TP2010

Latest revision as of 09:44, 5 April 2022

Info
- Proxy: Squid
  - Watch the FDs (file descriptors)
  - WCCP
    - Squid in transparent mode; iptables redirects the port
- Shaping on Cisco
  - Netflow: http://forums.cacti.net/about12393.html
  - Shaping basics: http://slaptijack.com/networking/easy-traffic-shaping-in-cisco-ios/
  - http://wiki.nil.com/Traffic_shaping_in_Cisco_IOS
  - Explanation: http://www.cisco.com/en/US/docs/ios/12_1t/12_1t2/feature/guide/clsbsshp.html#wp1025965

First the definitions (class-maps):
 class-map match-all HTTP
  match protocol http
 class-map match-any HighPrio
  match packet length max 384
  match protocol icmp

Then the policy:
 policy-map blaa
  class HTTP
   shape average 10000000

And then apply it to the interface (outbound):
 interface fa0/0
  service-policy output blaa
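The router side of the WCCP / transparent-Squid setup from the list above, as an added example; this is not configuration from the original page. The Squid address 10.9.0.10, the ACL names and the service-group password are assumptions; the 10.9.0.0/24 LAN on Vlan1 is the subnet used in the v1 test config below.

```cisco
! WCCPv2: intercept client HTTP on the LAN VLAN and hand it to Squid.
! Assumptions (not from the page): Squid at 10.9.0.10 on Vlan1,
! clients in 10.9.0.0/24, router is 10.9.0.1.
!
! Squid's own outgoing fetches must never be redirected, otherwise the
! cache's requests loop straight back into the cache. Clients on the same
! VLAN are redirected for port 80 only.
ip access-list extended WCCP-REDIRECT
 deny tcp host 10.9.0.10 any eq www
 permit tcp 10.9.0.0 0.0.0.255 any eq www
!
! Only this host may join the service group. Without a group-list, any
! host on the LAN could register as a cache and receive every intercepted
! HTTP session of every client.
ip access-list standard WCCP-CACHES
 permit 10.9.0.10
!
! Service group 0 (web-cache), restricted by both ACLs and protected with a
! password (example value) that the cache must also be configured with.
ip wccp web-cache redirect-list WCCP-REDIRECT group-list WCCP-CACHES password 0 Wccp-Example
!
interface Vlan1
 ! Redirect on ingress from the LAN side, where the clients (and Squid) sit;
 ! the redirect-list above keeps Squid's own traffic out of the redirect.
 ip wccp web-cache redirect in
```

The Squid side is not shown: it needs a `wccp2_router 10.9.0.1` entry with the matching service password, a GRE tunnel on which the redirected packets arrive, an `http_port` in intercept mode (`transparent` on older Squid versions), and the iptables REDIRECT from port 80 to the Squid port that the list item refers to. Raise Squid's file-descriptor limit before putting it in the path, as the first list item warns. Check with `show ip wccp web-cache detail` that exactly one cache (the Squid host) is registered.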
                 [ INET ]
                     |
              _______|_______
             |  Cisco 2811   |
             |_______________|
                     |
              _______|_______
             |  Cisco 3750   |
             |_______________|
                 | | | |
                 | | | |
            _____|_|_|_|_____          ___
           /                 \        /  /|
          |        LAN        |------|   | |  <-- Squid
           \_________________/       |___|/
                     |                 ___
                     |________________|   |  <-- Client
                                      |___|
Testconfig (v1)
class-map match-all HTTP
 match protocol http
class-map match-all Prio
class-map match-any SSH
 match protocol ssh
class-map match-all High
 match class-map SSH
class-map match-any HTTPS
 match access-group name HTTPS
class-map match-any Normal
 match class-map HTTP
 match class-map HTTPS
class-map match-any Prios
 match class-map Normal
 match class-map High
class-map match-all Downstream
 match class-map Prios
! Web is not referenced by any policy-map. Note that match-all on two
! port-disjoint classes (HTTP and HTTPS) can never match a packet.
class-map match-all Web
 match class-map HTTP
 match class-map HTTPS
class-map match-all Low
!
!
! Prio and Low are empty placeholders. High and Normal are child policies
! nested under Prios, which is itself nested under the Downstream shaper.
policy-map Prio
policy-map High
 class SSH
policy-map Normal
 class HTTP
  police rate percent 70
   violate-action drop
 class HTTPS
policy-map Prios
 class Normal
  bandwidth percent 70
  service-policy Normal
 class High
  bandwidth percent 30
  service-policy High
policy-map Downstream
 class Downstream
  shape average 1000000
  service-policy Prios
 class class-default
  shape average 100000
policy-map Low
!
interface FastEthernet0
 ip address 192.168.38.249 255.255.255.0
 ip broadcast-address 0.0.0.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Vlan1
 ip address 10.9.0.1 255.255.255.0
 ip broadcast-address 0.0.0.0
 ip nat inside
 ip virtual-reassembly
 ! Output on Vlan1 is the LAN-bound (downstream) direction; the v5 note
 ! below explains why shaping in this direction does not help.
 service-policy output Downstream
!
ip route 0.0.0.0 0.0.0.0 192.168.38.1
!
! The HTTP ACL is unused here: class-map HTTP matches via NBAR (match protocol).
ip access-list extended HTTP
 permit tcp any any eq www
ip access-list extended HTTPS
 permit tcp any any eq 443
ip access-list extended Mail
 permit tcp any any eq pop3
 permit tcp any any eq 143
 permit tcp any any eq 993
 permit tcp any any eq 995
 permit tcp any any eq smtp
!
Testconfig (v5)
Once traffic has already arrived on our side there is no point in shaping it: by then the provider's queue has already filled up. The trick is therefore to shape upstream (the upload toward the ISP), so that the queue forms on our own router, where we control it. (WAN-out-shape)
Downstream we can only police; dropping the excess makes the TCP senders back off, which slows those sessions down. (WAN-in-police)
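The WAN-out-shape / WAN-in-police split described above, written out as an added example; this is not configuration from the original page. It assumes FastEthernet0 is the WAN port (as in the v1 config) on a 10 Mbit/s upstream link; the rates, burst size and the class and policy names are assumptions. It also goes one step further than the note by queueing inside the shaper, so that small interactive packets (the idea behind the HighPrio class-map in the Info section) are served first.

```cisco
! Assumptions (not from the page): fa0 is the WAN side, 10 Mbit/s upstream.
! Shaping to 95% of the ISP rate keeps the ISP's queue empty, so the only
! queue that ever builds is the one on this router.
!
! Interactive traffic: SSH, and anything with small packets (keystrokes,
! ACKs, DNS, VoIP-sized frames). Same idea as the HighPrio class-map above.
class-map match-any Interactive
 match protocol ssh
 match packet length max 384
!
! Child policy: how the shaped bandwidth is divided once the shaper queues.
! Interactive gets a strict-priority (LLQ) share, everything else is
! fair-queued so one bulk upload cannot starve the others.
policy-map Queue-Up
 class Interactive
  priority percent 20
 class class-default
  fair-queue
!
! Parent policy: shape the whole WAN output, then apply the child queueing
! policy inside the shaper (HQF nesting).
policy-map WAN-out-shape
 class class-default
  shape average 9500000
  service-policy Queue-Up
!
! Downstream cannot be shaped (the bottleneck is already behind the packets),
! so police instead. The exceed drop is what makes TCP senders slow down.
! bc 1187500 bytes = one second at the policed rate; tune lower for less burst.
policy-map WAN-in-police
 class class-default
  police cir 9500000 bc 1187500
   conform-action transmit
   exceed-action drop
!
interface FastEthernet0
 service-policy output WAN-out-shape
 service-policy input WAN-in-police
```

Verify with `show policy-map interface FastEthernet0`: under a saturated upload the shaper's queue depth and the Interactive class counters should move, while the ISP-side latency stays flat; the policer's exceed counter on the input side shows how much downstream traffic is being clipped.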
Services
ACL
Notes: FTP, IPsec, PPTP and L2TP: keep matching these with NBAR?
(TO BE UPDATED)
Gaming
WoW
- TCP: 3724, 6112, 6881-6999
- Game: TCP 1119 & 3724
- Voice: UDP 3724
- Downloader (updates): TCP 6112 & 6881-6999
Steam
Steam Client
- UDP 27000 to 27015 inclusive (game client traffic)
- UDP 27015 to 27030 inclusive (typically matchmaking and HLTV)
- TCP 27014 to 27050 inclusive (Steam downloads)
- UDP 4380
Dedicated or Listen Servers
- TCP 27015 (SRCDS Rcon port)
Steamworks P2P Networking and Steam Voice Chat
- UDP 3478 (outbound)
- UDP 4379 (outbound)
- UDP 4380 (outbound)
Additional Ports for Call of Duty: Modern Warfare 2 Multiplayer
- UDP 1500 (outbound)
- UDP 3005 (outbound)
- UDP 3101 (outbound)
- UDP 28960
IM
MSN
 Feature                                Ports
 Sign in to the Messenger service       TCP 80, 443, 1863
 Network Detection                      TCP 7001; UDP 9, 7001
 Audio                                  TCP 80, 443, 1863; TCP/UDP 30000 - 65535
 Audio (Legacy)                         UDP 5004 - 65535
 Webcam and Video Conversations         TCP 80; TCP/UDP 5000 - 65535
 File Transfer                          TCP 443, 1863; TCP/UDP 1025 - 65535
 File Transfer (Legacy)                 TCP 6891 - 6900
 Sharing Folders                        TCP 1863; TCP/UDP 1025 - 65535
 Whiteboard and Application Sharing     TCP 1503
 Remote Assistance                      TCP 3389; TCP/UDP 49152 - 65535
 Windows Live Call                      TCP 443, 5061; UDP 5004 - 65525
 Games                                  TCP 80, 443, 1863; TCP/UDP 1025 - 65535
Skype
Not possible to pin down by port?
IRC
TCP 6667
ICQ
TCP 5190
Blocked
Torrent
Classify on protocol headers? Is blocking it necessary at all if we do not allow inbound connections?
NNTP
TCP 119
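The port notes above turned into ACLs and classes, as an added example; this is not configuration from the original page. The ports are the ones listed above, while the ACL, class and policy names and the bandwidth percentages are assumptions. The policy is meant as the child (queueing) policy inside an outbound shaper, which is where bandwidth percentages are valid. It covers the Gaming, IM and Blocked groups together, so the whole services list is served by this one block.

```cisco
! Assumptions (not from the page): names and percentages. Direction is
! LAN client -> server, so the destination port is matched.
ip access-list extended ACL-Gaming
 remark World of Warcraft: game, voice and downloader
 permit tcp any any eq 1119
 permit tcp any any eq 3724
 permit udp any any eq 3724
 permit tcp any any eq 6112
 ! 6881-6999 is also the classic BitTorrent range (the WoW downloader is
 ! BitTorrent-based), so plain torrent traffic on these ports lands in
 ! Gaming too. Port matching cannot tell the two apart.
 permit tcp any any range 6881 6999
 remark Steam client, matchmaking, downloads
 permit udp any any range 27000 27030
 permit tcp any any range 27014 27050
 remark Steamworks P2P and voice
 permit udp any any eq 3478
 permit udp any any range 4379 4380
!
! IM: only the distinctive ports. MSN's sign-in over 80/443 is
! indistinguishable from web traffic by port, so it stays in the web class.
ip access-list extended ACL-IM
 remark MSN Messenger
 permit tcp any any eq 1863
 remark IRC
 permit tcp any any eq 6667
 remark ICQ
 permit tcp any any eq 5190
!
ip access-list extended ACL-Blocked
 remark NNTP
 permit tcp any any eq 119
!
class-map match-any Gaming
 match access-group name ACL-Gaming
class-map match-any IM
 match access-group name ACL-IM
class-map match-any Blocked
 match access-group name ACL-Blocked
!
! Child policy for an outbound shaper: Blocked is dropped outright, the
! other classes get a guaranteed share, the rest is fair-queued.
policy-map Services
 class Blocked
  drop
 class Gaming
  bandwidth percent 20
 class IM
  bandwidth percent 5
 class class-default
  fair-queue
```

Dropping in the output policy only stops sessions the LAN initiates; the open question above about torrents (whether anything more is needed when inbound connections are not permitted) is about the NAT/firewall side and is not answered by this policy. Protocols that move ports, such as FTP data or the P2P clients, are better left to NBAR (`match protocol`) as the notes suggest.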
Analysis
DNS
IPTraf: packet distribution by size, interface eth0 (elapsed time 0:05)

 Packet size (bytes)   Count      Packet size (bytes)   Count
 1 to 75               6118       751 to 825            0
 76 to 150             6710       826 to 900            0
 151 to 225            900        901 to 975            0
 226 to 300            329        976 to 1050           0
 301 to 375            130        1051 to 1125          1
 376 to 450            154        1126 to 1200          0
 451 to 525            101        1201 to 1275          0
 526 to 600            42         1276 to 1350          0
 601 to 675            4          1351 to 1425          0
 676 to 750            0          1426 to 1500+         2

 Interface MTU is 1500 bytes, not counting the data-link header.
 Maximum packet size is the MTU plus the data-link header length.
 Packet size computations include data-link headers, if any.
SSH
IPTraf service statistics for port 22:

 Proto/Port   Pkts   Bytes   PktsTo   BytesTo   PktsFrom   BytesFrom
 TCP/22       621    87044   311      16220     310        70824

Total: 621 packets, 87044 bytes = 140 bytes per packet on average.
To port 22 (client -> server): 311 packets, 16220 bytes = 52 bytes per packet.
From port 22 (server -> client): 310 packets, 70824 bytes = 228 bytes per packet.
Interactive SSH therefore stays well under the 384-byte "small packet" limit used for the HighPrio class-map above, in both directions.