IEOC CCIE Forums

Latest post 05-15-2014 9:28 PM by Randy. 11 replies.
  • 07-03-2009 3:12 AM

    10.81 Advanced HTTP Classification with NBAR

    Hi experts,

    according to my testing, this SG statement is not true:

    "Matching is case-sensitive and you can use patterns like [aA] to match both cases."


    This also contradicts what is said in 11.12 Using NBAR for Content-Based Filtering,
    where it is stated:

    "All matching is case insensitive. The pattern "text" matches "TEXT" as well."


    Any clarification would be highly appreciated!


    tom

    CCIE#26636

    • Post Points: 20
  • 12-11-2009 12:52 PM In reply to

    Re: 10.81 Advanced HTTP Classification with NBAR

    Hello, in the blog post, it says that it is not case sensitive.

    I am also writing because on my Dynamips lab I have no match; can someone confirm this problem?

    Thanks

    CCIE #27262 (R&S, SP)

    • Post Points: 50
  • 04-22-2013 6:45 AM In reply to

    Re: 10.81 Advanced HTTP Classification with NBAR

    Hello,

     

    At the very beginning I had the same problem, but you have to check several things:

    1. match protocol http url ".bin|.text|.taxt" : this doesn't work. It seems you have to put the "*" to get a match (it's correct in the SG, but I thought it was a real pattern)

    2. In the check provided by the SG, you're going the wrong way: it should be SW1 -> R4 and not the opposite, as your policy-map is applied in output

    3. Bad luck, but take care with the routes too, because SW1 could go through R3 (I just shut interface f0/0 on R3 for the test)

     

    Regards

    • Post Points: 5
  • 04-22-2013 6:52 AM In reply to

    Re: 10.81 Advanced HTTP Classification with NBAR

    Hello,

     

    That's true. This classification is not case sensitive.

    ex : protocol http url "*.bin|*.text|*.taxt"
    it matches toto.text AND toto.TEXT

    Regards

    • Post Points: 5
  • 05-12-2014 10:31 AM In reply to

    Re: 10.81 Advanced HTTP Classification with NBAR

    I also have no match for this.

    Strangely, I can't even get a basic "*.bin" match to work (with service-policy input)

    Anyone else?

    • Post Points: 20
  • 05-12-2014 10:43 AM In reply to

    • JoeM
    • Top 10 Contributor
    • Joined on 04-15-2012
    • Guadalajara, Mexico
    • Elite
    • Points 31,465

    Re: 10.81 Advanced HTTP Classification with NBAR

    I haven't looked at the task (done a long time ago). But just a note about what I remember when dealing with the HTTP URL.

    These are supposed to be bi-directional, but my experience was that the match is made on the GET request. Try matching in that direction, and let us know if this works.

    • Post Points: 20
  • 05-13-2014 3:44 AM In reply to

    Re: 10.81 Advanced HTTP Classification with NBAR

    Hi Joe

    Yep, this is an odd one - I expected this to be straightforward :/

    I'm basically testing this using SW1, R6 & R4.  R6 is where the NBAR config is applied (inbound on f0/0.146), R4 is where I issue the copy http command, and SW1 is where R4 connects to.

    I've stripped the config back to bare - it should just drop now:

    Config on R6:
    class-map match-all URLMATCH
     match protocol http url "*.bin"
    !
    !
    policy-map URLPOLICY
     class URLMATCH
      drop
    !
    int f0/0.146
     service-policy input URLPOLICY
    ! (I've tried both input/output)

    command on R4:
    copy http://admin:cisco@155.1.67.7/c3560-ipservicesk9-mz.150-2.SE/c3560-ipservicesk9-mz.150-2.SE.bin null:

    config on sw1:
    ip http server
    ip http path flash:

    I know that traffic from R4 to SW1 is going via R6:
    R4#traceroute 155.1.67.7
      1 155.1.146.6 4 msec 4 msec 4 msec
      2 155.1.67.7 4 msec *  0 msec

    Sh policy-map int f0/0.146 (on R6):
    R6#sh policy-map int f0/0.146
     FastEthernet0/0.146

      Service-policy output: URLPOLICY

        Class-map: URLMATCH (match-all)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: protocol http url "*.bin"
          drop

        Class-map: class-default (match-any)
          29038 packets, 10672718 bytes
          5 minute offered rate 148000 bps, drop rate 0 bps
          Match: any

    To tell you the truth, it's stumped me!

    • Post Points: 20
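
A way to check the `show policy-map int` output quoted in the post above mechanically, as an added example that is not part of the original thread: it parses the attached direction and per-class counters, then flags a direction mismatch and a drop class with zero hits while class-default is counting traffic. The function names and the `intended_direction` argument are assumptions of this example; the input is the output from the post.

```python
import re

# Input: the `show policy-map int f0/0.146` output quoted in the post above
# (blank lines removed).
SAMPLE = """\
 FastEthernet0/0.146
  Service-policy output: URLPOLICY
    Class-map: URLMATCH (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol http url "*.bin"
      drop
    Class-map: class-default (match-any)
      29038 packets, 10672718 bytes
      5 minute offered rate 148000 bps, drop rate 0 bps
      Match: any
"""

def parse_policy(text):
    """Parse direction, policy name and per-class counters from the output."""
    parsed = {"direction": None, "policy": None, "classes": []}
    cur = None
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"Service-policy (input|output): (\S+)", line):
            parsed["direction"], parsed["policy"] = m.groups()
        elif m := re.match(r"Class-map: (\S+)", line):
            cur = {"name": m.group(1), "packets": 0, "match": [], "drop": False}
            parsed["classes"].append(cur)
        elif cur and (m := re.match(r"(\d+) packets, \d+ bytes", line)):
            cur["packets"] = int(m.group(1))
        elif cur and line.startswith("Match: "):
            cur["match"].append(line[len("Match: "):])
        elif cur and line == "drop":
            cur["drop"] = True
    return parsed

def findings(parsed, intended_direction):
    """Reasons the drop class may not be enforcing what was intended."""
    out = []
    if parsed["direction"] != intended_direction:
        out.append(f"attached {parsed['direction']}, intended {intended_direction}")
    seen = sum(c["packets"] for c in parsed["classes"] if c["name"] == "class-default")
    for c in parsed["classes"]:
        if c["drop"] and c["packets"] == 0 and seen > 0:
            out.append(f"{c['name']}: 0 hits, class-default saw {seen} packets")
    return out

if __name__ == "__main__":
    print("\n".join(findings(parse_policy(SAMPLE), "input")))
```
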
  • 05-13-2014 6:41 AM In reply to

    Re: 10.81 Advanced HTTP Classification with NBAR

    Hi All,

    I tried using the following: match protocol http url /*.txt*

    R2#s policy-map int
     FastEthernet0/0

      Service-policy input: pm4

        Class-map: cm4 (match-all)
          5 packets, 1051 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: protocol http url "/*.txt*"
          drop

    Seems to work in both directions. Needed "*" at the end of "txt".

    Worked best using a small MTU for the file transfer.

    • Post Points: 20
  • 05-13-2014 7:18 AM In reply to

    Re: 10.81 Advanced HTTP Classification with NBAR

    Hi Randy - thanks for chiming in.

    I just amended my match to be like yours (albeit for .bin):

        Class-map: URLMATCH (match-all)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: protocol http url "/*.bin*"
          drop

    As you can see - still nothing :(

    I'm running 15.1(3)T4.

    I want to move on, but this is really bugging me...!

    edit: also just tried "/*.text*" - same result :(     WTF?!!

    • Post Points: 20
  • 05-13-2014 7:48 AM In reply to

    Re: 10.81 Advanced HTTP Classification with NBAR

    I was using 12.4(15)T. So, not surprising if matching rules have changed (or a bug in my IOS, or order of configuration, or something else).

    Best regards to all.

    • Post Points: 20
  • 05-13-2014 8:01 AM In reply to

    Re: 10.81 Advanced HTTP Classification with NBAR

    I'm going to move on - I don't think I've misconfigured it, but I don't want to hang around any more on a minor feature. I'll test again on the CSR platform later.

    Joe/Randy - Thanks for looking in.

    cheers
    will

    • Post Points: 20
  • 05-15-2014 9:28 PM In reply to

    Re: 10.81 Advanced HTTP Classification with NBAR

     

    One observation that may be relevant is NBAR version.

    Noticed the following about NBAR on INE's CSR1000V:

    R1#show version
    Cisco IOS XE Software, Version 03.11.01.S - Standard Support Release
    Cisco IOS Software, CSR1000V Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.4(1)S1, RELEASE SOFTWARE (fc2)

    After "show ip nbar version":

    NBAR software version:  17
    NBAR minimum backward compatible version:  13   <<<<<<<<<<<<<<

    And INE routers:

    IOS 12.4(24)T  using nbar version 6

     

     

    • Post Points: 5