【Lab Description】


 
Configure the router to filter traffic based on application-level criteria

 
【Lab Topology】

IOS: c2691-advsecurityk9-mz.124-11.T2.bin

 

[Figure 1: Using NBAR to Filter Traffic]

【Lab Configuration Steps】
  • Configure the network shown in the topology above as "Standard NAT with Overloading (PAT)", following the corresponding lab in the IP Services section
  • Enable CEF on R4
  • On R4, create class-map IMAGES matching any HTTP URL that contains .gif, .jpeg or .jpg; note the difference between match-any and match-all: one is OR, the other is AND
  • Create policy-map DROP_IMAGES and drop the traffic that falls into class IMAGES
  • Apply policy-map DROP_IMAGES inbound on R4's serial interface

 
【Lab Configuration】

 
R4:
ip cef
!
class-map match-any IMAGES
 match protocol http url "*.gif"
 match protocol http url "*.jpeg|*.jpg"
!
policy-map DROP_IMAGES
 class IMAGES
  drop
!
interface Serial 0/1
 service-policy input DROP_IMAGES
!
interface Serial 0/0.1
 service-policy input DROP_IMAGES
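The class-map semantics the step list calls out (match-any as OR, match-all as AND) applied to the two URL statements from the R4 configuration, as an added Python model that is not part of the lab or of IOS. The HTTP request lines are constructed to mirror the files R1 fetches during verification, and the fnmatch-based glob matching is an assumption that simplifies NBAR's own URL matching.

```python
import fnmatch
from collections import Counter

# Class-map from the lab configuration on R4, parsed here as plain text.
IMAGES_CLASS_MAP = """\
class-map match-any IMAGES
 match protocol http url "*.gif"
 match protocol http url "*.jpeg|*.jpg"
"""

# Constructed HTTP request lines, one per file R1 fetched from R5 in the lab.
REQUEST_LINES = ["GET /test.txt HTTP/1.1", "GET /test.gif HTTP/1.1",
                 "GET /test.jpeg HTTP/1.1", "GET /test.jpg HTTP/1.1"]

def parse_class_map(text):
    """Return (name, mode, url_patterns) from a class-map block."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    _, mode, name = lines[0].split()
    prefix = "match protocol http url "
    patterns = [ln[len(prefix):].strip('"') for ln in lines[1:] if ln.startswith(prefix)]
    return name, mode, patterns

def url_statement_hits(pattern, request_line):
    """One 'match protocol http url' statement: '|' separates alternatives, '*' is a
    wildcard. Modelled with fnmatch; NBAR's exact anchoring/case rules are an assumption."""
    uri = request_line.split()[1]
    return any(fnmatch.fnmatchcase(uri, alt) for alt in pattern.split("|"))

def in_class(mode, patterns, request_line):
    """match-any ORs the statements together, match-all ANDs them."""
    hits = [url_statement_hits(p, request_line) for p in patterns]
    return (any(hits) if mode == "match-any" else all(hits)), hits

def run_drop_policy(class_map_text, request_lines):
    """Emulate 'policy-map DROP_IMAGES / class IMAGES / drop': return the dropped URIs
    and per-statement hit counts, as 'show policy-map interface' reports them."""
    _, mode, patterns = parse_class_map(class_map_text)
    dropped, counts = [], Counter({p: 0 for p in patterns})
    for line in request_lines:
        matched, hits = in_class(mode, patterns, line)
        for pat, hit in zip(patterns, hits):
            counts[pat] += hit
        if matched:
            dropped.append(line.split()[1])
    return dropped, dict(counts)

if __name__ == "__main__":
    print(run_drop_policy(IMAGES_CLASS_MAP, REQUEST_LINES))
    # The same two statements under match-all never fire: no URI ends in both.
    print(run_drop_policy(IMAGES_CLASS_MAP.replace("match-any", "match-all"), REQUEST_LINES))
```

Under match-all the two statements can never both be true for one request, so the class would drop nothing, which is the OR/AND pitfall the steps warn about.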

 
【Lab Verification】

 
The verification did not succeed; for now, the results from the document are pasted below.

 
R5#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R5(config)#ip http server
R5(config)#ip http path flash:
R5(config)#do copy start flash:test.gif
Destination filename [test.gif]?
Erase flash: before copying? [confirm]n
Verifying checksum... OK (0x10CB)
1668 bytes copied in 0.288 secs (5792 bytes/sec)
R5(config)#do copy start flash:test.jpg
Destination filename [test.jpg]?
Erase flash: before copying? [confirm]n
Verifying checksum... OK (0x10CB)
1668 bytes copied in 0.300 secs (5560 bytes/sec)
R5(config)#do copy start flash:test.jpeg
Destination filename [test.jpeg]?
Erase flash: before copying? [confirm]n
Verifying checksum... OK (0x10CB)
1668 bytes copied in 0.288 secs (5792 bytes/sec)
R5(config)#do copy start flash:test.txt
Destination filename [test.txt]?
Erase flash: before copying? [confirm]n
Verifying checksum... OK (0x10CB)
1668 bytes copied in 0.294 secs (5670 bytes/sec)

R1#copy http://150.1.5.5/test.txt null:
Loading http://150.1.5.5/test.txt !
1668 bytes copied in 2.496 secs (668 bytes/sec)
R1#copy http://150.1.5.5/test.gif null:
%Error opening http://150.1.5.5/test.gif (I/O error)
R1#copy http://150.1.5.5/test.jpeg null:
%Error opening http://150.1.5.5/test.jpeg (I/O error)
R1#copy http://150.1.5.5/test.jpg null:
%Error opening http://150.1.5.5/test.jpg (I/O error)

R4#show policy-map interface serial 0/0.1
 Serial0/0.1

  Service-policy input: DROP_IMAGES

    Class-map: IMAGES (match-any)
      24 packets, 4971 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol http url "*.jpeg|*.jpg"
        16 packets, 3314 bytes
        5 minute rate 0 bps
      Match: protocol http url "*.gif"
        8 packets, 1657 bytes
        5 minute rate 0 bps
      drop

    Class-map: class-default (match-any)
      70 packets, 7822 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any