QoS question - Is this possible

Unanswered Question
Mar 10th, 2009

All,

I don't think this is possible without extra equipment/software, but I wanted to ask.

Is there a way that I can create a time-based ACL and apply that policy-map to the ACL (or vice-versa)?

What I want to do is restrict flash applications between 5 - 7:30PM. I know that I can restrict URLs through a class-map, so I thought I would be able to restrict *.flv and *.swf between that time. Is there a way to do it?

I have either an 871W or an ASA that I can do this on. (The ASA is behind the 871W.)

Thanks,

John

mikegrous Tue, 03/10/2009 - 08:36

My example would be for a router. Not sure if the ASA has the features to do this but if it does this should work with some modification to fit for the ASA.

You would write your ACL that matches: access-list 100 permit ip any any time-range TIME (specify this range with the time-range command in global config.)

class-map match-all CLASSMAP
 (this class map would then match the ACL, and it would then match your *.flv using NBAR)

policy-map 1
 class CLASSMAP
  shape? or police or drop or whatever..

NBAR doc: http://www.cisco.com/en/US/docs/ios/qos/configuration/guide/clsfy_traffic_nbar_ps6017_TSD_Products_Configuration_Guide_Chapter.html

adamclarkuk_2 Tue, 03/10/2009 - 08:48

Hi

The ASA does support time-ranges:

time-range working_hours
 periodic weekdays 9:00 to 17:00

access-list limit extended permit ip host x.x.x.x any time-range working_hours

You can also use regexp within a policy-map to search for what you need :-

regex blockex1 "\.flv"
regex blockex2 "\.swf"
!
class-map type inspect http match-all block-flv
 match request uri regex blockex1
!
class-map type inspect http match-all block-swf
 match request uri regex blockex2
!
class-map limit-class
 match access-list limit
!
policy-map type inspect http block-url-policy
 parameters
 class block-flv
  drop-connection log
 class block-swf
  drop-connection log
!
policy-map global_policy
 class limit-class
  inspect http block-url-policy
!
service-policy global_policy global

John Blakley Wed, 03/11/2009 - 04:31

Okay, so this didn't work the way that I wanted. The embedded videos still play. In the following example, I tried to block javascript because I noticed that java was loading for a certain game site, but that didn't work either:

  Class-map: NO_FLASH (match-all)
    0 packets, 0 bytes
    5 minute offered rate 0 bps, drop rate 0 bps
    Match: access-group 151
    Match: protocol http url "*.js"
    drop

class-map match-all NO_FLASH
 match access-group 151
 match protocol http url "*.js"

access-list 151
    10 permit ip host 10.20.1.100 any

policy-map OUTBOUND
 class ROKU-OUTBOUND
  priority percent 25
 class NO_FLASH
  drop
 class class-default
  fair-queue 256

int fa4
 service-policy output OUTBOUND

I also tried mime type "video/x-flv" and I could still play videos. I also tried to match on .swf, .flv, and .js (shown above). NBAR doesn't have a type that matches flash, so my thought is because http is allowed out, I may not be able to block it using "normal" methods. The URLs are randomized, so I'd have to block the whole site. The problem with that is I don't know how many sites I need to block, and I wanted to just block the filetypes.

Any other ideas?

Thanks!

John

adamclarkuk_2 Wed, 03/11/2009 - 04:36

Did you enable nbar on the correct interfaces with the interface-level command?

ip nbar protocol-discovery

John Blakley Wed, 03/11/2009 - 05:12

Yes, and I forgot to paste that information in. Here's a portion of it attached.

Thanks,

John

adamclarkuk_2 Wed, 03/11/2009 - 06:05

Have you applied the ip nbar command on the interface facing your internal network as well?

Other than that your config looks good; is your ACL correct, as well as the time on your router?

adamclarkuk_2 Wed, 03/11/2009 - 06:10

Also, edit your regexp to include swf by adding a |, i.e.:

match protocol http url *.js|*.swf

John Blakley Wed, 03/11/2009 - 07:02

If I could get any of these to work alone, then this would definitely be the way to go. Problem is that it doesn't work with either of them.

John

adamclarkuk_2 Wed, 03/11/2009 - 07:03

What about answers to my earlier post?

Have you applied the ip nbar command on the interface facing your internal network as well?

Other than that your config looks good; is your ACL correct, as well as the time on your router?

Maybe try removing the ACL to see if that works?

John Blakley Wed, 03/11/2009 - 07:08

Oh, I'm sorry I didn't see this one.

Actually, no. I don't think nbar is applied to the internal interface. The time is correct. I'll have to apply it and test it later tonight and I'll let you know.

Thanks Adam!

John

adamclarkuk_2 Wed, 03/11/2009 - 07:26

That will be your problem then as the inspection can not take place, all should be good once you add NBAR to the internal interface.

John Blakley Thu, 03/12/2009 - 06:35

Okay,

I enabled inspection on the bvi and interface do0 (I was connected wirelessly). It still didn't work.

I changed the class-map to "match protocol http mime video/flv" and "application/x-shockwave-flash", and a combination of the two (application/x-shockwave-flash|video/flv). This didn't work either.

I also tried the "match protocol http url *.swf|*.flv" to try to match the embedded video. I did forget to try the .js filetype, but the other didn't work.

I removed the match statement to make sure the class-map and policy-map/class/drop statement was working. I couldn't get on the internet at that point, and my policy-map had hits on it. So, I have "class-map match-any NO_FLASH" as my class map, and it definitely works. I also tried changing to "class-map match-all NO_FLASH." The latter will work perfectly once I can figure out why my config isn't working.

Thanks,

John

adamclarkuk_2 Thu, 03/12/2009 - 06:43

Gonna need to see your config mate, also what URL are you testing with so I can try to replicate?

John Blakley Thu, 03/12/2009 - 06:57

Here's the config for the class-map, policy-map, and all of the interfaces:

class-map match-all NO_FLASH
 match access-group 151
 match protocol http mime "application/x-shockwave-flash"
!
policy-map OUTBOUND
 class ROKU-OUTBOUND
  priority percent 25
 class NO_FLASH
  drop
 class class-default
  fair-queue 256
!
interface FastEthernet0
 description Router Trunk
 switchport mode trunk
!
interface FastEthernet1
!
interface FastEthernet2
 switchport access vlan 2
 duplex full
 speed 100
!
interface FastEthernet3
 duplex full
 speed 100
!
interface FastEthernet4
 bandwidth 6144
 ip address dhcp client-id FastEthernet4
 ip access-group EXTERNAL in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip nat outside
 ip inspect NEMESIS-FW out
 ip virtual-reassembly
 ip route-cache flow
 speed 100
 full-duplex
 no cdp enable
 service-policy output OUTBOUND
!
interface Dot11Radio0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 !
 encryption vlan 1 mode ciphers tkip
 !
 ssid ISIS
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 infrastructure-client
 ip nbar protocol-discovery
!
interface Dot11Radio0.1
 description Normal WIFI
 encapsulation dot1Q 1 native
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 no ip address
 ip virtual-reassembly
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface Vlan2
 description DMZ$FW_INSIDE$
 ip address 192.168.2.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 service-policy input ROKU
!
interface BVI1
 description Internal Interface$ES_LAN$$FW_INSIDE$
 ip address 10.20.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 hold-queue 100 out
!
access-list 151 permit ip 10.20.1.0 0.0.0.255 any

I was trying both youtube.com and addictinggames.com. I need to be able to block any online game or video anywhere, not just these two sites.

Thanks for looking at this Adam!

John

John Blakley Fri, 03/13/2009 - 04:01

I've been playing around with this for a while this morning, and I can't get it to work. Does it have something to do with NAT?

adamclarkuk_2 Fri, 03/13/2009 - 04:05

Ah, highly possible. Is your ACL matching the post- or pre-NAT address, and have you tried it without the ACL?

John Blakley Fri, 03/13/2009 - 04:17

Okay,

It does start to match the traffic with the acl removed. I can still get to youtube, but addictinggames.com stopped working (which is what I want). I couldn't get it to work with the mime type under match protocol, but I got it to work with the url *.swf|*.flv|*.js.

How would I be able to get this to work using NAT?

John Blakley Fri, 03/13/2009 - 04:37

I can't get it to match the mime type though.

I pulled this from youtube's "embed this link on your site" code:

http://www.youtube.com/v/5zozqhQa29M&hl=en&fs=1" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="425" height="344">

The mime type that I have set on the match protocol is application/x-shockwave-flash, but I'm not seeing hits on it.

John

adamclarkuk_2 Fri, 03/13/2009 - 04:39

At least we have progress.

Let's focus on the ACL first. Are you matching on the pre- or post-NAT address? Put both in the ACL and see which gets the hit; it should be the post-NAT address.
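The two configuration points raised in this thread, a time-based ACL (mikegrous's and Adam's time-range suggestions above) and the pre- versus post-NAT question in the last few replies, can be checked offline with a small model before touching the router. The following Python is an added example written for this page, not code from any of the posters or from Cisco. It parses IOS numbered-ACL and time-range syntax, evaluates an ACE the way IOS does (an entry whose time-range is inactive is skipped entirely), and models an output service-policy on the NAT-outside interface, where IOS performs inside-to-outside translation before output classification, so the class-map's ACL is evaluated against the translated source. The addresses 192.0.2.1 (standing in for the 99.x.x.x WAN address), 203.0.113.10 and the time-range name NO_FLASH_HOURS are constructed; NAT overload is reduced to a plain source-address rewrite.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, time

# ---- time-range blocks: 'time-range NAME' / 'periodic <days> HH:MM to HH:MM' ----
DAY_SETS = {
    "daily": set(range(7)), "weekdays": set(range(5)), "weekend": {5, 6},
    "monday": {0}, "tuesday": {1}, "wednesday": {2}, "thursday": {3},
    "friday": {4}, "saturday": {5}, "sunday": {6},
}

def _hhmm(text):
    hour, minute = (int(part) for part in text.split(":"))
    return time(hour, minute)

def parse_time_ranges(lines):
    """Return {name: [(weekday_set, start, end), ...]} from time-range config lines."""
    ranges, current = {}, None
    for line in lines:
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] == "time-range":
            current = ranges.setdefault(tokens[1], [])
        elif tokens[0] == "periodic" and current is not None:
            to = tokens.index("to")
            days = set().union(*(DAY_SETS[d] for d in tokens[1:to - 1]))
            current.append((days, _hhmm(tokens[to - 1]), _hhmm(tokens[to + 1])))
    return ranges

def time_range_active(entries, when):
    return any(when.weekday() in days and start <= when.time() <= end
               for days, start, end in entries)

# ---- numbered ACL: 'access-list N permit|deny ip <src> <dst> [time-range NAME]' ----
@dataclass(frozen=True)
class Ace:
    action: str
    src: int
    src_wild: int
    dst: int
    dst_wild: int
    time_range: str = ""

def _addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z'; return (net, wildcard, next_index)."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2
    return (int(ipaddress.IPv4Address(tokens[i])),
            int(ipaddress.IPv4Address(tokens[i + 1])), i + 2)

def parse_acl(lines):
    aces = []
    for line in lines:
        t = line.split()
        src, src_wild, i = _addr(t, 4)
        dst, dst_wild, i = _addr(t, i)
        time_range = t[i + 1] if i < len(t) and t[i] == "time-range" else ""
        aces.append(Ace(t[2], src, src_wild, dst, dst_wild, time_range))
    return aces

def _wild_eq(addr, net, wild):
    # Wildcard bits set to 1 are "don't care"; compare only the remaining bits.
    return ((addr ^ net) & ~wild & 0xFFFFFFFF) == 0

def acl_permits(aces, time_ranges, src, dst, when):
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for ace in aces:
        if ace.time_range and not time_range_active(time_ranges[ace.time_range], when):
            continue  # inactive time-range: IOS treats the entry as absent
        if _wild_eq(s, ace.src, ace.src_wild) and _wild_eq(d, ace.dst, ace.dst_wild):
            return ace.action == "permit"
    return False  # implicit deny at the end of every ACL

# ---- NAT and output-side classification on the outside interface ----
def nat_inside_to_outside(src, inside_net, outside_ip):
    return outside_ip if ipaddress.IPv4Address(src) in inside_net else src

def output_class_matches(aces, time_ranges, src, dst, when, inside_net, outside_ip):
    """Model of 'service-policy output' on the 'ip nat outside' interface:
    translation has already happened, so the ACL sees the post-NAT source."""
    translated = nat_inside_to_outside(src, inside_net, outside_ip)
    return acl_permits(aces, time_ranges, translated, dst, when)

# Constructed sample data: the 5 - 7:30 PM window from the original question.
TIME_RANGES = parse_time_ranges(["time-range NO_FLASH_HOURS",
                                 "periodic daily 17:00 to 19:30"])
INSIDE_NET = ipaddress.ip_network("10.20.1.0/24")
OUTSIDE_IP = "192.0.2.1"   # constructed stand-in for the router's public address
ACL_PRIVATE = parse_acl(["access-list 151 permit ip 10.20.1.0 0.0.0.255 any time-range NO_FLASH_HOURS"])
ACL_PUBLIC = parse_acl(["access-list 151 permit ip host 192.0.2.1 any time-range NO_FLASH_HOURS"])
EVENING = datetime(2009, 3, 13, 18, 0)   # Friday 18:00, inside the window
MORNING = datetime(2009, 3, 13, 8, 0)    # Friday 08:00, outside the window

if __name__ == "__main__":
    for label, acl in (("private-address ACL", ACL_PRIVATE), ("public-address ACL", ACL_PUBLIC)):
        hit = output_class_matches(acl, TIME_RANGES, "10.20.1.100", "203.0.113.10",
                                   EVENING, INSIDE_NET, OUTSIDE_IP)
        print(f"{label}: output class-map {'matches' if hit else 'does not match'} at 18:00")
```

The private-address ACL matches the same packet when evaluated on the inside interface (before translation) and not on the outside one, which is the behaviour observed in the thread; a class-map attached with service-policy input on BVI1 would keep the ACL in pre-NAT terms, at the cost of classifying before the outside interface's NBAR sees the flow.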

John Blakley Fri, 03/13/2009 - 06:28

Okay,

Yes it matches my external address of 99.x.x.x, and it doesn't match the internal address.

Even though it was matching on it, I could still get to youtube. My match statement was like:

match protocol http url *youtube.com*

I also tried:

*.youtube.com

*youtube.com

Nothing I tried will block the traffic. I know that I'm missing something because I've seen too many documents that verify this is configured correctly.

John

adamclarkuk_2 Fri, 03/13/2009 - 06:43

Hi mate

So your setup is similar to this:

class-map match-any test
 match protocol http url "*youtube.com"
 match protocol http url "*youtube.com*"
!
policy-map test
 class test
  drop

Can you post the output of:

sh policy-map interface
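Much of the back-and-forth above comes down to which part of the HTTP request each matching command actually inspects. On IOS, `match protocol http url` applies its wildcard pattern to the part of the request after the host name, while `match protocol http host` is the command that sees the host name; on the ASA, a `regex` object is applied to whichever field the `match request ...` line names, and an unescaped dot such as `.flv` matches any character rather than a literal dot. The Python below is an added example for this page, not code from either poster or from Cisco: it parses two constructed requests (one mirroring the YouTube embed URL quoted earlier, which carries no file extension at all) and runs the thread's patterns against the field each command would see, using fnmatch as a stand-in for the NBAR glob and `re` for the ASA regex engine.

```python
import re
from fnmatch import fnmatchcase

# Constructed requests. The first mimics the YouTube embed URL quoted in the
# thread (no file extension in the path); the second fetches a .swf by name.
EMBED_REQUEST = (
    "GET /v/5zozqhQa29M&hl=en&fs=1 HTTP/1.1\r\n"
    "Host: www.youtube.com\r\n\r\n"
)
SWF_REQUEST = (
    "GET /player/flvplayer.swf HTTP/1.1\r\n"
    "Host: games.example.com\r\n\r\n"
)

def parse_request(raw):
    """Split an HTTP/1.1 request into the two fields a firewall classifier sees:
    the request-target (what NBAR calls the 'url') and the Host header."""
    request_line, _, header_block = raw.partition("\r\n")
    _method, target, _version = request_line.split()
    headers = {}
    for line in header_block.split("\r\n"):
        if not line:
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"url": target, "host": headers.get("host", "")}

def nbar_url_matches(pattern, url):
    """Model of 'match protocol http url <pattern>': '|' separates alternatives,
    '*' matches any run of characters, and the pattern must cover the whole
    portion of the request after the host name."""
    return any(fnmatchcase(url, alt) for alt in pattern.split("|"))

def nbar_host_matches(pattern, host):
    """Model of 'match protocol http host <pattern>' (same glob rules, host field)."""
    return any(fnmatchcase(host, alt) for alt in pattern.split("|"))

def asa_regex_matches(regex, field_value):
    """Model of an ASA 'regex' object tested against one request field, as
    'match request uri regex' or 'match request header host regex' would."""
    return re.search(regex, field_value) is not None

def classify(raw):
    """Run the patterns discussed in the thread against both fields."""
    req = parse_request(raw)
    return {
        "url *.swf|*.flv|*.js": nbar_url_matches("*.swf|*.flv|*.js", req["url"]),
        "url *youtube.com*": nbar_url_matches("*youtube.com*", req["url"]),
        "host *youtube.com*": nbar_host_matches("*youtube.com*", req["host"]),
        "regex .flv on uri": asa_regex_matches(".flv", req["url"]),
        "regex \\.flv on uri": asa_regex_matches(r"\.flv", req["url"]),
        "regex \\.swf on host": asa_regex_matches(r"\.swf", req["host"]),
        "regex \\.swf on uri": asa_regex_matches(r"\.swf", req["url"]),
    }

if __name__ == "__main__":
    for name, raw in (("embed", EMBED_REQUEST), ("swf", SWF_REQUEST)):
        print(name)
        for rule, hit in classify(raw).items():
            print(f"  {rule:<22} {'HIT' if hit else 'miss'}")
```

Two things fall out of the results: a `*youtube.com*` pattern only fires when applied to the host field, and an extension-based pattern never fires on the embed request because the player URL has no extension, which is consistent with the extension matches working for addictinggames.com but not for YouTube earlier in the thread. The `.flv` versus `\.flv` rows show the regex pitfall: the unescaped form hits `/player/flvplayer.swf` even though no `.flv` file is requested.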
