05-13-2007 05:27 AM - edited 03-03-2019 04:57 PM
Hi all,
Here's the problem. I want to drop all traffic except that defined in a policy-map. I'm using the policy map to serve two functions. Firstly to prioritize certain types of traffic and also to drop unwanted traffic by using NBAR.
Ok, here's an example. First the class maps:
!
!
class-map match-any platinum
match protocol rtp
class-map match-any gold
match protocol http
match protocol secure-http
match protocol dns
class-map match-any silver
match protocol smtp
match protocol pop3
match protocol secure-ftp
match protocol secure-pop3
class-map match-any bronze
match protocol ipsec
match protocol ftp
match protocol irc
class-map match-any drop
match any
and here's the policy map:
policy-map qos
class platinum
priority percent 20
set dscp ef
class gold
bandwidth remaining percent 30
set dscp 41
class silver
bandwidth remaining percent 30
set dscp 31
class bronze
bandwidth remaining percent 10
set dscp 21
class drop
drop
I now apply it to my interface going out to the Internet:
interface dialer0
service-policy output qos
But, my problem is that as soon as it is applied, I can't surf the internet. However, as can be seen in the policy map, within the 'gold' class I have the following:
match protocol http
Furthermore, the 'gold' class comes before the 'drop' class. I've checked and every time I surf the internet, my web based packets are getting dropped by the 'drop' class. I don't understand why this is!
To get around this, I have defined the following ACL:
access-list 150 permit tcp any any eq www
!
and added it to the 'gold' class.
!
class-map match-any gold
match access-group 150
and it works, web traffic is detected by the ACL and output by the "Gold" service.
However, I'm not able to detect the web based traffic using NBAR (via the match protocol http command).
But the basic ACL worked. However, this is not ideal since it is vulnerable to programs like Skype masquerading as web traffic and tunneling out. Therefore, ideally I would like to capture the web traffic via NBAR using the 'match protocol http' command.
Does anyone know why this doesn't work? Or alternatively could suggest another best-practice method.
Any suggestions/help would be much appreciated.
Thanks.
- peter
05-13-2007 08:37 AM
Dear,
First, voice signaling is missing in the above classification rules. As soon as all NBAR classification matched on the class-maps (like DNS/POP3...etc), try to edit one of the available custom options using "ip nbar port-map protocol-name [tcp | udp] port-number" and test if that works; try to update your PDLM database.
Best Regards,
Mounir Mohamed
05-13-2007 10:11 AM
Hi Mounir,
Thanks for your suggestion.
My PDLM I believe should be the latest, since I'm using IOS Version 12.4(13b).
As for the voice signaling, I forgot this but it shouldn't have affected the web based traffic.
I'll try using "ip nbar port-map protocol-name [tcp | udp] port-number".
I just find it strange that the router understands "eq www" in the ACL, but not "match protocol http", which from what I understand are the same!
Can anyone comment as to whether it is good practice to configure a 'drop' class in this way to save having to define an ingress ACL on the ethernet port.
Oh, and also may I ask you to clarify this point: "as soon as all NBAR classification matched on the class-maps (like DNS/POP3...etc)". Apologies, I don't understand this point.
Thanks very much for your suggestion.
- peter
05-13-2007 10:14 AM
Further, I tried the suggestion. It didn't work:
BBR2(config)#ip nbar port-map custom-01 tcp 80
NBAR Error: Specified port(s) are associated with http
thanks.
05-13-2007 11:52 AM
Dear,
I mean, does any class of the policy-map match? "show policy-map interface x out"!!
Also regarding the CEF issue, CEF is supported and enabled by default since 12.2. Also, if CEF is disabled on your interface and you try to enable a policy-map, it will return an error declaring that CEF must be enabled on this interface. You may use "show cef interfaces" to check if CEF is enabled or not; also check "show ip int x/x | inc IP CEF".
Waiting for your feedback.
Best Regards,
Mounir Mohamed
05-13-2007 01:48 PM
here's the output:
BBR2#show ip int dialer 0 | inc IP CEF
IP CEF switching is enabled
IP CEF Feature Fast switching turbo vector
BBR2#
05-13-2007 10:11 AM
Hi,
First I think you should do marking at your LAN interface and QOS on your WAN.
Second, have you verified that nbar is working properly:
sh ip nbar protocol-discovery
HTH
Regards,
Bjornarsb
05-13-2007 10:16 AM
NBAR appears to be working: Here's an output:
Dialer0
                          Input                    Output
                          -----                    ------
Protocol                  Packet Count             Packet Count
                          Byte Count               Byte Count
                          5min Bit Rate (bps)      5min Bit Rate (bps)
                          5min Max Bit Rate (bps)  5min Max Bit Rate (bps)
------------------------  ------------------------ ------------------------
http                      1                        34375
                          456                      5196612
                          0                        0
                          0                        20000
It detects http, but drops it in the policy map with the drop class.
05-13-2007 11:44 AM
Hi,
It could also be a bug.
"Classmap definitions based on NBAR match protocol commands are violated"
For example, match protocol snmp in a class-map definition could become match protocol ssh.
HTH
BR,
Bjornarsb
05-13-2007 11:14 AM
Hi Peter,
Is any of the other match protocol statements, other than the match protocol http statement, succeeding? Can you please make sure that CEF is enabled. Finally, can you please do "sh ip cef summary"; it might be a CEF problem with the dialer interface.
HTH,
Mohammed Mahmoud.
05-13-2007 11:47 AM
Thanks Mohammed,
Ok, as per your suggestions:
I cleared all my QoS configs then re-applied.
Here's the 'gold' and 'drop' class. All counters are cleared:
I then run the command:
show policy-map interface dialer 0
I've just included the relevant bits of the output:
Class-map: gold (match-any)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: protocol http
0 packets, 0 bytes
5 minute rate 0 bps
Match: protocol secure-http
0 packets, 0 bytes
5 minute rate 0 bps
Match: protocol dns
0 packets, 0 bytes
5 minute rate 0 bps
Queueing
Output Queue: Conversation 73
Bandwidth remaining 30 (%)Max Threshold 64 (packets)
(pkts matched/bytes matched) 0/0
(depth/total drops/no-buffer drops) 0/0/0
QoS Set
dscp 41
Packets marked 0
Class-map: drop (match-any)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
drop
I then try and surf the Internet and also access my email (via pop3).
Here's the result of the command:
Class-map: gold (match-any)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: protocol http
0 packets, 0 bytes
5 minute rate 0 bps
Match: protocol secure-http
0 packets, 0 bytes
5 minute rate 0 bps
Match: protocol dns
0 packets, 0 bytes
5 minute rate 0 bps
Queueing
Output Queue: Conversation 73
Bandwidth remaining 30 (%)Max Threshold 64 (packets)
(pkts matched/bytes matched) 0/0
(depth/total drops/no-buffer drops) 0/0/0
QoS Set
dscp 41
Packets marked 0
Class-map: silver (match-any)
8 packets, 427 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: protocol smtp
0 packets, 0 bytes
5 minute rate 0 bps
Match: protocol pop3
8 packets, 427 bytes
5 minute rate 0 bps
Match: protocol secure-ftp
0 packets, 0 bytes
5 minute rate 0 bps
Match: protocol secure-pop3
0 packets, 0 bytes
5 minute rate 0 bps
Queueing
Output Queue: Conversation 74
Bandwidth remaining 30 (%)Max Threshold 64 (packets)
(pkts matched/bytes matched) 0/0
(depth/total drops/no-buffer drops) 0/0/0
QoS Set
dscp 31
Packets marked 8
Class-map: drop (match-any)
3 packets, 162 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
drop
As can be seen, the "pop3" traffic is detected and output via the "silver" class, but the Internet traffic is dropped, and not sent out of the "gold" class via the:
match protocol http.
HELP!!!!
I've checked, and CEF is on. Here's the result:
BBR2#show ip cef summary
IP CEF with switching (Table Version 125), flags=0x0
12 routes, 0 reresolve, 0 unresolved (0 old, 0 new), peak 0
12 leaves, 17 nodes, 19504 bytes, 97 inserts, 85 invalidations
0 load sharing elements, 0 bytes, 0 references
universal per-destination load sharing algorithm, id 28D228AF
3(0) CEF resets, 19 revisions of existing leaves
Resolution Timer: Exponential (currently 1s, peak 1s)
19 in-place/0 aborted modifications
refcounts: 4633 leaf, 4608 node
Table epoch: 0 (12 entries at this epoch)
Adjacency Table has 2 adjacencies
Any ideas anyone?
Thanks for the help so far.
- peter
05-13-2007 01:34 PM
Hi Peter,
Ok, here is an idea. I have a past full of problems with NBAR :). Implement the classification and marking on the input of the LAN interface, and then apply your queuing on the outgoing interface in a separate policy that matches on your marking, and please do feed us back with the results.
HTH, please do rate all helpful replies,
Mohammed Mahmoud.
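Mohammed's two-stage layout, written out here as an added example (this is not configuration from the thread or from Cisco documentation): NBAR classification and DSCP marking happen on the LAN ingress, and a separate policy on the dialer egress queues purely on DSCP and drops whatever is still unmarked. The LAN interface name FastEthernet0/0 is an assumption; Dialer0, the class names, the percentages and the DSCP values follow Peter's original policy.

```cisco
! Added example, not from the thread. FastEthernet0/0 (LAN side) is
! an assumed interface name; Dialer0 is the WAN interface from the post.
!
! Stage 1: NBAR classification and DSCP marking on the LAN input.
class-map match-any mark-platinum
 match protocol rtp
class-map match-any mark-gold
 match protocol http
 match protocol secure-http
 match protocol dns
class-map match-any mark-silver
 match protocol smtp
 match protocol pop3
 match protocol secure-ftp
 match protocol secure-pop3
class-map match-any mark-bronze
 match protocol ipsec
 match protocol ftp
 match protocol irc
!
policy-map mark-in
 class mark-platinum
  set dscp ef
 class mark-gold
  set dscp 41
 class mark-silver
  set dscp 31
 class mark-bronze
  set dscp 21
 class class-default
  set dscp 0
!
! Stage 2: queueing on the WAN output keyed on DSCP only (no NBAR here).
! Anything that is still DSCP 0 falls through to class-default and is dropped.
class-map match-all q-platinum
 match dscp ef
class-map match-all q-gold
 match dscp 41
class-map match-all q-silver
 match dscp 31
class-map match-all q-bronze
 match dscp 21
!
policy-map qos-out
 class q-platinum
  priority percent 20
 class q-gold
  bandwidth remaining percent 30
 class q-silver
  bandwidth remaining percent 30
 class q-bronze
  bandwidth remaining percent 10
 class class-default
  drop
!
interface FastEthernet0/0
 service-policy input mark-in
!
interface Dialer0
 service-policy output qos-out
!
! Verify per-class counters on both stages:
!   show policy-map interface FastEthernet0/0 input
!   show policy-map interface Dialer0 output
```

Two points about the design. Resetting class-default to DSCP 0 on the ingress policy matters: without it, a LAN host that marks its own packets with DSCP 41 would be queued in the gold class on egress and slip past the drop class, so the marking stage should be the only place a DSCP value is trusted. Second, traffic the router originates itself never crosses the LAN ingress policy, so it reaches Dialer0 unmarked; check the class-default counters in "show policy-map interface Dialer0 output" for the router's own DNS or management traffic before relying on the drop class as the egress default.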
05-13-2007 10:54 PM
Hi,
This won't help if the NBAR match is violated.
Have a look at this bug: CSCdr31111
Have you loaded a PDLM?
Anyway:
Create class-maps and activate Protocol Discovery after loading PDLMs.
BR,
Bjornarsb
05-13-2007 11:00 PM
hi Peter,
I hope that you had time to test it in my suggested way, and please can you get the output of "debug ip nbar unclassified-port-stats".
HTH,
Mohammed Mahmoud.
05-13-2007 11:47 PM
Hi Mohammed,
Ok, I put the original configuration on (as per my first post), and ran the following command:
BBR2#debug ip nbar unclassified-port-stats
Port Statistics for unclassified packets are already being collected.
I activated "term mon".
Nothing is reported to screen when I try and access the internet using "HTTP".
Am I missing something?
thanks.