08-12-2008 03:54 AM - edited 03-03-2019 11:06 PM
I have been trying to configure nbar to match traffic from a certain website and restrict the bandwidth from that site but so far no luck.
F0 is my WAN port and the config is as follows:
class-map match-any SLOW
 match protocol http host "http://www.bbc.*"
 match protocol http url "*bbc*"
 match protocol http host "http://newsimg.bbc.*"
 match protocol http s-header-field "bbc.co.uk"
!
policy-map INBOUND
 class SLOW
  police cir 8000
   conform-action transmit
   exceed-action drop
   violate-action drop
!
interface FastEthernet0
 description $ETH-LAN$$FW_OUTSIDE$
 bandwidth 768
 ip address dhcp
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip nat outside
 ip virtual-reassembly max-reassemblies 1024
 zone-member security out-zone
 load-interval 30
 duplex auto
 speed auto
 crypto map VPN
 service-policy input INBOUND
 service-policy output Shape_out
Show output command:
spray#sh policy-map int f0 in
 FastEthernet0

  Service-policy input: INBOUND

    Class-map: SLOW (match-any)
      0 packets, 0 bytes
      30 second offered rate 0 bps, drop rate 0 bps
      Match: protocol http host "http://www.bbc.*"
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol http url "*bbc*"
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol http host "http://newsimg.bbc.*"
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol http s-header-field "bbc.co.uk"
        0 packets, 0 bytes
        30 second rate 0 bps
      police:
          cir 8000 bps, bc 1500 bytes, be 1500 bytes
        conformed 0 packets, 0 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        violated 0 packets, 0 bytes; actions:
          drop
        conformed 0 bps, exceed 0 bps, violate 0 bps

    Class-map: class-default (match-any)
      4029 packets, 5318204 bytes
      30 second offered rate 110000 bps, drop rate 0 bps
      Match: any
Any ideas on why this is not working? This is an 1801 router running 12.4(11)T4
Thanks
08-12-2008 04:36 AM
Hello Kate,
http is defined as TCP port 80 on the server side.
Your inbound traffic from a website is directed to the client's side TCP port so the return traffic is not HTTP
Exactly as it happens with telnet:
TCP port 23 is used on the server side
traffic coming back from a telnet session will be for example on port 1440 on your PC.
You can see this with netstat -a on your PC
example:
TCP    nnm-ws15:4424    SW-RM-TLD066-DTT-C-1.network.rai.it:telnet    ESTABLISHED
So you need to change your config to be able to match this traffic
Hope to help
Giuseppe
08-14-2008 01:45 AM
How does that help me police (rate limit) certain websites then?
If I apply the policy outbound does that only affect the ACK's that are being sent back to the site?
08-14-2008 04:44 AM
This can get very confusing because you have inside and outside interfaces which each have inbound and outbound policy available.
In your case, when you apply an inbound policy to the outside interface, you want to monitor and limit the traffic that is coming from an outside web server back into your network.
The URLs you are trying to limit are the result of a user attempting to GET information from the outside server. This data is sent to the server, so it is outbound on the outside interface. The response from the server, which is inbound on the outside interface, does not usually contain the URL; it will only contain what the user requested.
There really is no way to look at an outbound URL and somehow do something to the packets that are returned from the server.
This option is more used to block the request completely since if you never send them to the server you will never get any response.
If you want to limit all traffic from a web site you can use ip addresses to match on but if it is only some traffic you want to limit from the site and other traffic you do not then I don't know a way to accomplish that with a router.
08-14-2008 10:48 AM
Hello Kate,
I agree with Tim.
What you can do in the inbound direction is to use an IP ACL-based rate-limit policer.
Each ACL statement will look like
access-list 179 permit tcp host x.x.x.x eq 80 any
The well-known port is on the source side.
You need to resolve with DNS the URLs you want to limit.
This solution cannot provide distinction on the contents of the web site: all web content at the IP address will be limited.
In addition you should verify from time to time if the DNS resolution changes.
In the outbound direction you could limit access to specific URLs using NBAR, but actually this traffic is made of GETs and ACKs, so you cannot really control the download traffic.
Hope to help
Giuseppe
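Giuseppe's ACL-based inbound policer, written out as a complete configuration. This is an added example, not configuration from the thread or from Cisco: the addresses 192.0.2.10 and 192.0.2.11 are placeholders for whatever the site's host names resolve to, and the 64 kbps rate and the ACL, class-map and policy-map names are chosen for illustration. The interface name and the INBOUND policy name are taken from Kate's config.

```cisco
! Added example: police return traffic from specific web servers, applied
! inbound on the WAN interface. The well-known port is the SOURCE port here,
! because the server is the sender of the packets seen inbound on F0.
! 192.0.2.x are placeholder addresses: replace them with the resolved ones
! and re-check DNS from time to time, as they can change.
ip access-list extended SLOW_SITES_IN
 remark placeholder addresses for the site to be limited
 permit tcp host 192.0.2.10 eq 80 any
 permit tcp host 192.0.2.10 eq 443 any
 permit tcp host 192.0.2.11 eq 80 any
 permit tcp host 192.0.2.11 eq 443 any
!
class-map match-all SLOW_SITES
 match access-group name SLOW_SITES_IN
!
policy-map INBOUND
 class SLOW_SITES
  police cir 64000 bc 8000
   conform-action transmit
   exceed-action drop
!
interface FastEthernet0
 service-policy input INBOUND
!
! Verification: both counters should climb while a LAN client downloads
! from the site. Zero matches here means the addresses are wrong, not
! the direction.
!   show access-lists SLOW_SITES_IN
!   show policy-map interface FastEthernet0 input
```

The destination is left as `any` on purpose: inbound on the outside interface the packet is classified before NAT rewrites the destination back to the inside host, so it still carries the router's public (DHCP) address. Two caveats a practitioner should keep in mind: all content served from those addresses is limited, including anything else hosted there, and an inbound policer only slows a download indirectly, through TCP's reaction to the drops; the dropped bytes have already crossed the 768 kbps link.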
08-15-2008 02:36 AM
Thank you both for the reply. I can understand why the URL stuff wouldn't work, but why doesn't the Match: protocol http host "*bbc.co.uk" work?
Thanks again.
08-15-2008 05:29 AM
Hello Kate,
It is a question of the direction of the traffic flow.
Your NBAR config would be OK to match if applied outbound, i.e. towards the internet and towards the servers.
When applied inbound, no matches can happen.
I tried to explain it in my first post.
Traffic coming from the servers is TCP traffic where the source port is 80 (www) and the destination port in the TCP header is a dynamic port.
This is what makes the difference: protocol http = TCP dest port 80.
TCP source port 80 can be matched using an extended ACL like in my second post
Hope to help
Giuseppe
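The outbound variant Giuseppe describes, as an added example that is not from the thread: the NBAR host match applied in the output direction of the WAN interface, where the client's GET and its Host header actually pass, and used to drop the request outright, since limiting the GETs would not limit the download. It assumes the interface has no other output policy; on Kate's router the class would have to be added to the existing Shape_out policy-map, because an interface takes only one service-policy per direction. The class-map and policy-map names are chosen for illustration.

```cisco
! Added example: classify outbound HTTP requests by their Host header and
! drop them, so no response is ever generated. A Host header carries only
! the host name ("www.bbc.co.uk"), never the "http://" scheme, so the
! pattern is a bare name with NBAR's * wildcard.
class-map match-any BBC_REQUESTS
 match protocol http host "*bbc.co.uk*"
!
policy-map OUTBOUND_WEB
 class BBC_REQUESTS
  drop
!
interface FastEthernet0
 service-policy output OUTBOUND_WEB
!
! Check: the class counter increments when a LAN client browses the site
! and the browser times out instead of loading the page.
!   show policy-map interface FastEthernet0 output
```

Two limits worth knowing before relying on this: `match protocol http host` only inspects plain HTTP, so the secure-http traffic that protocol discovery reports on this interface cannot be classified by host name (the header is inside TLS) and needs the address-based ACL method instead; and the match is per request, not per session, so it blocks or passes whole sites rather than limiting particular content from one site.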
08-27-2008 02:37 AM
spray#sh ip nbar protocol-discovery interface f0 stats bit-rate top 5

 FastEthernet0

                            Input                      Output
                            -----                      ------
 Protocol                   30sec Bit Rate (bps)       30sec Bit Rate (bps)
 ------------------------   ------------------------   ------------------------
 http                       61000                      0
 secure-http                39000                      0
 bittorrent                 0                          0
 Wwar                       0                          0
 ssh                        0                          0
 unknown                    159000                     0
 Total                      259000                     0
This shows NBAR classifying as http, so I don't understand why it doesn't work regardless of direction, as port 80 will be involved either as source or destination.
08-27-2008 04:50 AM
Mostly because you are not checking for only port 80. You are also telling it to match a particular URL. NBAR is matching all URLs.
If you look back at Giuseppe's post and change your policy to match the access list he suggested, you can limit HTTP traffic in general. You can even limit different IP sites' HTTP traffic, but you cannot limit different HTTP traffic to the same site.
Your key problem is that you want to do session-based traffic control. Maybe in the future Cisco will add the ability to a router. This is why traffic shaper boxes cost so much: they can do this type of stuff.
08-27-2008 04:53 AM
Well, thank you all for the helpful replies :)