Hi Imran, Good point about NBAR. But let me tell you that it does work and
you will get hits because you are actually establishing an HTTP session to
the servers. You can even send an HTTP GET message, for example:
On R2 SERVER
---------
ip http server
ip http secure-server
!
Service-policy input: TRAFFIC-to-WEB-SERVER
Class-map: TRAFFIC-to-WEB-SERVER (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group 10
Match: class-map match-any WEB
Match: protocol http
0 packets, 0 bytes
5 minute rate 0 bps
Match: protocol secure-http
0 packets, 0 bytes
5 minute rate 0 bps
police:
rate 10000 bps, burst 1500 bytes
conformed 0 packets, 0 bytes; actions:
transmit
exceeded 0 packets, 0 bytes; actions:
drop
conformed 0 bps, exceed 0 bps
From R1 Client
--------
R1#telnet 10.2.2.2 80 /source-interface lo10
Trying 10.2.2.2, 80 ... Open
\
HTTP/1.1 400 Bad Request
Date: Fri, 01 Mar 2002 00:07:17 GMT
Server: cisco-IOS
Accept-Ranges: none
400 Bad Request
[Connection to 10.2.2.2 closed by foreign host]
R1#
R1#
R1#telnet 10.2.2.2 443 /source-interface lo10
Trying 10.2.2.2, 443 ... Open
[Connection to 10.2.2.2 closed by foreign host]
On R2
----
R2#sh policy-map int
FastEthernet0/0
Service-policy input: TRAFFIC-to-WEB-SERVER
Class-map: TRAFFIC-to-WEB-SERVER (match-all)
12 packets, 720 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group 10
Match: class-map match-any WEB
Match: protocol http
0 packets, 0 bytes
5 minute rate 0 bps
Match: protocol secure-http
0 packets, 0 bytes
5 minute rate 0 bps
police:
rate 10000 bps, burst 1500 bytes
conformed 12 packets, 720 bytes; actions:
transmit
exceeded 0 packets, 0 bytes; actions:
drop
conformed 0 bps, exceed 0 bps
Class-map: class-default (match-any)
73 packets, 6042 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
The Child class-maps do not show hits but the parent class-map
TRAFFIC-to-WEB-SERVER (match-all) surely hits.
!
Best Regards,
Saleh Hassan Batouq
[email protected]
Tel: +968 99365607
Fax: +968 2469690
P.O.Box:1083- Postal Code:112
Muscat-Sultanate Of Oman
On Mon, May 27, 2013 at 7:46 PM, Imran Ali <[email protected]> wrote:
> Tony,
>
> telnetting at port 80 will not classify packets as web when you are
> using NBAR, as it goes beyond layer 3/4 and looks at the format
> also.
>
> it does work with the "ip access-list 100 tcp permit any any eq 80" command,
> because here the classifier only looks at port 80.
>
>
>
>
> On Sun, May 26, 2013 at 4:35 AM, max kamali <[email protected]> wrote:
>
> > thank you gents.
> >
> > -max
> >
> > On 5/25/2013 12:09 PM, Tony Singh wrote:
> >
> >>
> >> yes, though you'd need a policy-map & service policy to apply it, I'm
> >> sure you know
> >>
> >> to test enable http server on IOS and then telnet to either port 80/443
> >> from the 10.x source then check the hits, I know this worked with port 80
> >>
> >> --
> >> BR
> >>
> >> Tony
> >>
> >> Sent from my iPad
> >>
> >> On 25 May 2013, at 18:58, max kamali <[email protected]> wrote:
> >>
> >> Morning, hope everyone is enjoying their weekend.
> >>>
> >>> Is it correct to assume that the class-map client will match:
> >>> 10.0.0.0/24 to port 80 or 10.0.0.0/24 to port 443 ?
> >>>
> >>> class-map match-all client
> >>> match access-group 1
> >>> match class-map web
> >>>
> >>>
> >>> class-map match-any web
> >>> match protocol http
> >>> match protocol secure-http
> >>>
> >>> access-list 1 permit 10.0.0.0 0.0.0.255
> >>>
> >>>
> >>> thanks
> >>> max
> >>> _______________________________________________
> >>> For more information regarding industry leading CCIE Lab training,
> >>> please visit www.ipexpert.com
> >>>
> >>> Are you a CCNP or CCIE and looking for a job? Check out
> >>> www.PlatinumPlacement.com
> >>>
> >>> http://onlinestudylist.com/mailman/listinfo/ccie_rs
> >>>
> >>