 bps
    Match: protocol http
    drop

On Jan 24, 2009, at 7:52 AM, Han Solo wrote:

Class Map match-all url (id 6)
 Match protocol http url "*.gif|*.jpg|*.jpeg"
 Match protocol http url "*/ccie*"
 Match protocol http host "http://www.cisco.com/"

INTERNET#
INTERNET#sh policy-map int g0/0
GigabitEthernet0/0

 Service-policy input: url

 Class-map: url (match-all)
   0 packets, 0 bytes
   30 second offered rate 0 bps, drop rate 0 bps
   Match: protocol http url "*.gif|*.jpg|*.jpeg"
   Match: protocol http url "*/ccie*"
   Match: protocol http host "http://www.cisco.com/"
   drop

On Jan 24, 2009, at 7:49 AM, Han Solo wrote:

I think it has to do with the "match-all" in the class map. I am trying
different things; bottom line, with both of the examples posted so far there
is no match. I have a 2851 as an internet router at home to try and test them,
so I block my wife's stuff when I come home from work. It really is good
exercise to get these things down. Curious why these ones aren't working?
If you want to jump on and test with me, let me know; I will start up a
WebEx.

On Jan 24, 2009, at 7:35 AM, Roger RPF wrote:

Well, I did not try but I guess you would have to use:

match protocol http url "*/ccie"

or

match protocol http url "go/ccie"

if that is the exact URL.

regards

Roger

-----Original Message-----
From: Han Solo [mailto:emaillists@me.com]
Sent: Saturday, 24 January 2009 16:30
To: Wouter Prins
Cc: Roger RPF; Cisco certification
Subject: Re: nbar / http classification question

That doesn't work, I tried it:

INTERNET#sh policy-map interface g0/0
GigabitEthernet0/0

Service-policy input: url

 Class-map: url (match-all)
  0 packets, 0 bytes -------> NO MATCHES WHEN GOING TO WWW.CISCO.COM/GO/CCIE
  30 second offered rate 0 bps, drop rate 0 bps
  Match: protocol http host "www.cisco.com"
  Match: protocol http url "/ccie"
  Match: protocol http url "*.gif|*.jpg|*.jpeg"
  drop

class-map match-all url
match protocol http host "www.cisco.com"
match protocol http url "/ccie"
match protocol http url "*.gif|*.jpg|*.jpeg"

policy-map url
class url
 drop

On Jan 24, 2009, at 6:44 AM, Wouter Prins wrote:

I think:

class-map match-all URL
match protocol http host www.cisco.com
match protocol http url "/ccie"
match protocol http url "*.gif|*.jpg|*.jpeg"

Would also work
Wouter

2009/1/24 Roger RPF <rpf@bluemail.ch>

Hi group,

Question regarding NBAR and the class-maps. If the task tells you to block
all .jpeg and .gif from www.cisco.com/ccie, how do you create the class map?
Do we need to include the hostname part? If I look at the following link on
the DocCD, they say no:

http://www.cisco.com/en/US/docs/ios/qos/configuration/guide/clsfy_traffic_nbar_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1051880

But to me, this would mean that we would also block .jpeg and .gif for the
site www.dontcheat.com/ccie, or not?

My solution:

class-map match-all URL
match protocol http host www.cisco.com
match protocol http url "/ccie"
match class-map URLCHILD

class-map match-any URLCHILD
match protocol http url "*.gif*"
match protocol http url "*.jpg*"
match protocol http url "*.jpeg*"

What do you think?

thanks

Roger

Blogs and organic groups at http://www.ccie.net



This archive was generated by hypermail 2.1.4 : Sun Mar 01 2009 - 09:43:39 ARST