As in my initial statement, i.e. try telnetting to either 80/443 with IOS
http server on, I had the same results - I remember I attempted this
before....
R2#show policy-map int s0/0/1
Serial0/0/1
Service-policy input: web
Class-map: client (match-all)
3 packets, 136 bytes
5 minute offered rate 0 bps
Match: access-group 1
Match: class-map match-any web
Match: protocol http
0 packets, 0 bytes
5 minute rate 0 bps
Match: protocol secure-http
0 packets, 0 bytes
5 minute rate 0 bps
Class-map: class-default (match-any)
5 packets, 359 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
R2#show tcp brief
TCB Local Address Foreign Address (state)
49634768 1.1.1.2.*443 * 1.1.1.1.57262 ESTAB
On 27 May 2013 21:46, Saleh Batouq <[email protected]> wrote:
> I don't understand. What do you mean?
> On May 27, 2013 11:48 PM, "Tony Singh" <[email protected]> wrote:
>
>> Beat me to it ;)
>>
>> --
>> BR
>>
>> Sent from my iPhone on 3
>>
>> On 27 May 2013, at 19:33, Saleh Batouq <[email protected]> wrote:
>>
>> > Hi Imran, Good point about NBAR. But let me tell you that it does work and
>> > you will get hits because you are actually establishing an http session to
>> > the servers. You can even send an HTTP GET message, for example:
>> >
>> >
>> > On R2 SERVER
>> > ---------
>> >
>> >
>> > ip http server
>> > ip http secure-server
>> > !
>> > Service-policy input: TRAFFIC-to-WEB-SERVER
>> >
>> > Class-map: TRAFFIC-to-WEB-SERVER (match-all)
>> > 0 packets, 0 bytes
>> > 5 minute offered rate 0 bps, drop rate 0 bps
>> > Match: access-group 10
>> > Match: class-map match-any WEB
>> > Match: protocol http
>> > 0 packets, 0 bytes
>> > 5 minute rate 0 bps
>> > Match: protocol secure-http
>> > 0 packets, 0 bytes
>> > 5 minute rate 0 bps
>> > police:
>> > rate 10000 bps, burst 1500 bytes
>> > conformed 0 packets, 0 bytes; actions:
>> > transmit
>> > exceeded 0 packets, 0 bytes; actions:
>> > drop
>> > conformed 0 bps, exceed 0 bps
>> >
>> >
>> >
>> > From R1 Client
>> > --------
>> >
>> > R1#telnet 10.2.2.2 80 /source-interface lo10
>> > Trying 10.2.2.2, 80 ... Open
>> > \
>> > HTTP/1.1 400 Bad Request
>> > Date: Fri, 01 Mar 2002 00:07:17 GMT
>> > Server: cisco-IOS
>> > Accept-Ranges: none
>> >
>> > 400 Bad Request
>> >
>> > [Connection to 10.2.2.2 closed by foreign host]
>> > R1#
>> > R1#
>> > R1#telnet 10.2.2.2 443 /source-interface lo10
>> > Trying 10.2.2.2, 443 ... Open
>> >
>> >
>> > [Connection to 10.2.2.2 closed by foreign host]
>> >
>> >
>> >
>> > On R2
>> > ----
>> >
>> > R2#sh policy-map int
>> > FastEthernet0/0
>> >
>> > Service-policy input: TRAFFIC-to-WEB-SERVER
>> >
>> > Class-map: TRAFFIC-to-WEB-SERVER (match-all)
>> > 12 packets, 720 bytes
>> > 5 minute offered rate 0 bps, drop rate 0 bps
>> > Match: access-group 10
>> > Match: class-map match-any WEB
>> > Match: protocol http
>> > 0 packets, 0 bytes
>> > 5 minute rate 0 bps
>> > Match: protocol secure-http
>> > 0 packets, 0 bytes
>> > 5 minute rate 0 bps
>> > police:
>> > rate 10000 bps, burst 1500 bytes
>> > conformed 12 packets, 720 bytes; actions:
>> > transmit
>> > exceeded 0 packets, 0 bytes; actions:
>> > drop
>> > conformed 0 bps, exceed 0 bps
>> >
>> > Class-map: class-default (match-any)
>> > 73 packets, 6042 bytes
>> > 5 minute offered rate 0 bps, drop rate 0 bps
>> > Match: any
>> >
>> >
>> > The Child class-maps do not show hits but the parent class-map
>> > TRAFFIC-to-WEB-SERVER (match-all) surely hits.
>> > !
>> >
>> >
>> >
>> > Best Regards,
>> >
>> > Saleh Hassan Batouq
>> > [email protected]
>> > Tel: +968 99365607
>> > Fax: +968 2469690
>> > P.O.Box:1083- Postal Code:112
>> > Muscat-Sultanate Of Oman
>> >
>> >
>> > On Mon, May 27, 2013 at 7:46 PM, Imran Ali <[email protected]> wrote:
>> >
>> >> Tony,
>> >>
>> >> telnetting at port 80, will not classify packets as web, when you are
>> >> using NBAR, as it goes beyond the layer 3/4 and looks at the format
>> >> also..
>> >>
>> >> it does work with " ip access-list 100 tcp permit any any eq 80 " command,
>> >> because here classifier only looks at port 80.. only
>> >>
>> >>
>> >>
>> >>
>> >> On Sun, May 26, 2013 at 4:35 AM, max kamali <[email protected]> wrote:
>> >>
>> >>> thank you gents.
>> >>>
>> >>> -max
>> >>>
>> >>> On 5/25/2013 12:09 PM, Tony Singh wrote:
>> >>>
>> >>>>
>> >>>> yes, though you'd need a policy-map & service policy to apply it, I'm
>> >>>> sure you know
>> >>>>
>> >>>> to test enable http server on IOS and then telnet to either port 80/443
>> >>>> from the 10.x source then check the hits, I know this worked with port 80
>> >>>>
>> >>>> --
>> >>>> BR
>> >>>>
>> >>>> Tony
>> >>>>
>> >>>> Sent from my iPad
>> >>>>
>> >>>> On 25 May 2013, at 18:58, max kamali <[email protected]> wrote:
>> >>>>
>> >>>> Morning, hope everyone is enjoying their weekend.
>> >>>>>
>> >>>>> Is it correct to assume that the class-map client will match:
>> >>>>> 10.0.0.0/24 to port 80 or 10.0.0.0/24 to port 443 ?
>> >>>>>
>> >>>>> class-map match-all client
>> >>>>> match access-group 1
>> >>>>> match class-map web
>> >>>>>
>> >>>>>
>> >>>>> class-map match-any web
>> >>>>> match protocol http
>> >>>>> match protocol secure-http
>> >>>>>
>> >>>>> access-list 1 permit 10.0.0.0 0.0.0.255
>> >>>>>
>> >>>>>
>> >>>>> thanks
>> >>>>> max
>> >>>>> _______________________________________________
>> >>>>> For more information regarding industry leading CCIE Lab training,
>> >>>>> please visit www.ipexpert.com
>> >>>>>
>> >>>>> Are you a CCNP or CCIE and looking for a job? Check out
>> >>>>> www.PlatinumPlacement.com
>> >>>>>
>> >>>>> http://onlinestudylist.com/mailman/listinfo/ccie_rs
>> >>>>>
>> >>>>
>>
>
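
Added example, not part of the original thread: a small Python parser for the "show policy-map interface" output posted above, which flags a class whose own packet counter is non-zero while every per-match counter printed under it is zero (the pattern both R2 outputs show). The function names are this example's own, and the parser assumes the flattened, unindented layout seen in this archive.

```python
import re

# Added example. Sample: class sections of R2's output as posted in the thread.
SAMPLE = """\
Class-map: client (match-all)
3 packets, 136 bytes
5 minute offered rate 0 bps
Match: access-group 1
Match: class-map match-any web
Match: protocol http
0 packets, 0 bytes
5 minute rate 0 bps
Match: protocol secure-http
0 packets, 0 bytes
5 minute rate 0 bps
Class-map: class-default (match-any)
5 packets, 359 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
"""

CLASS_RE = re.compile(r"^Class-map: (\S+) \((match-all|match-any)\)$")
COUNT_RE = re.compile(r"^(\d+) packets, (\d+) bytes$")

def parse_policy_map(text):
    """Map class name -> {"packets": n, "matches": [[criterion, n_or_None], ...]}."""
    classes, current, target = {}, None, None
    for line in map(str.strip, text.splitlines()):
        if m := CLASS_RE.match(line):
            current = classes[m.group(1)] = {"packets": None, "matches": []}
            target = "class"
        elif current and line.startswith("Match: "):
            current["matches"].append([line[len("Match: "):], None])
            target = "match"
        elif current and (m := COUNT_RE.match(line)):
            if target == "class":
                current["packets"] = int(m.group(1))
            elif target == "match":
                current["matches"][-1][1] = int(m.group(1))
            target = None  # only the first counter line after a header or Match counts
    return classes

def silent_match_classes(classes):
    """Classes that counted packets while every printed per-match counter is 0."""
    shown = lambda c: [n for _, n in c["matches"] if n is not None]
    return [k for k, c in classes.items() if c["packets"] and shown(c) and not any(shown(c))]

if __name__ == "__main__":
    print("class hits with zero per-match counters:", silent_match_classes(parse_policy_map(SAMPLE)))
```

Policer lines such as "conformed 12 packets, 720 bytes; actions:" are deliberately not read as counters, because the counter pattern is anchored to the whole line.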