From: mahmoud genidy (ccie.mahmoud@gmail.com)
Date: Mon Feb 23 2009 - 22:01:18 ARST
Thanks Dale for the explanation. I still need some help.
So back to the original post in this mail. We need to *POLICE* the
*REPLIES* from www.cisco.com/directory to 1000K and to *DROP* this traffic
if it includes IMAGES (jpeg, jpg, gif). Based on my understanding, I created
this config (but have no lab to verify):
{
! Images under /directory, any of the three extensions
class-map match-any IMAGES
 match protocol http url "/directory/*.jpeg"
 match protocol http url "/directory/*.jpg"
 match protocol http url "/directory/*.gif"
! Images from www.cisco.com: to be dropped
class-map match-all DROP-TRAFFIC
 match protocol http host "www.cisco.com"
 match class-map IMAGES
! Everything else under www.cisco.com/directory: to be policed
class-map match-all POLICE-TRAFFIC
 match protocol http host "www.cisco.com"
 match protocol http url "/directory*"
 match not class-map IMAGES
!
policy-map NBAR-POLICY
 class DROP-TRAFFIC
  drop
 class POLICE-TRAFFIC
  police 1000000
!
! Internet-facing interface; applying the service policy out,
! Client->Server direction
interface FastEthernet0/0
 service-policy output NBAR-POLICY
}
happy to be corrected.
Thanks,
M Genidy
On Tue, Feb 24, 2009 at 10:20 AM, Dale Shaw <dale.shaw@gmail.com> wrote:
> Hi,
>
> On Tue, Feb 24, 2009 at 9:51 AM, mahmoud genidy <ccie.mahmoud@gmail.com>
> wrote:
> > Ok, now how we can match the traffic coming from SPECIFIC web-server
> > (Server->Client) if I can't match based on HOST and URL?
> > Of course assuming I don't have the IP address of the web-server.
>
> If you classify the traffic using 'match protocol http host' or 'match
> protocol http url' in a service-policy applied OUT (i.e. catching the
> HTTP GET), the return traffic associated with the original outbound
> request is matched also -- i.e. the web server's response to the
> original request.
>
> The direction of the traffic you classify doesn't _really_ matter.
> This is (very) briefly explained in either the config guide or command
> reference (I forget which).
>
> cheers,
> Dale
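The following is an added example, not part of the thread above and not Cisco code: a small Python model of how the class-maps and policy-map in the mail classify an HTTP flow, so the match-any / match-all / "match not class-map" logic and the top-down class order can be checked without a lab. It assumes (the post does not say this) that NBAR host and url strings behave like shell-style globs where `*` matches any run of characters, including `/`, and that matching is case-sensitive; the `HttpFlow`, `Match`, `ClassMap` names and all sample flows are constructed for the model. It covers classification only, not the direction the policy is attached in or the policer itself.

```python
"""Added example (not from the original post): simulate the MQC/NBAR policy-map
from the mail.  Assumption: url/host strings are case-sensitive globs where '*'
matches any run of characters.  All sample flows are constructed."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class HttpFlow:
    """The two NBAR HTTP fields the post matches on."""
    host: str
    url: str


@dataclass(frozen=True)
class Match:
    """One 'match [not] ...' line: kind is 'host', 'url' or 'class-map'."""
    kind: str
    value: str
    negate: bool = False


@dataclass(frozen=True)
class ClassMap:
    mode: str                      # 'match-any' or 'match-all'
    matches: Tuple[Match, ...]


# class-maps as in the mail (with the 'match class-map' keyword)
CLASS_MAPS: Dict[str, ClassMap] = {
    "IMAGES": ClassMap("match-any", (
        Match("url", "/directory/*.jpeg"),
        Match("url", "/directory/*.jpg"),
        Match("url", "/directory/*.gif"),
    )),
    "DROP-TRAFFIC": ClassMap("match-all", (
        Match("host", "www.cisco.com"),
        Match("class-map", "IMAGES"),
    )),
    "POLICE-TRAFFIC": ClassMap("match-all", (
        Match("host", "www.cisco.com"),
        Match("url", "/directory*"),
        Match("class-map", "IMAGES", negate=True),  # match not class-map IMAGES
    )),
}

# policy-map NBAR-POLICY: classes are evaluated top-down, first hit wins
POLICY: List[Tuple[str, str]] = [
    ("DROP-TRAFFIC", "drop"),
    ("POLICE-TRAFFIC", "police 1000000"),
]


def class_matches(name: str, flow: HttpFlow) -> bool:
    """Evaluate one class-map, recursing into nested class-maps."""
    cm = CLASS_MAPS[name]
    results = []
    for m in cm.matches:
        if m.kind == "host":
            hit = fnmatchcase(flow.host, m.value)
        elif m.kind == "url":
            hit = fnmatchcase(flow.url, m.value)
        elif m.kind == "class-map":
            hit = class_matches(m.value, flow)
        else:
            raise ValueError(f"unknown match kind {m.kind!r}")
        results.append(not hit if m.negate else hit)
    return any(results) if cm.mode == "match-any" else all(results)


def classify(flow: HttpFlow, policy=POLICY) -> Tuple[str, str]:
    """Return (class, action) for the first policy-map class the flow hits."""
    for cls, action in policy:
        if class_matches(cls, flow):
            return cls, action
    return "class-default", "none"


# Constructed sample flows and where the post's policy should put them.
SAMPLES = [
    HttpFlow("www.cisco.com", "/directory/logo.gif"),        # image -> drop
    HttpFlow("www.cisco.com", "/directory/sub/photo.jpeg"),  # '*' spans '/' -> drop
    HttpFlow("www.cisco.com", "/directory/index.html"),      # non-image -> police
    HttpFlow("www.cisco.com", "/directory/photo.JPG"),       # case mismatch -> police
    HttpFlow("www.cisco.com", "/support/pic.jpg"),           # outside /directory -> none
    HttpFlow("www.example.com", "/directory/logo.gif"),      # wrong host -> none
]


def classify_samples(policy=POLICY) -> Dict[str, str]:
    """Map 'host+url' to the class it lands in under the given class order."""
    return {f"{f.host}{f.url}": classify(f, policy)[0] for f in SAMPLES}


if __name__ == "__main__":
    for key, cls in classify_samples().items():
        print(f"{key:45} -> {cls}")
    # 'match not class-map IMAGES' makes the class order irrelevant here:
    assert classify_samples(list(reversed(POLICY))) == classify_samples()
```

Two things the run makes visible: `/directory/photo.JPG` lands in POLICE-TRAFFIC rather than DROP-TRAFFIC only because the model matches case-sensitively, so that is exactly the case to try on a real box before trusting the image filter; and because POLICE-TRAFFIC excludes IMAGES with `match not`, swapping the two classes in the policy-map changes nothing, whereas without that line the `/directory*` class placed first would swallow the images too.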
Blogs and organic groups at http://www.ccie.net
This archive was generated by hypermail 2.1.4 : Sun Mar 01 2009 - 09:44:12 ARST