Nbar match problem

Aug 12th, 2008

I have been trying to configure nbar to match traffic from a certain website and restrict the bandwidth from that site but so far no luck.


F0 is my WAN port and the config is as follows:


class-map match-any SLOW
 match protocol http host "http://www.bbc.*"
 match protocol http url "*bbc*"
 match protocol http host "http://newsimg.bbc.*"
 match protocol http s-header-field "bbc.co.uk"
!
policy-map INBOUND
 class SLOW
  police cir 8000
   conform-action transmit
   exceed-action drop
   violate-action drop
!
interface FastEthernet0
 description $ETH-LAN$$FW_OUTSIDE$
 bandwidth 768
 ip address dhcp
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip nat outside
 ip virtual-reassembly max-reassemblies 1024
 zone-member security out-zone
 load-interval 30
 duplex auto
 speed auto
 crypto map VPN
 service-policy input INBOUND
 service-policy output Shape_out


Show command output:


spray#sh policy-map int f0 in
 FastEthernet0

  Service-policy input: INBOUND

    Class-map: SLOW (match-any)
      0 packets, 0 bytes
      30 second offered rate 0 bps, drop rate 0 bps
      Match: protocol http host "http://www.bbc.*"
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol http url "*bbc*"
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol http host "http://newsimg.bbc.*"
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol http s-header-field "bbc.co.uk"
        0 packets, 0 bytes
        30 second rate 0 bps
      police:
          cir 8000 bps, bc 1500 bytes, be 1500 bytes
        conformed 0 packets, 0 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        violated 0 packets, 0 bytes; actions:
          drop
        conformed 0 bps, exceed 0 bps, violate 0 bps

    Class-map: class-default (match-any)
      4029 packets, 5318204 bytes
      30 second offered rate 110000 bps, drop rate 0 bps
      Match: any


Any ideas on why this is not working? This is an 1801 router running 12.4(11)T4.


Thanks

Giuseppe Larosa Tue, 08/12/2008 - 04:36

Hello Kate,

http is defined as TCP port 80 on the server side.

Your inbound traffic from a website is directed to the client's side TCP port, so the return traffic is not HTTP.


Exactly as it happens with telnet:

TCP port 23 is used on the server side

traffic coming back from a telnet session will be for example on port 1440 on your PC.


You can see this with netstat -a on your PC

example:


TCP nnm-ws15:4424 SW-RM-TLD066-DTT-C-1.network.rai.it:telnet ESTABLISHED


So you need to change your config to be able to match this traffic.


Hope to help

Giuseppe




stretchlad Thu, 08/14/2008 - 01:45

How does that help me police (rate limit) certain websites then?


If I apply the policy outbound, does that only affect the ACKs that are being sent back to the site?

tdrais Thu, 08/14/2008 - 04:44

This can get very confusing because you have inside and outside interfaces, each of which has an inbound and an outbound policy available.


In your case, when you apply an inbound policy to the outside interface, you want to monitor and limit the traffic that is coming from an outside web server back into your network.


The URLs you are trying to limit are the result of a user attempting to GET information from the outside server. This data is sent to the server, so it is outbound on the outside interface. The response from the server, which is inbound on the outside interface, does not usually contain the URL; it will only contain what the user requested.


There really is no way to look at an outbound URL and somehow do something to the packets that are returned from the server.


This option is more often used to block the request completely, since if you never send it to the server you will never get any response.


If you want to limit all traffic from a web site, you can use IP addresses to match on; but if it is only some traffic from the site you want to limit and other traffic you do not, then I don't know a way to accomplish that with a router.




Giuseppe Larosa Thu, 08/14/2008 - 10:48

Hello Kate,

I agree with Tim.


What you can do in the inbound direction is to use an IP ACL based rate-limit policer.


Each ACL statement will look like:


access-list 179 permit tcp host x.x.x.x eq 80 any


The well-known port is on the source side.


You need to resolve with DNS the URLs you want to limit.

This solution cannot provide distinction on the contents of the web site: all web content at the IP address will be limited.


In addition you should verify from time to time if the DNS resolution changes.


In the outbound direction you could limit access to specific URLs using NBAR, but actually this traffic is made of GETs and ACKs, so you cannot really control the download traffic.


Hope to help

Giuseppe
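
Giuseppe's ACL-based policer written out in the shape of the original INBOUND policy, as an added example that is not config from this thread. It assumes 192.0.2.10 is a placeholder for one address the site's name resolves to (ACL number 179 is the one from his post), and that the existing NBAR class SLOW is removed from the policy so only the IP-based class polices.

```cisco
! Added example, not from the thread. 192.0.2.10 is a placeholder for an
! address the web site resolves to; as noted above, re-check DNS periodically.
! Source port 80 = packets returning from the web server. The destination is
! "any", so the NAT on this outside interface does not affect the match.
access-list 179 remark Return traffic from the rate-limited web server
access-list 179 permit tcp host 192.0.2.10 eq 80 any
!
! New class keyed on the ACL instead of the NBAR host/url matches.
class-map match-any SLOW-SITE
 match access-group 179
!
policy-map INBOUND
 no class SLOW
 class SLOW-SITE
  police cir 8000
   conform-action transmit
   exceed-action drop
   violate-action drop
!
! Same direction as before: inbound on the WAN port.
interface FastEthernet0
 service-policy input INBOUND
```

With this in place, the packet counters under SLOW-SITE in sh policy-map int f0 in should climb while the site is browsed, where the NBAR host matches stayed at 0 in the output above.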

stretchlad Fri, 08/15/2008 - 02:36

Thank you both for the reply. I can understand why the URL stuff wouldn't work, but why doesn't the Match: protocol http host "*bbc.co.uk" work?


Thanks again.

Giuseppe Larosa Fri, 08/15/2008 - 05:29

Hello Kate,

It is a question of the direction of the traffic flow.

Your NBAR config would be OK to match if applied outbound, i.e. towards the internet and towards the servers.

When applied inbound, no matches can happen.

I tried to explain it in my first post.


Traffic coming from the servers is TCP traffic where the source port is 80 (www) and the destination port in the TCP header is a dynamic port.

This is what makes the difference: protocol http = TCP dest port 80.

TCP source port 80 can be matched using an extended ACL like in my second post.


Hope to help

Giuseppe

stretchlad Wed, 08/27/2008 - 02:37

spray#sh ip nbar protocol-discovery interface f0 stats bit-rate top 5

 FastEthernet0
                            Input                    Output
                            -----                    ------
  Protocol                  30sec Bit Rate (bps)     30sec Bit Rate (bps)
  ------------------------  ------------------------ ------------------------
  http                      61000                    0
  secure-http               39000                    0
  bittorrent                0                        0
  Wwar                      0                        0
  ssh                       0                        0
  unknown                   159000                   0
  Total                     259000                   0


This shows NBAR classifying as http, so I don't understand why it doesn't work regardless of direction, as port 80 will be involved either as source or destination.

tdrais Wed, 08/27/2008 - 04:50

Mostly because you are not checking for only port 80. You are also telling it to match a particular URL. The NBAR is matching all URLs.


If you look back at Giuseppe's post and change your policy to match the access list he suggested, you can limit HTTP traffic in general. You can even limit different IP sites' HTTP traffic, but you cannot limit different HTTP traffic to the same site.


Your key problem is that you want to do session-based traffic control. Maybe in the future Cisco will add the ability to a router. This is why traffic shaper boxes cost so much: because they can do this type of stuff.
