Confusion Regarding NBAR - HELP

From: Emran (muhammadimranmemon@yahoo.com)
Date: Tue Feb 03 2009 - 14:37:56 ARST

• Next message: Sadiq Yakasai: "Re: Trunking question 'switchport trunk allowed vlan'"
• Previous message: Ronnie Angello: "Re: Trunking question 'switchport trunk allowed vlan'"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Dear Experts,
I have some confusion regarding NBAR
matching http url. For example: if I have to match the traffic of
http://www.google.com.pk/intl/en/ directory. The class will be as following.
 
Question 1: is following class is
correct to match directory http://www.google.com.pk/intl/en/
Question 2: Can I apply this class at
outbound at R2 s0/0/0 interface. (classify the response packet of http, keep
in
mind that we do not have host or url field in response of http.)

 
 
 
Clint ------------
R1--------------------S0/0/0 ( R2 ) Fa0/1
 ------------httpServer
 
 
Step 1: Make a Class (Correct me if I
am wrong, in making this class.)

Class-map match-all httpDir
Match
protocol http host www.google.com.pk
Match
protocol http url /intl/en/*
 
 
Step 2: Make a Policy

Policy-map httpLimit
                Class
httpDir
                               
Policy 10000
 
Step 3: apply it to
interface.

Interface Fa0/1
               
Service-policy input httpLimit
 
 
 
Sample of http packet capture for URL:
http://www.google.com.pk/intl/en/about.html
 
Request header:

GET /intl/en/about.html
HTTP/1.1
Accept: image/gif, image/jpeg,
image/pjpeg, image/pjpeg, application/x-shockwave-flash,
application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword,
*/*
Referer:
http://www.google.com.pk/
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible;
MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727;
InfoPath.2)
Accept-Encoding: gzip,
deflate
Host: www.google.com.pk
Proxy-Connection:
Keep-Alive
Cookie:
PREF=ID=6e5b0076ce52da06:TM=1233665342:LM=1233665342:S=HuY2G-TYClqEOe3z
 
 
Response header:

HTTP/1.1 200 OK
Content-Type: text/html
Last-Modified: Wed, 07 Jan 2009
04:10:03 GMT
Date: Tue, 03 Feb 2009 12:49:38
GMT
Server: gws
Cache-Control: private,
x-gzip-ok=""
Content-Length: 7821
 
<!DOCTYPE HTML PUBLIC "-//W3C//DTD
HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
I remove some http code
hare.
 

Thanks & RegardsMuhammad Imran

Blogs and organic groups at http://www.ccie.net

• Next message: Sadiq Yakasai: "Re: Trunking question 'switchport trunk allowed vlan'"
• Previous message: Ronnie Angello: "Re: Trunking question 'switchport trunk allowed vlan'"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Sun Mar 01 2009 - 09:44:09 ARST