NBAR and http download

Unanswered Question
Aug 31st, 2007

Hi all,

I want to limit http download for urls like

youtube.com for example

How can I do this?

I made it for the entire HTTP protocol,

but for only this URL I don't see how.

Can you help me, please?

Mohamed Sobair Fri, 08/31/2007 - 12:45

Hi,

I am afraid you can't limit traffic for specific URLs using NBAR, rather than using HTTP.

NBAR is most often used for peer-to-peer applications using PDLM (Packet Description Language Module).

You can install every new application, and you can copy and install it into your router flash using the command (ip nbar pdlm flash://xxx.pdlm) and apply the policy which defines the matching class.

In your case, there is another option: just figure out the source IP of the website and create 2 class-maps. One matches traffic from your source IPs to the destination URL and limits its bandwidth accordingly.

The other class matches any any; then apply the policy to the interface.

example:

class-map match-any tube.com

match access-group 100

class-map match-any normal-traffic

match access-group 101

access-list 100 permit tcp (your source IP's) (destination URL IP) eq www

access-list 101 permit ip any any

policy-map policing-tube

class tube.com

police (bit per second) conform-action transmit exceed-action drop -- Bandwidth limited for Tube.com traffic

class normal-traffic

police (bits per second)

int x

service-policy output/input policing-tube

Let us know if it works for you,

Regards,

Mohamed Sobair

fd_case17 Fri, 09/07/2007 - 08:17

Hi all,

In fact the problem is: a router (3745) with 2 interfaces: 1 for LAN f0/0

1 for WAN f0/1

I want to limit bandwidth in download for URLs like youtube...

so my config is:

class-map youtube

match protocol http url "*youtube.com*"

policy-map youtube

class youtube

police 100000

NBAR is applied on the 2 FastEthernet interfaces.

So if I want to limit download (100 Kbits), I put the policy-map in INPUT on F0/1.

But it doesn't work.

NBAR matches the GET request but it doesn't match the response.

How can I do that?

NBAR doesn't seem to be stateful for me.

Thanks for your answer.

fd_case17 Sun, 09/09/2007 - 00:28

Hi, my conf:

class-map match-all youtube

match protocol http url "*youtube.com*"

policy-map youtube

class youtube

police 100000 conform-action transmit exceed-action drop

interface FastEthernet0/0

description To WAN

ip address dhcp

ip nbar protocol-discovery

ip nat outside

ip virtual-reassembly

speed 100

full-duplex

service-policy input youtube

interface FastEthernet0/1

description To LAN

ip address 10.0.0.2 255.255.255.240

ip nbar protocol-discovery

ip nat inside

ip virtual-reassembly

speed 100

full-duplex

Output of sh policy-map interface

FastEthernet0/0

Service-policy input: youtube

Class-map: youtube (match-all)

0 packets, 0 bytes

5 minute offered rate 0 bps, drop rate 0 bps

Match: protocol http url "*youtube.com*"

police:

cir 100000 bps, bc 3125 bytes

conformed 0 packets, 0 bytes; actions:

transmit

exceeded 0 packets, 0 bytes; actions:

drop

conformed 0 bps, exceed 0 bps

Class-map: class-default (match-any)

14367 packets, 1890350 bytes

5 minute offered rate 13000 bps, drop rate 0 bps

Match: any

Edison Ortiz Sun, 09/09/2007 - 04:25

This line

match protocol http url "*youtube.com*"

should be

match protocol http url host "*youtube.com*"

Edison Ortiz Sun, 09/09/2007 - 05:03

and actually, I recommend removing the "*" from the beginning of the string:

match protocol http url host "youtube*"

fd_case17 Sun, 09/09/2007 - 08:17

(config-cmap)#match protocol http url host "*youtube.com*"

^

% Invalid input detected at '^' marker.

My IOS:

3700 Software (C3745-ADVENTERPRISEK9_IVS-M), Version 12.4(9)T

Edison Ortiz Sun, 09/09/2007 - 13:41

Verified command with a router, this is the correct syntax

match protocol http host "youtube.com*"

fd_case17 Mon, 09/10/2007 - 07:35

This line doesn't match the packets I want.

They're in class-map default.

I tested with a router (2600).

Edison Ortiz Mon, 09/10/2007 - 08:57

Strange...

Do you have CEF enabled?

What IOS version are you running on the 2600?

Can you change the traffic flow from service-policy input to service-policy output?
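
An added illustration of the asymmetry reported in this thread (not code from any poster, and a model, not how NBAR is implemented): the Host header exists only in the client's request, so a classifier that judges each packet on its own never sees youtube.com in the download direction. The addresses, the sample packets, the `http_host` and `classify` helpers and the `track_flows` switch are assumptions made for the example.

```python
import fnmatch

def http_host(payload: bytes):
    """Return the Host header if payload begins an HTTP request, else None."""
    head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    # Request line: "METHOD target HTTP/x.y". A status line starts with "HTTP/".
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            return value.strip().lower()
    return None

def classify(packets, pattern, track_flows):
    """Count payload bytes per class for (src, sport, dst, dport, payload)."""
    marked = set()  # flows whose request matched, stored in both directions
    counts = {"youtube": 0, "class-default": 0}
    for src, sport, dst, dport, payload in packets:
        flow = (src, sport, dst, dport)
        host = http_host(payload)
        hit = host is not None and fnmatch.fnmatch(host, pattern)
        if hit and track_flows:
            marked.add(flow)
            marked.add((dst, dport, src, sport))  # reverse (download) direction
        cls = "youtube" if hit or flow in marked else "class-default"
        counts[cls] += len(payload)
    return counts

# Constructed sample traffic: one request, then the response and video data.
CLIENT, SERVER = "10.0.0.5", "203.0.113.10"
REQUEST = b"GET /watch HTTP/1.1\r\nHost: www.youtube.com\r\n\r\n"
RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Type: video/x-flv\r\n\r\n" + b"\x01" * 900
DATA = b"\x02" * 1400
PACKETS = [
    (CLIENT, 40000, SERVER, 80, REQUEST),
    (SERVER, 80, CLIENT, 40000, RESPONSE),
    (SERVER, 80, CLIENT, 40000, DATA),
]

if __name__ == "__main__":
    print("per-packet :", classify(PACKETS, "*youtube.com*", track_flows=False))
    print("flow-aware :", classify(PACKETS, "*youtube.com*", track_flows=True))
```
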
