NBAR just to monitor Web Sites

johnramz
Level 1

I am just getting started on learning about QOS and I came across NBAR. I simply configured it with this line on a particular interface:

ip nbar protocol-discovery

Now I do 'show ip nbar protocol-discover' and I noticed most of the traffic is http and also some unknown traffic. I already know how to customize it to detect different ports, for example for RDP traffic:

ip nbar custom RDP dest tcp 3389

NOW, I just want to do the same with the http traffic by configuring a filter that will allow me to detect all traffic from "youtube" or "yahoo" for example. I do not want to DROP or BLOCK this traffic, I just want to monitor it without even turning ON QOS at this point.

Thanks

John


cadet alain
VIP Alumni

Hi,

I think the best option is to use NetFlow and monitor on a host with a NetFlow collector but if you  want to use NBAR then you must use MQC with no action and you'll be able to count  traffic going to each site, you'll have to use the match http host command in your class-map.

Regards.

Alain.

Don't forget to rate helpful posts.

Thanks  for your prompt reply. Could you provide an example?

Hi,

I suppose you want an example with NBAR?

here it is:

class-map GOOGLE

match protocol http host "google.com"

class-map YAHOO

match protocol http host "yahoo.com"

policy-map URL

class GOOGLE

class YAHOO

interface x/x

service-policy input URL

then a sh policy-map int fx/x will give you the statistics.

I added the protocol keyword I had missed in the config I posted, it won't work without it

Regards.

Alain.

This message was edited by: cadetalain


johnramz
Level 1

Thanks again for your prompt reply. One more question, where does NBAR come into play in this example?

Would that traffic also show under: sh ip nbar protocol-discovery , and be part of the output of that command?

Reason I ask is because NBAR gives a total for that last 5 minutes traffic with a breakdown. I was wondering if that traffic would show in there

Thanks

John

where does NBAR come into play in this example?

Every time you use match protocol this is NBAR which operates and here it is making deep packet inspection looking at fields in layers above 3.

Would that traffic also show under: sh ip nbar protocol-discovery , and be part of the output of that command?

NBAR protocol discovery will not filter http traffic per destination  url.

I was wondering if that traffic would show in there

yes  but you can change  from 5 minutes to 30 sec min with this command under interface : load-interval

Regards.

Alain.


Thanks Alain. It does not seem to be working. Here is what I did. I just did "GOOGLE": That's the same interface where I have nbar configured. I posted below.

Thanks

John

RTR#conf t

Enter configuration commands, one per line.  End with CNTL/Z.

RTR(config)#class-map GOOGLE

RTR(config-cmap)#match protocol http host "google.com"

RTR(config-cmap)#exit

RTR(config)#policy-map URL

RTR(config-pmap)#class GOOGLE

RTR(config-pmap-c)#exit

RTR(config-pmap)#exit

RTR(config)#int fa0/1

RTR(config-if)#service-policy input URL

RTR(config-if)#load-interval ?

  <30-600>  Load interval delay in seconds

RTR(config-if)#load-interval 60

RTR#sh policy-map int fa0/1 input class GOOGLE

FastEthernet0/1

  Service-policy input: URL

    Class-map: GOOGLE (match-all)

      0 packets, 0 bytes

      1 minute offered rate 0 bps

      Match: protocol http host "google.com"

RTR#sh policy-map int fa0/1

FastEthernet0/1

  Service-policy input: URL

    Class-map: GOOGLE (match-all)

      0 packets, 0 bytes

      1 minute offered rate 0 bps

      Match: protocol http host "google.com"

    Class-map: class-default (match-any)

      8958 packets, 2137793 bytes

      1 minute offered rate 6000 bps, drop rate 0 bps

      Match: any

RTR# sh run

....

interface FastEthernet0/1

ip address x.x.x.210 255.255.255.240

ip nbar protocol-discovery

ip nat outside

ip virtual-reassembly

load-interval 60

duplex auto

speed auto

service-policy input URL

Hi,

As this is a WAN interface, the policy-map must be applied outbound.

Regards.

Alain.


Would you mind providing more detail and outlining the commands to accomplish it? Apologies for being a newbie.

John

No problem.

int f0/1

no service-policy input URL

service-policy output URL

Regards.

Alain.


Alain,

something might be stopping this from working.  I made the change but no joy 

John

FastEthernet0/1

  Service-policy output: URL

    Class-map: GOOGLE (match-all)

      0 packets, 0 bytes

      1 minute offered rate 0 bps

      Match: protocol http host "google.com"

    Class-map: class-default (match-any)

      10098 packets, 2853593 bytes

      1 minute offered rate 3000 bps, drop rate 0 bps

      Match: any

interface FastEthernet0/1

ip address x.x.x.210 255.255.255.240

ip nbar protocol-discovery

ip nat outside

ip virtual-reassembly

load-interval 60

duplex auto

speed auto

service-policy output URL

hi,

just to test could you do this:

class-map test

match protocol icmp

policy-map test

class test

int f0/1

no service-policy out URL

service-policy out test

then ping 8.8.8.8 from a host and do sh policy-map test int f0/1

if you've got matches then remove this policy-map from interface and reapply the one for http and from a web browser go to google.com and look at interface again to see if you've got matches.

Regards.

Alain.


Alain,

Thanks for sticking with me. I figured it out. I did test it with the icmp and it worked fine. The correction I made was:

*google.com*  instead of  "google.com" . Actually I did *google* so that any traffic containing that word will be filtered. Then IOS adds the quotes anyway.

Thanks for your help . The only question I have standing in case you know is how to clear the counter for those packets and bytes back to "0" without removing and re-adding "service-policy out URL"?

John

RTR#sh policy-map int fa0/1

FastEthernet0/1

  Service-policy output: URL

    Class-map: GOOGLE (match-all)

      85 packets, 64823 bytes

      1 minute offered rate 7000 bps

      Match: protocol http host "*google*"

    Class-map: class-default (match-any)

      3279 packets, 682644 bytes

      1 minute offered rate 17000 bps, drop rate 0 bps

      Match: any

Hi,

To reset counters: clear counters command

Regards.

Alain.

Don't forget to rate helpful posts.
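For monitoring without resetting anything on the router, the `sh policy-map int` output can be polled and differenced off-box. The following is an added example, not part of the thread: the first snapshot is the output quoted above, the second is constructed with later counter values, and the function names are hypothetical.

```python
import re

# SNAPSHOT_1 is the output quoted in the thread; SNAPSHOT_2 is constructed
# (same layout, larger counters) to stand in for a later poll.
SNAPSHOT_1 = """\
FastEthernet0/1
  Service-policy output: URL
    Class-map: GOOGLE (match-all)
      85 packets, 64823 bytes
      1 minute offered rate 7000 bps
      Match: protocol http host "*google*"
    Class-map: class-default (match-any)
      3279 packets, 682644 bytes
      1 minute offered rate 17000 bps, drop rate 0 bps
      Match: any
"""
SNAPSHOT_2 = (SNAPSHOT_1
              .replace("85 packets, 64823 bytes", "140 packets, 101323 bytes")
              .replace("3279 packets, 682644 bytes", "4100 packets, 850000 bytes"))

CLASS_RE = re.compile(r"^\s*Class-map:\s+(\S+)\s+\(match-(?:all|any)\)")
COUNT_RE = re.compile(r"^\s*(\d+) packets, (\d+) bytes")

def parse_policy_map(text):
    """Return {class_name: (packets, bytes)} from 'show policy-map interface' text."""
    counters, current = {}, None
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = COUNT_RE.match(line)
        # Only the first counter line after each Class-map header is taken.
        if m and current is not None and current not in counters:
            counters[current] = (int(m.group(1)), int(m.group(2)))
    return counters

def delta(before, after):
    """Per-class growth between two polls. A counter that went backwards
    (cleared, or policy re-applied) is treated as restarted from zero."""
    out = {}
    for name, (pkts, byts) in after.items():
        p0, b0 = before.get(name, (0, 0))
        if pkts < p0 or byts < b0:
            p0, b0 = 0, 0
        out[name] = (pkts - p0, byts - b0)
    return out

def share_of_bytes(d):
    """Percentage of bytes per class; class-default holds everything unmatched."""
    total = sum(b for _, b in d.values())
    return {n: (round(100 * b / total, 1) if total else 0.0) for n, (_, b) in d.items()}
```

Feeding two successive captures through `parse_policy_map` and `delta` gives the traffic per class for that interval, so the on-box counters never need to be zeroed.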