NBAR doesn't work well with traffic going to the router itself (to the router processor), so it is better to enable the control plane protection subinterfaces (host, transit, cef-exception) feature along with the access-list feature, and not NBAR.
From: [email protected] [[email protected]] on behalf of Tony Singh [[email protected]]
Sent: Tuesday, May 28, 2013 12:36 AM
To: Saleh Batouq
Cc: [email protected]
Subject: Re: [OSL | CCIE_RS] MQC - class map nesting

As in my initial statement, i.e. try telnetting to either 80/443 with IOS http server on, I had the same results - I remember I attempted this before....

R2#show policy-map int s0/0/1
 Serial0/0/1

  Service-policy input: web

    Class-map: client (match-all)
      3 packets, 136 bytes
      5 minute offered rate 0 bps
      Match: access-group 1
      Match: class-map match-any web
        Match: protocol http
          0 packets, 0 bytes
          5 minute rate 0 bps
        Match: protocol secure-http
          0 packets, 0 bytes
          5 minute rate 0 bps

    Class-map: class-default (match-any)
      5 packets, 359 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any

R2#show tcp brief
TCB       Local Address           Foreign Address         (state)
49634768  1.1.1.2.443             1.1.1.1.57262           ESTAB

On 27 May 2013 21:46, Saleh Batouq <[email protected]> wrote:

> I don't understand. What do you mean?
>
> On May 27, 2013 11:48 PM, "Tony Singh" <[email protected]> wrote:
>
>> Beat me to it ;)
>>
>> --
>> BR
>>
>> Sent from my iPhone on 3
>>
>> On 27 May 2013, at 19:33, Saleh Batouq <[email protected]> wrote:
>>
>>> Hi Imran,
>>>
>>> Good point about NBAR. But let me tell you that it does work and you will get hits because you are actually establishing an http session to the servers. You can even send an HTTP GET message, for example:
>>>
>>> On R2 SERVER
>>> ---------
>>>
>>> ip http server
>>> ip http secure-server
>>> !
>>> Service-policy input: TRAFFIC-to-WEB-SERVER
>>>
>>>   Class-map: TRAFFIC-to-WEB-SERVER (match-all)
>>>     0 packets, 0 bytes
>>>     5 minute offered rate 0 bps, drop rate 0 bps
>>>     Match: access-group 10
>>>     Match: class-map match-any WEB
>>>       Match: protocol http
>>>         0 packets, 0 bytes
>>>         5 minute rate 0 bps
>>>       Match: protocol secure-http
>>>         0 packets, 0 bytes
>>>         5 minute rate 0 bps
>>>     police:
>>>         rate 10000 bps, burst 1500 bytes
>>>       conformed 0 packets, 0 bytes; actions:
>>>         transmit
>>>       exceeded 0 packets, 0 bytes; actions:
>>>         drop
>>>       conformed 0 bps, exceed 0 bps
>>>
>>> From R1 Client
>>> --------
>>>
>>> R1#telnet 10.2.2.2 80 /source-interface lo10
>>> Trying 10.2.2.2, 80 ... Open
>>> \
>>> HTTP/1.1 400 Bad Request
>>> Date: Fri, 01 Mar 2002 00:07:17 GMT
>>> Server: cisco-IOS
>>> Accept-Ranges: none
>>>
>>> 400 Bad Request
>>>
>>> [Connection to 10.2.2.2 closed by foreign host]
>>> R1#
>>> R1#
>>> R1#telnet 10.2.2.2 443 /source-interface lo10
>>> Trying 10.2.2.2, 443 ...
>>> Open
>>>
>>> [Connection to 10.2.2.2 closed by foreign host]
>>>
>>> On R2
>>> ----
>>>
>>> R2#sh policy-map int
>>>  FastEthernet0/0
>>>
>>>   Service-policy input: TRAFFIC-to-WEB-SERVER
>>>
>>>     Class-map: TRAFFIC-to-WEB-SERVER (match-all)
>>>       12 packets, 720 bytes
>>>       5 minute offered rate 0 bps, drop rate 0 bps
>>>       Match: access-group 10
>>>       Match: class-map match-any WEB
>>>         Match: protocol http
>>>           0 packets, 0 bytes
>>>           5 minute rate 0 bps
>>>         Match: protocol secure-http
>>>           0 packets, 0 bytes
>>>           5 minute rate 0 bps
>>>       police:
>>>           rate 10000 bps, burst 1500 bytes
>>>         conformed 12 packets, 720 bytes; actions:
>>>           transmit
>>>         exceeded 0 packets, 0 bytes; actions:
>>>           drop
>>>         conformed 0 bps, exceed 0 bps
>>>
>>>     Class-map: class-default (match-any)
>>>       73 packets, 6042 bytes
>>>       5 minute offered rate 0 bps, drop rate 0 bps
>>>       Match: any
>>>
>>> The child class-maps do not show hits, but the parent class-map TRAFFIC-to-WEB-SERVER (match-all) surely hits.
>>> !
>>>
>>> Best Regards,
>>>
>>> Saleh Hassan Batouq
>>> [email protected]
>>> Tel: +968 99365607
>>> Fax: +968 2469690
>>> P.O.Box:1083- Postal Code:112
>>> Muscat-Sultanate Of Oman
>>>
>>> On Mon, May 27, 2013 at 7:46 PM, Imran Ali <[email protected]> wrote:
>>>
>>>> Tony,
>>>>
>>>> Telnetting at port 80 will not classify packets as web when you are using NBAR, as it goes beyond layer 3/4 and looks at the format also.
>>>>
>>>> It does work with the "access-list 100 permit tcp any any eq 80" command, because here the classifier only looks at port 80.
>>>>
>>>> On Sun, May 26, 2013 at 4:35 AM, max kamali <[email protected]> wrote:
>>>>
>>>>> Thank you gents.
>>>>>
>>>>> -max
>>>>>
>>>>> On 5/25/2013 12:09 PM, Tony Singh wrote:
>>>>>
>>>>>> Yes, though you'd need a policy-map & service-policy to apply it, I'm sure you know.
>>>>>>
>>>>>> To test, enable http server on IOS and then telnet to either port 80/443 from the 10.x source, then check the hits. I know this worked with port 80.
>>>>>>
>>>>>> --
>>>>>> BR
>>>>>>
>>>>>> Tony
>>>>>>
>>>>>> Sent from my iPad
>>>>>>
>>>>>> On 25 May 2013, at 18:58, max kamali <[email protected]> wrote:
>>>>>>
>>>>>>> Morning, hope everyone is enjoying their weekend.
>>>>>>>
>>>>>>> Is it correct to assume that the class-map client will match:
>>>>>>> 10.0.0.0/24 to port 80 or 10.0.0.0/24 to port 443?
>>>>>>>
>>>>>>> class-map match-all client
>>>>>>>  match access-group 1
>>>>>>>  match class-map web
>>>>>>>
>>>>>>> class-map match-any web
>>>>>>>  match protocol http
>>>>>>>  match protocol secure-http
>>>>>>>
>>>>>>> access-list 1 permit 10.0.0.0 0.0.0.255
>>>>>>>
>>>>>>> thanks
>>>>>>> max
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
>>>>>>>
>>>>>>> Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
>>>>>>>
>>>>>>> http://onlinestudylist.com/mailman/listinfo/ccie_rs
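As an added example (not configuration posted by anyone in the thread), here is the nested class-map from the original question applied on the ingress interface, beside the alternative the top reply recommends for traffic aimed at the router itself: a Control Plane Protection policy on the host subinterface that classifies by access-list only, with no NBAR. Only `client`, `web` and `access-list 1` come from the thread; the policy-map, extended ACL and CPP-* class names are assumptions, the police rate and burst reuse the 10000 bps / 1500 byte values shown in the thread, and `control-plane host` requires a CPPr-capable IOS (12.4(4)T or later).

```cisco
! --- Part 1: nested class-map from the question, applied to transit traffic ---
! client = (source in 10.0.0.0/24) AND (NBAR http OR NBAR secure-http)
access-list 1 permit 10.0.0.0 0.0.0.255
!
class-map match-any web
 match protocol http
 match protocol secure-http
!
class-map match-all client
 match access-group 1
 match class-map web
!
policy-map TRANSIT-WEB
 class client
  police 10000 1500 conform-action transmit exceed-action drop
!
interface FastEthernet0/0
 service-policy input TRANSIT-WEB
!
! --- Part 2 (assumed names): CPPr host-subinterface policy for the router's own
! ip http server / ip http secure-server. Classification is by extended ACL only,
! i.e. L3/L4 source and destination port, never payload inspection.
ip access-list extended MGMT-TO-ROUTER-WEB
 permit tcp 10.0.0.0 0.0.0.255 any eq 80
 permit tcp 10.0.0.0 0.0.0.255 any eq 443
!
ip access-list extended ANY-TO-ROUTER-WEB
 permit tcp any any eq 80
 permit tcp any any eq 443
!
class-map match-all CPP-WEB-TRUSTED
 match access-group name MGMT-TO-ROUTER-WEB
!
class-map match-all CPP-WEB-OTHER
 match access-group name ANY-TO-ROUTER-WEB
!
policy-map CPP-HOST
 ! trusted management subnet: rate-limited, conforming traffic forwarded
 class CPP-WEB-TRUSTED
  police 10000 1500 conform-action transmit exceed-action drop
 ! everyone else reaching the router's web ports: dropped whatever the rate
 class CPP-WEB-OTHER
  police 8000 1500 conform-action drop exceed-action drop
!
control-plane host
 service-policy input CPP-HOST
!
! Verification:
!   show policy-map control-plane host
!   show policy-map interface FastEthernet0/0
```

Classes in CPP-HOST are evaluated in order, so the trusted 10.0.0.0/24 class must come before the catch-all class or it will never match. Because the host policy matches on TCP ports, a bare `telnet 10.2.2.2 80` with no HTTP request still counts under CPP-WEB-TRUSTED from the first SYN; that is the port-only behaviour Imran describes for an access-list match, and it is why this policy does not depend on what the nested NBAR child counters show.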
