From: mahmoud genidy (ccie.mahmoud@gmail.com)
Date: Wed Feb 25 2009 - 22:18:30 ARST
This is very good work, and now the concept is clear.
Thanks, Dale, for your help.
Thanks, Dale and Ivan, for taking the time to run the tests.
Mahmoud.
On Tue, Feb 24, 2009 at 4:29 PM, Dale Shaw <dale.shaw@gmail.com> wrote:
> OK folks, I've spent a considerable amount of time on this today. It's
> a long post, but if you're interested, the results are all there.
>
> Lab Topology:
>
> R1 (HTTP client)
> | Fa0/0
> |
> | Fa0/0
> R2 (QoS policy enforcement)
> | Se0/0/0.23
> |
> | S0/0/0.32
> R3 (HTTP server)
>
>
> HTTP Client (R1) config:
>
> ip host www.cisco.com 131.1.3.3
> !
> interface Loopback0
> ip address 131.1.1.1 255.255.255.0
> !
> interface FastEthernet0/0
> ip address 131.1.12.1 255.255.255.0
> !
> router rip
> version 2
> network 131.1.0.0
> no auto-summary
> !
> ip http client source-interface Loopback0
>
> NOTE: HTTP client requests invoked using the following example command on
> R1:
>
> R1#copy http://cisco:cisco@www.cisco.com/directory/fish2.jpg null:
>
>
>
> QoS Router (R2) base config:
>
> interface Loopback0
> ip address 131.1.2.2 255.255.255.0
> !
> interface FastEthernet0/0
> ip address 131.1.12.2 255.255.255.0
> !
> interface Serial0/0/0
> no ip address
> encapsulation frame-relay
> !
> interface Serial0/0/0.23 point-to-point
> description *** Server-facing Interface ***
> ip address 131.1.23.2 255.255.255.0
> frame-relay interface-dlci 203
> !
> router rip
> version 2
> network 131.1.0.0
> no auto-summary
>
>
>
> HTTP Server (R3) config:
>
> username cisco privilege 15 password 0 cisco
> !
> interface Loopback0
> ip address 131.1.3.3 255.255.255.0
> !
> interface Serial0/0/0
> no ip address
> encapsulation frame-relay
> !
> interface Serial0/0/0.32 point-to-point
> ip address 131.1.23.3 255.255.255.0
> frame-relay interface-dlci 302
> !
> router rip
> version 2
> network 131.1.0.0
> no auto-summary
> !
> ip http server
> ip http authentication local
> ip http path flash:
>
> R3#dir /recursive
> Directory of flash:/*
>
> Directory of flash:/
>
> 1 -rw- 39857992 Jan 14 2009 02:16:28 +00:00 c2800nm-adventerprisek9-mz.124-23.bin
> 2 -rw- 114 Jan 21 2009 08:32:58 +00:00 R3.cfg
> Directory of flash:/directory/
>
> 4 -rw- 114 Feb 24 2009 01:31:34 +00:00 fish1.jpg
> 5 -rw- 114 Feb 24 2009 01:31:36 +00:00 fish2.jpg
> 11 -rw- 114 Feb 24 2009 05:08:30 +00:00 doc1.doc
> Directory of flash:/anotherdir/
>
> 7 -rw- 114 Feb 24 2009 04:43:40 +00:00 fish3.jpg
> 8 -rw- 114 Feb 24 2009 04:43:42 +00:00 fish4.jpg
> 9 -rw- 114 Feb 24 2009 04:53:42 +00:00 fish5.jpeg
> 10 -rw- 114 Feb 24 2009 04:54:24 +00:00 fish6.gif
> 64012288 bytes total (24113152 bytes free)
>
>
> OK, I wanted to test the usage of NBAR's HTTP matching features. For
> each of "match protocol http host", "match protocol http url" and
> "match protocol http mime", I completed the following tests:
>
> - match and drop inbound on client-side interface (Fa0/0)
> - match and drop outbound on client-side interface (Fa0/0)
> - match and drop inbound on server-side interface (S0/0/0.23)
> - match and drop outbound on server-side interface (S0/0/0.23)
> - match and police inbound on server-side interface (S0/0/0.23)
> - match and police outbound on server-side interface (S0/0/0.23)
>
> In summary:
>
> "match protocol http host" classification works irrespective of the
> direction in which the service-policy is applied.
> The action (e.g. 'drop') CAN BE directional. Example: 'drop' only
> works in the *client -> server* direction, but 'police' works in
> either direction.
>
> "match protocol http url" classification works irrespective of the
> direction in which the service-policy is applied.
> The action (e.g. 'drop') CAN BE directional. Example: 'drop' only
> works in the *client -> server* direction, but 'police' works in
> either direction.
>
> "match protocol http mime" classification works irrespective of the
> direction in which the service-policy is applied.
> The action (e.g. 'drop') CAN BE directional. Example: 'drop' only
> works in the *server -> client* direction, but 'police' works in
> either direction.
>
> The fact that the classification/matching works, even when your
> service policy is applied in the opposite direction to the flow that
> contains the elements NBAR must match on, was the biggest surprise for
> me. That's pretty counter-intuitive and isn't explained in anything
> I've read in the last couple of days. This IE blog entry covers it
> best, but not enough to gain a deep understanding:
>
>
> http://blog.internetworkexpert.com/2008/11/04/using-nbar-for-http-url-filtering/
>
> I will include the gory details (test outputs) at the end of this e-mail.
>
> My solution to the original poster's (olumayokun fowowe) scenario is:
>
> "I want to allocate 32kbps for replies from a webserver for address
> with the url http://www.abc.com. And I want my router to drop any
> image file of type jpeg, jpg and gif."
>
> Config:
>
> class-map match-all SERVER1
> match protocol http host www.abc.com
> !
> class-map match-all IMAGES1
> match class-map SERVER1
> match protocol http mime "image/(jpeg|gif)"
> !
> policy-map POLICY1
> class IMAGES1
> drop
> class SERVER1
> police 32000
> !
> interface S0/0/0.23
> description *** Server-facing Interface ***
> service-policy input POLICY1
>
> Notes: it's not entirely clear from the post whether this should be a
> job for ingress policing or CBWFQ/LLQ (on egress to the client). The
> words were "I want to allocate 32kbps for replies from a webserver".
> Hmmm.
>
>
> My solution to mahmoud genidy's scenario is:
>
> "We need to POLICE the REPLIES from www.cisco.com/directory to 1000K
> and to DROP this traffic if it includes IMAGES (jpeg, jpg, gif)."
>
> Config:
>
> class-map SERVER2
> match protocol http host "www.cisco.com"
> match protocol http url "/directory/*"
> !
> class-map IMAGES2
> match class-map SERVER2
> match protocol http url "*.(jpeg|jpg|gif)"
> !
> policy-map POLICY-IN
> class SERVER2
> police 1000000
> !
> policy-map POLICY-OUT
> class IMAGES2
> drop
> !
> interface S0/0/0.23
> description *** Server-facing Interface ***
> service-policy input POLICY-IN
> service-policy output POLICY-OUT
>
> ** OR **
>
> class-map SERVER2
> match protocol http host "www.cisco.com"
> match protocol http url "/directory/*"
> !
> class-map match-all IMAGES2
> match class-map SERVER2
> match protocol http mime "image/(jpeg|gif)"
> !
> policy-map POLICY-IN
> class IMAGES2
> drop
> class SERVER2
> police 1000000
> !
> interface S0/0/0.23
> description *** Server-facing Interface ***
> service-policy input POLICY-IN
>
>
> One quirk worth noting, if you attempt this yourself using a router as
> the HTTP client, is that the host portion of the URL specified on the
> "copy" command line is not necessarily what the HTTP client sends as
> the Host: header to the server! I banged my head for a couple of hours
> because of this. See:
>
> At one point I had this config on R1:
>
> ip host www.cisco.com 131.1.3.3
>
> ...and I was executing commands like:
>
> R1#copy http://cisco:cisco@www.cisco.com/directory/fish2.jpg null:
>
> I incorrectly assumed that the IOS HTTP client would resolve the name
> to the IP using the local host entry but still send the 'Host:
> www.cisco.com' header with the GET request. This is NOT the case; IOS
> sends the resolved IP address (131.1.3.3). I'm not sure if this
> behaviour can be changed.
>
> This obviously affects the value you need to use in your "match
> protocol http host" statement as it's this host header that is matched
> by this command. In other words, when testing, use "match protocol
> http host 131.1.3.3" or equivalent.
>
> cheers,
> Dale
>
>
> TEST OUTPUTS:
> - All QoS config on R2
> - All HTTP client requests from R1 (using 'www.cisco.com' in 'copy'
> command, with local host entry mapped to R3)
> - All HTTP server responses from R3
> - policy-map and class-map stanzas removed/re-added between each step
>
> Test 1 -- "match protocol http host" (drop action)
>
> !
> ! step 1: define class-map and policy-map,
> ! apply inbound on client-side i/f.
> !
> class-map FOO1
> match protocol http host 131.1.3.3
> !
> policy-map FOO1
> class FOO1
> drop
> !
> int fa0/0
> service-policy in FOO1
> !
> ! test result: success (match and drop action effective)
> !
> ! R1#copy http://cisco:cisco@www.cisco.com/directory/fish1.jpg null:
> ! %Error opening http://cisco:cisco@www.cisco.com/directory/fish1.jpg (I/O error)
> ! R1#
> !
> ! R2#sh policy-map int fa0/0 in class FOO1
> ! FastEthernet0/0
> !
> ! Service-policy input: FOO1
> !
> ! Class-map: FOO1 (match-all)
> ! 12 packets, 2380 bytes
> ! 5 minute offered rate 0 bps, drop rate 0 bps
> ! Match: protocol http host "131.1.3.3"
> ! drop
> !
> ! cleanup:
> !
> int fa0/0
> no service-policy in FOO1
> !
> no policy-map FOO1
> no class-map FOO1
>
>
>
> !
> ! step 2: define class-map and policy-map,
> ! apply outbound on client-side i/f.
> !
> class-map FOO1
> match protocol http host 131.1.3.3
> !
> policy-map FOO1
> class FOO1
> drop
> !
> int fa0/0
> service-policy out FOO1
> !
> ! test result: partial success (match but drop action not effective!)
> !
> ! R1#copy http://cisco:cisco@www.cisco.com/directory/fish1.jpg null:
> ! Loading http://***********@www.cisco.com/directory/fish1.jpg
> ! 114 bytes copied in 2.092 secs (54 bytes/sec)
> !
> ! R2#sh policy-map int fa0/0 out class FOO1
> ! FastEthernet0/0
> !
> ! Service-policy output: FOO1
> !
> ! Class-map: FOO1 (match-all)
> ! 7 packets, 1620 bytes
> ! 5 minute offered rate 0 bps, drop rate 0 bps
> ! Match: protocol http host "131.1.3.3"
> ! drop
> !
> ! cleanup:
> !
> int fa0/0
> no service-policy out FOO1
> !
> no policy-map FOO1
> no class-map FOO1
>
>
>
> !
> ! step 3: define class-map and policy-map,
> ! apply inbound on server-side i/f.
> !
> class-map FOO1
> match protocol http host 131.1.3.3
> !
> policy-map FOO1
> class FOO1
> drop
> !
> int s0/0/0.23
> service-policy in FOO1
> !
> ! test result: partial success (match but drop action not effective!)
> !
> ! R1#copy http://cisco:cisco@www.cisco.com/directory/fish1.jpg null:
> ! Loading http://***********@www.cisco.com/directory/fish1.jpg
> ! 114 bytes copied in 2.096 secs (54 bytes/sec)
> ! R1#
> !
> ! R2#sh policy-map int s0/0/0.23 in class FOO1
> !
> ! Serial0/0/0.23
> !
> ! Service-policy input: FOO1
> !
> ! Class-map: FOO1 (match-all)
> ! 2 packets, 502 bytes
> ! 5 minute offered rate 0 bps, drop rate 0 bps
> ! Match: protocol http host "131.1.3.3"
> ! drop
> !
> ! cleanup:
> !
> int s0/0/0.23
> no service-policy in FOO1
> !
> no policy-map FOO1
> no class-map FOO1
>
>
>
> !
> ! step 4: define class-map and policy-map,
> ! apply outbound on server-side i/f.
> !
> class-map FOO1
> match protocol http host 131.1.3.3
> !
> policy-map FOO1
> class FOO1
> drop
> !
> int s0/0/0.23
> service-policy out FOO1
> !
> ! test result: success (match and drop action effective)
> !
> ! R1#copy http://cisco:cisco@www.cisco.com/directory/fish1.jpg null:
> ! %Error opening http://cisco:cisco@www.cisco.com/directory/fish1.jpg (I/O error)
> ! R1#
> !
> ! R2#sh policy-map int s0/0/0.23 out class FOO1
> !
> ! Serial0/0/0.23
> !
> ! Service-policy output: FOO1
> !
> ! Class-map: FOO1 (match-all)
> ! 6 packets, 1124 bytes
> ! 5 minute offered rate 0 bps, drop rate 0 bps
> ! Match: protocol http host "131.1.3.3"
> ! drop
> !
> ! cleanup:
> !
> int s0/0/0.23
> no service-policy out FOO1
> !
> no policy-map FOO1
> no class-map FOO1
>
>
>
> Test 2 -- "match protocol http url" (drop action)
>
> !
> ! step 1: define class-map and policy-map,
> ! apply inbound on client-side i/f.
> !
> class-map FOO2
> match protocol http url /directory/*
> !
> policy-map FOO2
> class FOO2
> drop
> !
> int fa0/0
> service-policy in FOO2
> !
> ! test result: success (match and drop action effective)
> !
> ! R1#copy http://cisco:cisco@www.cisco.com/directory/fish1.jpg null:
> ! %Error opening http://cisco:cisco@www.cisco.com/directory/fish1.jpg (I/O error)
> ! R1#
> !
> ! R2#sh policy-map int fa0/0 in class FOO2
> ! FastEthernet0/0
> !
> ! Service-policy input: FOO2
> !
> ! Class-map: FOO2 (match-all)
> ! 15 packets, 2560 bytes
> ! 5 minute offered rate 0 bps, drop rate 0 bps
> ! Match: protocol http url "/directory/*"
> ! drop
> !
> ! cleanup:
> !
> int fa0/0
> no service-policy in FOO2
> !
> no policy-map FOO2
> no class-map FOO2
>
>
>
> !
> ! step 2: define class-map and policy-map,
> ! apply outbound on client-side i/f.
> !
> class-map FOO2
> match protocol http url /directory/*
> !
> policy-map FOO2
> class FOO2
> drop
> !
> int fa0/0
> service-policy out FOO2
> !
> ! test result: partial success (match but drop action not effective!)
> !
> ! R1#copy http://cisco:cisco@www.cisco.com/directory/fish1.jpg null:
> ! Loading http://***********@www.cisco.com/directory/fish1.jpg
> ! 114 bytes copied in 2.092 secs (54 bytes/sec)
> ! R1#
> !
> ! R2#sh policy-map int fa0/0 out class FOO2
> ! FastEthernet0/0
> !
> ! Service-policy output: FOO2
> !
> ! Class-map: FOO2 (match-all)
> ! 2 packets, 522 bytes
> ! 5 minute offered rate 0 bps, drop rate 0 bps
> ! Match: protocol http url "/directory/*"
> ! drop
> ! R2#
> !
> ! cleanup:
> !
> int fa0/0
> no service-policy out FOO2
> !
> no policy-map FOO2
> no class-map FOO2
>
>
>
> !
> ! step 3: define class-map and policy-map,
> ! apply inbound on server-side i/f.
> !
> class-map FOO2
> match protocol http url /directory/*
> !
> policy-map FOO2
> class FOO2
> drop
> !
> int s0/0/0.23
> service-policy in FOO2
> !
> ! test result: partial success (match but drop action not effective!)
> !
> ! R1#copy http://cisco:cisco@www.cisco.com/directory/fish1.jpg null:
> ! Loading http://***********@www.cisco.com/directory/fish1.jpg
> ! 114 bytes copied in 2.096 secs (54 bytes/sec)
> !
> ! R2#sh policy-map int s0/0/0.23 in class FOO2
> !
> ! Serial0/0/0.23
> !
> ! Service-policy input: FOO2
> !
> ! Class-map: FOO2 (match-all)
> ! 2 packets, 502 bytes
> ! 5 minute offered rate 0 bps, drop rate 0 bps
> ! Match: protocol http url "/directory/*"
> ! drop
> ! R2#
> !
> !
> ! cleanup:
> !
> int s0/0/0.23
> no service-policy in FOO2
> !
> no policy-map FOO2
> no class-map FOO2
>
>
>
> !
> ! step 4: define class-map and policy-map,
> ! apply outbound on server-side i/f.
> !
> class-map FOO2
> match protocol http url /directory/*
> !
> policy-map FOO2
> class FOO2
> drop
> !
> int s0/0/0.23
> service-policy out FOO2
> !
> ! test result: success (match and drop action effective)
> !
> ! R1#copy http://cisco:cisco@www.cisco.com/directory/fish1.jpg null:
> ! %Error opening http://cisco:cisco@www.cisco.com/directory/fish1.jpg (I/O error)
> ! R1#
> !
> ! R2#sh policy-map int s0/0/0.23 out class FOO2
> !
> ! Serial0/0/0.23
> !
> ! Service-policy output: FOO2
> !
> ! Class-map: FOO2 (match-all)
> ! 6 packets, 1124 bytes
> ! 5 minute offered rate 0 bps, drop rate 0 bps
> ! Match: protocol http url "/directory/*"
> ! drop
> !
> ! cleanup:
> !
> int s0/0/0.23
> no service-policy out FOO2
> !
> no policy-map FOO2
> no class-map FOO2
>
>
>
> Test 3 -- "match protocol http mime" (drop action)
>
> !
> ! step 1: define class-map and policy-map,
> ! apply inbound on client-side i/f.
> !
> class-map FOO3
> match protocol http mime "image/(jpeg|gif)"
> !
> policy-map FOO3
> class FOO3
> drop
> !
> int fa0/0
> service-policy in FOO3
> !
> ! test result: partial success (match but drop action not effective!)
> !
> ! R1#copy http://cisco:cisco@131.1.3.3/directory/fish2.jpg null:
> ! Loading http://***********@131.1.3.3/directory/fish2.jpg
> ! 114 bytes copied in 0.244 secs (467 bytes/sec)
> !
> ! R2#sh policy-map int fa0/0 in class FOO3
> ! FastEthernet0/0
> !
> ! Service-policy input: FOO3
> !
> ! Class-map: FOO3 (match-all)
> ! 4 packets, 240 bytes
> ! 5 minute offered rate 0 bps, drop rate 0 bps
> ! Match: protocol http mime "image/(jpeg|gif)"
> ! drop
> ! R2#
> !
> ! cleanup:
> !
> int fa0/0
> no service-policy in FOO3
> !
> no policy-map FOO3
> no class-map FOO3
>
>
>
> !
> ! step 2: define class-map and policy-map,
> ! apply outbound on client-side i/f.
> !
> class-map FOO3
> match protocol http mime "image/(jpeg|gif)"
> !
> policy-map FOO3
> class FOO3
> drop
> !
> int fa0/0
> service-policy out FOO3
> !
> ! test result: success (match and drop action effective)
> !
> ! R1#copy http://cisco:cisco@131.1.3.3/directory/fish2.jpg null:
> ! %Error opening http://cisco:cisco@131.1.3.3/directory/fish2.jpg (I/O error)
> ! R1#
> !
> ! R2#sh policy-map int fa0/0 out class FOO3
> ! FastEthernet0/0
> !
> ! Service-policy output: FOO3
> !
> ! Class-map: FOO3 (match-all)
> ! 7 packets, 2034 bytes
> ! 5 minute offered rate 0 bps, drop rate 0 bps
> ! Match: protocol http mime "image/(jpeg|gif)"
> ! drop
> ! R2#
> !
> ! cleanup:
> !
> int fa0/0
> no service-policy out FOO3
> !
> no policy-map FOO3
> no class-map FOO3
>
>
>
> !
> ! step 3: define class-map and policy-map,
> ! apply inbound on server-side i/f.
> !
> class-map FOO3
> match protocol http mime "image/(jpeg|gif)"
> !
> policy-map FOO3
> class FOO3
> drop
> !
> int s0/0/0.23
> service-policy in FOO3
> !
> ! test result: success (match and drop action effective)
> !
> ! R1#copy http://cisco:cisco@131.1.3.3/directory/fish2.jpg null:
> ! %Error opening http://cisco:cisco@131.1.3.3/directory/fish2.jpg (I/O error)
> ! R1#
> !
> ! R2#sh policy-map int s0/0/0.23 in class FOO3
> !
> ! Serial0/0/0.23
> !
> ! Service-policy input: FOO3
> !
> ! Class-map: FOO3 (match-all)
> ! 10 packets, 2924 bytes
> ! 5 minute offered rate 0 bps, drop rate 0 bps
> ! Match: protocol http mime "image/(jpeg|gif)"
> ! drop
> ! R2#
> !
> ! cleanup:
> !
> int s0/0/0.23
> no service-policy in FOO3
> !
> no policy-map FOO3
> no class-map FOO3
>
>
>
> !
> ! step 4: define class-map and policy-map,
> ! apply outbound on server-side i/f.
> !
> class-map FOO3
> match protocol http mime "image/(jpeg|gif)"
> !
> policy-map FOO3
> class FOO3
> drop
> !
> int s0/0/0.23
> service-policy out FOO3
> !
> ! test result: partial success (match but drop action not effective!)
> !
> ! R1#copy http://cisco:cisco@131.1.3.3/directory/fish2.jpg null:
> ! Loading http://***********@131.1.3.3/directory/fish2.jpg
> ! 114 bytes copied in 0.244 secs (467 bytes/sec)
> !
> ! R2#sh policy-map int s0/0/0.23 out class FOO3
> !
> ! Serial0/0/0.23
> !
> ! Service-policy output: FOO3
> !
> ! Class-map: FOO3 (match-all)
> ! 6 packets, 264 bytes
> ! 5 minute offered rate 0 bps, drop rate 0 bps
> ! Match: protocol http mime "image/(jpeg|gif)"
> ! drop
> ! R2#
> !
> ! cleanup:
> !
> int s0/0/0.23
> no service-policy out FOO3
> !
> no policy-map FOO3
> no class-map FOO3
Blogs and organic groups at http://www.ccie.net
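Added illustration, not part of Dale's post or of Cisco IOS: a small Python model of how the MQC class-maps in Dale's second solution evaluate (match-all semantics, nested "match class-map", first matching class in the policy-map wins), run against constructed HTTP request/response pairs. It also reproduces the Host-header quirk he hit: a client that sends the resolved IP as Host: falls through to class-default. The translation of NBAR match strings ("*" as wildcard, "(a|b)" as alternation, everything else literal) is an assumption about the dialect, not taken from Cisco documentation.

```python
import re
from dataclasses import dataclass

def nbar_pattern(pattern: str) -> re.Pattern:
    """Translate an NBAR-style match string into an anchored regex.
    Assumed dialect: '*' matches any run of characters, '(a|b)' is
    alternation, and everything else (including '.') is literal."""
    out = []
    for ch in pattern:
        if ch == "*":
            out.append(".*")
        elif ch in "()|":
            out.append(ch)
        else:
            out.append(re.escape(ch))
    return re.compile("".join(out))

@dataclass
class Exchange:
    """One HTTP request/response pair as seen on the wire (constructed sample)."""
    host: str   # value of the Host: header the client actually sent
    url: str    # path part of the request line
    mime: str   # Content-Type: of the server's reply

# class-map name -> list of (match-kind, value); kind is host/url/mime/class-map.
CLASS_MAPS = {
    "SERVER2": [("host", "www.cisco.com"), ("url", "/directory/*")],
    "IMAGES2": [("class-map", "SERVER2"), ("mime", "image/(jpeg|gif)")],
}
# policy-map POLICY-IN, classes in configured order (most specific first).
POLICY_IN = [("IMAGES2", "drop"), ("SERVER2", "police 1000000")]

def class_matches(name: str, ex: Exchange, class_maps=CLASS_MAPS) -> bool:
    """match-all semantics: every line must match; nested class-maps recurse."""
    for kind, value in class_maps[name]:
        if kind == "class-map":
            if not class_matches(value, ex, class_maps):
                return False
        elif not nbar_pattern(value).fullmatch(getattr(ex, kind)):
            return False
    return True

def classify(ex: Exchange, policy=POLICY_IN, class_maps=CLASS_MAPS):
    """MQC evaluates classes top-down; the first matching class decides the action."""
    for name, action in policy:
        if class_matches(name, ex, class_maps):
            return name, action
    return "class-default", "transmit"

if __name__ == "__main__":
    samples = [
        Exchange("www.cisco.com", "/directory/fish2.jpg", "image/jpeg"),
        Exchange("www.cisco.com", "/directory/doc1.doc", "application/msword"),
        Exchange("www.cisco.com", "/anotherdir/fish3.jpg", "image/jpeg"),
        # IOS client with a local 'ip host' entry sends the resolved IP as Host:
        Exchange("131.1.3.3", "/directory/fish2.jpg", "image/jpeg"),
    ]
    for ex in samples:
        print(f"{ex.host}{ex.url}: {classify(ex)}")
```

The last sample shows why "match protocol http host www.cisco.com" never matched in the lab until the pattern was changed to the IP address.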
This archive was generated by hypermail 2.1.4 : Sun Mar 01 2009 - 09:44:12 ARST