From: Dale Shaw (dale.shaw@gmail.com)
Date: Tue Feb 24 2009 - 03:29:37 ARST
OK folks, I've spent a considerable amount of time on this today. It's
a long post, but if you're interested, the results are all there.
Lab Topology:
R1 (HTTP client)
| Fa0/0
|
| Fa0/0
R2 (QoS policy enforcement)
| Se0/0/0.23
|
| S0/0/0.32
R3 (HTTP server)
HTTP Client (R1) config:
ip host www.cisco.com 131.1.3.3
!
interface Loopback0
ip address 131.1.1.1 255.255.255.0
!
interface FastEthernet0/0
ip address 131.1.12.1 255.255.255.0
!
router rip
version 2
network 131.1.0.0
no auto-summary
!
ip http client source-interface Loopback0
NOTE: HTTP client requests invoked using the following example command on R1:
R1#copy http://cisco:cisco@www.cisco.com/directory/fish2.jpg null:
QoS Router (R2) base config:
interface Loopback0
ip address 131.1.2.2 255.255.255.0
!
interface FastEthernet0/0
ip address 131.1.12.2 255.255.255.0
!
interface Serial0/0/0
no ip address
encapsulation frame-relay
!
interface Serial0/0/0.23 point-to-point
description *** Server-facing Interface ***
ip address 131.1.23.2 255.255.255.0
frame-relay interface-dlci 203
!
router rip
version 2
network 131.1.0.0
no auto-summary
HTTP Server (R3) config:
username cisco privilege 15 password 0 cisco
!
interface Loopback0
ip address 131.1.3.3 255.255.255.0
!
interface Serial0/0/0
no ip address
encapsulation frame-relay
!
interface Serial0/0/0.32 point-to-point
ip address 131.1.23.3 255.255.255.0
frame-relay interface-dlci 302
!
router rip
version 2
network 131.1.0.0
no auto-summary
!
ip http server
ip http authentication local
ip http path flash:
R3#dir /recursive
Directory of flash:/*
Directory of flash:/
1 -rw- 39857992 Jan 14 2009 02:16:28 +00:00
c2800nm-adventerprisek9-mz.124-23.bin
2 -rw- 114 Jan 21 2009 08:32:58 +00:00 R3.cfg
Directory of flash:/directory/
4 -rw- 114 Feb 24 2009 01:31:34 +00:00 fish1.jpg
5 -rw- 114 Feb 24 2009 01:31:36 +00:00 fish2.jpg
11 -rw- 114 Feb 24 2009 05:08:30 +00:00 doc1.doc
Directory of flash:/anotherdir/
7 -rw- 114 Feb 24 2009 04:43:40 +00:00 fish3.jpg
8 -rw- 114 Feb 24 2009 04:43:42 +00:00 fish4.jpg
9 -rw- 114 Feb 24 2009 04:53:42 +00:00 fish5.jpeg
10 -rw- 114 Feb 24 2009 04:54:24 +00:00 fish6.gif
64012288 bytes total (24113152 bytes free)
OK, I wanted to test the usage of NBAR's HTTP matching features. For
each of "match protocol http host", "match protocol http url" and
"match protocol http mime", I completed the following tests:
- match and drop inbound on client-side interface (Fa0/0)
- match and drop outbound on client-side interface (Fa0/0)
- match and drop inbound on server-side interface (S0/0/0.23)
- match and drop outbound on server-side interface (S0/0/0.23)
- match and police inbound on server-side interface (S0/0/0.23)
- match and police outbound on server-side interface (S0/0/0.23)
In summary:
"match protocol http host" classification works irrespective of the
direction in which the service-policy is applied.
The action (e.g. 'drop') CAN BE directional. Example: 'drop' only
works in the *client -> server* direction, but 'police' works in
either direction.
"match protocol http url" classification works irrespective of the
direction in which the service-policy is applied.
The action (e.g. 'drop') CAN BE directional. Example: 'drop' only
works in the *client -> server* direction, but 'police' works in
either direction.
"match protocol http mime" classification works irrespective of the
direction in which the service-policy is applied.
The action (e.g. 'drop') CAN BE directional. Example: 'drop' only
works in the *server -> client* direction, but 'police' works in
either direction.
The fact that the classification/matching works, even when your
service policy is applied in the opposite direction to the flow that
contains the elements NBAR must match on, was the biggest surprise for
me. That's pretty counter-intuitive and isn't explained in anything
I've read in the last couple of days. This IE blog entry covers it
best, but not enough to gain a deep understanding:
http://blog.internetworkexpert.com/2008/11/04/using-nbar-for-http-url-filtering/
I will include the gory details (test outputs) at the end of this e-mail.
My solution to the original poster's (olumayokun fowowe) scenario is:
"I want to allocate 32kbps for replies from a webserver for address
with the url http://www.abc.com. And I want my router to drop any
image file of type jpeg, jpg and gif."
Config:
class-map match-all SERVER1
match protocol http host www.abc.com
!
class-map match-all IMAGES1
match class-map SERVER1
match protocol http mime "image/(jpeg|gif)"
!
policy-map POLICY1
class IMAGES1
drop
class SERVER1
police 32000
!
interface S0/0/0.23
description *** Server-facing Interface ***
service-policy input POLICY1
Notes: it's not entirely clear from the post whether this should be a
job for ingress policing or CBWFQ/LLQ (on egress to the client). The
words were "I want to allocate 32kbps for replies from a webserver".
Hmmm.
My solution to mahmoud genidy's scenario is:
"We need to POLICE the REPLIES from www.cisco.com/directory to 1000K
and to DROP this traffic if it includes IMAGES (jpeg, jpg, gif)."
Config:
class-map SERVER2
match protocol http host "www.cisco.com"
match protocol http url "/directory/*"
!
class-map IMAGES2
match class-map SERVER2
match protocol http url "*.(jpeg|jpg|gif)"
!
policy-map POLICY-IN
class SERVER2
police 1000000
!
policy-map POLICY-OUT
class IMAGES2
drop
!
interface S0/0/0.23
description *** Server-facing Interface ***
service-policy input POLICY-IN
service-policy output POLICY-OUT
** OR **
class-map SERVER2
match protocol http host "www.cisco.com"
match protocol http url "/directory/*"
!
class-map match-all IMAGES2
match class-map SERVER2
match protocol http mime "image/(jpeg|gif)"
!
policy-map POLICY-IN
class IMAGES2
drop
class SERVER2
police 1000000
!
interface S0/0/0.23
description *** Server-facing Interface ***
service-policy input POLICY-IN
One quirk worth noting, if you attempt this yourself using a router as
the HTTP client, is that the host portion of the URL specified on the
"copy" command line is not necessarily what the HTTP client sends as
the Host: header to the server! I banged my head for a couple of hours
because of this. See:
At one point I had this config on R1:
ip host www.cisco.com 131.1.3.3
..and I was executing commands like:
R1#copy http://cisco:cisco@www.cisco.com/directory/fish2.jpg null:
I incorrectly assumed that the IOS HTTP client would resolve the name
to the IP using the local host entry but still send the 'Host:
www.cisco.com' header with the GET request. This is NOT the case; IOS
sends the resolved IP address (131.1.3.3). I'm not sure if this
behaviour can be changed.
This obviously affects the value you need to use in your "match
protocol http host" statement as it's this host header that is matched
by this command. In other words, when testing, use "match protocol
http host 131.1.3.3" or equivalent.
cheers,
Dale
TEST OUTPUTS:
- All QoS config on R2
- All HTTP client requests from R1 (using 'www.cisco.com' in 'copy'
command, with local host entry mapped to R3)
- All HTTP server responses from R3
- policy-map and class-map stanzas removed/re-added between each step
Test 1 -- "match protocol http host" (drop action)
!
! step 1: define class-map and policy-map,
! apply inbound on client-side i/f.
!
class-map FOO1
match protocol http host 131.1.3.3
!
policy-map FOO1
class FOO1
drop
!
int fa0/0
service-policy in FOO1
!
! test result: success (match and drop action effective)
!
! R1#copy http://cisco:cisco@www.cisco.com/directory/fish1.jpg null:
! %Error opening http://cisco:cisco@www.cisco.com/directory/fish1.jpg (I/O error)
! R1#
!
! R2#sh policy-map int fa0/0 in class FOO1
! FastEthernet0/0
!
! Service-policy input: FOO1
!
! Class-map: FOO1 (match-all)
! 12 packets, 2380 bytes
! 5 minute offered rate 0 bps, drop rate 0 bps
! Match: protocol http host "131.1.3.3"
! drop
!
! cleanup:
!
int fa0/0
no service-policy in FOO1
!
no policy-map FOO1
no class-map FOO1
!
! step 2: define class-map and policy-map,
! apply outbound on client-side i/f.
!
class-map FOO1
match protocol http host 131.1.3.3
!
policy-map FOO1
class FOO1
drop
!
int fa0/0
service-policy out FOO1
!
! test result: partial success (match but drop action not effective!)
!
! R1#copy http://cisco:cisco@www.cisco.com/directory/fish1.jpg null:
! Loading http://***********@www.cisco.com/directory/fish1.jpg
! 114 bytes copied in 2.092 secs (54 bytes/sec)
!
! R2#sh policy-map int fa0/0 out class FOO1
! FastEthernet0/0
!
! Service-policy output: FOO1
!
! Class-map: FOO1 (match-all)
! 7 packets, 1620 bytes
! 5 minute offered rate 0 bps, drop rate 0 bps
! Match: protocol http host "131.1.3.3"
! drop
!
! cleanup:
!
int fa0/0
no service-policy out FOO1
!
no policy-map FOO1
no class-map FOO1
!
! step 3: define class-map and policy-map,
! apply inbound on server-side i/f.
!
class-map FOO1
match protocol http host 131.1.3.3
!
policy-map FOO1
class FOO1
drop
!
int s0/0/0.23
service-policy in FOO1
!
! test result: partial success (match but drop action not effective!)
!
! R1#copy http://cisco:cisco@www.cisco.com/directory/fish1.jpg null:
! Loading http://***********@www.cisco.com/directory/fish1.jpg
! 114 bytes copied in 2.096 secs (54 bytes/sec)
! R1#
!
! R2#sh policy-map int s0/0/0.23 in class FOO1
!
! Serial0/0/0.23
!
! Service-policy input: FOO1
!
! Class-map: FOO1 (match-all)
! 2 packets, 502 bytes
! 5 minute offered rate 0 bps, drop rate 0 bps
! Match: protocol http host "131.1.3.3"
! drop
!
! cleanup:
!
int s0/0/0.23
no service-policy in FOO1
!
no policy-map FOO1
no class-map FOO1
!
! step 4: define class-map and policy-map,
! apply outbound on server-side i/f.
!
class-map FOO1
match protocol http host 131.1.3.3
!
policy-map FOO1
class FOO1
drop
!
int s0/0/0.23
service-policy out FOO1
!
! test result: success (match and drop action effective)
!
! R1#copy http://cisco:cisco@www.cisco.com/directory/fish1.jpg null:
! %Error opening http://cisco:cisco@www.cisco.com/directory/fish1.jpg (I/O error)
! R1#
!
! R2#sh policy-map int s0/0/0.23 out class FOO1
!
! Serial0/0/0.23
!
! Service-policy output: FOO1
!
! Class-map: FOO1 (match-all)
! 6 packets, 1124 bytes
! 5 minute offered rate 0 bps, drop rate 0 bps
! Match: protocol http host "131.1.3.3"
! drop
!
! cleanup:
!
int s0/0/0.23
no service-policy out FOO1
!
no policy-map FOO1
no class-map FOO1
Test 2 -- "match protocol http url" (drop action)
!
! step 1: define class-map and policy-map,
! apply inbound on client-side i/f.
!
class-map FOO2
match protocol http url /directory/*
!
policy-map FOO2
class FOO2
drop
!
int fa0/0
service-policy in FOO2
!
! test result: success (match and drop action effective)
!
! R1#copy http://cisco:cisco@www.cisco.com/directory/fish1.jpg null:
! %Error opening http://cisco:cisco@www.cisco.com/directory/fish1.jpg (I/O error)
! R1#
!
! R2#sh policy-map int fa0/0 in class FOO2
! FastEthernet0/0
!
! Service-policy input: FOO2
!
! Class-map: FOO2 (match-all)
! 15 packets, 2560 bytes
! 5 minute offered rate 0 bps, drop rate 0 bps
! Match: protocol http url "/directory/*"
! drop
!
! cleanup:
!
int fa0/0
no service-policy in FOO2
!
no policy-map FOO2
no class-map FOO2
!
! step 2: define class-map and policy-map,
! apply outbound on client-side i/f.
!
class-map FOO2
match protocol http url /directory/*
!
policy-map FOO2
class FOO2
drop
!
int fa0/0
service-policy out FOO2
!
! test result: partial success (match but drop action not effective!)
!
! R1#copy http://cisco:cisco@www.cisco.com/directory/fish1.jpg null:
! Loading http://***********@www.cisco.com/directory/fish1.jpg
! 114 bytes copied in 2.092 secs (54 bytes/sec)
! R1#
!
! R2#sh policy-map int fa0/0 out class FOO2
! FastEthernet0/0
!
! Service-policy output: FOO2
!
! Class-map: FOO2 (match-all)
! 2 packets, 522 bytes
! 5 minute offered rate 0 bps, drop rate 0 bps
! Match: protocol http url "/directory/*"
! drop
! R2#
!
! cleanup:
!
int fa0/0
no service-policy out FOO2
!
no policy-map FOO2
no class-map FOO2
!
! step 3: define class-map and policy-map,
! apply inbound on server-side i/f.
!
class-map FOO2
match protocol http url /directory/*
!
policy-map FOO2
class FOO2
drop
!
int s0/0/0.23
service-policy in FOO2
!
! test result: partial success (match but drop action not effective!)
!
! R1#copy http://cisco:cisco@www.cisco.com/directory/fish1.jpg null:
! Loading http://***********@www.cisco.com/directory/fish1.jpg
! 114 bytes copied in 2.096 secs (54 bytes/sec)
!
! R2#sh policy-map int s0/0/0.23 in class FOO2
!
! Serial0/0/0.23
!
! Service-policy input: FOO2
!
! Class-map: FOO2 (match-all)
! 2 packets, 502 bytes
! 5 minute offered rate 0 bps, drop rate 0 bps
! Match: protocol http url "/directory/*"
! drop
! R2#
!
!
! cleanup:
!
int s0/0/0.23
no service-policy in FOO2
!
no policy-map FOO2
no class-map FOO2
!
! step 4: define class-map and policy-map,
! apply outbound on server-side i/f.
!
class-map FOO2
match protocol http url /directory/*
!
policy-map FOO2
class FOO2
drop
!
int s0/0/0.23
service-policy out FOO2
!
! test result: success (match and drop action effective)
!
! R1#copy http://cisco:cisco@www.cisco.com/directory/fish1.jpg null:
! %Error opening http://cisco:cisco@www.cisco.com/directory/fish1.jpg (I/O error)
! R1#
!
! R2#sh policy-map int s0/0/0.23 out class FOO2
!
! Serial0/0/0.23
!
! Service-policy output: FOO2
!
! Class-map: FOO2 (match-all)
! 6 packets, 1124 bytes
! 5 minute offered rate 0 bps, drop rate 0 bps
! Match: protocol http url "/directory/*"
! drop
!
! cleanup:
!
int s0/0/0.23
no service-policy out FOO2
!
no policy-map FOO2
no class-map FOO2
Test 3 -- "match protocol http mime" (drop action)
!
! step 1: define class-map and policy-map,
! apply inbound on client-side i/f.
!
class-map FOO3
match protocol http mime "image/(jpeg|gif)"
!
policy-map FOO3
class FOO3
drop
!
int fa0/0
service-policy in FOO3
!
! test result: partial success (match but drop action not effective!)
!
! R1#copy http://cisco:cisco@131.1.3.3/directory/fish2.jpg null:
! Loading http://***********@131.1.3.3/directory/fish2.jpg
! 114 bytes copied in 0.244 secs (467 bytes/sec)
!
! R2#sh policy-map int fa0/0 in class FOO3
! FastEthernet0/0
!
! Service-policy input: FOO3
!
! Class-map: FOO3 (match-all)
! 4 packets, 240 bytes
! 5 minute offered rate 0 bps, drop rate 0 bps
! Match: protocol http mime "image/(jpeg|gif)"
! drop
! R2#
!
! cleanup:
!
int fa0/0
no service-policy in FOO3
!
no policy-map FOO3
no class-map FOO3
!
! step 2: define class-map and policy-map,
! apply outbound on client-side i/f.
!
class-map FOO3
match protocol http mime "image/(jpeg|gif)"
!
policy-map FOO3
class FOO3
drop
!
int fa0/0
service-policy out FOO3
!
! test result: success (match and drop action effective)
!
! R1#copy http://cisco:cisco@131.1.3.3/directory/fish2.jpg null:
! %Error opening http://cisco:cisco@131.1.3.3/directory/fish2.jpg (I/O error)
! R1#
!
! R2#sh policy-map int fa0/0 out class FOO3
! FastEthernet0/0
!
! Service-policy output: FOO3
!
! Class-map: FOO3 (match-all)
! 7 packets, 2034 bytes
! 5 minute offered rate 0 bps, drop rate 0 bps
! Match: protocol http mime "image/(jpeg|gif)"
! drop
! R2#
!
! cleanup:
!
int fa0/0
no service-policy out FOO3
!
no policy-map FOO3
no class-map FOO3
!
! step 3: define class-map and policy-map,
! apply inbound on server-side i/f.
!
class-map FOO3
match protocol http mime "image/(jpeg|gif)"
!
policy-map FOO3
class FOO3
drop
!
int s0/0/0.23
service-policy in FOO3
!
! test result: success (match and drop action effective)
!
! R1#copy http://cisco:cisco@131.1.3.3/directory/fish2.jpg null:
! %Error opening http://cisco:cisco@131.1.3.3/directory/fish2.jpg (I/O error)
! R1#
!
! R2#sh policy-map int s0/0/0.23 in class FOO3
!
! Serial0/0/0.23
!
! Service-policy input: FOO3
!
! Class-map: FOO3 (match-all)
! 10 packets, 2924 bytes
! 5 minute offered rate 0 bps, drop rate 0 bps
! Match: protocol http mime "image/(jpeg|gif)"
! drop
! R2#
!
! cleanup:
!
int s0/0/0.23
no service-policy in FOO3
!
no policy-map FOO3
no class-map FOO3
!
! step 4: define class-map and policy-map,
! apply outbound on server-side i/f.
!
class-map FOO3
match protocol http mime "image/(jpeg|gif)"
!
policy-map FOO3
class FOO3
drop
!
int s0/0/0.23
service-policy out FOO3
!
! test result: partial success (match but drop action not effective!)
!
! R1#copy http://cisco:cisco@131.1.3.3/directory/fish2.jpg null:
! Loading http://***********@131.1.3.3/directory/fish2.jpg
! 114 bytes copied in 0.244 secs (467 bytes/sec)
!
! R2#sh policy-map int s0/0/0.23 out class FOO3
!
! Serial0/0/0.23
!
! Service-policy output: FOO3
!
! Class-map: FOO3 (match-all)
! 6 packets, 264 bytes
! 5 minute offered rate 0 bps, drop rate 0 bps
! Match: protocol http mime "image/(jpeg|gif)"
! drop
! R2#
!
! cleanup:
!
int s0/0/0.23
no service-policy out FOO3
!
no policy-map FOO3
no class-map FOO3
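An added example, not part of Dale's post: a small Python model of the NBAR HTTP match strings and the class-map/policy-map evaluation from the second solution, so the patterns, the match-all nesting, the policy-map class ordering and the Host-header quirk can be checked offline before the config goes on a router. The wildcard rules and whole-field matching are my assumptions about NBAR syntax, and the flows are constructed from the lab's file names.

```python
import re

def nbar_to_regex(pattern):
    """NBAR wildcards (assumed rules): * any run, ? one char, (a|b) alternatives, [abc] one char."""
    out = []
    for ch in pattern:
        if ch == "*":
            out.append(".*")
        elif ch == "?":
            out.append(".")
        elif ch in "()|[]":
            out.append(ch)              # pass alternation / char-class syntax through
        else:
            out.append(re.escape(ch))   # '.' and '/' are literal in NBAR strings
    return re.compile("".join(out))

def nbar_match(pattern, value):
    """True when the pattern covers the whole field (whole-field matching is an assumption)."""
    return nbar_to_regex(pattern).fullmatch(value) is not None

# class-maps from the post; match-all is the IOS default when no mode is given
CLASS_MAPS = {
    "SERVER2": ("match-all", [("host", "www.cisco.com"), ("url", "/directory/*")]),
    "IMAGES2": ("match-all", [("class-map", "SERVER2"), ("url", "*.(jpeg|jpg|gif)")]),
}
# policy-map from the post: IMAGES2 deliberately listed before SERVER2
POLICY_IN = [("IMAGES2", "drop"), ("SERVER2", "police 1000000")]

def classify(name, flow, class_maps=CLASS_MAPS):
    """Evaluate a class-map (including nested 'match class-map') against one HTTP flow."""
    mode, matches = class_maps[name]
    results = [classify(pat, flow, class_maps) if kind == "class-map"
               else nbar_match(pat, flow.get(kind, ""))
               for kind, pat in matches]
    return all(results) if mode == "match-all" else any(results)

def policy_action(flow, policy=POLICY_IN, class_maps=CLASS_MAPS):
    """First matching class in policy-map order wins, as in IOS; None means class-default."""
    for name, action in policy:
        if classify(name, flow, class_maps):
            return name, action
    return None

# constructed flows: request Host and URL plus the response Content-Type
FISH_JPG = {"host": "www.cisco.com", "url": "/directory/fish2.jpg", "mime": "image/jpeg"}
DOC      = {"host": "www.cisco.com", "url": "/directory/doc1.doc", "mime": "application/msword"}
OTHERDIR = {"host": "www.cisco.com", "url": "/anotherdir/fish6.gif", "mime": "image/gif"}
IOS_HOST = {"host": "131.1.3.3", "url": "/directory/fish2.jpg", "mime": "image/jpeg"}  # IOS copy quirk

if __name__ == "__main__":
    for flow in (FISH_JPG, DOC, OTHERDIR, IOS_HOST):
        print(flow["host"], flow["url"], "->", policy_action(flow))
```

Reversing POLICY_IN turns the jpeg flow from a drop into a police action, which is why the post lists the IMAGES class first.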
This archive was generated by hypermail 2.1.4 : Sun Mar 01 2009 - 09:44:12 ARST