Using a Policy Map to both prioritise traffic and DROP unwanted traffic

petermann (Level 1)

Hi all,

Here's the problem. I want to drop all traffic except that defined in a policy-map. I'm using the policy map to serve two functions: first to prioritise certain types of traffic, and second to drop unwanted traffic by using NBAR.

Ok, here's an example. First the class maps:

!
class-map match-any platinum
 match protocol rtp
class-map match-any gold
 match protocol http
 match protocol secure-http
 match protocol dns
class-map match-any silver
 match protocol smtp
 match protocol pop3
 match protocol secure-ftp
 match protocol secure-pop3
class-map match-any bronze
 match protocol ipsec
 match protocol ftp
 match protocol irc
class-map match-any drop
 match any

and here's the policy map:

policy-map qos
 class platinum
  priority percent 20
  set dscp ef
 class gold
  bandwidth remaining percent 30
  set dscp 41
 class silver
  bandwidth remaining percent 30
  set dscp 31
 class bronze
  bandwidth remaining percent 10
  set dscp 21
 class drop
  drop

I now apply it to my interface going out to the Internet:

interface dialer0
 service-policy output qos

But my problem is that as soon as it is applied, I can't surf the internet. However, as can be seen in the policy map, within the 'gold' class I have the following:

 match protocol http

Furthermore, the 'gold' class comes before the 'drop' class. I've checked, and every time I surf the internet my web-based packets are getting dropped by the 'drop' class. I don't understand why this is!

To get around this, I have defined the following ACL:

access-list 150 permit tcp any any eq www

and added it to the 'gold' class:

class-map match-any gold
 match access-group 150

and it works: web traffic is detected by the ACL and output by the 'gold' class.

However, I'm not able to detect the web-based traffic using NBAR (via the match protocol http command).

The basic ACL worked. However, this is not ideal, since it is vulnerable to programs like Skype masquerading as web traffic and tunnelling out. Therefore, ideally I would like to capture the web traffic via NBAR using the 'match protocol http' command.

Does anyone know why this doesn't work? Or alternatively could suggest another best-practice method.

Any suggestions/help would be much appreciated.

Thanks.

- peter

23 Replies

mounir.mohamed (Level 7)

Dear,

First, voice signaling is missing in the above classification rules. As soon as all NBAR classification matched on the class-maps (like DNS/POP3, etc.), try to edit one of the available custom options using "ip nbar port-map protocol-name [tcp | udp] port-number" and test whether that works; also try to update your PDLM database.

Best Regards,

Mounir Mohamed

Hi Mounir,

Thanks for your suggestion.

My PDLM I believe should be the latest, since I'm using IOS Version 12.4(13b).

As for the voice signaling, I forgot this, but it shouldn't have affected the web-based traffic.

I'll try using "ip nbar port-map protocol-name [tcp | udp] port-number".

I just find it strange that the router understands "eq www" in the ACL but not "match protocol http", which from what I understand are the same!

Can anyone comment as to whether it is good practice to configure a 'drop' class in this way to save having to define an ingress ACL on the ethernet port?

Oh, and also may I ask you to clarify this point: "as soon as all NBAR classification matched on the class-maps (like DNS/POP3...etc)". Apologies, I don't understand this point.

Thanks very much for your suggestion.

- peter

Further, I tried the suggestion. It didn't work:

 BBR2(config)#ip nbar port-map custom-01 tcp 80
 NBAR Error: Specified port(s) are associated with http

thanks.

Dear,

I mean, does any class of the policy-map match? Check with "show policy-map interface x out".

Also regarding the CEF issue: CEF is supported and enabled by default since 12.2. Also, if CEF is disabled on your interface and you try to enable a policy-map, it will return an error declaring that CEF must be enabled on this interface. You may use "show cef interfaces" to check whether CEF is enabled or not; also check "show ip int x/x | inc IP CEF".

Waiting for your feedback.

Best Regards,

Mounir Mohamed

Here's the output:

 BBR2#show ip int dialer 0 | inc IP CEF
   IP CEF switching is enabled
   IP CEF Feature Fast switching turbo vector
 BBR2#

bjornarsb (Level 4)

Hi,

First, I think you should do marking at your LAN interface and QoS on your WAN.

Second, have you verified that NBAR is working properly:

 sh ip nbar protocol-discovery

HTH

Regards,

Bjornarsb

NBAR appears to be working. Here's an output:

 Dialer0

                            Input                    Output
                            -----                    ------
   Protocol                 Packet Count             Packet Count
                            Byte Count               Byte Count
                            5min Bit Rate (bps)      5min Bit Rate (bps)
                            5min Max Bit Rate (bps)  5min Max Bit Rate (bps)
   ------------------------ ------------------------ ------------------------
   http                     1                        34375
                            456                      5196612
                            0                        0
                            0                        20000

It detects http, but drops it in the policy map with the drop class.

Hi,

It could also be a bug: "Classmap definitions based on NBAR match protocol commands are violated".

For example, match protocol snmp in a class-map definition could become match protocol ssh.

HTH

BR,

Bjornarsb

mohammedmahmoud (Level 11)

Hi Peter,

Is any of the other match protocol statements, other than the match protocol http statement, succeeding? Can you please make sure that CEF is enabled? Finally, can you please do "sh ip cef summary"; it might be a CEF problem with the dialer interface.

HTH,

Mohammed Mahmoud.

Thanks Mohammed,

OK, as per your suggestions:

I cleared all my QoS configs, then re-applied.

Here's the 'gold' and 'drop' class. All counters are cleared.

I then ran the command:

 show policy-map interface dialer 0

I've just included the relevant bits of the output:

  Class-map: gold (match-any)
    0 packets, 0 bytes
    5 minute offered rate 0 bps, drop rate 0 bps
    Match: protocol http
      0 packets, 0 bytes
      5 minute rate 0 bps
    Match: protocol secure-http
      0 packets, 0 bytes
      5 minute rate 0 bps
    Match: protocol dns
      0 packets, 0 bytes
      5 minute rate 0 bps
    Queueing
      Output Queue: Conversation 73
      Bandwidth remaining 30 (%)Max Threshold 64 (packets)
      (pkts matched/bytes matched) 0/0
      (depth/total drops/no-buffer drops) 0/0/0
    QoS Set
      dscp 41
        Packets marked 0

  Class-map: drop (match-any)
    0 packets, 0 bytes
    5 minute offered rate 0 bps, drop rate 0 bps
    Match: any
    drop

I then try to surf the Internet and also access my email (via POP3).

Here's the result of the command:

  Class-map: gold (match-any)
    0 packets, 0 bytes
    5 minute offered rate 0 bps, drop rate 0 bps
    Match: protocol http
      0 packets, 0 bytes
      5 minute rate 0 bps
    Match: protocol secure-http
      0 packets, 0 bytes
      5 minute rate 0 bps
    Match: protocol dns
      0 packets, 0 bytes
      5 minute rate 0 bps
    Queueing
      Output Queue: Conversation 73
      Bandwidth remaining 30 (%)Max Threshold 64 (packets)
      (pkts matched/bytes matched) 0/0
      (depth/total drops/no-buffer drops) 0/0/0
    QoS Set
      dscp 41
        Packets marked 0

  Class-map: silver (match-any)
    8 packets, 427 bytes
    5 minute offered rate 0 bps, drop rate 0 bps
    Match: protocol smtp
      0 packets, 0 bytes
      5 minute rate 0 bps
    Match: protocol pop3
      8 packets, 427 bytes
      5 minute rate 0 bps
    Match: protocol secure-ftp
      0 packets, 0 bytes
      5 minute rate 0 bps
    Match: protocol secure-pop3
      0 packets, 0 bytes
      5 minute rate 0 bps
    Queueing
      Output Queue: Conversation 74
      Bandwidth remaining 30 (%)Max Threshold 64 (packets)
      (pkts matched/bytes matched) 0/0
      (depth/total drops/no-buffer drops) 0/0/0
    QoS Set
      dscp 31
        Packets marked 8

  Class-map: drop (match-any)
    3 packets, 162 bytes
    5 minute offered rate 0 bps, drop rate 0 bps
    Match: any
    drop

As can be seen, the POP3 traffic is detected and output via the 'silver' class, but the Internet traffic is dropped and not sent out of the 'gold' class via:

 match protocol http

HELP!!!!

I've checked, and CEF is on. Here's the result:

 BBR2#show ip cef summary
 IP CEF with switching (Table Version 125), flags=0x0
   12 routes, 0 reresolve, 0 unresolved (0 old, 0 new), peak 0
   12 leaves, 17 nodes, 19504 bytes, 97 inserts, 85 invalidations
   0 load sharing elements, 0 bytes, 0 references
   universal per-destination load sharing algorithm, id 28D228AF
   3(0) CEF resets, 19 revisions of existing leaves
   Resolution Timer: Exponential (currently 1s, peak 1s)
   19 in-place/0 aborted modifications
   refcounts: 4633 leaf, 4608 node

 Table epoch: 0 (12 entries at this epoch)

 Adjacency Table has 2 adjacencies

Any ideas anyone?

Thanks for the help so far.

- peter

Hi Peter,

OK, here is an idea. I have a past full of problems with NBAR :). Implement the classification and marking on the input of the LAN interface, and then apply your queuing on the outgoing interface in a separate policy that matches on your marking, and please do feed us back with the results.

HTH, please do rate all helpful replies,

Mohammed Mahmoud.
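The split design Mohammed describes above, written out as an added example (this is not configuration from the thread or from Cisco, and it has not been tested on the poster's 12.4(13b) image). NBAR classification, marking and the default-deny drop are moved to the LAN interface inbound, where the router sees the first packet of every flow in both directions; the dialer interface then queues on DSCP alone and never runs NBAR. Assumptions: FastEthernet0/0 is the LAN side, a voice-signalling class (sip, skinny) is added to cover the gap Mounir pointed out, and standard AF/CS code points are used in place of the original post's decimal 41/31/21 (those are legal values, just not the AF ones). The same drop action the original post used is reused in an input policy.

```cisco
! --- LAN side: classify with NBAR, mark, and drop everything not whitelisted ---
! Added example. Interface names, class names and DSCP values are assumptions.
ip cef
!
class-map match-any voice-bearer
 match protocol rtp
class-map match-any voice-signalling
 match protocol sip
 match protocol skinny
class-map match-any web
 match protocol http
 match protocol secure-http
 match protocol dns
class-map match-any mail
 match protocol smtp
 match protocol pop3
 match protocol secure-pop3
 match protocol secure-ftp
class-map match-any bulk
 match protocol ipsec
 match protocol ftp
 match protocol irc
!
! Every whitelisted class is explicitly re-marked, so any DSCP a LAN host
! set itself is overwritten here (trust boundary). class-default is the
! implicit last class; dropping it is the default-deny.
policy-map lan-ingress-mark
 class voice-bearer
  set dscp ef
 class voice-signalling
  set dscp cs3
 class web
  set dscp af41
 class mail
  set dscp af31
 class bulk
  set dscp af21
 class class-default
  drop
!
interface FastEthernet0/0
 description LAN
 ip nbar protocol-discovery
 service-policy input lan-ingress-mark
!
! --- WAN side: queue on the marks only; no NBAR on the dialer ---
class-map match-all dscp-ef
 match dscp ef
class-map match-all dscp-cs3
 match dscp cs3
class-map match-all dscp-af41
 match dscp af41
class-map match-all dscp-af31
 match dscp af31
class-map match-all dscp-af21
 match dscp af21
!
policy-map wan-egress-queue
 class dscp-ef
  priority percent 20
 class dscp-cs3
  bandwidth remaining percent 5
 class dscp-af41
  bandwidth remaining percent 30
 class dscp-af31
  bandwidth remaining percent 30
 class dscp-af21
  bandwidth remaining percent 10
 ! Only traffic that did not enter through the LAN policy (the router's
 ! own packets) can land here, since LAN traffic is either marked or dropped.
 class class-default
  bandwidth remaining percent 1
!
interface Dialer0
 service-policy output wan-egress-queue
```

Two caveats before enabling the ingress drop. First, class-default on the LAN side catches everything NBAR did not put in a whitelisted class, which includes ICMP, NTP, SSH/Telnet to the router from the LAN and any other management traffic; add explicit classes for those or you lock yourself out. Second, NBAR's http classification is still not a firewall: a client that tunnels over port 80 with HTTP-shaped traffic will match the web class just as it matched the ACL, so the NBAR whitelist narrows the evasion surface rather than closing it. Verify with "show policy-map interface FastEthernet0/0 input" that each whitelisted match is counting packets and that the class-default drop counter is only picking up traffic you meant to deny.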

Hi,

This won't help if the NBAR match is violated.

Have a look at this bug: CSCdr31111

Have you loaded a PDLM?

Anyway: create class-maps and activate Protocol Discovery after loading PDLMs.

BR,

Bjornarsb

hi Peter,

I hope that you had time to test it my suggested way, and please can you get the output of "debug ip nbar unclassified-port-stats".

HTH,

Mohammed Mahmoud.

Hi Mohammed,

OK, I put the original configuration on (as per my first post) and ran the following command:

 BBR2#debug ip nbar unclassified-port-stats
 Port Statistics for unclassified packets are already being collected.

I activated "term mon".

Nothing is reported to the screen when I try to access the internet using "HTTP".

Am I missing something?

thanks.
