• Part 1: OSPF Broadcast & Non-Broadcast Network Types
• Part 2: OSPF Point-to-Multipoint & Point-to-Multipoint Non-Broadcast Network Types
• Part 3: OSPF Point-to-Point & Loopback Network Types
• Part 4: Mixing & Matching OSPF Network Types
• Part 5: OSPF Network Types in Multi-Hub Partial-Mesh Networks

Read this article and more like it on ardenpackeer.com
Follow me on twitter: http://twitter.com/ardenpackeer

Tutorial: OSPF Network Types & Frame-Relay Series

I wasn’t going to comment, because frankly I thought it was crap as soon as I read it on Networkworld. “This is just some guy drumming up exposure for his company. Nothing to see here…move along”, I thought. If you followed Ethan’s blog, to me it was obvious Ethan didn’t cheat. I didn’t want to post about it because I didn’t think it deserved the attention it has subsequently attracted.

Heck, I find this screenshot I took a couple of minutes ago amusing:

Here is a site that claims ethanbanks.net is safe. It even states that “this is the kind of PTP you should be looking for”. However it appears they see nothing wrong with dragging the name of owner of that site through the mud. I care about the integrity of these exams as well but his comments on Networkworld is bordering on slander. Who in their right mind would want anything to do with this company?

I think this is a sad attack on someone that has tried to give back to our little community. We’ve all followed Ethan through his preparation attempts and shared his joy when he passed. If you looked through his blog you would have clearly seen the amount of hard work and dedication he put into achieving his CCIE. You can’t fake that. He knew his stuff. If he was cheating, he was going about it the wrong way :)

This whole things seems like CertGuard trying to drum up free exposure. To me, it seems like they are trying to get you to use their search tool to verify any material you purchase…so you don’t end up like Ethan. Kinda like a mafia extortion racket. There must be many people they could have “made an example of” so one must wonder, did they target Ethan Banks for vilification due to his high profile, and if so was it also more for publicity than justice.

Having a watchdog protecting the value of our certifications is a good idea in principle, but in this case the implementation is just as evil as the crime. Cisco is the final authority on the matter. They should be the watchdog, not some guy who’s credentials and methods are questionable. How does CertGuard know material is safe unless they’ve looked at the questions themselves?

I was going to say that I wouldn’t be using any sites that have the CertGuard logo on it, but then I couldn’t find any. :)

Come back Ethan. Our community needs leaders like you.

Update: Ethan’s back!….and Robert Williams from CertGuard has issued an apology.

Read this article and more like it on ardenpackeer.com
Follow me on twitter: http://twitter.com/ardenpackeer

Blog: The Whole Ethan Thing….

One solution to this problem is the use of Cisco’s Network Based Application Recognition (NBAR). NBAR is a deep packet inspection and classification engine. It was first introduced in experimental versions of IOS v12.1 and can be used with Cisco’s Modular Quality Of Service Command Line (MQC).

In this article we will look at using MQC to filter websites. I will demonstrate using the match protocol http command to match a URL, a host or MIME type. We will use the following topology for demonstration:

R3 will act as a webserver and R1 as a client. The filtering will be applied on R2. You can download the dynamips .net file the following topology here.
R1 Base Configuration:

hostname R1
!
int s1/0
 ip add 10.0.12.1 255.255.255.0
 no shut
!
router ospf 1
 network 10.0.12.1 0.0.0.0 area 0

R2 Base Configuration:

hostname R2
!
int s1/0
 ip add 10.0.12.2 255.255.255.0
 no shut
!
int s1/1
 ip add 10.0.23.2 255.255.255.0
 no shut
!
router ospf 1
 network 10.0.12.2 0.0.0.0 area 0
 network 10.0.23.2 0.0.0.0 area 0

R3 Base Configuration:

hostname R3
!
int s1/0
 ip add 10.0.23.3 255.255.255.0
 no shut
!
int f0/0
 ip add 192.168.1.100 255.255.255.0
 no shut
!
router ospf 1
 network 10.0.23.3 0.0.0.0 area 0
!
ip http server
ip http path flash:

We have set up R3 as a webserver. Details on how to setup R3 as a webserver using IOS can be found here.

R3#sh run | in ip http
ip http server
no ip http secure-server
ip http path flash:

R3#dir
Directory of flash:/

    1  -rw-          90                    <no>  picture.gif
    2  -rw-         329                    <no>  picture.jpg
    3  -rw-         174                    <no>  index.html

8388604 bytes total (8387812 bytes free)
</no></no></no>

Basic HTTP Filtering using NBAR

Lets set up basic http filtering with MQC on R2.

R2(config)#class-map match-all MATCH-HTTP
R2(config-cmap)#match protocol http
R2(config-cmap)#exit
R2(config)#policy-map HTTP-POLICY
R2(config-pmap)#class MATCH-HTTP
R2(config-pmap-c)#set dscp af13
R2(config-pmap-c)#exit
R2(config-pmap)#int s1/0
R2(config-if)#service-policy input HTTP-POLICY

In the code above we have a class map called MATCH-HTTP. The match protocol http command tells NBAR to match the http protocol. This will match all http traffic. The MATCH-HTTP class is then utilized in the HTTP-POLICY policy map. This policy map is used to set a DSCP marking on all traffic that matches the MATCH-HTTP class (ie all http traffic). The policy is then implemented on R2’s s1/0. Traffic is inspected and marked as it comes into that interface.

We can check how many packets have been marked using the show policy-map command.

R2#sh policy-map int s1/0
 Serial1/0 

  Service-policy input: HTTP-POLICY

    Class-map: MATCH-HTTP (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol http
      QoS Set
        dscp af13
          Packets marked 0

    Class-map: class-default (match-any)
      2 packets, 168 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
R2#

Lets generate some http traffic, and see if our policy marks some packets.

R1#copy http://10.0.23.3/index.html null:
Loading http://10.0.23.3/index.html
174 bytes copied in 0.544 secs (320 bytes/sec)

R2#sh policy-map int s1/0
 Serial1/0 

  Service-policy input: HTTP-POLICY

    Class-map: MATCH-HTTP (match-all)
      5 packets, 344 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol http
      QoS Set
        dscp af13
          Packets marked 5

    Class-map: class-default (match-any)
      124 packets, 10340 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any

We used the copy http://10.0.23.3/index.html null: command to generate some http traffic. We can see above that 5 packets were generated and were marked as af13. All other traffic will fall into the class-default class. With the packets marked, we could forward them or drop them.

Instead of matching all of the http protocol we can use NBAR to look further into the packet and classify or drop packets based on the host requested.

Match protocol HTTP host

The match protocol HTTP url command is used to match a url. It takes a regular expression as an argument. For example:

match protocol http host *youtube.com*
! This would match anything in youtube.com like http://www.youtube.com or http://video.youtube.com
!
match protocol http host *google*
! This would match anything with google in the host like http://mail.google.com or
http://www.google.com.au
!
match protocol http host google*
! This would match http://google.com but not http://video.google.com

Lets set up R2 to filter based on a host.

R2(config)#class-map MATCH-HTTP
R2(config-cmap)#no match protocol http
R2(config-cmap)#match protocol http host 10.0.23.3

R2#clear counters s1/0
Clear "show interface" counters on this interface [confirm]
*Mar  1 00:04:42.071: %CLEAR-5-COUNTERS: Clear counter on interface Serial1/0 by console
R2#
R2#sh policy-map int s1/0
 Serial1/0 

  Service-policy input: HTTP-POLICY

    Class-map: MATCH-HTTP (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol http host "10.0.23.3"
      QoS Set
        dscp af13
          Packets marked 0

    Class-map: class-default (match-any)
      1 packets, 84 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any

We’ve cleared the counters on R2, so lets generate some traffic on R1 again.

R1#copy http://10.0.23.3/index.html null:
Loading http://10.0.23.3/index.html
174 bytes copied in 0.596 secs (292 bytes/sec)

R2#sh policy-map int s1/0
 Serial1/0 

  Service-policy input: HTTP-POLICY

    Class-map: MATCH-HTTP (match-all)
      5 packets, 344 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol http host "10.0.23.3"
      QoS Set
        dscp af13
          Packets marked 5

    Class-map: class-default (match-any)
      64 packets, 5300 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any

We can see here it matched 5 packets based on the host. We can use this to match whole sites like youtube.com or video.google.com.

Match protocol HTTP url

We can match strings AFTER the host portion of a URL using the match protocol http url command. It also takes a regular expression as an argument. For example:

match protocol http url *video*
! This would match http://www.cisco.com/video/index.php or
http://www.google.com/stuff/video.html
!
match protocol http url video*
! This would match http://www.cisco.com/video but not http://www.cisco.com/stuff/video.html
! because stuff precedes the video portion of the url and in the expression above we have said
! it has to start with the string video
!
match protocol http url *.jpeg|*.jpg|*.gif
! This would match any .jpeg or .jpg or .gif extention in the url

Lets set up R2 to match based on a URL.

R2(config)#class-map MATCH-HTTP
R2(config-cmap)#no match protocol http host 10.0.23.3
R2(config-cmap)#match protocol http url *.jpg

As you can see above we have used the match protocol http url function of NBAR to match any url that ends in a .jpg. This effectively blocks jpeg images (unless they have a different extension).

Let test it, before we send some traffic we’ll reset the counters on the interface.

R2#clear counters s1/0
Clear "show interface" counters on this interface [confirm]
*Mar  1 00:43:39.135: %CLEAR-5-COUNTERS: Clear counter on interface Serial1/0 by console
R2#
R2#sh policy-map int s1/0
 Serial1/0 

  Service-policy input: HTTP-POLICY

    Class-map: MATCH-HTTP (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol http url "*.jpg"
      QoS Set
        dscp af13
          Packets marked 0

    Class-map: class-default (match-any)
      1 packets, 84 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any

If we request a gif file we shouldn’t match the class MATCH-HTTP. Lets test that first.

R1#copy http://10.0.23.3/picture.gif null:
Loading http://10.0.23.3/picture.gif
90 bytes copied in 0.644 secs (140 bytes/sec)

R2#sh policy-map int s1/0
 Serial1/0 

  Service-policy input: HTTP-POLICY

    Class-map: MATCH-HTTP (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol http url "*.jpg"
      QoS Set
        dscp af13
          Packets marked 0

    Class-map: class-default (match-any)
      18 packets, 1209 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any

Great Success! Looks pretty good. Now lets try a .jpg extension. We should match this.

R1#copy http://10.0.23.3/picture.jpg null:
Loading http://10.0.23.3/picture.jpg
329 bytes copied in 0.820 secs (401 bytes/sec)

R2#sh policy-map int s1/0
 Serial1/0 

  Service-policy input: HTTP-POLICY

    Class-map: MATCH-HTTP (match-all)
      7 packets, 433 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol http url "*.jpg"
      QoS Set
        dscp af13
          Packets marked 7

    Class-map: class-default (match-any)
      22 packets, 1469 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any

Awesome! You can see above we matched based on a URL.

match protocol http mime

We can also use the match protocol http mime to match internet mime types. The mime type has to be the same mime type that the web server responds with. For a list of valid mime types check out: http://www.sfsu.edu/training/mimetype.htm. Lets look at an example:

match protocol http mime image/jpeg
! This would match jpeg,jpg,jpe,jfif,pjpeg, and pjp types
!
match protocol http mime image/jpg
! This would not match anything as it is not a proper mime type. Get a list of the mime types
! here: http://www.sfsu.edu/training/mimetype.htm
!
match protocol http mime image*
! This would match all image mime types
!
match protocol http mime application/x-shockwave-flash
! This would not only match swf flash movies, but all of flash.

Lets set up R2 to filter the image/jpeg mime type:

R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#class-map MATCH-HTTP
R2(config-cmap)#no match protocol http url *.jpg
R2(config-cmap)#match protocol http mime ?
  WORD  Enter a string as the sub-protocol parameter

R2(config-cmap)#match protocol http mime image/jpeg
R2(config-cmap)#exit
R2(config)#exit

Once again, we’ll clear the counters so we can verify that this works correctly.

R2#clear counters s1/0
Clear "show interface" counters on this interface [confirm]
*Mar  1 01:12:10.759: %CLEAR-5-COUNTERS: Clear counter on interface Serial1/0 

R2#sh policy-map int s1/0
 Serial1/0 

  Service-policy input: HTTP-POLICY

    Class-map: MATCH-HTTP (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol http mime "image/jpeg"
      QoS Set
        dscp af13
          Packets marked 0

    Class-map: class-default (match-any)
      1 packets, 84 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any

On R1 lets generate some traffic. A gif file will be requested first. This should not match our policy.

R1#copy http://10.0.23.3/picture.gif null:
Loading http://10.0.23.3/picture.gif
90 bytes copied in 0.808 secs (111 bytes/sec)

R2#sh policy-map int s1/0
 Serial1/0 

  Service-policy input: HTTP-POLICY

    Class-map: MATCH-HTTP (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol http mime "image/jpeg"
      QoS Set
        dscp af13
          Packets marked 0

    Class-map: class-default (match-any)
      10 packets, 689 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any

All good! Ok lets do the final test and actually request a jpeg image and see if it matches our policy.

R1#copy http://10.0.23.3/picture.jpg null:
Loading http://10.0.23.3/picture.jpg
329 bytes copied in 1.216 secs (271 bytes/sec)

R2#sh policy-map int s1/0
 Serial1/0 

  Service-policy input: HTTP-POLICY

    Class-map: MATCH-HTTP (match-all)
      5 packets, 220 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol http mime "image/jpeg"
      QoS Set
        dscp af13
          Packets marked 5

    Class-map: class-default (match-any)
      16 packets, 1162 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any

You can see above that the jpeg image was matched. It works!

Putting it all together

So lets put it all together. We can use all three match protocol http commands in a match-any class map. For example:

class-map match-any INTERNET-SCUM
 match protocol http host *youtube.com*|*video.google.com*
 match protocol http mime video/flv|video/x-flv|video/mp4|video/x-m4v|audio/mp4a-latm
 match protocol http mime video/3gpp|video/quicktime
 match protocol http url *.flv|*.mp4|*.m4v|*.m4a|*.3gp|*.mov
! uncomment below if you don't want ANY flash.
! match protocol http mime application/x-shockwave-flash
! match protocol http url *.swf
!
policy-map NOINTERNETVIDEO
 class INTERNET-SCUM
  drop
!
int s1/0
 service-policy input NOINTERNETVIDEO
!

This would match any traffic going to youtube or video.google.com, or any flash applications, or common video mime types, and any swf (flash or flash movie) files! Be aware that NBAR does make your router take a hit in CPU processor usage, I’d suggest evaluating your processor usage before using this in production.

HTH! Now back to labs!

Summary:

• Use the match http protocol command to match the http protocol.
• match protocol http host matches the host portion
• match protocol http url matches the url after the hostname
• match protocol http mime matches mime types

Resources
Webserver – Dynamips .net configuration file
QOS HTTP Filtering – R1 Final Configuration
QOS HTTP Filtering – R2 Final Configuration
QOS HTTP Filtering – R3 Final Configuration

Read this article and more like it on ardenpackeer.com
Follow me on twitter: http://twitter.com/ardenpackeer

Tutorial: How to use Cisco MQC & NBAR to filter websites like Youtube

Let’s take a look at how we configure it. This article focuses on the basics, getting two routers to talk to each other in a virtual environment. Part II will focus on setting up a basic lab that we can use for all the examples in this site.

First we need to download Dynagen. Dynagen is a front-end to the Dynamips Cisco emulator. It provides a custom-built windows installer and easy to use configuration file which makes lab set up a whole lot nicer than the basic dynamips. It runs on Windows, Linux and MacOSX (with Intel cpus). This article will focus on the Windows installation and configuration. We can download Dynagen here. We will also need WinPcap, which we can download here.Once we have downloaded Dynagen installation is a snap. Just double click the exe files and click next a couple of times!

Once we have Dynagen installed and ready to roll you should see a Dynagen Sample Labs icon, a Dynamips Server icon and a Network device icon placed on your desktop. We’ll need to reboot the machine after the installation, to make sure windows picks up

Our First Dynagen Lab

Double click on the Dynagen Sample Labs and open up the simple1 folder. In the simple1 folder you’ll see a simple1.net file. These .net files are used by dynagen to describe a network topology. Lets have a look at the file:

[localhost]
#
[[7200]]
image = \Program Files\Dynamips\images\c7200-advipservicesk9_li-mz.124-11.T.bin
# On Linux / Unix use forward slashes:
# image = /opt/7200-images/c7200-jk9o3s-mz.124-7a.image
npe = npe-400
ram = 160
#
[[ROUTER R1]]
s1/0 = R2 s1/0
#
[[router R2]]
# No need to specify an adapter here, it is taken care of
# by the interface specification under Router R1

The simple1.net configuration file is divided up into three section. The [localhost] tag up the top specifies that the simulated routers defined will run on the local dynamips server. Dynamips allows you to run labs on multiple servers (so it appears as one giant lab), but for the purpose of this example we are only looking at one dynamips server.

The simple1.net file has two routers defined, R1 and R2. They are connected up via Serial 1/0 on both routers. Lets start up the dynamips server by double clicking on the Dynamips Server icon on the desktop.

You can see above, that R1 and R2 have both started correctly. You should notice that your CPU usage has just shot through the roof. This is because there are no idle-pc values set for the IOS we are using. We will tweak that a bit later, but first lets have a play with our new virtual network.

On the dynagen console, type:

console R1

This allows us to get access to the console port of R1. If you type this in fast enough, you should see R1 IOS startup process. Once the router has finished its startup process we can configure the router as if we were directly connected to its console port!

I feel the need for more speed! Tweaking idle-pc timings for Dynagen

One of the problems you might notice as you progress through this tutorial is the CPU usage for Dynagen. With two routers started, R1 and R2, its probably already utilising 100% CPU usage. If its using 100% for two routers, how in the world are we going to create a 6 router lab? We can tweak the way Dynagen uses this IOS on your PC by changing the idle-pc timings.

What are idle-pc timings? The Dynagen simulator does not know when the router is performing useful router stuff, and just being idle. Setting idle-pc values is a way of getting Dynagen to analyse the IOS that you are running, and figuring out when it is actually idle.

The idle-pc values are specific to the IOS that you are running, so the results i get here might be different than yours.

The first thing we need to do is stop R2. On the Dynagen management console enter:

stop R2

You can see above that R2 has been stopped. The CPU usage might drop slightly but we can do a whole lot better than that. For the best analysis results, we should have only one router running so Dynagen can accurately collect idle-pc statistics.

Log into R1 and make sure that R1 is idle. You might need to wait until all the interfaces are initialized.

You can see above that R1 has completed its boot cycle and all its interfaces are initialized. For all intents and purposes the Router is now idle.

On the Dynagen management console enter:

idlepc get R1

Dynagen will then collect statistics for this router. This can take a minute or two, but once this is complete you should be presented with a list of idle-pc values

The items with the star next to them are the ones we want to try. Selecting one should drop your cpu-usage dramatically. If it did not drop we can try the following on the Dynagen management console:

idlepc show R1

This should present all the idle-pc values so we can select another value to try. Once we are satisfied with the CPU usage, we should save the idle-pc timing so we don’t have to do this everytime we use dynagen. We can save our idle-pc values by entering the following on the Dynagen management console:

idlepc save R1 db

This will save idle-pc information about the IOS we are running to a dynagen configuration file. Any other routers we now start with the analysed IOS will automatically have the idle-pc applied.

The Finished Lab

We can see in the configuration file for simple1.net that R1 and R2 are connected via there Serial 1/0 interfaces. Lets start up R1 and R2 and get them talking.

On the Dynagen management console enter:

start R2

This should start up R2. R2 uses the same IOS as R1 and should use the same idle-pc values to minimize the CPU resources required. We can log onto R2 by going to the Dynagen management console and entering:

console R2

R2 should go a startup procedure and after it has initialized its interfaces we can configure them both:

R1

Router#
Router# conf t
Router(config)# hostname R1
R1(config)# no ip domain-lookup
R1(config)# line con 0
R1(config-line)# exec-timeout 0 0
R1(config-line)# logging synchronous
R1(config-line)# int s1/0
R1(config-if)# ip address 192.168.1.1 255.255.255.0
R1(config-if)# no shut
R1(config-if)# end
R1# wr

R2

Router#
Router# conf t
Router(config)# hostname R2
R2(config)# no ip domain-lookup
R2(config)# line con 0
R2(config-line)# exec-timeout 0 0
R2(config-line)# logging synchronous
R2(config-line)# int s1/0
R2(config-if)# ip address 192.168.1.2 255.255.255.0
R2(config-if)# no shut
R2(config-if)# end
R2# wr

Once the virtual routers are set up they should be able to ping each other as if they were physical router connected up to each other.

Looks like we have a working simulation. We will be building on the lab in Part 2 of this article to come up with a topology consisting of 6 routers. Stay Tuned!

Read this article and more like it on ardenpackeer.com
Follow me on twitter: http://twitter.com/ardenpackeer

Tutorial: How to set up a basic Dynamips Lab using Dynagen, Part 1