R4 and R5 are connected via a serial cable. Configure IP Addressing so that R4 and R5 are in the 192.168.45.0/24. R4 should have an IP of 192.168.45.4/24. R5 should have an IP address off 192.168.45.5/24.

The catch: Do not configure an IP Address with the ip address 192.168.45.4 255.255.255.0 command directly on R4’s s1/1 interface.

Let’s have a look at the different ways we can solve this!

IP Unnumbered

R4:

interface lo0
 ip add 192.168.1.45.4 255.255.255.0
!
interface Serial1/1
 ip unnumbered Loopback0
 encapsulation ppp
 clock rate 64000

R5:

interface Serial1/1
 ip address 192.168.45.5 255.255.255.0
 encapsulation ppp
 no peer neighbor-route

R4#sh ip route | b Gateway
Gateway of last resort is not set

     192.168.45.0/24 is variably subnetted, 2 subnets, 2 masks
C       192.168.45.5/32 is directly connected, Serial1/1
C       192.168.45.0/24 is directly connected, Loopback0

R5#sh ip route | b Gateway
Gateway of last resort is not set

C    192.168.45.0/24 is directly connected, Serial1/1

The no peer neighbor-route is not needed on R5, but I put it there to illustrate a point. R5 doesn’t need the peer neighbor-route to R4 because it will see the 192.168.45.0/24 subnet as directly connected on its s1/1 interface. R4 does need the peer route to 192.168.45.5/32 otherwise it will forward any packets destined to that address out Lo0.

PPP IPCP

R4:

interface Serial1/1
 ip address negotiated
 encapsulation ppp
 clock rate 64000

R5:

interface Serial1/1
 ip address 192.168.45.5 255.255.255.0
 encapsulation ppp
 no peer neighbor-route
 peer default ip address 192.168.45.4

R4#sh ip route | b Gateway
Gateway of last resort is not set

     192.168.45.0/32 is subnetted, 2 subnets
C       192.168.45.5 is directly connected, Serial1/1
C       192.168.45.4 is directly connected, Serial1/1

R5#sh ip route | b Gateway
Gateway of last resort is not set

C    192.168.45.0/24 is directly connected, Serial1/1

We have used IPCP to give R4 and IP address. R4 needs the peer route, otherwise its routing table will only have a route to the 192.168.45.4/32 network. R5 doesn’t need the peer neighbor-route because that subnet is directly connected on the interface.

PPP Multilink

R4:

interface Multilink1
 ip address 192.168.45.4 255.255.255.0
 no peer neighbor-route
!
interface Serial1/1
 no ip address
 encapsulation ppp
 clock rate 64000
 ppp multilink
 ppp multilink group 1

R5:

interface Multilink1
 ip address 192.168.45.5 255.255.255.0
 no peer neighbor-route
!
interface Serial1/1
 no ip address
 encapsulation ppp
 ppp multilink
 ppp multilink group 1

R4#sh ip route | b Gateway
Gateway of last resort is not set

C    192.168.45.0/24 is directly connected, Multilink1

The IP address isn’t on R4’s s1/1 interface! :)

Once again the no peer neighbor-route command is not needed, but is used to show that we don’t require a /32 to the remote end of the PPP connection.

PPP over Frame Relay

R4:

interface Serial1/1
 no ip address
 encapsulation frame-relay
 no keepalive
 clockrate 64000
 no frame-relay inverse-arp
!
interface Serial1/1.45 point-to-point
 frame-relay interface-dlci 45 ppp Virtual-Template1
!
interface Virtual-Template1
 ip address 192.168.45.4 255.255.255.0
 no peer neighbor-route

R5:

interface Serial1/1
 no ip address
 encapsulation frame-relay
 no keepalive
 no frame-relay inverse-arp
!
interface Serial1/1.45 point-to-point
 frame-relay interface-dlci 45 ppp Virtual-Template1
!
interface Virtual-Template1
 ip address 192.168.45.5 255.255.255.0
 no peer neighbor-route

R4#sh ip route | b Gateway
Gateway of last resort is not set

C    192.168.45.0/24 is directly connected, Virtual-Access1

R5#sh ip route | b Gateway
Gateway of last resort is not set

C    192.168.45.0/24 is directly connected, Virtual-Access1

We have disabled LMI with the no keepalive command so we can do back-to-back frame-relay. Once again we have used no peer neighbor-route it illustrate that we don’t need a specific /32 to the other end.

Cool Huh? Why the hell would you need this stuff outside the CCIE? You wouldn’t! Just configure the damn interface with 192.168.45.4/24! Since when was the CCIE about best practices and how you would do it in real life?! :)

Anybody know of any other methods?

Read this article and more like it on ardenpackeer.com
Follow me on twitter: http://twitter.com/ardenpackeer

Troubleshooting: IP Addressing Tricks & Tips Using PPP

The ip igmp limit and ip igmp access-group commands apply to a layer 3 routed port! The question involved setting this up on a layer 2 port so this wouldn’t work properly. The correct answer involved ip igmp profile and ip igmp max-groups.

So, lets say you have a requirement where you want to limit users on vlan 10 from joining multicast groups 232.0.0.0 -> 239.255.255.255. The requirement also says to limit it so they can belong to only 5 multicast groups. How would you do this on a layer 2 port vs a layer 3 port? I’m glad you asked! :)

Solution on Layer 3 Switch:

Layer 2 Port (ie switchport)

int f0/10
 switchport mode access
 switchport access vlan 10
 ip igmp max-groups 5
 ip igmp filter 1
!
ip igmp profile 1
 deny
 range 232.0.0.0 239.255.255.255

Layer 3 Port (ie routed port)

int vlan 10
 ip igmp access-group DENY_THESE_GROUPS
 ip igmp limit 5
!
ip access-list standard DENY_THESE_GROUPS
 deny 232.0.0.0 7.255.255.255
 permit any

The Layer 3 port configuration would equally apply on a routed port (ie port with no switchport configured or a port on a router). Notice the differences in defining of the groups allowed. “Hey Ards, How about one of your famous tutorials on this so I can follow along in Dynamips?”. Sorry, no time :) My CCIE lab is in 30 days and I have a million practice labs to do! I’ll write one up when I’m done…hopefully with some CCIE digits next to my name!

Read this article and more like it on ardenpackeer.com
Follow me on twitter: http://twitter.com/ardenpackeer

Multicast: What is the difference between an igmp filter and an igmp access-group?

This is the main idea behind a backup interface. If your main interface goes down, a secondary interface (like ISDN or frame) is brought up and traffic goes through this until connectivity is restored to the main interface. In this article we will be exploring how we can implement such a configuration using the Cisco IOS backup interface command.

We will be using the following topology for this tutorial:

The Dynagen configuration that I am using to demonstrate this is as follows:

ghostios = True
sparsemem = True
model = 3640

[localhost]

    [[3640]]
        image = \Program Files\Dynamips\images\c3640-jk9o3s-mz.124-12.bin
        # On Linux / Unix use forward slashes:
        # image = /opt/7200-images/c7200-jk9o3s-mz.124-7a.image
        ram = 96

    [[ROUTER R1]]
        f0/0 = LAN 1
        s1/0 = FRAME 1
        s1/1 = R2 s1/1
        console = 2000
        model = 3640

    [[ROUTER R2]]
        f0/0 = LAN 2
        s1/0 = FRAME 2
        console = 2001
        model = 3640

    [[FRSW FRAME]]
        1:102 = 2:201

You can download this configuration .net file here.

Let’s set up the basic configuration. We are going to implement a point-to-point frame relay connection, and run EIGRP as our routing protocol.

R1:

hostname R1
!
interface FastEthernet0/0
 ip address 1.1.1.1 255.255.255.0
!
interface Serial1/0
 no ip address
 encapsulation frame-relay
 serial restart-delay 0
 no frame-relay inverse-arp
!
interface Serial1/0.12 point-to-point
 ip address 192.168.1.1 255.255.255.0
 frame-relay interface-dlci 102
!
interface Serial1/1
 ip address 192.168.2.1 255.255.255.0
!
router eigrp 1
 network 1.0.0.0
 network 192.168.1.0
 network 192.168.2.0
 no auto-summary

R2:

hostname R2
!
interface FastEthernet0/0
 ip address 2.2.2.2 255.255.255.0
!
interface Serial1/0
 no ip address
 encapsulation frame-relay
 no frame-relay inverse-arp
!
interface Serial1/0.12 point-to-point
 ip address 192.168.1.2 255.255.255.0
 frame-relay interface-dlci 201
!
interface Serial1/1
 ip address 192.168.2.2 255.255.255.0
!
router eigrp 1
 network 2.0.0.0
 network 192.168.1.0
 network 192.168.2.0
 no auto-summary

Let’s check connectivity and verify our routing table:

R2#ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 80/137/188 ms

R2#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     1.0.0.0/24 is subnetted, 1 subnets
D       1.1.1.0 [90/2172416] via 192.168.2.1, 00:05:44, Serial1/1
                [90/2172416] via 192.168.1.1, 00:05:44, Serial1/0.12
     2.0.0.0/24 is subnetted, 1 subnets
C       2.2.2.0 is directly connected, FastEthernet0/0
C    192.168.1.0/24 is directly connected, Serial1/0.12
C    192.168.2.0/24 is directly connected, Serial1/1

Looking at the routing table it looks like R2 has two paths to get to the 1.1.1.0/24 network attached to R1. EIGRP is doing its job and has discovered both paths to that network.

The scenario that we are going to implement is that our frame-relay connection is our main connection. The s1/1 connection is connected to an ISDN modem which we don’t want to send traffic through unless there is a failure on R2’s frame-relay connection.

Let’s have a look at the configuration:

R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#int s1/0.12
R2(config-subif)#backup interface s1/1
R2(config-subif)#
*Mar  1 00:39: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 192.168.2.1 (Serial1/1) is down: interface down
*Mar  1 00:39: %LINK-5-CHANGED: Interface Serial1/1, changed state to standby mode
*Mar  1 00:39: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/1, changed state to down

R2#sh int s1/1
Serial1/1 is standby mode, line protocol is down
  Hardware is M4T
  Internet address is 192.168.2.2/24
  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation HDLC, crc 16, loopback not set
  Keepalive set (10 sec)
  Restart-Delay is 0 secs
  Last input 00:05:13, output 00:05:10, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: weighted fair
  Output queue: 0/1000/64/0 (size/max total/threshold/drops)
     Conversations  0/1/256 (active/max active/max total)
     Reserved Conversations 0/0 (allocated/max allocated)
     Available Bandwidth 1158 kilobits/sec
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     430 packets input, 24351 bytes, 0 no buffer
     Received 243 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     443 packets output, 23912 bytes, 0 underruns
     0 output errors, 0 collisions, 2 interface resets
     0 output buffer failures, 0 output buffers swapped out
     3 carrier transitions     DCD=up  DSR=up  DTR=up  RTS=up  CTS=up

Here we have configured serial 1/1 to be the backup interface for serial 1/0.12 (our frame-relay interface). Serial 1/0.12 is our primary interface and Serial 1/1 is our secondary interface.

You can see that as soon as we configure this the s1/1 interface state was changed to the standby state. It will remain in this state until our main interface serial 1/0.12 goes into the down state.

We can verify the backup configuration using the show backup command:

R2#sh backup
Primary Interface   Secondary Interface   Status
-----------------   -------------------   ------
Serial1/0.12        Serial1/1             normal operation

We can see here that serial 1/0.12 is acting as the primary interface. If that interface enters the down state the secondary interface will brought up.

Testing the Configuration

Let’s test the configuration. We will shut down the main interface. The standby interface will should then be brought up and we will form a EIGRP neighbor relationship with R1 over the standby interface.

Let’s have a look at the current routing table before we take down our main interface.

R2#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     1.0.0.0/24 is subnetted, 1 subnets
D       1.1.1.0 [90/2172416] via 192.168.1.1, 00:09:31, Serial1/0.12
     2.0.0.0/24 is subnetted, 1 subnets
C       2.2.2.0 is directly connected, FastEthernet0/0
C    192.168.1.0/24 is directly connected, Serial1/0.12

You can see above that traffic to the 1.1.1.0/24 subnet is via our frame-relay connection. Let’s take down the interface and verify that the backup configuration is working.

R2(config)#int s1/0
R2(config-if)#shut
R2(config-if)#end
R2#
*Mar  1 00:49: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 192.168.1.1 (Serial1/0.12) is down: interface down
*Mar  1 00:49: %SYS-5-CONFIG_I: Configured from console by console
*Mar  1 00:49: %LINK-5-CHANGED: Interface Serial1/0, changed state to administratively down
*Mar  1 00:49: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, changed state to down
*Mar  1 00:49: %LINK-3-UPDOWN: Interface Serial1/1, changed state to up
*Mar  1 00:49: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/1, changed state to up

R2#sh backup
Primary Interface   Secondary Interface   Status
-----------------   -------------------   ------
Serial1/0.12        Serial1/1             backup mode
R2#
*Mar  1 00:49: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 192.168.2.1 (Serial1/1) is up: new adjacency

Looks great. You can see that as soon as the main interface went down (interface serial 1/0.12) the standby interface was immediately brought up. Using the show backup command above, you can see that we are now operating in backup mode.

R2#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     1.0.0.0/24 is subnetted, 1 subnets
D       1.1.1.0 [90/2172416] via 192.168.2.1, 00:00:15, Serial1/1
     2.0.0.0/24 is subnetted, 1 subnets
C       2.2.2.0 is directly connected, FastEthernet0/0
D    192.168.1.0/24 [90/2681856] via 192.168.2.1, 00:00:15, Serial1/1
C    192.168.2.0/24 is directly connected, Serial1/1

Traffic to the 1.1.1.0/24 will now traverse the secondary interface until the main interface is brought back up.

R2#ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/80/212 ms

Let’s have a look and see what happens when the main interface is brought back up.

R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#int s1/0
R2(config-if)#no shut
R2(config-if)#end
R2#
*Mar  1 00:54: %SYS-5-CONFIG_I: Configured from console by console
*Mar  1 00:54: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 192.168.1.1 (Serial1/0.12) is up: new adjacency
*Mar  1 00:54: %LINK-3-UPDOWN: Interface Serial1/0, changed state to up
*Mar  1 00:54: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 192.168.2.1 (Serial1/1) is down: interface down
*Mar  1 00:54: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, changed state to up
*Mar  1 00:54: %LINK-5-CHANGED: Interface Serial1/1, changed state to standby mode
*Mar  1 00:54: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/1, changed state to down

R2#sh backup
Primary Interface   Secondary Interface   Status
-----------------   -------------------   ------
Serial1/0.12        Serial1/1             normal operation

Looks like it works as advertised! When the main interface for frame-relay is up, our secondary interface is in the standby state. When the main interface goes down, our secondary interface immediately comes up and connectivity to the 1.1.1.0/24 is maintained.

Waiting to Resume a Connection

Let’s say that the backup configuration is in a backup state (ie, the main interface has gone down). When the interface comes back up, the secondary interface switches back into a standby state immediately. This might not always be a good idea. Especially if the main interface is a bit flaky. We might want to wait a little while before we go into the standby state again in case the primary interface is flapping.

Let’s configure R2 to switch immediately to s1/1 if the main interface goes down. However if the main interface comes back up, we want to wait 5 minutes before interface s1/1 goes back into the standby state. We can implement this with the backup delay command.

R2:

interface Serial1/0.12 point-to-point
 backup delay 0 300
 backup interface Serial1/1
 ip address 192.168.1.2 255.255.255.0
 frame-relay interface-dlci 201   

You can see above the backup delay command takes two arguments. The first argument is how long to wait before switching over to the standby interface (in this case 0 seconds ie. immediately). The second argument is how long the standby interface should wait once the main interface comes back up before switching back to the standby state (in this case 300 seconds ie. 5 minutes).

Let’s test it:

R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#int s1/0
R2(config-if)#shut
R2(config-if)#en
*Mar  1 01:21: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 192.168.1.1 (Serial1/0.12) is down: interface do
*Mar  1 01:21: %LINK-5-CHANGED: Interface Serial1/0, changed state to administratively down
*Mar  1 01:21: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, changed state to down
*Mar  1 01:21: %LINK-3-UPDOWN: Interface Serial1/1, changed state to up
*Mar  1 01:21: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/1, changed state to up

R2#sh backu
*Mar  1 01:21:22.955: %SYS-5-CONFIG_I: Configured from console by console
Primary Interface   Secondary Interface   Status
-----------------   -------------------   ------
Serial1/0.12        Serial1/1             backup mode
*Mar  1 01:21: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 192.168.2.1 (Serial1/1) is up: new adjacency

So it looks like our configuration is still working, with the standby interface coming up as soon as the main interface goes down.

R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#int s1/0
R2(config-if)#no shut
*Mar  1 01:21: %LINK-3-UPDOWN: Interface Serial1/0, changed state to up
*Mar  1 01:21: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 192.168.1.1 (Serial1/0.12) is up: new adjacency
*Mar  1 01:21: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, changed state to up

R2#sh backup
Primary Interface   Secondary Interface   Status
-----------------   -------------------   ------
Serial1/0.12        Serial1/1             waiting to revert (288 more seconds)

You can see above, the secondary interface did not reenter the standby state. It will revert to the standby state once the 300 seconds have elapsed. Let’s wait 5 minutes and see if Serial1/1 reverts back to the standby state:

R2#
*Mar  1 01:26: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 192.168.2.1 (Serial1/1) is down: interface down
*Mar  1 01:26: %LINK-5-CHANGED: Interface Serial1/1, changed state to standby mode
*Mar  1 01:26: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/1, changed state to down
R2#
R2#sh backup
Primary Interface   Secondary Interface   Status
-----------------   -------------------   ------
Serial1/0.12        Serial1/1             normal operation

Looks great. So we have a working backup configuration. Hope this helps, now back to labs!

Summary:

• You can use the backup interface command to configure primary and secondary interfaces
• The backup interface command is configured on the primary interface and takes the secondary interface as an argument
• When the primary interface is up, the secondary interface is in a standby state.
• When the primary interface is down, the secondary interface is immediately brought up.
• You can configure a delay both for when the primary interface goes down, and when it comes back up

Resources:

• Dynamips/Dynagen .net configuration file

Read this article and more like it on ardenpackeer.com
Follow me on twitter: http://twitter.com/ardenpackeer

Tutorial: How to set up backup interfaces

One solution to this problem is the use of Cisco’s Network Based Application Recognition (NBAR). NBAR is a deep packet inspection and classification engine. It was first introduced in experimental versions of IOS v12.1 and can be used with Cisco’s Modular Quality Of Service Command Line (MQC).

In this article we will look at using MQC to filter websites. I will demonstrate using the match protocol http command to match a URL, a host or MIME type. We will use the following topology for demonstration:

R3 will act as a webserver and R1 as a client. The filtering will be applied on R2. You can download the dynamips .net file the following topology here.
R1 Base Configuration:

hostname R1
!
int s1/0
 ip add 10.0.12.1 255.255.255.0
 no shut
!
router ospf 1
 network 10.0.12.1 0.0.0.0 area 0

R2 Base Configuration:

hostname R2
!
int s1/0
 ip add 10.0.12.2 255.255.255.0
 no shut
!
int s1/1
 ip add 10.0.23.2 255.255.255.0
 no shut
!
router ospf 1
 network 10.0.12.2 0.0.0.0 area 0
 network 10.0.23.2 0.0.0.0 area 0

R3 Base Configuration:

hostname R3
!
int s1/0
 ip add 10.0.23.3 255.255.255.0
 no shut
!
int f0/0
 ip add 192.168.1.100 255.255.255.0
 no shut
!
router ospf 1
 network 10.0.23.3 0.0.0.0 area 0
!
ip http server
ip http path flash:

We have set up R3 as a webserver. Details on how to setup R3 as a webserver using IOS can be found here.

R3#sh run | in ip http
ip http server
no ip http secure-server
ip http path flash:

R3#dir
Directory of flash:/

    1  -rw-          90                    <no>  picture.gif
    2  -rw-         329                    <no>  picture.jpg
    3  -rw-         174                    <no>  index.html

8388604 bytes total (8387812 bytes free)
</no></no></no>

Basic HTTP Filtering using NBAR

Lets set up basic http filtering with MQC on R2.

R2(config)#class-map match-all MATCH-HTTP
R2(config-cmap)#match protocol http
R2(config-cmap)#exit
R2(config)#policy-map HTTP-POLICY
R2(config-pmap)#class MATCH-HTTP
R2(config-pmap-c)#set dscp af13
R2(config-pmap-c)#exit
R2(config-pmap)#int s1/0
R2(config-if)#service-policy input HTTP-POLICY

In the code above we have a class map called MATCH-HTTP. The match protocol http command tells NBAR to match the http protocol. This will match all http traffic. The MATCH-HTTP class is then utilized in the HTTP-POLICY policy map. This policy map is used to set a DSCP marking on all traffic that matches the MATCH-HTTP class (ie all http traffic). The policy is then implemented on R2’s s1/0. Traffic is inspected and marked as it comes into that interface.

We can check how many packets have been marked using the show policy-map command.

R2#sh policy-map int s1/0
 Serial1/0 

  Service-policy input: HTTP-POLICY

    Class-map: MATCH-HTTP (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol http
      QoS Set
        dscp af13
          Packets marked 0

    Class-map: class-default (match-any)
      2 packets, 168 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
R2#

Lets generate some http traffic, and see if our policy marks some packets.

R1#copy http://10.0.23.3/index.html null:
Loading http://10.0.23.3/index.html
174 bytes copied in 0.544 secs (320 bytes/sec)

R2#sh policy-map int s1/0
 Serial1/0 

  Service-policy input: HTTP-POLICY

    Class-map: MATCH-HTTP (match-all)
      5 packets, 344 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol http
      QoS Set
        dscp af13
          Packets marked 5

    Class-map: class-default (match-any)
      124 packets, 10340 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any

We used the copy http://10.0.23.3/index.html null: command to generate some http traffic. We can see above that 5 packets were generated and were marked as af13. All other traffic will fall into the class-default class. With the packets marked, we could forward them or drop them.

Instead of matching all of the http protocol we can use NBAR to look further into the packet and classify or drop packets based on the host requested.

Match protocol HTTP host

The match protocol HTTP url command is used to match a url. It takes a regular expression as an argument. For example:

match protocol http host *youtube.com*
! This would match anything in youtube.com like http://www.youtube.com or http://video.youtube.com
!
match protocol http host *google*
! This would match anything with google in the host like http://mail.google.com or
http://www.google.com.au
!
match protocol http host google*
! This would match http://google.com but not http://video.google.com

Lets set up R2 to filter based on a host.

R2(config)#class-map MATCH-HTTP
R2(config-cmap)#no match protocol http
R2(config-cmap)#match protocol http host 10.0.23.3

R2#clear counters s1/0
Clear "show interface" counters on this interface [confirm]
*Mar  1 00:04:42.071: %CLEAR-5-COUNTERS: Clear counter on interface Serial1/0 by console
R2#
R2#sh policy-map int s1/0
 Serial1/0 

  Service-policy input: HTTP-POLICY

    Class-map: MATCH-HTTP (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol http host "10.0.23.3"
      QoS Set
        dscp af13
          Packets marked 0

    Class-map: class-default (match-any)
      1 packets, 84 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any

We’ve cleared the counters on R2, so lets generate some traffic on R1 again.

R1#copy http://10.0.23.3/index.html null:
Loading http://10.0.23.3/index.html
174 bytes copied in 0.596 secs (292 bytes/sec)

R2#sh policy-map int s1/0
 Serial1/0 

  Service-policy input: HTTP-POLICY

    Class-map: MATCH-HTTP (match-all)
      5 packets, 344 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol http host "10.0.23.3"
      QoS Set
        dscp af13
          Packets marked 5

    Class-map: class-default (match-any)
      64 packets, 5300 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any

We can see here it matched 5 packets based on the host. We can use this to match whole sites like youtube.com or video.google.com.

Match protocol HTTP url

We can match strings AFTER the host portion of a URL using the match protocol http url command. It also takes a regular expression as an argument. For example:

match protocol http url *video*
! This would match http://www.cisco.com/video/index.php or
http://www.google.com/stuff/video.html
!
match protocol http url video*
! This would match http://www.cisco.com/video but not http://www.cisco.com/stuff/video.html
! because stuff precedes the video portion of the url and in the expression above we have said
! it has to start with the string video
!
match protocol http url *.jpeg|*.jpg|*.gif
! This would match any .jpeg or .jpg or .gif extention in the url

Lets set up R2 to match based on a URL.

R2(config)#class-map MATCH-HTTP
R2(config-cmap)#no match protocol http host 10.0.23.3
R2(config-cmap)#match protocol http url *.jpg

As you can see above we have used the match protocol http url function of NBAR to match any url that ends in a .jpg. This effectively blocks jpeg images (unless they have a different extension).

Let test it, before we send some traffic we’ll reset the counters on the interface.

R2#clear counters s1/0
Clear "show interface" counters on this interface [confirm]
*Mar  1 00:43:39.135: %CLEAR-5-COUNTERS: Clear counter on interface Serial1/0 by console
R2#
R2#sh policy-map int s1/0
 Serial1/0 

  Service-policy input: HTTP-POLICY

    Class-map: MATCH-HTTP (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol http url "*.jpg"
      QoS Set
        dscp af13
          Packets marked 0

    Class-map: class-default (match-any)
      1 packets, 84 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any

If we request a gif file we shouldn’t match the class MATCH-HTTP. Lets test that first.

R1#copy http://10.0.23.3/picture.gif null:
Loading http://10.0.23.3/picture.gif
90 bytes copied in 0.644 secs (140 bytes/sec)

R2#sh policy-map int s1/0
 Serial1/0 

  Service-policy input: HTTP-POLICY

    Class-map: MATCH-HTTP (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol http url "*.jpg"
      QoS Set
        dscp af13
          Packets marked 0

    Class-map: class-default (match-any)
      18 packets, 1209 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any

Great Success! Looks pretty good. Now lets try a .jpg extension. We should match this.

R1#copy http://10.0.23.3/picture.jpg null:
Loading http://10.0.23.3/picture.jpg
329 bytes copied in 0.820 secs (401 bytes/sec)

R2#sh policy-map int s1/0
 Serial1/0 

  Service-policy input: HTTP-POLICY

    Class-map: MATCH-HTTP (match-all)
      7 packets, 433 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol http url "*.jpg"
      QoS Set
        dscp af13
          Packets marked 7

    Class-map: class-default (match-any)
      22 packets, 1469 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any

Awesome! You can see above we matched based on a URL.

match protocol http mime

We can also use the match protocol http mime to match internet mime types. The mime type has to be the same mime type that the web server responds with. For a list of valid mime types check out: http://www.sfsu.edu/training/mimetype.htm. Lets look at an example:

match protocol http mime image/jpeg
! This would match jpeg,jpg,jpe,jfif,pjpeg, and pjp types
!
match protocol http mime image/jpg
! This would not match anything as it is not a proper mime type. Get a list of the mime types
! here: http://www.sfsu.edu/training/mimetype.htm
!
match protocol http mime image*
! This would match all image mime types
!
match protocol http mime application/x-shockwave-flash
! This would not only match swf flash movies, but all of flash.

Lets set up R2 to filter the image/jpeg mime type:

R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#class-map MATCH-HTTP
R2(config-cmap)#no match protocol http url *.jpg
R2(config-cmap)#match protocol http mime ?
  WORD  Enter a string as the sub-protocol parameter

R2(config-cmap)#match protocol http mime image/jpeg
R2(config-cmap)#exit
R2(config)#exit

Once again, we’ll clear the counters so we can verify that this works correctly.

R2#clear counters s1/0
Clear "show interface" counters on this interface [confirm]
*Mar  1 01:12:10.759: %CLEAR-5-COUNTERS: Clear counter on interface Serial1/0 

R2#sh policy-map int s1/0
 Serial1/0 

  Service-policy input: HTTP-POLICY

    Class-map: MATCH-HTTP (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol http mime "image/jpeg"
      QoS Set
        dscp af13
          Packets marked 0

    Class-map: class-default (match-any)
      1 packets, 84 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any

On R1 lets generate some traffic. A gif file will be requested first. This should not match our policy.

R1#copy http://10.0.23.3/picture.gif null:
Loading http://10.0.23.3/picture.gif
90 bytes copied in 0.808 secs (111 bytes/sec)

R2#sh policy-map int s1/0
 Serial1/0 

  Service-policy input: HTTP-POLICY

    Class-map: MATCH-HTTP (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol http mime "image/jpeg"
      QoS Set
        dscp af13
          Packets marked 0

    Class-map: class-default (match-any)
      10 packets, 689 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any

All good! Ok lets do the final test and actually request a jpeg image and see if it matches our policy.

R1#copy http://10.0.23.3/picture.jpg null:
Loading http://10.0.23.3/picture.jpg
329 bytes copied in 1.216 secs (271 bytes/sec)

R2#sh policy-map int s1/0
 Serial1/0 

  Service-policy input: HTTP-POLICY

    Class-map: MATCH-HTTP (match-all)
      5 packets, 220 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol http mime "image/jpeg"
      QoS Set
        dscp af13
          Packets marked 5

    Class-map: class-default (match-any)
      16 packets, 1162 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any

You can see above that the jpeg image was matched. It works!

Putting it all together

So lets put it all together. We can use all three match protocol http commands in a match-any class map. For example:

class-map match-any INTERNET-SCUM
 match protocol http host *youtube.com*|*video.google.com*
 match protocol http mime video/flv|video/x-flv|video/mp4|video/x-m4v|audio/mp4a-latm
 match protocol http mime video/3gpp|video/quicktime
 match protocol http url *.flv|*.mp4|*.m4v|*.m4a|*.3gp|*.mov
! uncomment below if you don't want ANY flash.
! match protocol http mime application/x-shockwave-flash
! match protocol http url *.swf
!
policy-map NOINTERNETVIDEO
 class INTERNET-SCUM
  drop
!
int s1/0
 service-policy input NOINTERNETVIDEO
!

This would match any traffic going to youtube or video.google.com, or any flash applications, or common video mime types, and any swf (flash or flash movie) files! Be aware that NBAR does make your router take a hit in CPU processor usage, I’d suggest evaluating your processor usage before using this in production.

HTH! Now back to labs!

Summary:

• Use the match http protocol command to match the http protocol.
• match protocol http host matches the host portion
• match protocol http url matches the url after the hostname
• match protocol http mime matches mime types

Resources
Webserver – Dynamips .net configuration file
QOS HTTP Filtering – R1 Final Configuration
QOS HTTP Filtering – R2 Final Configuration
QOS HTTP Filtering – R3 Final Configuration

Read this article and more like it on ardenpackeer.com
Follow me on twitter: http://twitter.com/ardenpackeer

Tutorial: How to use Cisco MQC & NBAR to filter websites like Youtube

We will be setting up this topology:

I will bridge f0/0 on the virtual R3 to my real lan. This way I can transfer the files i need to my virtual router using tftp. So first we need to set up dynamips so that f0/0 on R3 is bridged to my computers ethernet card. When you install Dynagen it creates a command script called Network device list.cmd. This script displays your network cards with device names that dynamips can refer to.

When run it produces something like this:

The red circle is the part we are interested in. That is how dynamips refers to our physical network card. In our .net file for dynamips we will bridge a virtual interface to this physical interface.

To do this, we create a .net file (webserver.net) with the following contents:

ghostios = true
sparsemem = true
model = 3640

[localhost]

    [[3640]]
    image = \Program Files\Dynamips\images\c3640-jk9o3s-mz.124-12.bin
    # On Linux / Unix use forward slashes:
    # image = /opt/7200-images/c7200-jk9o3s-mz.124-7a.image
    ram = 96

    [[ROUTER R1]]
    s1/0 = R2 s1/0

    [[ROUTER R2]]
    s1/1 = R3 s1/0

    [[ROUTER R3]]
    f0/0 = NIO_gen_eth:\Device\NPF_{064084F0-A2EA-45FA-A362-ADDBC779026C}

This sets up the topology shown above, with R3’s f0/0 bridged to our physical network card. Now all we need to do is add an ip address to R3’s f0/0 thats in the same subnet as our physical network card and we should have connectivity between the two.

R1 Configuration:

hostname R1
!
int s1/0
 ip add 10.0.12.1 255.255.255.0
 no shut
!
router ospf 1
 network 10.0.12.1 0.0.0.0 area 0

R2 Configuration:

hostname R2
!
int s1/0
 ip add 10.0.12.2 255.255.255.0
 no shut
!
int s1/1
 ip add 10.0.23.2 255.255.255.0
 no shut
!
router ospf 1
 network 10.0.12.2 0.0.0.0 area 0
 network 10.0.23.2 0.0.0.0 area 0

R3 Configuration:

hostname R3
!
int s1/0
 ip add 10.0.23.3 255.255.255.0
 no shut
!
int f0/0
 ip add 192.168.1.100 255.255.255.0
 no shut
!
router ospf 1
 network 10.0.23.3 0.0.0.0 area 0

I have added an ip address to the R3 f0/0 interface that’s in the same subnet as my computer (192.168.1.0/24), so lets see if they can ping each other.

R3#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     10.0.0.0/24 is subnetted, 2 subnets
O       10.0.12.0 [110/128] via 10.0.23.2, 00:00:10, Serial1/0
C       10.0.23.0 is directly connected, Serial1/0
C    192.168.1.0/24 is directly connected, FastEthernet0/0
R3#ping 192.168.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/48/116 ms

You can see the virtual R3 has connectivity to the physical host machine (192.168.1.1)! I’ve set up a tftp server on my host machine using tftpd32. I will use the tftp server to put files on R3 that i can serve out using the IOS webserver.

R3#copy tftp flash:
Address or name of remote host []? 192.168.1.1
Source filename []? picture.gif
Destination filename [picture.gif]?
Accessing tftp://192.168.1.1/picture.gif...
Erase flash: before copying? [confirm]n
Loading picture.gif from 192.168.1.1 (via FastEthernet0/0): !
[OK - 90 bytes]

Verifying checksum...  OK (0xA319)
90 bytes copied in 0.216 secs (417 bytes/sec)

R3#copy tftp flash:
Address or name of remote host [192.168.1.1]? 192.168.1.1
Source filename [picture.gif]? picture.jpg
Destination filename [picture.jpg]?
Accessing tftp://192.168.1.1/picture.jpg...
Erase flash: before copying? [confirm]n
Loading picture.jpg from 192.168.1.1 (via FastEthernet0/0): !
[OK - 329 bytes]

Verifying checksum...  OK (0x7656)
329 bytes copied in 0.244 secs (1348 bytes/sec)

R3#copy tftp flash:
Address or name of remote host [192.168.1.1]? 192.168.1.1
Source filename [picture.jpg]? index.html
Destination filename [index.html]?
Accessing tftp://192.168.1.1/index.html...
Erase flash: before copying? [confirm]n
Loading index.html from 192.168.1.1 (via FastEthernet0/0): !
[OK - 174 bytes]

Verifying checksum...  OK (0xA4BA)
174 bytes copied in 0.264 secs (659 bytes/sec)

R3#dir
Directory of flash:/

    1  -rw-          90                    <no>  picture.gif
    2  -rw-         329                    <no>  picture.jpg
    3  -rw-         174                    <no>  index.html

8388604 bytes total (8387812 bytes free)
</no></no></no>

You can see above that we copied three files (picture.jpg, picture.gif and index.html) to R3. These are the files that will make up a basic webpage that we are serving out.

Lets set up the web server:

R3(config)#ip http server
R3(config)#ip http path flash:

The ip http server command activates the built in IOS webserver. By default this command will first look for a file called home.html on any filesystem. If this file exists it will serve this page. If this file doesn’t exist it then looks for a file called home.shtml on any filesystem. If this is not found, by default it will serve a default page with links to exec, SDM, QDM and TAC support.

The ip http path flash: allows you the serve pages from the flash: device. Normally files cannot be served from flash: (other than home.html and home.shtml) unless you use the ip http path flash: command.

We now have our web server set up. Lets test it.

R1#telnet 10.0.23.3 80
Trying 10.0.23.3, 80 ... Open
get /index.html

<a href="http://www.ardenpackeer.com/picture.gif">picture.gif</a>
<a href="http://www.ardenpackeer.com/picture.jpg">picture.jpg</a>

[Connection to 10.0.23.3 closed by foreign host]

R1#copy http://10.0.23.3/index.html null0
Destination filename [null0]?
Erase flash: before copying? [confirm]n
Loading http://10.0.23.3/index.html
Verifying checksum...  OK (0xA4BA)
174 bytes copied in 0.704 secs (247 bytes/sec)

You can see above, we telneted into R3 port 80, and issued a GET request which returned the html file we entered. We can also use the copy command to retrieve files from the web server on R3. Great Success!

We will be using this web server to test NBAR http protocol matching in another article, but for now we have a working web server in IOS under dynamips.

HTH! Now back to labs!

Summary:

• You can use the Network device list.cmd script to get a list of all your physical interfaces for use with dynamips
• The ip http server command sets up a http server on IOS
• The ip http path flash: allows you to serve pages from the flash: device.

Resources:
Webserver – Dynamips .net configuration file
Webserver – R1 Final Configuration
Webserver – R2 Final Configuration
Webserver – R3 Final Configuration
Webserver – Sample Webpage files

Read this article and more like it on ardenpackeer.com
Follow me on twitter: http://twitter.com/ardenpackeer

Tutorial: How to set up a Cisco router as a Web Server

Router#sh run | include interface|ip address
interface Loopback0
 ip address 10.200.200.11 255.255.255.255
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
interface BRI0/0
 no ip address
interface Serial1/0
 no ip address
interface Serial1/0.1 multipoint
 ip address 172.31.1.1 255.255.255.0
interface Serial1/0.2 multipoint
 ip address 172.31.11.1 255.255.255.0
interface Serial1/1
 ip address 10.1.0.1 255.255.255.0
interface Serial1/2
 no ip address
interface Serial1/3
 no ip address

Router#sh int | include is up|Internet
FastEthernet0/0 is up, line protocol is up
  Internet address is 10.1.1.1/24
Serial1/0 is up, line protocol is up
Serial1/0.1 is up, line protocol is up
  Internet address is 172.31.1.1/24
  Internet address is 172.31.11.1/24
Serial1/1 is up, line protocol is up
  Internet address is 10.1.0.1/24
Loopback0 is up, line protocol is up
  Internet address is 10.200.200.11/32

Router#sh ip int brief | exclude unassigned
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            10.1.1.1        YES NVRAM  up                    up
Serial1/0.1                172.31.1.1      YES NVRAM  up                    up
Serial1/0.2                172.31.11.1     YES NVRAM  administratively down down
Serial1/1                  10.1.0.1        YES NVRAM  up                    up
Loopback0                  10.200.200.11   YES NVRAM  up                    up 

When starting a lab with pre-configured routers and switches the above commands are very useful to get an overview of interfaces and addressing. I use this when doing labs with troubleshooting sections. If your Lab contains a troubleshooting section with preconfigured routers or switches, I would use the above the commands to verify that the configuration matches the topology of the lab.

Now back to labs!

Read this article and more like it on ardenpackeer.com
Follow me on twitter: http://twitter.com/ardenpackeer

Troubleshooting: How to Get Interface Summaries in IOS

Lets have a look at a tcl script that we can use to ping all the interfaces in a lab:

foreach address {
1.1.1.1
2.2.2.2
3.3.3.3
4.4.4.4
5.5.5.5
6.6.6.6
} { puts [ exec "ping $address" ] }

The code above is an example of a tcl script. On the router interface, go into privilege exec mode and enter the tclsh command. This places you in a tcl mode where we can enter tcl scripts. Then cut and paste the above from something like notepad.

Router#
Router#tclsh
Router(tcl)#foreach address {
+>1.1.1.1
+>2.2.2.2
+>3.3.3.3
+>4.4.4.4
+>5.5.5.5
+>6.6.6.6
+>} { puts [ exec "ping $address" ] }

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/7/12 ms

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/5/12 ms

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/8 ms

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/7/8 ms

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/8 ms

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 6.6.6.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/9/16 ms
Router(tcl)#

Then end result: we ping each address in turn listed in the script. Something like this simple script is perfect for testing connectivity in the lab (or in real life!).

For more examples of tcl scripts check this link out.

HTH.

Read this article and more like it on ardenpackeer.com
Follow me on twitter: http://twitter.com/ardenpackeer

Verifying Connectivity Using A tcl Script