QoS: How to classify RDP traffic?
Posted by Peter Danes on July 11, 2008, 11:41 am
I am trying to classify RDP traffic to mark it with a DSCP value but I can't seem to get my ACL to pick it up. The router is a Cisco 877 and I can't see an RDP option using NBAR either.

I have tried the following with no luck:

    permit tcp any eq 3389 any eq 3389
    permit tcp any any eq 3389
    permit tcp any eq 3389 any

Can anyone think of a way to classify RDP traffic?

Kind Regards
Peter
Posted by Bod43 on July 12, 2008, 6:08 am

RDP traffic uses, as you correctly surmise, TCP port 3389. The server listens on that port and the client connects to it.

The access list:

    permit tcp any any eq 3389
    permit tcp any eq 3389 any

WILL match it if applied. It may also match some small amount of other traffic in the event that the source port is 3389.

Slightly safer is:

    permit tcp any any eq 3389                 ! server on destination side
    permit tcp any eq 3389 any established

If you do a sh access-l the output should show a hit counter.

    Extended IP access list ACL.family.in
        10 permit ip any host 172.20.146.1 (3 matches)
        20 permit udp host 172.20.146.22 10.88.37.0 0.0.0.255 eq netbios-ns log
        30 deny ip any 10.0.0.0 0.255.255.255 log
        40 deny ip any 192.168.0.0 0.0.255.255 log
        50 deny ip any 172.0.0.0 0.31.255.255 log (924 matches)
        60 permit ip any any (725756 matches)

If you post the rest of the config someone may be able to make some suggestions.

Bits are pretty cheap now, so I think you should post the whole config after sanitising it for items that you wish to remain private, e.g. passwords and public IP addresses. Even encrypted passwords: non-"secret" passwords are weakly encrypted.

sh tech includes a sh run that has had the passwords removed already. Please don't post the whole sh tech though :-)

I recommend replacing, say, the first two octets of the public address with something else: search 123.234., replace X.Y.
Posted by Peter Danes on July 12, 2008, 9:36 am

Hi Bod43,

Thanks so much for offering to help. I've done one better and extracted the QoS config for you and also the show access-list 110 output:

    class-map match-any high
     match protocol sip
     match protocol rtp
     match access-group 110
    class-map match-any medium
     match protocol http
     match protocol smtp
     match protocol pop3
    class-map match-any low
     match protocol bittorrent
     match protocol nntp
    !
    class-map match-all match-low
     match dscp af11
    class-map match-all match-medium
     match dscp af41
    class-map match-all match-high
     match dscp ef
    !
    policy-map queue-on-dscp
     class match-high
      priority percent 50
     class match-medium
      priority percent 20
     class match-low
      bandwidth remaining percent 20
      random-detect
     class class-default
      fair-queue
      random-detect
    !
    policy-map classmark
     class high
      set ip dscp ef
     class medium
      set ip dscp af41
     class low
      set ip dscp af11
     class class-default
    !
    interface ATM0
     pvc 8/35
      ubr 1200
      tx-ring-limit 3
      service-policy output queue-on-dscp
    !
    interface Vlan1
     service-policy input classmark
     ip nbar protocol-discovery
    !
    access-list 110 permit tcp any any eq 6112
    access-list 110 permit icmp any any
    access-list 110 permit tcp any any eq 3389
    access-list 110 permit tcp any eq 3389 any

    GW#sh access-list 110
    Extended IP access list 110
        10 permit tcp any eq 3389 any eq 3389
        20 permit tcp any eq 6112 any (86045 matches)
        30 permit tcp any any eq 6112
        40 permit icmp any any (9616 matches)
        50 permit tcp any any eq 3389
        60 permit tcp any eq 3389 any
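To make the direction argument in Bod43's reply concrete against the kind of entries in access-list 110, here is a small Python model of how IOS evaluates "permit tcp" entries top-down against a packet. It is an added example, not code from the thread or from Cisco: the client, server and rogue packets, their addresses and port numbers are constructed (TEST-NET ranges), the parser handles only the syntax this thread uses (any/host, eq PORT, established), and the DSCP numbers are the standard code points for ef, af41 and af11.

```python
"""Model of how a Cisco extended ACL sees an RDP (TCP/3389) session.

Added example, not code from the thread or from Cisco. Only this ACE form
is parsed:  permit tcp <src> [eq PORT] <dst> [eq PORT] [established]
with 'any' or 'host A.B.C.D' as address forms. All packets are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional

DSCP = {"ef": 46, "af41": 34, "af11": 10}  # RFC 3246 / RFC 2597 code points


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False  # IOS 'established' matches packets with ACK or RST set
    rst: bool = False


@dataclass(frozen=True)
class Ace:
    src: Optional[str]    # None means 'any'
    sport: Optional[int]  # None means no 'eq' qualifier
    dst: Optional[str]
    dport: Optional[int]
    established: bool


def parse_ace(text: str) -> Ace:
    """Parse one 'permit tcp ...' line (subset of IOS syntax, see module doc)."""
    tok = text.split()
    if tok[:2] != ["permit", "tcp"]:
        raise ValueError("only 'permit tcp' entries are modelled: %r" % text)
    pos = 2

    def address() -> Optional[str]:
        nonlocal pos
        if tok[pos] == "any":
            pos += 1
            return None
        if tok[pos] == "host":
            pos += 2
            return tok[pos - 1]
        raise ValueError("unsupported address form: %r" % tok[pos])

    def port() -> Optional[int]:
        nonlocal pos
        if pos < len(tok) and tok[pos] == "eq":
            pos += 2
            return int(tok[pos - 1])
        return None

    src, sport = address(), port()
    dst, dport = address(), port()
    established = pos < len(tok) and tok[pos] == "established"
    return Ace(src, sport, dst, dport, established)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    """True when every qualifier present on the ACE agrees with the packet."""
    if ace.src is not None and ace.src != pkt.src:
        return False
    if ace.sport is not None and ace.sport != pkt.sport:
        return False
    if ace.dst is not None and ace.dst != pkt.dst:
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    if ace.established and not (pkt.ack or pkt.rst):
        return False
    return True


def first_match(acl: List[str], pkt: Packet) -> Optional[int]:
    """Index of the first matching entry (IOS evaluates top-down), or None."""
    for n, line in enumerate(acl):
        if ace_matches(parse_ace(line), pkt):
            return n
    return None


def mark_dscp(acl: List[str], pkt: Packet, dscp_name: str) -> Optional[int]:
    """'class-map ... match access-group' followed by 'set ip dscp': value set, or None."""
    return DSCP[dscp_name] if first_match(acl, pkt) is not None else None


# Constructed RDP session: the client uses an ephemeral source port, the server answers from 3389.
CLIENT, SERVER = "192.0.2.10", "198.51.100.20"
SYN = Packet(CLIENT, 51234, SERVER, 3389)              # client -> server, first packet
REPLY = Packet(SERVER, 3389, CLIENT, 51234, ack=True)  # server -> client
ROGUE = Packet("203.0.113.5", 3389, CLIENT, 445)       # unrelated SYN that happens to use sport 3389

ACL_FIRST_TRY = ["permit tcp any eq 3389 any eq 3389"]  # both ports 3389: never true for RDP
ACL_SAFER = ["permit tcp any any eq 3389",
             "permit tcp any eq 3389 any established"]

if __name__ == "__main__":
    for name, acl in (("first try", ACL_FIRST_TRY), ("safer", ACL_SAFER)):
        for label, pkt in (("SYN", SYN), ("REPLY", REPLY), ("ROGUE", ROGUE)):
            print(f"{name:9} {label:5} -> entry {first_match(acl, pkt)}")
    print("DSCP marked on client SYN:", mark_dscp(ACL_SAFER, SYN, "ef"))
```

Running it shows that the first-try entry matches neither direction, because an RDP client never uses 3389 as its source port; in the safer pair the first entry catches the client's packets, the second catches the server's replies, and the unrelated SYN from source port 3389 is excluded by `established` (which IOS implements as "ACK or RST bit set"). Direction also decides which entry can fire on a given interface: a policy applied with `service-policy input` only sees packets entering the router on that interface. On the router, `show policy-map interface Vlan1` reports per-class packet counts for the classmark policy and is a more direct check than the ACL hit counters.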
Posted by Mr. Nobody on July 12, 2008, 12:00 pm

Are you trying to restrict the traffic, mark it or route it, or a combination thereof?
Posted by Peter Danes on July 13, 2008, 3:24 am

Hi There,

I'm trying to classify and mark it so I can put that traffic in a priority queue.