Correct, I was talking about port-map. That's why you lab it up, right? :)
Steve Means
Security Instructor/Consultant
smeans_at_ccbootcamp.com
CCBOOTCAMP - A Cisco Learning Partner
________________________________
From: Dale Shaw [mailto:dale.shaw_at_gmail.com]
Sent: Fri 5/1/2009 7:43 PM
To: Ryan West
Cc: Steve Means; Mohamed Tandou; ccielab_at_groupstudy.com
Subject: Re: MCQ
Hi Ryan
I don't want to put words in Steve's mouth, but perhaps it was an
assumption based on:
router#sh ip nbar port-map http
port-map http tcp 80
However, I've confirmed that it works as you've described. I thought
IOS might've been clever enough to map this traffic based on the use
of a http:// URL in the copy command, but I tested the same scenario
where an intermediate router is performing the NBAR-based
classification, and it still picks up non-tcp/80 traffic (I used
tcp/3232) as HTTP.
It's what you'd hope for in a packet inspection engine, anyway, right?
:-) Pretty useless otherwise.
cheers,
Dale
On Sat, May 2, 2009 at 12:23 PM, Ryan West <rwest_at_zyedge.com> wrote:
> Steve,
>
> Not sure what you mean, the reference to www was from the ACL, which is
> static set at 80 of course. Match protocol http will crack the packet and
> match HTTP traffic on any port. No protocol-discovery was enabled on any
> interfaces either:
>
> class-map match-all HTTP
>  match protocol http
> policy-map QoS
>  class HTTP
>   set ip dscp af21
> interface Serial1/2
>  ip address 10.10.10.3 255.255.255.0
>  clock rate 64000
>  service-policy output QoS
> ip http server
> ip http port 8085
> no ip http secure-server
> ip http path flash:
>
> Router#copy http://10.10.10.3:8085/lab9 null:
>
> r3#s policy-map int
> Serial1/2
>
> Service-policy output: QoS
>
> Class-map: HTTP (match-all)
> 14 packets, 1750 bytes
> 5 minute offered rate 0 bps, drop rate 0 bps
> Match: protocol http
> QoS Set
> dscp af21
> Packets marked 14
>
> -ryan
Received on Mon May 04 2009 - 06:48:04 ART