Using a Policy Map to both prioritise traffic and DROP unwanted traffic

petermann
Level 1
Level 1

Hi all,

Here's the problem. I want to drop all traffic except that defined in a policy-map. I'm using the policy map to serve two functions. Firstly to prioritize certain types of traffic and also to drop unwanted traffic by using NBAR.

Ok, here's an example. First the class maps:

!
class-map match-any platinum
 match protocol rtp
class-map match-any gold
 match protocol http
 match protocol secure-http
 match protocol dns
class-map match-any silver
 match protocol smtp
 match protocol pop3
 match protocol secure-ftp
 match protocol secure-pop3
class-map match-any bronze
 match protocol ipsec
 match protocol ftp
 match protocol irc
class-map match-any drop
 match any

and here's the policy map:

policy-map qos
 class platinum
  priority percent 20
  set dscp ef
 class gold
  bandwidth remaining percent 30
  set dscp 41
 class silver
  bandwidth remaining percent 30
  set dscp 31
 class bronze
  bandwidth remaining percent 10
  set dscp 21
 class drop
  drop

I now apply it to my interface going out to the Internet:

interface Dialer0
 service-policy output qos

But my problem is that as soon as it is applied, I can't surf the Internet. However, as can be seen in the policy map, within the 'gold' class I have the following:

 match protocol http

Furthermore, the 'gold' class comes before the 'drop' class. I've checked, and every time I surf the Internet my web packets are being dropped by the 'drop' class. I don't understand why this is!

To get around this, I have defined the following ACL:

access-list 150 permit tcp any any eq www

and added it to the 'gold' class:

class-map match-any gold
 match access-group 150

and it works: web traffic is matched by the ACL and sent out in the 'gold' class.

However, I'm not able to detect the web traffic using NBAR (via the match protocol http command).

The basic ACL worked, but this is not ideal, since it is vulnerable to programs like Skype masquerading as web traffic and tunnelling out. Therefore, ideally I would like to capture the web traffic via NBAR using the 'match protocol http' command.

Does anyone know why this doesn't work, or alternatively could suggest another best-practice method?

Any suggestions/help would be much appreciated.

Thanks.

- peter

23 Replies

Hi Mohammed,

That was very helpful, thanks. As per your suggestion, I configured the following:

class-map match-any platinum
 match protocol rtp
 match protocol telnet
class-map match-any gold
 match protocol http
 match protocol secure-http
 match protocol dns
class-map match-any silver
 match protocol smtp
 match protocol pop3
 match protocol secure-ftp
 match protocol secure-pop3
class-map match-any bronze
 match protocol ipsec
 match protocol ftp
 match protocol irc
class-map match-any drop
 match any
!
policy-map classify_mark
 class platinum
  set dscp ef
 class gold
  set dscp 41
 class silver
  set dscp 31
 class bronze
  set dscp 21
 class drop
  set dscp 10
!
interface FastEthernet0
 service-policy input classify_mark
end

Now when I do a "show policy-map interface fa0" I get "http" traffic being matched, for example:

  Class-map: gold (match-any)
    1792 packets, 280523 bytes
    5 minute offered rate 13000 bps, drop rate 0 bps
    Match: protocol http
      1409 packets, 193834 bytes
      5 minute rate 2000 bps
    Match: protocol secure-http
      358 packets, 84753 bytes
      5 minute rate 10000 bps
    Match: protocol dns
      25 packets, 1936 bytes
      5 minute rate 0 bps
    QoS Set
      dscp 41
        Packets marked 1792

So, the problem has been very much narrowed down. I guess now the question is why NBAR doesn't match the HTTP protocol on egress but does on ingress. Anyone got any ideas?

THANK YOU ALL VERY MUCH!

- pete

Hi,

You are welcome :) That's the workaround I used, and I am in the process of searching for a reason.

HTH, please do rate all helpful replies,

Mohammed Mahmoud.

Hi Mohammed,

The thing is, whilst it works I don't really want 2 policy-maps on the router.

Whilst my first example illustrated marking the packets with a DSCP value, this was just for the example.

What I really want to do is use the policy-map as an advanced traffic filter, which gives me fine control (using NBAR) over what protocols are allowed on egress, dropping the rest.

A simple ACL on the fa0 ingress (only working up to L4) would be vulnerable to programs like Skype and P2P which will tunnel out over other allowed ports (like 80).

The added advantage of course is that I can also prioritise traffic with a policy map. Two benefits for the price of one!

If you do find a solution, please let me know.

Thanks again. All the best.

Hi,

What type of router is this?

You are in the situation where QoS features supported in the ingress direction are not supported in the egress direction.

So you should set IP precedence on input and match IP precedence on output.

HTH

Regards,

Bjornarsb
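A worked version of the two-stage design suggested in the replies above (classify and mark on ingress, schedule on egress), added here as an example; it is not configuration from any post in this thread. Stage 1 runs NBAR where it has been shown to match (LAN ingress on FastEthernet0) and marks DSCP; stage 2 on Dialer0 keys only on the DSCP marks, queues the four classes and drops everything else in class-default, so no NBAR classification is attempted in the egress direction. The class names, DSCP values and interface names follow the original posts; that the IOS image supports NBAR and the policy-map `drop` action, and that CEF is enabled, are assumptions.

```cisco
! Added example, not from the thread. Assumes an IOS image with NBAR and
! the policy-map "drop" action, and CEF enabled (NBAR requires it).
ip cef
!
! --- Stage 1: classify with NBAR on LAN ingress and mark DSCP ----------
class-map match-any platinum
 match protocol rtp
class-map match-any gold
 match protocol http
 match protocol secure-http
 match protocol dns
class-map match-any silver
 match protocol smtp
 match protocol pop3
 match protocol secure-ftp
 match protocol secure-pop3
class-map match-any bronze
 match protocol ipsec
 match protocol ftp
 match protocol irc
!
policy-map classify_mark
 class platinum
  set dscp ef
 class gold
  set dscp 41
 class silver
  set dscp 31
 class bronze
  set dscp 21
 class class-default
  set dscp 10
!
! --- Stage 2: egress treatment keyed on the marks only, no NBAR here ---
class-map match-all dscp_ef
 match ip dscp ef
class-map match-all dscp_41
 match ip dscp 41
class-map match-all dscp_31
 match ip dscp 31
class-map match-all dscp_21
 match ip dscp 21
!
policy-map qos
 class dscp_ef
  priority percent 20
 class dscp_41
  bandwidth remaining percent 30
 class dscp_31
  bandwidth remaining percent 30
 class dscp_21
  bandwidth remaining percent 10
 class class-default
  drop
!
interface FastEthernet0
 service-policy input classify_mark
!
interface Dialer0
 service-policy output qos
```

Verify with `show policy-map interface FastEthernet0 input` and `show policy-map interface Dialer0 output`: the per-class counters under `classify_mark` should account for all LAN traffic, and on Dialer0 only class-default should show drops. Two points worth checking before relying on this as a filter. First, because class-default on ingress rewrites DSCP to 10, any marks set by LAN hosts are overwritten, so a host cannot pick a queue or dodge the drop by setting DSCP itself. Second, packets sourced by the router (its own DNS, NTP or IPsec traffic, for example) never pass the FastEthernet0 ingress policy, so they reach Dialer0 unmarked and are dropped by class-default unless a class is added for them.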

Hi Bjornarsb,

I have tried this and classification of traffic on ingress works (even http), as illustrated in the previous post.

I realise best practice when applying QoS is to mark as close to the source as possible, but in this scenario it is just a 1721 for a small office. I ideally do not want two policy maps on a single router, one classifying and marking on ingress and the other applying scheduling on egress.

I just want to drop traffic which doesn't match a "match protocol" statement using a policy-map applied to egress. Essentially, a traffic filter using NBAR.

All the other protocols work, except "http".

All the very best.

- peter

OK, then I really don't know. :)

By the way have you tried this:

hostname(config)# class-map http_traffic
hostname(config-cmap)# match port tcp eq 80

BR,

Bjornarsb

hi Bjornarsb,

I very much appreciate your comments.

I will try what you have suggested this evening.

However, we are just matching on port, and therefore I suspect Skype and other P2P apps will take advantage and tunnel out.

thanks though.

pete

Or you could try just to do this, just call the class and do what you want without a new match.

ip cef
!
class-map match-any dscp46
 match ip dscp 46
class-map match-all telnet_ping_snmp
 match access-group 150
class-map match-all http
 match access-group 154
class-map match-all pop3_smtp
 match access-group 153
!
policy-map voice_traffic
 class dscp46
  shape average 30000 10000
 class telnet_ping_snmp
  shape average 20000 15440
 class pop3_smtp
  shape average 20000 15440
 class http
  shape average 20000 15440
!
interface FastEthernet0/0
 ip address 10.10.247.2 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address 10.1.1.1 255.255.255.0
 service-policy output voice_traffic

HTH

Regards,

Bjornarsb

Thanks Bjornarsb,

But your example doesn't have a class drop. for example:

class-map match-any drop
 match any
!
policy-map voice_traffic
 class dscp46
  shape average 30000 10000
 class telnet_ping_snmp
  shape average 20000 15440
 class pop3_smtp
  shape average 20000 15440
 class http
  shape average 20000 15440
 class drop
  drop
!

you would need this to capture the rogue traffic. From my experiences, when you have the drop class at the end, your http traffic will stop working, despite matching http traffic BEFORE the drop class in the policy-map.

thanks anyway.