Block http traffic using Router?

Unanswered Question
May 4th, 2007

I am using a class-map to block some URLs, but it's not working.

A sample is:

class-map match-any denied-URL
 match protocol http url "*yahoo*"
!
!
policy-map denied-URL
 class denied-URL
  drop

Examples from other forums can be seen at:

http://www.ciscoblog.com/archives/2006/11/throttling_band.html

Can anyone help? What am I missing? Or is there any other way?

Thanks

mohammedmahmoud Sat, 05/05/2007 - 00:07

Hi,

You must use the police command to drop any traffic, using the conform-action drop:

class-map match-any denied-URL
 match protocol http url "*yahoo*"
!
!
policy-map denied-URL
 class denied-URL
  police 8000 1500 1500 conform-action drop exceed-action drop

And here is another method:

Router(config)#class-map match-any denied-URL
Router(config-cmap)#match protocol http url "*yahoo*"

Router(config)#policy-map mark-denied-HTTP-requests
Router(config-pmap)#class denied-URL
Router(config-pmap-c)#set ip dscp 1

Router(config)#interface ethernet 0/0
Router(config-if)#service-policy input mark-denied-HTTP-requests

Router(config)#access-list 101 deny ip any any dscp 1
Router(config)#access-list 101 permit ip any any

Router(config)#interface serial 0/1
Router(config-if)#ip access-group 101 out

I hope that I've been informative.

HTH, please rate if it does help,

Mohammed Mahmoud.

Farhan Jaffer Sat, 05/05/2007 - 00:45

Tried the first method (the police one) already, but the same result :(

Why are you using two interfaces in the second method?

Please explain.



mohammedmahmoud Sat, 05/05/2007 - 00:57

Hi,

The first method should work; how are you applying the service policy?

As for the second method, it matches the undesired traffic when it enters the LAN interface, sets its DSCP to 1 and then blocks any traffic with DSCP 1 on the egress of the outgoing interface to the internet; in this manner the undesired HTTP requests are not sent to the internet.

HTH, please do rate if it does help,

Mohammed Mahmoud.

Farhan Jaffer Sat, 05/05/2007 - 02:10

Thanks for the reply.

The first method is not working; the service policy is applied the same as you have written.

Even the second method is not working. I don't know why? There are matches on the ACL but the packets are not dropped and the website is still opening.

This is what I have done:

class-map match-any deny
 match protocol http url "*google*"
!
!
policy-map mark
 class deny
  set ip dscp 1

...

mohammedmahmoud Sat, 05/05/2007 - 02:24

Hi,

Can you please post your whole configuration in the 2 scenarios, and also what is the version of your IOS?

BR,

Mohammed Mahmoud.

Farhan Jaffer Sat, 05/05/2007 - 03:01

class-map match-any deny
 match protocol http url "*google*"
!
!
policy-map mark
 class deny
  set ip dscp 1

interface GigabitEthernet0/1 // outside
 service-policy input mark

interface GigabitEthernet0/2 // inside
 ip access-group 133 out

access-list 133 deny ip any any dscp 1
access-list 133 permit ip any any

IOS image: c7200-c6is-mz.123-11.YF1.bin

Thanks for all your support.

Please reply.

mohammedmahmoud Sat, 05/05/2007 - 03:17

Hi,

Can you please try and reverse them as follows, and please make sure that CEF is enabled ("ip cef" in the global configuration). Are there any other interfaces on this router? Is there any routing protocol?

interface GigabitEthernet0/1 // outside
 ip access-group 133 out

interface GigabitEthernet0/2 // inside
 service-policy input mark

This is in order to prevent the HTTP requests from being sent to the internet in the first place.

HTH, please do rate all helpful replies,

Mohammed Mahmoud.
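A model of the mark-then-drop path discussed in this thread, added here as an example (it is not code from the thread or from Cisco): it reduces the class-map, policy-map, interface and access-list lines to a small dictionary and traces one LAN-originated HTTP request through the ingress input policy and the egress outbound ACL, so the reversed placement from the "not working" post forwards the request while the placement in the last reply drops it. Assumptions: a simplified IOS syntax, Gi0/1 as the outside and Gi0/2 as the inside interface, and the URL glob being matched against whatever string is passed in (the real NBAR distinction between `url` and `host` matching is not modelled).

```python
import fnmatch
# Constructed IOS fragments modelled on the thread (not the poster's literal text).
POLICY = """
class-map match-any deny
 match protocol http url "*google*"
policy-map mark
 class deny
  set ip dscp 1
access-list 133 deny ip any any dscp 1
access-list 133 permit ip any any
"""
# Placement from the "not working" post: mark on outside Gi0/1, ACL out on inside Gi0/2.
REVERSED = POLICY + "interface Gi0/1\n service-policy input mark\ninterface Gi0/2\n ip access-group 133 out\n"
# Placement from the last reply: mark at inside ingress (Gi0/2), drop at outside egress (Gi0/1).
CORRECTED = POLICY + "interface Gi0/1\n ip access-group 133 out\ninterface Gi0/2\n service-policy input mark\n"

def parse_ios(cfg):
    m, ctx = {"cmap": {}, "pmap": {}, "intf": {}, "acl": {}}, None
    for w in (l.split() for l in cfg.splitlines() if l.strip() and l[0] != "!"):
        if w[0] in ("class-map", "policy-map", "interface"):   # open a new block
            table = m["intf"] if w[0] == "interface" else m[w[0][0] + "map"]
            ctx = table.setdefault(w[-1], {} if w[0] == "interface" else [])
        elif w[0] == "match":                         # URL glob inside a class-map
            ctx.append(w[-1].strip('"'))
        elif w[0] == "class":                         # class inside a policy-map
            ctx.append([w[1], ("none", 0)])
        elif w[0] in ("set", "drop", "police"):       # action for the last class
            ctx[-1][1] = ("mark", int(w[-1])) if w[0] == "set" else ("drop", 0)
        elif w[0] == "service-policy":                # service-policy input NAME
            ctx["policy_" + w[1]] = w[2]
        elif w[:2] == ["ip", "access-group"]:         # ip access-group NUM out
            ctx["acl_" + w[3]] = w[2]
        elif w[0] == "access-list":                   # (deny|permit, dscp or None)
            m["acl"].setdefault(w[1], []).append((w[2], int(w[-1]) if "dscp" in w else None))
    return m

def http_request(m, url, ingress, egress):
    """Trace one LAN-originated request: ingress input policy, then egress outbound ACL."""
    dscp = 0
    for cname, (kind, val) in m["pmap"].get(m["intf"].get(ingress, {}).get("policy_input"), []):
        if any(fnmatch.fnmatch(url, g) for g in m["cmap"][cname]):
            if kind == "drop":                        # 'drop' or police conform-action drop
                return "dropped"
            dscp = val if kind == "mark" else dscp
            break
    for verdict, want in m["acl"].get(m["intf"].get(egress, {}).get("acl_out"), []):
        if want is None or want == dscp:              # first matching ACE decides
            return "dropped" if verdict == "deny" else "forwarded"
    return "forwarded"
```

Calling `http_request(parse_ios(REVERSED), "/search?q=google", "Gi0/2", "Gi0/1")` returns "forwarded" while the same call on `CORRECTED` returns "dropped"; a request that matches no class-map is forwarded in both placements.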
