Using a Policy Map to both prioritise traffic and DROP unwanted traffic

Unanswered Question
May 13th, 2007

Hi all,

Here's the problem. I want to drop all traffic except that defined in a policy-map. I'm using the policy map to serve two functions: firstly to prioritise certain types of traffic, and secondly to drop unwanted traffic by using NBAR.

Ok, here's an example. First the class maps:

!

!

class-map match-any platinum

match protocol rtp

class-map match-any gold

match protocol http

match protocol secure-http

match protocol dns

class-map match-any silver

match protocol smtp

match protocol pop3

match protocol secure-ftp

match protocol secure-pop3

class-map match-any bronze

match protocol ipsec

match protocol ftp

match protocol irc

class-map match-any drop

match any

and here's the policy map:

policy-map qos

class platinum

priority percent 20

set dscp ef

class gold

bandwidth remaining percent 30

set dscp 41

class silver

bandwidth remaining percent 30

set dscp 31

class bronze

bandwidth remaining percent 10

set dscp 21

class drop

drop

I now apply it to my interface going out to the Internet:

interface dialer0

service-policy output qos

But, my problem is that as soon as it is applied, I can't surf the internet. However, as can be seen in the policy map, within the 'gold' class I have the following:

match protocol http

Furthermore, the 'gold' class comes before the 'drop' class. I've checked, and every time I surf the internet my web-based packets are getting dropped by the 'drop' class. I don't understand why this is!

To get around this, I have defined the following ACL:

access-list 150 permit tcp any any eq www

!

and added it to the 'gold' class.

!

class-map match-any gold

match access-group 150

and it works: web traffic is detected by the ACL and output by the "gold" class.

However, I'm not able to detect the web-based traffic using NBAR (via the match protocol http command).

But the basic ACL worked. However, this is not ideal since it is vulnerable to programs like Skype masquerading as web traffic and tunneling out. Therefore, ideally I would like to capture the web traffic via NBAR using the 'match protocol http' command.

Does anyone know why this doesn't work, or alternatively could suggest another best-practice method?

Any suggestions/help would be much appreciated.

Thanks.

- peter

mounir.mohamed Sun, 05/13/2007 - 08:37

Dear,

First, voice signaling is missing in the above classification rules. As soon as all the NBAR classifications are matched on the class-maps (like DNS/POP3, etc.), try to edit one of the available custom options using "ip nbar port-map protocol-name [tcp | udp] port-number" and test whether that works; also try to update your PDLM database.

Best Regards,

Mounir Mohamed

petermann Sun, 05/13/2007 - 10:11

Hi Mounir,

Thanks for your suggestion.

My PDLM, I believe, should be the latest, since I'm using IOS Version 12.4(13b).

As for the voice signaling, I forgot this but it shouldn't have affected the web based traffic.

I'll try using "ip nbar port-map protocol-name [tcp | udp] port-number".

I just find it strange that the router understands "eq www" in the ACL, but not "match protocol http", which, from what I understand, are the same!

Can anyone comment as to whether it is good practice to configure a 'drop' class in this way to save having to define an ingress ACL on the ethernet port?

Oh, and also may I ask you to clarify this point: "as soon as all NBAR classification matched on the class-maps (like DNS/POP3...etc)". Apologies, I don't understand this point.

Thanks very much for your suggestion.

- peter

petermann Sun, 05/13/2007 - 10:14

Further, I tried the suggestion. It didn't work:

BBR2(config)#ip nbar port-map custom-01 tcp 80

NBAR Error: Specified port(s) are associated with http

thanks.

mounir.mohamed Sun, 05/13/2007 - 11:52

Dear,

I mean, does any class of the policy-map match in "show policy-map interface x out"?

Also regarding the CEF issue: CEF has been supported and enabled by default since 12.2. Also, if CEF is disabled on your interface and you try to enable a policy-map, it will return an error declaring that CEF must be enabled on this interface. You may use "show cef interfaces" to check whether CEF is enabled or not; also check "show ip int x/x | inc IP CEF".

Waiting your feed back

Best Regards,

Mounir Mohamed

petermann Sun, 05/13/2007 - 13:48

here's the output:

BBR2#show ip int dialer 0 | inc IP CEF

IP CEF switching is enabled

IP CEF Feature Fast switching turbo vector

BBR2#

bjornarsb Sun, 05/13/2007 - 10:11

Hi,

First I think you should do marking at your LAN interface and QOS on your WAN.

Second, have you verified that nbar is working properly:

sh ip nbar protocol-discovery

HTH

Regards,

Bjornarsb

petermann Sun, 05/13/2007 - 10:16

NBAR appears to be working: Here's an output:

Dialer0

                          Input                     Output
                          -----                     ------
Protocol                  Packet Count              Packet Count
                          Byte Count                Byte Count
                          5min Bit Rate (bps)       5min Bit Rate (bps)
                          5min Max Bit Rate (bps)   5min Max Bit Rate (bps)
------------------------  ------------------------  ------------------------
http                      1                         34375
                          456                       5196612
                          0                         0
                          0                         20000

It detects http, but drops it in the policy map with the drop class.

bjornarsb Sun, 05/13/2007 - 11:44

Hi,

It could also be a bug.

"Classmap definitions based on NBAR match protocol commands are violated."

For example, match protocol snmp in a class-map definition could become match protocol ssh.

HTH

BR,

Bjornarsb

mohammedmahmoud Sun, 05/13/2007 - 11:14

Hi Peter,

Is any of the other match protocol statements, other than match protocol http, succeeding? Can you please make sure that CEF is enabled, and finally can you please do "sh ip cef summary"? It might be a CEF problem with the dialer interface.

HTH,

Mohammed Mahmoud.

petermann Sun, 05/13/2007 - 11:47

Thanks Mohammed,

ok, as per your suggestions:

I cleared all my QOS configs then re-applied.

here's the 'gold' and 'drop' class. All counters are cleared:

I then run the command:

show policy-map interface dialer 0

I've just included the relevant bits of the output:

Class-map: gold (match-any)

0 packets, 0 bytes

5 minute offered rate 0 bps, drop rate 0 bps

Match: protocol http

0 packets, 0 bytes

5 minute rate 0 bps

Match: protocol secure-http

0 packets, 0 bytes

5 minute rate 0 bps

Match: protocol dns

0 packets, 0 bytes

5 minute rate 0 bps

Queueing

Output Queue: Conversation 73

Bandwidth remaining 30 (%)Max Threshold 64 (packets)

(pkts matched/bytes matched) 0/0

(depth/total drops/no-buffer drops) 0/0/0

QoS Set

dscp 41

Packets marked 0

Class-map: drop (match-any)

0 packets, 0 bytes

5 minute offered rate 0 bps, drop rate 0 bps

Match: any

drop

I then try and surf the Internet and also access my email (via pop3).

here's the result of the command:

Class-map: gold (match-any)

0 packets, 0 bytes

5 minute offered rate 0 bps, drop rate 0 bps

Match: protocol http

0 packets, 0 bytes

5 minute rate 0 bps

Match: protocol secure-http

0 packets, 0 bytes

5 minute rate 0 bps

Match: protocol dns

0 packets, 0 bytes

5 minute rate 0 bps

Queueing

Output Queue: Conversation 73

Bandwidth remaining 30 (%)Max Threshold 64 (packets)

(pkts matched/bytes matched) 0/0

(depth/total drops/no-buffer drops) 0/0/0

QoS Set

dscp 41

Packets marked 0

Class-map: silver (match-any)

8 packets, 427 bytes

5 minute offered rate 0 bps, drop rate 0 bps

Match: protocol smtp

0 packets, 0 bytes

5 minute rate 0 bps

Match: protocol pop3

8 packets, 427 bytes

5 minute rate 0 bps

Match: protocol secure-ftp

0 packets, 0 bytes

5 minute rate 0 bps

Match: protocol secure-pop3

0 packets, 0 bytes

5 minute rate 0 bps

Queueing

Output Queue: Conversation 74

Bandwidth remaining 30 (%)Max Threshold 64 (packets)

(pkts matched/bytes matched) 0/0

(depth/total drops/no-buffer drops) 0/0/0

QoS Set

dscp 31

Packets marked 8

Class-map: drop (match-any)

3 packets, 162 bytes

5 minute offered rate 0 bps, drop rate 0 bps

Match: any

drop

As can be seen, the "pop3" traffic is detected and output via the "silver" class, but the Internet traffic is dropped, and not sent out of the "gold" class via the "match protocol http" statement.

HELP!!!!

I've checked, and CEF is on. Here the result:

BBR2#show ip cef summary

IP CEF with switching (Table Version 125), flags=0x0

12 routes, 0 reresolve, 0 unresolved (0 old, 0 new), peak 0

12 leaves, 17 nodes, 19504 bytes, 97 inserts, 85 invalidations

0 load sharing elements, 0 bytes, 0 references

universal per-destination load sharing algorithm, id 28D228AF

3(0) CEF resets, 19 revisions of existing leaves

Resolution Timer: Exponential (currently 1s, peak 1s)

19 in-place/0 aborted modifications

refcounts: 4633 leaf, 4608 node

Table epoch: 0 (12 entries at this epoch)

Adjacency Table has 2 adjacencies

Any ideas anyone?

Thanks for the help so far.

- peter

mohammedmahmoud Sun, 05/13/2007 - 13:34

Hi Peter,

Ok, here is an idea. I have a past full of problems with NBAR :). Implement the classification and marking on the input of the LAN interface, and then apply your queuing on the outgoing interface in a separate policy that matches upon your marking, and please do feed us back with the results.

HTH, please do rate all helpful replies,

Mohammed Mahmoud.

bjornarsb Sun, 05/13/2007 - 22:54

Hi,

This won't help if nbar match is violated.

Have a look at this bug: CSCdr31111

Have you loaded a PDLM?

Anyway:

Create Classmaps and activate Protocol Discovery after loading

PDLMs.

BR,

Bjornarsb

mohammedmahmoud Sun, 05/13/2007 - 23:00

hi Peter,

I hope that you had time to test it in my suggested way, and please can you get the output "debug ip nbar unclassified-port-stats".

HTH,

Mohammed Mahmoud.

petermann Sun, 05/13/2007 - 23:47

Hi Mohammed,

Ok, I put the original configuration on (as per my first post), and ran the following command:

BBR2#debug ip nbar unclassified-port-stats

Port Statistics for unclassified packets are already being collected.

I activated "term mon".

Nothing is reported to screen when I try and access the internet using "HTTP".

Am I missing something?

thanks.

petermann Sun, 05/13/2007 - 23:30

Hi Mohammed,

That was very helpful thanks. As per you suggestion, I configured the following:

class-map match-any platinum

match protocol rtp

match protocol telnet

class-map match-any gold

match protocol http

match protocol secure-http

match protocol dns

class-map match-any silver

match protocol smtp

match protocol pop3

match protocol secure-ftp

match protocol secure-pop3

class-map match-any bronze

match protocol ipsec

match protocol ftp

match protocol irc

class-map match-any drop

match any

!

!

policy-map classify_mark

class platinum

set dscp ef

class gold

set dscp 41

class silver

set dscp 31

class bronze

set dscp 21

class drop

set dscp 10

!

!

exit

!

!

interface fastethernet0

service-policy input classify_mark

end

!

Now when I do a "show policy-map inter fa0" I get "http" traffic being matched.

for example:

Class-map: gold (match-any)

1792 packets, 280523 bytes

5 minute offered rate 13000 bps, drop rate 0 bps

Match: protocol http

1409 packets, 193834 bytes

5 minute rate 2000 bps

Match: protocol secure-http

358 packets, 84753 bytes

5 minute rate 10000 bps

Match: protocol dns

25 packets, 1936 bytes

5 minute rate 0 bps

QoS Set

dscp 41

Packets marked 1792

So, the problem has been very much narrowed down. So I guess now the question is why doesn't NBAR match the HTTP protocol on egress but does on ingress. Anyone got any ideas??

THANKYOU ALL VERY MUCH!

- pete

mohammedmahmoud Mon, 05/14/2007 - 00:07

Hi,

You are welcome :) That's the solution I used to work around it, and I am in the process of searching for a reason.

HTH, please do rate all helpful replies,

Mohammed Mahmoud.

petermann Mon, 05/14/2007 - 00:40

Hi Mohammed,

The thing is, whilst it works I don't really want 2 policy-maps on the router.

Whilst my first example illustrated marking the packets with a DSCP value, this was just for the example.

What I really want to do is use the policy-map as an advanced traffic filter, which gives me fine control (using NBAR) over what protocols are allowed on egress, dropping the rest.

A simple ACL on the fa0 ingress (only working up to L4) would be vulnerable to programs like Skype and P2P which will tunnel out of other allowed ports (like 80).

The added advantage, of course, is that I can also prioritise traffic with a policy map: two benefits for the price of one!

If you do find a solution, please let me know.

Thanks again. All the best.

bjornarsb Mon, 05/14/2007 - 00:51

Hi,

What type of router is this?

You are in the situation that QoS features supported in the ingress direction are not supported in the egress direction.

So you should set IP precedence on input and match IP precedence on output.

HTH

Regards,

Bjornarsb
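The two-policy design described by Mohammed above (classify and mark with NBAR on the LAN ingress, then queue on the WAN egress against the marks) and by Bjornarsb (set the mark on input, match the mark on output), written out end to end as an added example. This is not configuration posted by anyone in the thread: it reuses the class-maps and DSCP values from Peter's classify_mark policy, while the interface names FastEthernet0 and Dialer0, the dscp- class-map names, the remark of unclassified ingress traffic to DSCP 0 and the drop of class-default on egress are assumptions made for the example.

```cisco
! Added example, not from the thread: NBAR classification and marking on the
! LAN ingress, DSCP-based queuing and a final drop on the WAN egress.
ip cef
!
! --- LAN ingress: NBAR does the deep classification here, where it works ---
class-map match-any platinum
 match protocol rtp
class-map match-any gold
 match protocol http
 match protocol secure-http
 match protocol dns
class-map match-any silver
 match protocol smtp
 match protocol pop3
 match protocol secure-ftp
 match protocol secure-pop3
class-map match-any bronze
 match protocol ipsec
 match protocol ftp
 match protocol irc
!
policy-map classify_mark
 class platinum
  set dscp ef
 class gold
  set dscp 41
 class silver
  set dscp 31
 class bronze
  set dscp 21
 class class-default
  ! assumption: anything NBAR did not recognise is remarked to 0 so that a
  ! host-set DSCP (e.g. a PC sending EF itself) cannot jump the egress queue
  set dscp 0
!
! --- WAN egress: match only the marks already set; no NBAR on the dialer ---
class-map match-all dscp-platinum
 match ip dscp ef
class-map match-all dscp-gold
 match ip dscp 41
class-map match-all dscp-silver
 match ip dscp 31
class-map match-all dscp-bronze
 match ip dscp 21
!
policy-map qos_egress
 class dscp-platinum
  priority percent 20
 class dscp-gold
  bandwidth remaining percent 30
 class dscp-silver
  bandwidth remaining percent 30
 class dscp-bronze
  bandwidth remaining percent 10
 class class-default
  ! everything that carries none of the four marks is dropped here
  drop
!
interface FastEthernet0
 service-policy input classify_mark
!
interface Dialer0
 service-policy output qos_egress
```

Two points worth checking before relying on this as a filter rather than just a scheduler. The remark to DSCP 0 in the ingress class-default matters, because a LAN host can set EF on its own packets and would otherwise land in the priority class on Dialer0 without NBAR ever having looked at it. And traffic the router itself originates (its own DNS lookups, NTP and so on) never crosses the FastEthernet0 ingress policy, so it arrives at Dialer0 unmarked and is subject to the class-default drop; if the router needs to reach the Internet on its own behalf, that traffic needs its own egress class ahead of the drop. "show policy-map interface dialer 0" and "show policy-map interface fastethernet0" give the per-class counters for confirming where each flow lands.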

petermann Mon, 05/14/2007 - 01:06

Hi Bjornarsb,

I have tried this and classification of traffic on ingress works (even http), as illustrated in the previous post.

I realise best practice when applying QoS is to mark as close to the source as possible, but in this scenario it is just a 1721 for a small office. I ideally do not want two policy maps on a single router, one classifying and marking on ingress and the other applying scheduling on the egress.

I just want to drop traffic which doesn't match a "match protocol" statement using a policy-map applied to egress. Essentially, a traffic filter using NBAR.

All the other protocols work, except "http".

All the very best.

- peter

bjornarsb Mon, 05/14/2007 - 01:18

OK, then I really don't know. :)

By the way have you tried this:

hostname(config)# class-map http_traffic

hostname(config-cmap)# match port tcp eq 80

BR,

Bjornarsb

petermann Mon, 05/14/2007 - 01:42

hi Bjornarsb,

I very much appreciate your comments.

I will try what you have suggested this evening.

However, we are just matching on port, and therefore I suspect Skype and other P2P apps will take advantage and tunnel out.

thanks though.

pete

bjornarsb Mon, 05/14/2007 - 01:02

Or you could try just to do this, just call the class and do what you want without a new match.

ip cef

!

class-map match-any dscp46

match ip dscp 46

class-map match-all telnet_ping_snmp

match access-group 150

class-map match-all http

match access-group 154

class-map match-all pop3_smtp

match access-group 153

!

!

policy-map voice_traffic

class dscp46

shape average 30000 10000

class telnet_ping_snmp

shape average 20000 15440

class pop3_smtp

shape average 20000 15440

class http

shape average 20000 15440

!

interface FastEthernet0/0

ip address 10.10.247.2 255.255.255.0

duplex auto

speed auto

!

interface FastEthernet0/0.1

encapsulation dot1Q 1 native

ip address 10.1.1.1 255.255.255.0

service-policy output voice_traffic

HTH

Regards,

Bjornarsb

petermann Mon, 05/14/2007 - 01:14

Thanks Bjornarsb,

But your example doesn't have a class drop. for example:

class-map match-any drop

match any

!

policy-map voice_traffic

class dscp46

shape average 30000 10000

class telnet_ping_snmp

shape average 20000 15440

class pop3_smtp

shape average 20000 15440

class http

shape average 20000 15440

class drop

drop

!

you would need this to capture the rogue traffic. From my experiences, when you have the drop class at the end, your http traffic will stop working, despite matching http traffic BEFORE the drop class in the policy-map.

thanks anyway.
