Yeah, I'm not sure this worked the way we think it works with the OP's original config...

As when you source the telnet from another address it is also permitted... by the class-default class-map, and not denied by the implicit ACL. Check it out.

I have not seen any examples on the Doc CD to match application traffic with HQF policies:
http://www.cisco.com/en/US/docs/ios-xml/ios/qos_hrhqf/configuration/12-4t/qos-hrhqf.html#GUID-F30BE725-7308-4014-BB92-474752A4060D

In this case it's best to just use an extended ACL on the data plane to match protocol and application port to ensure conformance... If anyone can set me straight I'd be happy!

On 28 May 2013 08:09, Elie Raad <[email protected]> wrote:

> NBAR doesn't work well with traffic going to the router itself (to the
> router processor), so it is better to enable the control plane protection
> subinterfaces (host, transit, cef-exception) feature along with the
> access-list feature and not NBAR.
>
> From: [email protected] [[email protected]] on behalf of Tony Singh [[email protected]]
> Sent: Tuesday, May 28, 2013 12:36 AM
> To: Saleh Batouq
> Cc: [email protected]
> Subject: Re: [OSL | CCIE_RS] MQC - class map nesting
>
> As in my initial statement, i.e. try telnetting to either 80/443 with the IOS
> HTTP server on, I had the same results. I remember I attempted this
> before....
>
> R2#show policy-map int s0/0/1
>  Serial0/0/1
>
>   Service-policy input: web
>
>     Class-map: client (match-all)
>       3 packets, 136 bytes
>       5 minute offered rate 0 bps
>       Match: access-group 1
>       Match: class-map match-any web
>         Match: protocol http
>           0 packets, 0 bytes
>           5 minute rate 0 bps
>         Match: protocol secure-http
>           0 packets, 0 bytes
>           5 minute rate 0 bps
>
>     Class-map: class-default (match-any)
>       5 packets, 359 bytes
>       5 minute offered rate 0 bps, drop rate 0 bps
>       Match: any
>
> R2#show tcp brief
> TCB       Local Address           Foreign Address         (state)
> 49634768  1.1.1.2.443             1.1.1.1.57262           ESTAB
>
> On 27 May 2013 21:46, Saleh Batouq <[email protected]> wrote:
>
> > I don't understand. What do you mean?
> > On May 27, 2013 11:48 PM, "Tony Singh" <[email protected]> wrote:
> >
> >> Beat me to it ;)
> >>
> >> --
> >> BR
> >>
> >> Sent from my iPhone on 3
> >>
> >> On 27 May 2013, at 19:33, Saleh Batouq <[email protected]> wrote:
> >>
> >> > Hi Imran, good point about NBAR. But let me tell you that it does work
> >> > and you will get hits because you are actually establishing an HTTP
> >> > session to the servers. You can even send an HTTP GET message, for example:
> >> >
> >> > On R2 SERVER
> >> > ---------
> >> >
> >> > ip http server
> >> > ip http secure-server
> >> > !
> >> > Service-policy input: TRAFFIC-to-WEB-SERVER
> >> >
> >> >   Class-map: TRAFFIC-to-WEB-SERVER (match-all)
> >> >     0 packets, 0 bytes
> >> >     5 minute offered rate 0 bps, drop rate 0 bps
> >> >     Match: access-group 10
> >> >     Match: class-map match-any WEB
> >> >       Match: protocol http
> >> >         0 packets, 0 bytes
> >> >         5 minute rate 0 bps
> >> >       Match: protocol secure-http
> >> >         0 packets, 0 bytes
> >> >         5 minute rate 0 bps
> >> >     police:
> >> >         rate 10000 bps, burst 1500 bytes
> >> >       conformed 0 packets, 0 bytes; actions:
> >> >         transmit
> >> >       exceeded 0 packets, 0 bytes; actions:
> >> >         drop
> >> >       conformed 0 bps, exceed 0 bps
> >> >
> >> > From R1 Client
> >> > --------
> >> >
> >> > R1#telnet 10.2.2.2 80 /source-interface lo10
> >> > Trying 10.2.2.2, 80 ... Open
> >> > \
> >> > HTTP/1.1 400 Bad Request
> >> > Date: Fri, 01 Mar 2002 00:07:17 GMT
> >> > Server: cisco-IOS
> >> > Accept-Ranges: none
> >> >
> >> > 400 Bad Request
> >> >
> >> > [Connection to 10.2.2.2 closed by foreign host]
> >> > R1#
> >> > R1#
> >> > R1#telnet 10.2.2.2 443 /source-interface lo10
> >> > Trying 10.2.2.2, 443 ... Open
> >> >
> >> > [Connection to 10.2.2.2 closed by foreign host]
> >> >
> >> > On R2
> >> > ----
> >> >
> >> > R2#sh policy-map int
> >> >  FastEthernet0/0
> >> >
> >> >   Service-policy input: TRAFFIC-to-WEB-SERVER
> >> >
> >> >     Class-map: TRAFFIC-to-WEB-SERVER (match-all)
> >> >       12 packets, 720 bytes
> >> >       5 minute offered rate 0 bps, drop rate 0 bps
> >> >       Match: access-group 10
> >> >       Match: class-map match-any WEB
> >> >         Match: protocol http
> >> >           0 packets, 0 bytes
> >> >           5 minute rate 0 bps
> >> >         Match: protocol secure-http
> >> >           0 packets, 0 bytes
> >> >           5 minute rate 0 bps
> >> >       police:
> >> >           rate 10000 bps, burst 1500 bytes
> >> >         conformed 12 packets, 720 bytes; actions:
> >> >           transmit
> >> >         exceeded 0 packets, 0 bytes; actions:
> >> >           drop
> >> >         conformed 0 bps, exceed 0 bps
> >> >
> >> >     Class-map: class-default (match-any)
> >> >       73 packets, 6042 bytes
> >> >       5 minute offered rate 0 bps, drop rate 0 bps
> >> >       Match: any
> >> >
> >> > The child class-maps do not show hits but the parent class-map
> >> > TRAFFIC-to-WEB-SERVER (match-all) surely hits.
> >> > !
> >> >
> >> > Best Regards,
> >> >
> >> > Saleh Hassan Batouq
> >> > [email protected]
> >> > Tel: +968 99365607
> >> > Fax: +968 2469690
> >> > P.O.Box:1083- Postal Code:112
> >> > Muscat-Sultanate Of Oman
> >> >
> >> > On Mon, May 27, 2013 at 7:46 PM, Imran Ali <[email protected]> wrote:
> >> >
> >> >> Tony,
> >> >>
> >> >> Telnetting at port 80 will not classify packets as web when you are
> >> >> using NBAR, as it goes beyond layer 3/4 and looks at the format
> >> >> also..
> >> >>
> >> >> It does work with the "ip access-list 100 tcp permit any any eq 80"
> >> >> command, because here the classifier only looks at port 80.. only
> >> >>
> >> >> On Sun, May 26, 2013 at 4:35 AM, max kamali <[email protected]> wrote:
> >> >>
> >> >>> Thank you gents.
> >> >>>
> >> >>> -max
> >> >>>
> >> >>> On 5/25/2013 12:09 PM, Tony Singh wrote:
> >> >>>
> >> >>>> Yes, though you'd need a policy-map & service-policy to apply it, I'm
> >> >>>> sure you know.
> >> >>>>
> >> >>>> To test, enable the HTTP server on IOS and then telnet to either port 80/443
> >> >>>> from the 10.x source, then check the hits. I know this worked with port 80.
> >> >>>>
> >> >>>> --
> >> >>>> BR
> >> >>>>
> >> >>>> Tony
> >> >>>>
> >> >>>> Sent from my iPad
> >> >>>>
> >> >>>> On 25 May 2013, at 18:58, max kamali <[email protected]> wrote:
> >> >>>>
> >> >>>>> Morning, hope everyone is enjoying their weekend.
> >> >>>>>
> >> >>>>> Is it correct to assume that the class-map client will match:
> >> >>>>> 10.0.0.0/24 to port 80 or 10.0.0.0/24 to port 443?
> >> >>>>>
> >> >>>>> class-map match-all client
> >> >>>>>  match access-group 1
> >> >>>>>  match class-map web
> >> >>>>>
> >> >>>>> class-map match-any web
> >> >>>>>  match protocol http
> >> >>>>>  match protocol secure-http
> >> >>>>>
> >> >>>>> access-list 1 permit 10.0.0.0 0.0.0.255
> >> >>>>>
> >> >>>>> thanks
> >> >>>>> max
> >> >>>>> _______________________________________________
> >> >>>>> For more information regarding industry leading CCIE Lab training,
> >> >>>>> please visit www.ipexpert.com
> >> >>>>>
> >> >>>>> Are you a CCNP or CCIE and looking for a job? Check out
> >> >>>>> www.PlatinumPlacement.com
> >> >>>>>
> >> >>>>> http://onlinestudylist.com/mailman/listinfo/ccie_rs
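As an added example (not from the thread), the following Python model evaluates the OP's nested class-maps the way MQC does: match-all ANDs its criteria, match-any ORs them, and a nested `match class-map` recurses. It also shows why the two matching approaches discussed in the thread behave differently on a bare telnet to port 80, and that unmatched traffic falls to class-default rather than being denied. The NBAR `match protocol` stand-in (destination port plus protocol-shaped payload) is a simplifying assumption, and the `client-acl` class is a hypothetical port-only variant built from the extended ACL Imran mentions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Packet:
    src: str              # source IPv4 address
    dport: int            # TCP destination port
    payload: bytes = b""  # first TCP payload bytes; empty for a bare connect (telnet to port 80)


# access-list 1 permit 10.0.0.0 0.0.0.255 (the OP's ACL; a Cisco wildcard is a hostmask)
# access-list 100 permit tcp any any eq 80 (the extended-ACL alternative raised in the thread)
ACLS = {
    1: lambda p: ip_address(p.src) in ip_network("10.0.0.0/0.0.0.255"),
    100: lambda p: p.dport == 80,
}

# 'match protocol' stand-in (assumption): NBAR needs protocol-shaped payload, not just the port.
HTTP_METHODS = (b"GET ", b"HEAD ", b"POST ", b"PUT ", b"DELETE ", b"OPTIONS ")
PROTOCOLS = {
    "http": lambda p: p.dport == 80 and p.payload.startswith(HTTP_METHODS),
    "secure-http": lambda p: p.dport == 443 and p.payload[:1] == b"\x16",  # TLS handshake record
}

# class-map name -> (mode, [(criterion, argument), ...]), transcribed from the OP's config
CLASS_MAPS = {
    "web": ("match-any", [("protocol", "http"), ("protocol", "secure-http")]),
    "client": ("match-all", [("access-group", 1), ("class-map", "web")]),
    # hypothetical port-only variant: same source check, extended ACL instead of NBAR
    "client-acl": ("match-all", [("access-group", 1), ("access-group", 100)]),
}


def matches(class_name: str, pkt: Packet) -> bool:
    """Evaluate a class-map: match-all ANDs its criteria, match-any ORs them."""
    mode, criteria = CLASS_MAPS[class_name]
    results = []
    for kind, arg in criteria:
        if kind == "access-group":
            results.append(ACLS[arg](pkt))
        elif kind == "protocol":
            results.append(PROTOCOLS[arg](pkt))
        else:  # "class-map": a nested class-map is evaluated recursively
            results.append(matches(arg, pkt))
    return all(results) if mode == "match-all" else any(results)


def classify(policy: list, pkt: Packet) -> str:
    """First matching class in policy-map order wins; anything else lands in class-default."""
    return next((c for c in policy if matches(c, pkt)), "class-default")
```

A bare connect to port 80 from 10.0.0.5 lands in class-default under the NBAR-based `client` class but in `client-acl` under the port-only variant, so whatever action the policy applies to `client` is never applied to traffic that merely reaches port 80.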
