Re: [nsp] code-red NBAR fix and MRTG

From: Juan C. Verde (juanc.verde@inycom.es)
Date: Tue Aug 14 2001 - 06:05:08 EDT


Hi

Scott.Keoseyan@BroadWing.com wrote:
>
> Hi,
>
> I recently implemented the suggested code-red NBAR solution on a 7500 I have
> connected to our IP network from our lab. I noted that it appears to
> function as expected, but since I turned it on my MRTG application is unable
> to pull traffic stats from the interface I applied the service-policy to.
> Any ideas? I am using the out-of-the-box MRTG config and polling my ATM
> subif. The MRTG app simply stopped adding data to the graphs around the
> same time I implemented the NBAR. It is polling other interface stats in
> the router just fine.

Could it be a CEF issue? In our experience, enabling CEF on a
3620 stops, at least, the SNMP counters in the CAR-MIB on FastEthernet
subinterfaces with ISL encapsulation. Tested with c3620-is56i-mz.121-5.T9

Cheers
Juan C. Verde

> I did move the IOS on the router to 12.1E to support the NBAR. Could this
> have re-indexed the interfaces with regard to SNMP? Would there be a
> command to display the snmp ifindex table on the router by chance?
>
> Here is the router config:
>
> !
> class-map match-any http-hacks
>  match protocol http url "*default.ida*"
>  match protocol http url "*x.ida*"
>  match protocol http url "*.ida*"
>  match protocol http url "*cmd.exe*"
>  match protocol http url "*root.exe*"
> !
> !
> interface ATM1/1/0.100 point-to-point
>  bandwidth 25000
>  ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
>  ip access-group 2010 in
>  no ip redirects
>  no ip unreachables
>  no ip proxy-arp
>  pvc 0/100
>   protocol ip xxx.xxx.xxx.xxx broadcast
>   encapsulation aal5snap
>  !
>  service-policy input police-inbound-http-hacks
>
> The solution appears to be working. Being that my lab is a stub-node with
> no servers reachable here, there isn't a whole lot of traffic ending up
> here:
>
> Router#sh policy-map int a1/1/0.100
>
>  ATM1/1/0.100
>
>   service-policy input: police-inbound-http-hacks
>
>    class-map: http-hacks (match-any)
>      1917 packets, 2857782 bytes
>      5 minute offered rate 0 bps, drop rate 0 bps
>      match: protocol http url "*default.ida*"
>        1917 packets, 2857782 bytes
>        5 minute rate 0 bps
>      match: protocol http url "*x.ida*"
>        0 packets, 0 bytes
>        5 minute rate 0 bps
>      match: protocol http url "*.ida*"
>        0 packets, 0 bytes
>        5 minute rate 0 bps
>      match: protocol http url "*cmd.exe*"
>        0 packets, 0 bytes
>        5 minute rate 0 bps
>      match: protocol http url "*root.exe*"
>        0 packets, 0 bytes
>        5 minute rate 0 bps
>      police:
>        8000 bps, 4470 limit, 4470 extended limit
>        conformed 1914 packets, 2853246 bytes; action: drop
>        exceeded 3 packets, 4536 bytes; action: drop
>        violated 0 packets, 0 bytes; action: drop
>        conformed 0 bps, exceed 0 bps violate 0 bps
>
> --
> Scott A. Keoseyan (sak@broadwing.com)
> Principal Engineer - Lab Services
> B R O A D W I N G Inc.*
> 1881 Campus Commons, Suite 210
> Reston, Virginia 20191
> (703)391-1831 - (FAX)391-1810
> http://www.broadwing.com/ccielab
> http://www.labyrinth.org/homepages/scott/home.html
>
> * Company name mentioned for identification purposes only.
> These ramblings are my own opinions
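The class-map in the quoted config is a set of NBAR URL wildcards evaluated in order with match-any semantics, which is why the show output above counts all 1917 hits against "*default.ida*" and none against the broader "*.ida*" that follows it. The script below is an added illustration (not Cisco code and not from either poster) that applies the same five patterns, in the same order, to constructed HTTP request lines so the first-match accounting and the overlap between the patterns can be seen offline. It assumes only the `*` wildcard (any run of characters) is needed for these patterns; NBAR's full wildcard syntax is not modelled, and the sample request lines are made up, not captured traffic.

```python
import re

# The five NBAR URL patterns from the posted class-map, in the posted order.
# Assumption: only '*' needs handling; every other character is literal.
HTTP_HACK_PATTERNS = [
    "*default.ida*",
    "*x.ida*",
    "*.ida*",
    "*cmd.exe*",
    "*root.exe*",
]


def glob_to_regex(pattern):
    """Turn a '*'-only wildcard into an anchored, case-insensitive regex."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


COMPILED = [(p, glob_to_regex(p)) for p in HTTP_HACK_PATTERNS]

# Minimal HTTP request-line parser: method, request-target, version.
REQUEST_LINE = re.compile(r"^(GET|POST|HEAD)\s+(\S+)\s+HTTP/\d\.\d$")


def url_of(request_line):
    """Return the request-target of an HTTP request line, or None if malformed."""
    m = REQUEST_LINE.match(request_line.strip())
    return m.group(2) if m else None


def first_match(url):
    """Mirror class-map match-any: the first pattern that matches wins and
    the URL is counted against that match line only."""
    for pat, rx in COMPILED:
        if rx.match(url):
            return pat
    return None


def classify(request_lines):
    """Return per-pattern hit counts plus the number of lines that would be
    sent to the police action (every classified packet, since the policy
    drops conform, exceed and violate alike)."""
    counts = {p: 0 for p in HTTP_HACK_PATTERNS}
    dropped = 0
    for line in request_lines:
        url = url_of(line)
        if url is None:
            continue
        pat = first_match(url)
        if pat is not None:
            counts[pat] += 1
            dropped += 1
    return counts, dropped


# Constructed sample request lines for the demo (not real captured traffic).
SAMPLE_REQUESTS = [
    "GET /default.ida?NNNNNNNNNNNNNNNN%u9090%u6858%ucbd3 HTTP/1.0",  # Code Red probe
    "GET /scripts/root.exe?/c+dir HTTP/1.0",
    "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /index.html HTTP/1.1",
    "GET /reports/quarterly.ida HTTP/1.1",  # legitimate .ida file, still dropped by "*.ida*"
    "GET /images/x.ida HTTP/1.0",           # caught by "*x.ida*" before "*.ida*" is reached
    "not an http request line",
]

if __name__ == "__main__":
    counts, dropped = classify(SAMPLE_REQUESTS)
    for pat in HTTP_HACK_PATTERNS:
        print(f'match: protocol http url "{pat}"  {counts[pat]} packets')
    print(f"policed (dropped): {dropped} packets")
```

Two things the run makes visible: a URL only ever increments one match line, so a pattern that would match many URLs can still show 0 packets if an earlier pattern always fires first, and "*.ida*" and "*cmd.exe*" are broad enough to drop legitimate requests that happen to contain those strings, which matters once the policy is applied somewhere with real servers behind it.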



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:49 EDT