QoS: How to classify RDP traffic?

comp.dcom.sys.cisco

Posted by Peter Danes on July 11, 2008, 11:41 am
Hi All,

I am trying to classify RDP traffic to mark it with a DSCP value but I
can't seem to get my ACL to pick it up. The router is a Cisco 877 and I
can't see an RDP option using NBAR either.

I have tried the following with no luck:

permit tcp any eq 3389 any eq 3389
permit tcp any any eq 3389
permit tcp any eq 3389 any

Can anyone think of a way to classify RDP traffic?

Kind Regards

Peter

Pure Networks
Posted by Bod43 on July 12, 2008, 6:08 am

RDP traffic uses, as you correctly surmise, TCP port 3389.
The server listens on that port and the client connects to it.

The access list:

permit tcp any any eq 3389
permit tcp any eq 3389 any

WILL match it if applied.

It may also match some small amount of other traffic
in the event that the source port is 3389.

Slightly safer is:

permit tcp any any eq 3389 ! server on destination side
permit tcp any eq 3389 any established

If you do a sh access-l the output should show a hit counter.

Extended IP access list ACL.family.in
    10 permit ip any host 172.20.146.1 (3 matches)
    20 permit udp host 172.20.146.22 10.88.37.0 0.0.0.255 eq netbios-ns log
    30 deny ip any 10.0.0.0 0.255.255.255 log
    40 deny ip any 192.168.0.0 0.0.255.255 log
    50 deny ip any 172.0.0.0 0.31.255.255 log (924 matches)
    60 permit ip any any (725756 matches)


If you post the rest of the config someone may be
able to make some suggestions.

Bits are pretty cheap now so I think you should post
the whole config after sanitising it for items that you wish
to remain private e.g. passwords and public IP addresses.
Even encrypted passwords. Non "secret" passwords are weakly
encrypted.

sh tech includes a sh run that has had the passwords removed
already.

Please don't post the whole sh tech though :-)

I recommend replacing, say, the first two octets of the public address
with something else:
Search 123.234.
Replace X.Y.


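The point Bod43 makes about source ports is worth seeing on actual segments. The following is an added example, not code from the thread: a small model of how an IOS extended entry (source port, destination port, the stateless `established` flag test, which passes any segment with ACK or RST set) is matched against a TCP segment, run over three constructed segments on documentation addresses. It shows why `permit tcp any eq 3389 any eq 3389` never matches a real RDP session (the client side uses an ephemeral port), that `any any eq 3389` catches the client-to-server direction and `any eq 3389 any` the return direction, and the caveat: `established` does not track connections, so a host that chooses source port 3389 and sets ACK is still classified, and thus still gets into whatever queue the entry feeds.

```python
"""Which access-list entries match which segments.

Added example, not code from the thread. Addresses and ports are
hypothetical (RFC 5737 documentation ranges).
"""
from dataclasses import dataclass
from typing import List, Optional

RDP_PORT = 3389


@dataclass(frozen=True)
class Segment:
    """A TCP segment as the ACL sees it: addresses, ports and the two
    flags that 'established' inspects (ACK or RST set)."""
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool
    rst: bool = False


@dataclass(frozen=True)
class Ace:
    """One 'permit tcp' entry. None for a port means 'any'."""
    text: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    established: bool = False

    def matches(self, seg: Segment) -> bool:
        if self.sport is not None and seg.sport != self.sport:
            return False
        if self.dport is not None and seg.dport != self.dport:
            return False
        # IOS 'established' is stateless: it only checks ACK or RST.
        if self.established and not (seg.ack or seg.rst):
            return False
        return True


# The four entries discussed in the thread, in the order they were tried.
CANDIDATES: List[Ace] = [
    Ace("permit tcp any eq 3389 any eq 3389", sport=RDP_PORT, dport=RDP_PORT),
    Ace("permit tcp any any eq 3389", dport=RDP_PORT),
    Ace("permit tcp any eq 3389 any", sport=RDP_PORT),
    Ace("permit tcp any eq 3389 any established", sport=RDP_PORT, established=True),
]

# Constructed traffic, not captured from the poster's network.
CLIENT_SYN = Segment("192.0.2.10", 51234, "198.51.100.5", RDP_PORT, ack=False)
SERVER_REPLY = Segment("198.51.100.5", RDP_PORT, "192.0.2.10", 51234, ack=True)
# A host that picks source port 3389 itself and sets ACK while talking to 445.
SPOOFED = Segment("203.0.113.9", RDP_PORT, "198.51.100.5", 445, ack=True)


def matching_aces(seg: Segment, aces: List[Ace] = CANDIDATES) -> List[str]:
    """Return the text of every candidate entry that matches the segment."""
    return [a.text for a in aces if a.matches(seg)]


def report() -> dict:
    """Matches per constructed segment, keyed by a short label."""
    return {
        "client_syn": matching_aces(CLIENT_SYN),
        "server_reply": matching_aces(SERVER_REPLY),
        "spoofed_sport": matching_aces(SPOOFED),
    }


if __name__ == "__main__":
    for label, hits in report().items():
        print(f"{label}: {hits or ['(no match)']}")
```

The first entry matches nothing in any of the three cases; the spoofed segment matches both source-port entries, with or without `established`. If the entries feed a priority queue rather than a filter, the practical consequence is that the queue is open to anyone on the path who can set a source port.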
Posted by Peter Danes on July 12, 2008, 9:36 am
Hi Bod43,

Thanks so much for offering to help.

I've done one better and extracted the QoS config for you and also the
show access-list 110 output:

class-map match-any high
 match protocol sip
 match protocol rtp
 match access-group 110
class-map match-any medium
 match protocol http
 match protocol smtp
 match protocol pop3
class-map match-any low
 match protocol bittorrent
 match protocol nntp
!
class-map match-all match-low
 match dscp af11
class-map match-all match-medium
 match dscp af41
class-map match-all match-high
 match dscp ef
!
policy-map queue-on-dscp
 class match-high
  priority percent 50
 class match-medium
  priority percent 20
 class match-low
  bandwidth remaining percent 20
  random-detect
 class class-default
  fair-queue
  random-detect
!
policy-map classmark
 class high
  set ip dscp ef
 class medium
  set ip dscp af41
 class low
  set ip dscp af11
 class class-default
!
interface ATM0
 pvc 8/35
  ubr 1200
  tx-ring-limit 3
  service-policy output queue-on-dscp
!
interface Vlan1
 service-policy input classmark
 ip nbar protocol-discovery
!
access-list 110 permit tcp any any eq 6112
access-list 110 permit icmp any any
access-list 110 permit tcp any any eq 3389
access-list 110 permit tcp any eq 3389 any

GW#sh access-list 110
Extended IP access list 110
    10 permit tcp any eq 3389 any eq 3389
    20 permit tcp any eq 6112 any (86045 matches)
    30 permit tcp any any eq 6112
    40 permit icmp any any (9616 matches)
    50 permit tcp any any eq 3389
    60 permit tcp any eq 3389 any


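Bod43's suggestion to read the hit counters is the right first check, and the posted output makes two things visible: every 3389 entry sits at zero matches, and the six entries the router displays for ACL 110 are not the four lines in the posted running config (the displayed list carries `permit tcp any eq 3389 any eq 3389` and `permit tcp any eq 6112 any` as well). The following is an added example, not code from the thread: it parses `show access-list` output, reports entries that have never matched, and diffs the displayed entries against the `access-list 110 ...` lines of the config. The two listings embedded as sample input are copied from the post above. One caveat when interpreting the result: an ACL referenced only from a class-map may not update these counters at all, so `show policy-map interface Vlan1`, which reports per-class packet counts, is the companion check.

```python
"""Parse 'show access-list' output and check the hit counters.

Added example, not code from the thread. The sample strings below are
the listings the poster included; nothing else is assumed about the router.
"""
import re
from typing import Dict, List, Set, Tuple

# Sample input: the 'GW#sh access-list 110' output from the thread.
SHOW_ACL_110 = """\
Extended IP access list 110
    10 permit tcp any eq 3389 any eq 3389
    20 permit tcp any eq 6112 any (86045 matches)
    30 permit tcp any any eq 6112
    40 permit icmp any any (9616 matches)
    50 permit tcp any any eq 3389
    60 permit tcp any eq 3389 any
"""

# Sample input: the 'access-list 110 ...' lines from the posted running config.
RUNNING_CONFIG_110 = """\
access-list 110 permit tcp any any eq 6112
access-list 110 permit icmp any any
access-list 110 permit tcp any any eq 3389
access-list 110 permit tcp any eq 3389 any
"""

HEADER_RE = re.compile(r"^(?:Extended|Standard) IP access list (\S+)\s*$")
# '(N matches)' is only printed when the counter is non-zero.
ACE_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<rule>(?:permit|deny)\s.*?)"
    r"(?:\s+\((?P<hits>\d+) matches\))?\s*$"
)
CONFIG_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?P<rule>(?:permit|deny)\s.*?)\s*$"
)


def parse_show_access_list(text: str) -> Dict[str, List[dict]]:
    """Map ACL name -> list of {'seq', 'rule', 'hits'} in display order."""
    acls: Dict[str, List[dict]] = {}
    current = None
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            current = h.group(1)
            acls.setdefault(current, [])
            continue
        m = ACE_RE.match(line)
        if m and current is not None:
            acls[current].append({
                "seq": int(m.group("seq")),
                "rule": m.group("rule"),
                "hits": int(m.group("hits") or 0),  # absent counter means 0
            })
    return acls


def parse_running_config(text: str) -> Dict[str, Set[str]]:
    """Map ACL name -> set of rules from 'access-list <name> ...' lines."""
    acls: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        m = CONFIG_RE.match(line)
        if m:
            acls.setdefault(m.group("name"), set()).add(m.group("rule"))
    return acls


def zero_hit_sequences(entries: List[dict]) -> List[int]:
    """Sequence numbers of entries that have never matched."""
    return [e["seq"] for e in entries if e["hits"] == 0]


def compare_with_config(entries: List[dict],
                        config_rules: Set[str]) -> Tuple[Set[str], Set[str]]:
    """(rules the router displays but the config lacks,
        rules the config has but the router does not display)."""
    shown = {e["rule"] for e in entries}
    return shown - config_rules, config_rules - shown


if __name__ == "__main__":
    acl = parse_show_access_list(SHOW_ACL_110)["110"]
    cfg = parse_running_config(RUNNING_CONFIG_110)["110"]
    print("never matched:", zero_hit_sequences(acl))
    extra, missing = compare_with_config(acl, cfg)
    print("displayed but not in config:", sorted(extra))
    print("in config but not displayed:", sorted(missing))
```

Run against the sample it reports sequences 10, 30, 50 and 60 as never matched, and two displayed rules absent from the config. Whatever the explanation on the poster's router, that is the listing to reconcile before changing the class-map.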
Posted by Mr. Nobody on July 12, 2008, 12:00 pm
Are you trying to restrict the traffic, mark it or route it, or a combination
thereof?




Posted by Peter Danes on July 13, 2008, 3:24 am
Hi There,

I'm trying to classify and mark it so I can put that traffic in a
priority queue.

