[nsp] code-red NBAR fix and MRTG

From: Scott.Keoseyan@BroadWing.com
Date: Mon Aug 13 2001 - 15:46:38 EDT


Hi,

I recently implemented the suggested code-red NBAR solution on a 7500 I have
connected to our IP network from our lab. I noted that it appears to
function as expected, but since I turned it on my MRTG application is unable
to pull traffic stats from the interface I applied the service-policy to.
Any ideas? I am using the out-of-the-box MRTG config and polling my ATM
subif. The MRTG app simply stopped adding data to the graphs around the
same time I implemented the NBAR. It is polling other interface stats in
the router just fine.

I did move the IOS on the router to 12.1E to support the NBAR. Could this
have re-indexed the interfaces with regard to SNMP? Would there be a
command to display the snmp ifindex table on the router by chance?

Here is the router config:

!
class-map match-any http-hacks
  match protocol http url "*default.ida*"
  match protocol http url "*x.ida*"
  match protocol http url "*.ida*"
  match protocol http url "*cmd.exe*"
  match protocol http url "*root.exe*"
!
!
interface ATM1/1/0.100 point-to-point
 bandwidth 25000
 ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
 ip access-group 2010 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 pvc 0/100
  protocol ip xxx.xxx.xxx.xxx broadcast
  encapsulation aal5snap
 !
 service-policy input police-inbound-http-hacks

The solution appears to be working. Being that my lab is a stub-node with
no servers reachable here, there isn't a whole lot of traffic ending up
here:

Router#sh policy-map int a1/1/0.100

 ATM1/1/0.100

  service-policy input: police-inbound-http-hacks

    class-map: http-hacks (match-any)
      1917 packets, 2857782 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      match: protocol http url "*default.ida*"
        1917 packets, 2857782 bytes
        5 minute rate 0 bps
      match: protocol http url "*x.ida*"
        0 packets, 0 bytes
        5 minute rate 0 bps
      match: protocol http url "*.ida*"
        0 packets, 0 bytes
        5 minute rate 0 bps
      match: protocol http url "*cmd.exe*"
        0 packets, 0 bytes
        5 minute rate 0 bps
      match: protocol http url "*root.exe*"
        0 packets, 0 bytes
        5 minute rate 0 bps
      police:
        8000 bps, 4470 limit, 4470 extended limit
        conformed 1914 packets, 2853246 bytes; action: drop
        exceeded 3 packets, 4536 bytes; action: drop
        violated 0 packets, 0 bytes; action: drop
        conformed 0 bps, exceed 0 bps violate 0 bps

--
 Scott A. Keoseyan (sak@broadwing.com)
 Principal Engineer - Lab Services
 B R O A D W I N G    Inc.*
 1881 Campus Commons, Suite 210
 Reston, Virginia 20191
 (703)391-1831 - (FAX)391-1810 
 http://www.broadwing.com/ccielab
 http://www.labyrinth.org/homepages/scott/home.html

* Company name mentioned for identification purposes only. These ramblings are my own opinions
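The five URL globs in the class-map above are also useful off the router, for instance to sweep a web server's access log for the same probes. The script below is an added example, not part of the original post, that applies the post's rules in order to constructed Common Log Format lines (IPs and requests are made up); crediting each hit to the first matching rule mirrors the counters in the show output, where every packet landed on "*default.ida*" and the broader "*.ida*" never incremented.

```python
import fnmatch
import re
from collections import Counter

# Rules copied from the post's class-map, in the order configured.
HTTP_HACKS_RULES = [
    "*default.ida*",
    "*x.ida*",
    "*.ida*",
    "*cmd.exe*",
    "*root.exe*",
]

# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [13/Aug/2001:15:40:01 -0400] "GET /default.ida?NNNNNNNNNNNN HTTP/1.0" 400 328
192.0.2.11 - - [13/Aug/2001:15:40:02 -0400] "GET /index.html HTTP/1.1" 200 1043
192.0.2.12 - - [13/Aug/2001:15:40:03 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
192.0.2.13 - - [13/Aug/2001:15:40:04 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 210
192.0.2.14 - - [13/Aug/2001:15:40:05 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210
192.0.2.15 - - [13/Aug/2001:15:40:06 -0400] "GET /x.ida?AAAA HTTP/1.0" 400 328
192.0.2.16 - - [13/Aug/2001:15:40:07 -0400] "GET /images/logo.gif HTTP/1.1" 200 5120
"""

# Pulls the request line out of a CLF entry: "METHOD URL HTTP/x.y".
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+"')


def classify_url(url, rules=HTTP_HACKS_RULES):
    """Return the first glob rule the URL matches, or None (match-any, first hit wins)."""
    for rule in rules:
        if fnmatch.fnmatchcase(url, rule):
            return rule
    return None


def scan_log(text, rules=HTTP_HACKS_RULES):
    """Count hits per rule over log text; returns (Counter, [(client_ip, url, rule), ...])."""
    counts = Counter({rule: 0 for rule in rules})
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue  # malformed or non-request line, skip it
        rule = classify_url(m.group("url"), rules)
        if rule:
            counts[rule] += 1
            hits.append((line.split()[0], m.group("url"), rule))
    return counts, hits


if __name__ == "__main__":
    totals, matched = scan_log(SAMPLE_LOG)
    for rule, n in totals.items():
        print(f"{rule:18s} {n} hits")
    for ip, url, rule in matched:
        print(f"{ip:12s} {rule:18s} {url}")
```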



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:49 EDT