Nbar match problem

stretchlad
Level 1

I have been trying to configure nbar to match traffic from a certain website and restrict the bandwidth from that site but so far no luck.

F0 is my WAN port and the config is as follows:

class-map match-any SLOW
 match protocol http host "http://www.bbc.*"
 match protocol http url "*bbc*"
 match protocol http host "http://newsimg.bbc.*"
 match protocol http s-header-field "bbc.co.uk"

policy-map INBOUND
 class SLOW
  police cir 8000
   conform-action transmit
   exceed-action drop
   violate-action drop

interface FastEthernet0
 description $ETH-LAN$$FW_OUTSIDE$
 bandwidth 768
 ip address dhcp
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip nat outside
 ip virtual-reassembly max-reassemblies 1024
 zone-member security out-zone
 load-interval 30
 duplex auto
 speed auto
 crypto map VPN
 service-policy input INBOUND
 service-policy output Shape_out

Show output command:

spray#sh policy-map int f0 in
 FastEthernet0

  Service-policy input: INBOUND

    Class-map: SLOW (match-any)
      0 packets, 0 bytes
      30 second offered rate 0 bps, drop rate 0 bps
      Match: protocol http host "http://www.bbc.*"
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol http url "*bbc*"
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol http host "http://newsimg.bbc.*"
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol http s-header-field "bbc.co.uk"
        0 packets, 0 bytes
        30 second rate 0 bps
      police:
          cir 8000 bps, bc 1500 bytes, be 1500 bytes
        conformed 0 packets, 0 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        violated 0 packets, 0 bytes; actions:
          drop
        conformed 0 bps, exceed 0 bps, violate 0 bps

    Class-map: class-default (match-any)
      4029 packets, 5318204 bytes
      30 second offered rate 110000 bps, drop rate 0 bps
      Match: any

Any ideas on why this is not working? This is an 1801 router running 12.4(11)T4.

Thanks

9 Replies

Giuseppe Larosa
Hall of Fame

Hello Kate,

http is defined as TCP port 80 on the server side.

Your inbound traffic from a website is directed to the client-side TCP port, so the return traffic is not HTTP.

Exactly as it happens with telnet:

TCP port 23 is used on the server side; traffic coming back from a telnet session will be, for example, on port 1440 on your PC.

You can see this with netstat -a on your PC.

example:

TCP nnm-ws15:4424 SW-RM-TLD066-DTT-C-1.network.rai.it:telnet ESTABLISHED

So you need to change your config to be able to match this traffic.

Hope to help

Giuseppe

How does that help me police (rate limit) certain websites then?

If I apply the policy outbound, does that only affect the ACKs that are being sent back to the site?

This can get very confusing because you have inside and outside interfaces, each of which has inbound and outbound policies available.

In your case, when you apply an inbound policy to the outside interface, you want to monitor and limit the traffic that is coming from an outside web server back into your network.

The URLs you are trying to limit are the result of a user attempting to GET information from the outside server. This data is sent to the server, so it is outbound on the outside interface. The response from the server, which is inbound on the outside interface, does not usually contain the URL; it will only contain what the user requested.

There really is no way to look at an outbound URL and somehow do something to the packets that are returned from the server.

This option is more used to block the request completely since if you never send them to the server you will never get any response.

If you want to limit all traffic from a web site, you can use IP addresses to match on, but if it is only some traffic you want to limit from the site and other traffic you do not, then I don't know a way to accomplish that with a router.

Hello Kate,

I agree with Tim.

What you can do in the inbound direction is to use an IP ACL based rate-limit policer.

Each ACL statement will look like

access-list 179 permit tcp host x.x.x.x eq 80 any

The well-known port is on the source side.

You need to resolve with DNS the URLs you want to limit.

This solution cannot provide distinction on the contents of the web site: all web content at the IP address will be limited.

In addition, you should verify from time to time whether the DNS resolution changes.

In the outbound direction you could limit access to specific URLs using NBAR, but actually this traffic is made of GETs and ACKs, so you cannot really control the download traffic.

Hope to help

Giuseppe

Thank you both for the reply. I can understand why the URL stuff wouldn't work, but why doesn't the Match: protocol http host "*bbc.co.uk" work?

Thanks again.

Hello Kate,

It is a question of the direction of the traffic flow.

Your NBAR config would be OK to match if applied outbound, i.e. towards the internet and towards the servers.

When applied inbound, no matches can happen.

I tried to explain it in my first post.

Traffic coming from the servers is TCP traffic where the source port is 80 (www) and the destination port in the TCP header is a dynamic port.

This is what makes the difference: protocol http = TCP dest port 80.

TCP source port 80 can be matched using an extended ACL like in my second post.

Hope to help

Giuseppe
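To make the two explanations above concrete, here is an added example (not part of the thread or of any Cisco code) that models a single HTTP exchange through F0 and asks, per direction, what a "match protocol http host" class and Giuseppe's source-port-80 ACL would each see. Addresses, the client port and the request/response bytes are constructed; the NBAR model assumes "protocol http" means TCP destination port 80 plus the request's Host header, as the replies state.

```python
import fnmatch
from dataclasses import dataclass

# Constructed addresses/ports for the demo (not taken from the thread).
WAN_IP = "203.0.113.10"    # router F0 (outside) address
WEB_IP = "198.51.100.20"   # address the web site's host name is assumed to resolve to
CLIENT_PORT = 4424         # dynamic client-side port, like the netstat example

@dataclass
class Packet:
    direction: str   # "out" = towards the internet, "in" = back from the server
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes

def nbar_http_host(pkt: Packet, pattern: str) -> bool:
    """Model of 'match protocol http host <pattern>': the packet must look like
    HTTP (TCP destination port 80) and the request's Host header must match."""
    if pkt.dst_port != 80:
        return False
    for line in pkt.payload.split(b"\r\n"):
        if line.lower().startswith(b"host:"):
            host = line.split(b":", 1)[1].strip().decode()
            return fnmatch.fnmatchcase(host, pattern)
    return False  # a server response carries no Host header at all

def acl_179(pkt: Packet) -> bool:
    """'access-list 179 permit tcp host WEB_IP eq 80 any': well-known port on the source."""
    return pkt.src_ip == WEB_IP and pkt.src_port == 80

def matched_bytes(packets, classifier, direction: str) -> int:
    """Bytes a service-policy applied in the given direction would put in its class."""
    return sum(len(p.payload) for p in packets
               if p.direction == direction and classifier(p))

# Constructed exchange: the GET goes out on F0, the page body comes back in.
REQUEST = Packet("out", WAN_IP, CLIENT_PORT, WEB_IP, 80,
                 b"GET /news HTTP/1.1\r\nHost: www.bbc.co.uk\r\n\r\n")
RESPONSE = Packet("in", WEB_IP, 80, WAN_IP, CLIENT_PORT,
                  b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\n<h1>x")
FLOW = [REQUEST, RESPONSE]

if __name__ == "__main__":
    for pattern in ("*bbc.co.uk", "http://www.bbc.*"):
        for d in ("out", "in"):
            n = matched_bytes(FLOW, lambda p: nbar_http_host(p, pattern), d)
            print(f"host {pattern!r} {d}: {n} bytes")
    print("acl 179 in:", matched_bytes(FLOW, acl_179, "in"), "bytes")
```

The run also shows that a host pattern beginning with "http://" never matches even outbound, because the Host header value holds only the host name, not the scheme.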

spray#sh ip nbar protocol-discovery interface f0 stats bit-rate top 5

 FastEthernet0
                            Input                      Output
                            -----                      ------
   Protocol                 30sec Bit Rate (bps)       30sec Bit Rate (bps)
   ------------------------ ------------------------   ------------------------
   http                     61000                      0
   secure-http              39000                      0
   bittorrent               0                          0
   Wwar                     0                          0
   ssh                      0                          0
   unknown                  159000                     0
   Total                    259000                     0

This shows NBAR classifying as http, so I don't understand why it doesn't work regardless of direction, as port 80 will be involved either as source or destination.

Mostly because you are not checking for only port 80. You are also telling it to match a particular URL. NBAR is matching all URLs.

If you look back at Giuseppe's post and change your policy to match the access list he suggested, you can limit http traffic in general. You can even limit different IP sites' HTTP traffic, but you cannot limit different http traffic to the same site.

Your key problem is that you want to do session-based traffic control. Maybe in the future Cisco will add the ability to a router. This is why traffic shaper boxes cost so much, because they can do this type of stuff.

Well, thank you all for the helpful replies :)
