NBAR

jason.chin
Level 1

I want to give a limited class of service to 1 subnet, allowing only protocols like http, pop3, smtp and blocking or limiting everything else like kazaa, etc. I'm running a 3662 with IOS 12.2(15)T1 (IP Plus). What would be the best configuration to accomplish this? Also, can ACLs be applied to priority-maps or class maps, as I only want these rules to apply to 1 subnet while hosts on another subnet have full access to the internet?

5 Replies

thisisshanky
Level 11

Check this out!

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122s/122snwft/release/122s14/fsnbarad.htm#1033029

To match one particular subnet, you can add multiple match statements as follows:

class-map file-transfer
 match protocol kazaa2
 match access-group X

and create an access-list with number = X which matches the particular subnet.

HTH

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

Thanks for the help. I've tried the ACLs and they work fine. So far I have the configuration pasted below. My question is: how do I class the remaining traffic not defined in Bronze-Rules and limit it, but restricting this rule to the subnet defined by the ACL named Bronze-Networks? Also, how do I allow the protocols defined by Bronze-Rules?

class-map match-all Bronze-Rules
 match protocol dns
 match protocol ftp
 match protocol gre
 match protocol http
 match protocol pptp
 match protocol pop3
 match protocol smtp
 match protocol ssh
 match access-group name Bronze-Networks
!
ip access-list standard Bronze-Networks
 permit 192.168.2.0 0.0.0.255

There are three things that need to be defined.

a) Define the traffic using the class-map command (traffic selection).

b) Define the policy applied to each of the above classes (class-based marking).

c) Apply the policy to an interface.

You can define multiple class maps to define different traffic. Check the example in the link that I posted before (see the example given at the end; check out steps 1 through 5).

You need to club your traffic classes as follows.

class-map match-all Bronze-Rules-DNS
 match protocol dns
 match access-group name Bronze-Networks
class-map match-all Bronze-Rules-FTP
 match protocol ftp
 match access-group name Bronze-Networks
class-map match-all Bronze-Rules-GRE
 match protocol gre
 match access-group name Bronze-Networks
class-map match-all Bronze-Rules-HTTP
 match protocol http
 match access-group name Bronze-Networks
class-map match-all Bronze-Rules-PPTP
 match protocol pptp
 match access-group name Bronze-Networks
class-map match-all Bronze-Rules-POP3
 match protocol pop3
 match access-group name Bronze-Networks
class-map match-all Bronze-Rules-SMTP
 match protocol smtp
 match access-group name Bronze-Networks
class-map match-all Bronze-Rules-SSH
 match protocol ssh
 match access-group name Bronze-Networks
!
ip access-list standard Bronze-Networks
 permit 192.168.2.0 0.0.0.255

Once the classes are defined, the parameters (policy) to be set (IP precedence, rate limiting (CAR), etc.) can be set on these traffic classes using a policy map.

All traffic, that is not matched by Bronze-Rules, will fall into the default class (class-default). You need to define class-default only if you need to set any parameters for the default class.

policy-map Restrict_Traffic
 class Bronze-Rules
  police ...
 class class-default
  police ...

Once the policy map is defined, you can apply it on an interface using the "service-policy" command as follows:

interface s0/0
 service-policy {input | output} Restrict_Traffic    <----- apply the policy map here

Hope this helps.

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

Ok, I used the config you recommended. Here is what I saw: the "class class-default" rule captured all traffic from the other subnets seen by the router (Gold and Silver subnets) and blocked it. How do I restrict the "class class-default" rule so it only blocks "unmatched" traffic for the subnet specified in the ACL Bronze-Networks? The config I used:

!
class-map match-all Bronze-Rules-PPTP
 match protocol pptp
 match access-group name Bronze-Networks
class-map match-all Bronze-Rules-SMTP
 match protocol smtp
 match access-group name Bronze-Networks
class-map match-all Bronze-Rules-HTTP
 match protocol http
 match access-group name Bronze-Networks
class-map match-all Bronze-Rules-FTP
 match protocol ftp
 match access-group name Bronze-Networks
class-map match-all Bronze-Rules-SSH
 match protocol ssh
 match access-group name Bronze-Networks
class-map match-all Bronze-Rules-GRE
 match protocol gre
 match access-group name Bronze-Networks
class-map match-all Bronze-Rules-DNS
 match protocol dns
 match access-group name Bronze-Networks
class-map match-all Bronze-Rules-POP3
 match protocol pop3
 match access-group name Bronze-Networks
!
policy-map Bronze-Policy
 class Bronze-Rules-DNS
  set precedence 1
 class Bronze-Rules-FTP
  set precedence 1
 class Bronze-Rules-GRE
  set precedence 1
 class Bronze-Rules-HTTP
  set precedence 1
 class Bronze-Rules-POP3
  set precedence 1
 class Bronze-Rules-PPTP
  set precedence 1
 class Bronze-Rules-SMTP
  set precedence 1
 class Bronze-Rules-SSH
  set precedence 1
 class class-default
  police cir 8000 bc 1000 be 1000
   conform-action drop
   exceed-action drop
!
ip access-list standard Bronze-Networks
 permit 192.168.2.0 0.0.0.255
!

Is it possible to get the "class class-default" to police only addresses specified by the ACL Bronze-Networks and ignore other subnets seen by the router?
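Added example (not a reply in this thread, and not Cisco code): a small Python model of how MQC classification behaves, covering the three-step class-map / policy-map / service-policy procedure described earlier and the class-default behaviour observed in the last post. It reproduces the semantics the thread depends on: a match-all class-map ANDs its match lines, match-any ORs them, a policy-map tests its classes in listed order, and anything no class claims falls into class-default. Packets are reduced to a source IP and an NBAR protocol name, the ACL is a list of permitted networks, and all sample packets are constructed. The third configuration ("Bronze-Other", built with the IOS "match not protocol" form) is my own refinement, not something any reply here proposes; it shows one way to attach a drop/police action to "Bronze subnet AND none of the allowed protocols" without touching class-default. Policing, marking and interface direction are not modelled.

```python
"""Simulate Cisco MQC traffic classification (class-map / policy-map).

Added example, not configuration or code from the thread. Models only:
'match-all' ANDs its match lines, 'match-any' ORs them, a policy-map tests
its classes in listed order, and unmatched traffic lands in class-default.
Packets are reduced to a source IP plus an NBAR protocol name; ACLs are a
list of permitted networks. All sample data below is constructed.
"""
import ipaddress

# Constructed ACL table mirroring 'ip access-list standard Bronze-Networks'.
ACLS = {"Bronze-Networks": [ipaddress.ip_network("192.168.2.0/24")]}

# The protocols the thread wants to allow for the Bronze subnet.
ALLOWED = ["dns", "ftp", "gre", "http", "pptp", "pop3", "smtp", "ssh"]


def acl_permits(acl_name, src_ip):
    """Standard ACL: permit if the source address falls in a permitted network."""
    return any(ipaddress.ip_address(src_ip) in net for net in ACLS[acl_name])


def match_line(line, pkt):
    """Evaluate one 'match ...' line given as (kind, value, negated).
    negated=True models the IOS 'match not ...' form."""
    kind, value, negated = line
    if kind == "protocol":
        hit = pkt["protocol"] == value
    elif kind == "access-group":
        hit = acl_permits(value, pkt["src"])
    else:
        raise ValueError(f"unsupported match kind: {kind}")
    return hit != negated


def class_matches(class_map, pkt):
    """'match-all' needs every line to hit; 'match-any' needs at least one."""
    mode, lines = class_map
    results = [match_line(ln, pkt) for ln in lines]
    return all(results) if mode == "match-all" else any(results)


def classify(policy, class_maps, pkt):
    """Return the first class in policy-map order that matches, else class-default."""
    for name in policy:
        if name != "class-default" and class_matches(class_maps[name], pkt):
            return name
    return "class-default"


# 1) The first config in the thread: one match-all class listing every protocol.
#    A packet carries one protocol, so the ANDed protocol lines can never all hold.
ORIGINAL = {"Bronze-Rules": ("match-all",
                             [("protocol", p, False) for p in ALLOWED]
                             + [("access-group", "Bronze-Networks", False)])}
ORIGINAL_POLICY = ["Bronze-Rules", "class-default"]

# 2) One class per protocol, as in the later replies. class-default then catches
#    everything else, including traffic from subnets the ACL never mentions.
PER_PROTO = {f"Bronze-Rules-{p.upper()}": ("match-all",
             [("protocol", p, False), ("access-group", "Bronze-Networks", False)])
             for p in ALLOWED}
PER_PROTO_POLICY = list(PER_PROTO) + ["class-default"]

# 3) Assumed refinement (my addition, not from the thread): a class meaning
#    'Bronze subnet AND none of the allowed protocols', built from the ACL line
#    plus one 'match not protocol' line per allowed protocol. A drop/police
#    action on this class leaves class-default, and other subnets, untouched.
REFINED = dict(PER_PROTO)
REFINED["Bronze-Other"] = ("match-all",
                           [("access-group", "Bronze-Networks", False)]
                           + [("protocol", p, True) for p in ALLOWED])
REFINED_POLICY = list(PER_PROTO) + ["Bronze-Other", "class-default"]

# Constructed packets: allowed Bronze traffic, disallowed Bronze traffic, and
# the same disallowed protocol from a host outside the Bronze subnet.
PACKETS = [
    {"src": "192.168.2.10", "protocol": "http"},
    {"src": "192.168.2.10", "protocol": "kazaa2"},
    {"src": "10.0.0.5", "protocol": "kazaa2"},
]


def classify_all(policy, class_maps, packets=PACKETS):
    """Classify each packet and return the list of class names hit."""
    return [classify(policy, class_maps, pkt) for pkt in packets]


if __name__ == "__main__":
    for label, policy, cmaps in [("original", ORIGINAL_POLICY, ORIGINAL),
                                 ("per-protocol", PER_PROTO_POLICY, PER_PROTO),
                                 ("refined", REFINED_POLICY, REFINED)]:
        print(label, classify_all(policy, cmaps))
```

Running it shows the three outcomes side by side: the single match-all class never matches anything, the per-protocol classes work but send the Gold-subnet packet to class-default along with the disallowed Bronze packet, and the explicit Bronze-Other class separates the two so only the Bronze subnet's unmatched traffic is caught.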
