RE: [nsp] code-red NBAR fix and MRTG

From: Scott.Keoseyan@BroadWing.com
Date: Tue Aug 14 2001 - 11:15:01 EDT


Apparently the ifindex was re-indexed when I did the upgrade to support the
NBAR...

Scott

> -----Original Message-----
> From: Juan C. Verde [mailto:juanc.verde@inycom.es]
> Sent: Tuesday, August 14, 2001 11:02 AM
> To: cisco-nsp@puck.nether.net
> Subject: Re: [nsp] code-red NBAR fix and MRTG
>
>
> Hi
>
> Scott.Keoseyan@BroadWing.com wrote:
> >
> > Hi,
> >
> > I recently implemented the suggested code-red NBAR solution on a 7500 I have
> > connected to our IP network from our lab. I noted that it appears to
> > function as expected, but since I turned it on my MRTG application is unable
> > to pull traffic stats from the interface I applied the service-policy to.
> > Any ideas? I am using the out-of-the-box MRTG config and polling my ATM
> > subif. The MRTG app simply stopped adding data to the graphs around the
> > same time I implemented the NBAR. It is polling other interface stats in
> > the router just fine.
>
> Could it be a CEF issue? According to our experience, enabling CEF in a
> 3620 stops, at least, SNMP counters in CAR-MIB in FastEthernet subinterfaces
> with ISL encap. Tested with c3620-is56i-mz.121-5.T9
>
> Cheers
> Juan C. Verde
>
>
> > I did move the IOS on the router to 12.1E to support the NBAR. Could this
> > have re-indexed the interfaces with regard to SNMP? Would there be a
> > command to display the snmp ifindex table on the router by chance?
> >
> > Here is the router config:
> >
> > !
> > class-map match-any http-hacks
> > match protocol http url "*default.ida*"
> > match protocol http url "*x.ida*"
> > match protocol http url "*.ida*"
> > match protocol http url "*cmd.exe*"
> > match protocol http url "*root.exe*"
> > !
> > !
> > interface ATM1/1/0.100 point-to-point
> > bandwidth 25000
> > ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
> > ip access-group 2010 in
> > no ip redirects
> > no ip unreachables
> > no ip proxy-arp
> > pvc 0/100
> > protocol ip xxx.xxx.xxx.xxx broadcast
> > encapsulation aal5snap
> > !
> > service-policy input police-inbound-http-hacks
> >
> > The solution appears to be working. Being that my lab is a stub-node with
> > no servers reachable here, there isn't a whole lot of traffic ending up
> > here:
> >
> > Router#sh policy-map int a1/1/0.100
> >
> > ATM1/1/0.100
> >
> > service-policy input: police-inbound-http-hacks
> >
> > class-map: http-hacks (match-any)
> > 1917 packets, 2857782 bytes
> > 5 minute offered rate 0 bps, drop rate 0 bps
> > match: protocol http url "*default.ida*"
> > 1917 packets, 2857782 bytes
> > 5 minute rate 0 bps
> > match: protocol http url "*x.ida*"
> > 0 packets, 0 bytes
> > 5 minute rate 0 bps
> > match: protocol http url "*.ida*"
> > 0 packets, 0 bytes
> > 5 minute rate 0 bps
> > match: protocol http url "*cmd.exe*"
> > 0 packets, 0 bytes
> > 5 minute rate 0 bps
> > match: protocol http url "*root.exe*"
> > 0 packets, 0 bytes
> > 5 minute rate 0 bps
> > police:
> > 8000 bps, 4470 limit, 4470 extended limit
> > conformed 1914 packets, 2853246 bytes; action: drop
> > exceeded 3 packets, 4536 bytes; action: drop
> > violated 0 packets, 0 bytes; action: drop
> > conformed 0 bps, exceed 0 bps violate 0 bps
> >
> > --
> > Scott A. Keoseyan (sak@broadwing.com)
> > Principal Engineer - Lab Services
> > B R O A D W I N G Inc.*
> > 1881 Campus Commons, Suite 210
> > Reston, Virginia 20191
> > (703)391-1831 - (FAX)391-1810
> > http://www.broadwing.com/ccielab
> > http://www.labyrinth.org/homepages/scott/home.html
> >
> > * Company name mentioned for identification purposes only.
> > These ramblings are my own opinions
>
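The re-indexing Scott describes is exactly what silently breaks MRTG targets keyed by ifIndex. As an added example (not code from this thread or from MRTG itself), the following Python compares a cfgmaker-generated MRTG config against a fresh walk of IF-MIB::ifDescr and reports every Target whose configured ifIndex no longer points at the interface it was generated for; the hostname, community string, sample config and walk output are constructed.

```python
import re
# Constructed sample input (not from the thread): a cfgmaker-style MRTG config written
# before the IOS upgrade and a walk of IF-MIB::ifDescr taken after it. The ATM
# subinterface's ifIndex has moved from 19 to 21; FastEthernet0/0/0 is unchanged.
MRTG_CFG = """\
### Interface 1 >> Descr: 'FastEthernet0/0/0' | Name: '' | Ip: '' | Eth: '' ###
Target[lab7500_1]: 1:public@lab7500
### Interface 19 >> Descr: 'ATM1/1/0.100-atm subif' | Name: '' | Ip: '' | Eth: '' ###
Target[lab7500_19]: 19:public@lab7500
"""
IFDESCR_WALK = """\
IF-MIB::ifDescr.1 = STRING: FastEthernet0/0/0
IF-MIB::ifDescr.18 = STRING: ATM1/1/0
IF-MIB::ifDescr.20 = STRING: ATM1/1/0-aal5 layer
IF-MIB::ifDescr.21 = STRING: ATM1/1/0.100-atm subif
"""
DESCR_RE = re.compile(r"^IF-MIB::ifDescr\.(\d+) = STRING: (.*)$")
COMMENT_RE = re.compile(r"^### Interface (\d+) >> Descr: '([^']*)'")
TARGET_RE = re.compile(r"^Target\[([^\]]+)\]:\s*(\d+):")

def parse_ifdescr(walk_text):
    """Map ifDescr string -> ifIndex from snmpwalk text output."""
    table = {}
    for line in walk_text.splitlines():
        m = DESCR_RE.match(line.strip())
        if m:
            table[m.group(2).strip()] = int(m.group(1))
    return table

def parse_mrtg_targets(cfg_text):
    """Yield (target, ifIndex, descr) from the cfgmaker comment above each Target."""
    descr = None
    for line in cfg_text.splitlines():
        c = COMMENT_RE.match(line)
        if c:
            descr = c.group(2)  # '### Interface N >> Descr: ...' precedes its Target
            continue
        t = TARGET_RE.match(line)
        if t:
            yield t.group(1), int(t.group(2)), descr
            descr = None

def find_stale_targets(cfg_text, walk_text):
    """Return {target: (configured ifIndex, current ifIndex or None)} for stale Targets."""
    current = parse_ifdescr(walk_text)
    stale = {}
    for name, idx, descr in parse_mrtg_targets(cfg_text):
        if descr is not None and current.get(descr) != idx:
            stale[name] = (idx, current.get(descr))
    return stale
```

Running the check after any IOS upgrade catches the gap before the graphs go flat; cfgmaker's --ifref=descr option keys targets by description instead of ifIndex and avoids the problem at the source.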



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:49 EDT