cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1501
Views
10
Helpful
23
Replies

QoS question - Is this possible

John Blakley
VIP Alumni
VIP Alumni

All,

I don't think this is possible without extra equipment/software, but I wanted to ask.

Is there a way that I can create a time-based ACL and apply that policy-map to the ACL (or vice-versa)?

What I want to do is restrict flash applications between 5 - 7:30PM. I know that I can restrict URLs through a class-map, so I thought I would be able to restrict *.flv and *.swf between that time. Is there a way to do it?

I have either an 871W or an ASA that I can do this on. (The ASA is behind the 871W.)

Thanks,

John

HTH, John *** Please rate all useful posts ***
23 Replies 23

mikegrous
Level 3
Level 3

My example would be for a router. Not sure if the ASA has the features to do this but if it does this should work with some modification to fit for the ASA.

You would write your ACL that matches ip access-list 100 permit ip any any time-range TIME (specify this range with the time-range command in global config.)

class-map match-all CLASSMAP

this class map would then match the ACL

and it would then match your *.flv using NBAR

policy-map 1

class 1

shape? or police or drop or whatever..

nbar doc )http://www.cisco.com/en/US/docs/ios/qos/configuration/guide/clsfy_traffic_nbar_ps6017_TSD_Products_Configuration_Guide_Chapter.html

Thanks for this Mike! I'm going to try it tonight.

John

HTH, John *** Please rate all useful posts ***

adamclarkuk_2
Level 4
Level 4

Hi

The ASA does support time-ranges :

time-range working_hours

periodic weekdays 9:00 to 17:00

access-list limit extended permit ip host x.x.x.x any time-range working_hours

You can also use regexp within a policy-map to search for what you need :-

regex blockex1 ".flv"

regex blockex2 ".swf"

class-map type inspect http match-all block-flv

match request header host regex blockex1

match access-list

class-map type inspect http match-all block-swf

match request header host regex blockex1

match access-list

policy-map type inspect http block-url-policy

parameters

class block-flv

drop-connection log

class block-swf

drop-connection log

policy-map global_policy

class inspection_default

inspect http block-url-policy

service-policy global_policy global

Okay, so this didn't work the way that I wanted. The embedded videos still play. In the following example, I tried to block javascript because I noticed that java was loading for a certain game site, but that didn't work either:

Class-map: NO_FLASH (match-all)

0 packets, 0 bytes

5 minute offered rate 0 bps, drop rate 0 bps

Match: access-group 151

Match: protocol http url "*.js"

drop

class-map match-all NO_FLASH

match access-group 151

match protocol http url "*.js"

access-list 151

10 permit ip host 10.20.1.100 any

policy-map OUTBOUND

class ROKU-OUTBOUND

priority percent 25

class NO_FLASH

drop

class class-default

fair-queue 256

int fa4

service-policy output OUTBOUND

I also tried mime type "video/x-flv" and I could still play videos. I also tried to match on .swf, .flv, and .js (exampled above). NBAR doesn't have a type that matches flash, so my thought is because http is allowed out, I may not be able to block it using "normal" methods. The urls are randomnized, so I'd have to block the whole site. The problem with that is I don't know how many sites I need to block, and I wanted to just block the filetypes.

Any other ideas?

Thanks!

John

HTH, John *** Please rate all useful posts ***

Did you enable nbar on the correct interfaces with the interface level command

ip nbar protocol-discovery

Yes, and I forgot to paste that information in. Here's a portion of it attached.

Thanks,

John

HTH, John *** Please rate all useful posts ***

The forum wouldn't let me attach a file if I edit my own post. I had to reply and then attach =)

John

HTH, John *** Please rate all useful posts ***

Have you applied the ip nbar command on the interface facing your internal network as well.

Other than that your config looks good, is your ACL correct as well as the time on your router ?

Also, edit your regexp to include swf byt adding a |, ie :-

match protocol http url *.js|*.swf

If I could get any of these to work alone, then this would definitely be the way to go. Problem is that it doesn't work with either of them.

John

HTH, John *** Please rate all useful posts ***

What about answers to my earlier post

Have you applied the ip nbar command on the interface facing your internal network as well.

Other than that your config looks good, is your ACL correct as well as the time on your router ?

Maybe try removing the ACL to see if that works ?

Oh, I'm sorry I didn't see this one.

Actually, no. I don't think nbar is applied to the internal interface. The time is correct. I'll have to apply it and test it later tonight and I'll let you know.

Thanks Adam!

John

HTH, John *** Please rate all useful posts ***

That will be your problem then as the inspection can not take place, all should be good once you add NBAR to the internal interface.

Okay,

I enabled inspection on the bvi and interface do0 (I was connected wirelessly). It still didn't work.

I changed the class-map to "match protocol http mime video/flv and application/x-shockwave-flash, and a combination of the two (application/x-shockwave-flash|video/flv). This didn't work either.

I also tried the "match protocol http url *.swf|*.flv" to try to match the embedded video. I did forget to try the .js filetype, but the other didn't work.

I removed the match statement to make sure the class-map and policy-map/class/drop statement was working. I couldn't get on the internet at that point, and my policy-map had hits on it. So, I have "class-map match-any NO_FLASH" as my class map, and it definitely works. I also tried changing to "class-map match-all NO_FLASH." The latter will work perfectly once I can figure out why my config isn't working.

Thanks,

John

HTH, John *** Please rate all useful posts ***
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Innovations in Cisco Full Stack Observability - A new webinar from Cisco