NBAR and http download

Unanswered Question
Aug 31st, 2007
Hi all,

I want to limit HTTP download for URLs like youtube.com, for example.

How can I do this?

I did it for the entire HTTP protocol, but I don't see how to do it for only this URL.

Can you help me, please?

Mohamed Sobair Fri, 08/31/2007 - 12:45

Hi,


I am afraid you can't limit traffic for specific URLs using NBAR, rather than using HTTP.

NBAR is most often used for peer-to-peer applications using PDLM (Packet Description Language Module).

You can install every new application, and you can copy and install it into your router flash using the command (ip nbar pdlm flash://xxx.pdlm) and apply the policy which defines the matching class.

In your case, there is another option: just figure out the source IP of the website and create 2 class-maps. One matches traffic from your source IPs to the destination URL and limits its bandwidth accordingly.

The other class matches any any; then apply the policy to the interface.



Example:

class-map match-any tube.com
 match access-group 100

class-map match-any normal-traffic
 match access-group 101

access-list 100 permit tcp (your source IPs) (destination URL IP) eq www
access-list 101 permit ip any any

policy-map policing-tube
 class tube.com
  ! Bandwidth limited for Tube.com traffic
  police (bits per second) conform-action drop
 class normal-traffic
  police (bits per second)

int x
 service-policy output/input policing-tube

Let us know if it works for you.



Regards,

Mohamed Sobair

fd_case17 Fri, 09/07/2007 - 08:17

Hi all,

In fact the problem is: a router (3745) with 2 interfaces: 1 for LAN f0/0, 1 for WAN f0/1.

I want to limit bandwidth in download for URLs like youtube...

So my config is:


class-map youtube
 match protocol http url "*youtube.com*"
policy-map youtube
 class youtube
  police 100000


NBAR is applied on the 2 FastEthernet interfaces.

So if I want to limit download (100Kbits), I put the policy-map in INPUT on F0/1.

But it doesn't work.

NBAR matches for the GET request but it doesn't match for the response.

How can I do that?

NBAR doesn't seem to be stateful to me.

Thanks for your answer.


Edison Ortiz Fri, 09/07/2007 - 14:39

Can you post the output from:


show policy-map interface



fd_case17 Sun, 09/09/2007 - 00:28

Hi, my conf:


class-map match-all youtube
 match protocol http url "*youtube.com*"

policy-map youtube
 class youtube
  police 100000 conform-action transmit exceed-action drop

interface FastEthernet0/0
 description To WAN
 ip address dhcp
 ip nbar protocol-discovery
 ip nat outside
 ip virtual-reassembly
 speed 100
 full-duplex
 service-policy input youtube

interface FastEthernet0/1
 description To LAN
 ip address 10.0.0.2 255.255.255.240
 ip nbar protocol-discovery
 ip nat inside
 ip virtual-reassembly
 speed 100
 full-duplex



Output of sh policy-map interface


FastEthernet0/0

  Service-policy input: youtube

    Class-map: youtube (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol http url "*youtube.com*"
      police:
          cir 100000 bps, bc 3125 bytes
        conformed 0 packets, 0 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        conformed 0 bps, exceed 0 bps

    Class-map: class-default (match-any)
      14367 packets, 1890350 bytes
      5 minute offered rate 13000 bps, drop rate 0 bps
      Match: any



Edison Ortiz Sun, 09/09/2007 - 04:25

This line


match protocol http url "*youtube.com*"


should be


match protocol http url host "*youtube.com*"

Edison Ortiz Sun, 09/09/2007 - 05:03

And actually, I recommend removing the "*" from the beginning of the string:


match protocol http url host "youtube*"

fd_case17 Sun, 09/09/2007 - 08:17

(config-cmap)#match protocol http url host "*youtube.com*"

^

% Invalid input detected at '^' marker.

My IOS:

3700 Software (C3745-ADVENTERPRISEK9_IVS-M), Version 12.4(9)T


Edison Ortiz Sun, 09/09/2007 - 13:41

Verified the command with a router; this is the correct syntax:


match protocol http host "youtube.com*"

fd_case17 Mon, 09/10/2007 - 07:35

This line doesn't match the packets I want.

They're in class-map default.

I tested with a router (2600).

Edison Ortiz Mon, 09/10/2007 - 08:57

Strange...

Do you have CEF enabled?

What IOS version are you running on the 2600?

Can you change the traffic flow from service-policy input to service-policy output?
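
Added example (not part of any post in this thread, and not Cisco code): a small Python model of which HTTP payloads carry a Host header at all, and how the three host patterns proposed above behave against it. It assumes shell-style glob semantics via Python's `fnmatchcase` as a stand-in, so NBAR's own matcher may differ; the payloads and the helper names are constructed for illustration.

```python
from fnmatch import fnmatchcase

# The three host patterns proposed in the thread.
PATTERNS = ["*youtube.com*", "youtube*", "youtube.com*"]

def request(host):
    """Constructed client-to-server payload (not captured traffic)."""
    return (f"GET /watch?v=test HTTP/1.1\r\nHost: {host}\r\n"
            "User-Agent: sample\r\n\r\n").encode("latin-1")

# Constructed server-to-client payload: status line, headers, body.
RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: video/x-flv\r\n"
            b"Content-Length: 5\r\n\r\nhello")

def parse_http(payload):
    """Return (direction, headers) for the HTTP message heading a payload."""
    head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    start_line, *header_lines = head.split("\r\n")
    direction = "response" if start_line.startswith("HTTP/") else "request"
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return direction, headers

def host_matches(payload, pattern):
    """True only if the payload carries a Host header that fits the glob."""
    _, headers = parse_http(payload)
    host = headers.get("host")
    if host is None:  # an HTTP response has no Host header to inspect
        return False
    host = host.split(":", 1)[0].lower()  # drop an optional :port (names/IPv4 only)
    return fnmatchcase(host, pattern.lower())

def match_table(host):
    """pattern -> (matches the request for `host`, matches the response)."""
    return {p: (host_matches(request(host), p), host_matches(RESPONSE, p))
            for p in PATTERNS}

if __name__ == "__main__":
    for host in ("www.youtube.com", "youtube.com"):
        for pattern, (req, resp) in match_table(host).items():
            print(f"{host:16} {pattern:15} request={req} response={resp}")
```

Under these assumptions only the request direction can ever match on Host, and a pattern without a leading `*` misses a `www.` hostname.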
