05-04-2007 11:48 PM - edited 03-03-2019 04:50 PM
I am using class-map to block some URLs, but it's not working:
Sample is:
class-map match-any denied-URL
match protocol http url "*yahoo*"
!
!
policy-map denied-URL
class denied-URL
drop
Examples from other forums can be seen at:
http://www.ciscoblog.com/archives/2006/11/throttling_band.html
Can anyone help? What am I missing? Or is there any other way?
Thanks
05-05-2007 12:07 AM
Hi,
You must use the police command to drop any traffic using the conform-action drop:
class-map match-any denied-URL
match protocol http url "*yahoo*"
!
!
policy-map denied-URL
class denied-URL
police 8000 1500 1500 conform-action drop exceed-action drop
And here you are another method:
Router(config)#class-map match-any denied-URL
Router(config-cmap)#match protocol http url "*yahoo*"
Router(config)#policy-map mark-denied-HTTP-requests
Router(config-pmap)#class denied-URL
Router(config-pmap-c)#set ip dscp 1
Router(config)#interface ethernet 0/0
Router(config-if)#service-policy input mark-denied-HTTP-requests
Router(config)#access-list 101 deny ip any any dscp 1
Router(config)#access-list 101 permit ip any any
Router(config)#interface serial 0/1
Router(config-if)#ip access-group 101 out
I hope that I've been informative.
HTH, please rate if it does help,
Mohammed Mahmoud.
05-05-2007 12:45 AM
Tried the first method (the police one) already, but the same result :(
Why are you using two interfaces in the second method?
Please explain.
05-05-2007 12:57 AM
Hi,
The first method should work; how are you applying the service policy?
As for the second method, it matches the undesired traffic when it enters the LAN interface, sets its DSCP to 1, and then blocks any traffic with DSCP 1 on the egress of the outgoing interface to the Internet. In this manner the undesired HTTP requests are not sent to the Internet.
HTH, please do rate if it does help,
Mohammed Mahmoud.
05-05-2007 02:10 AM
Thanks for the reply.
The first method is not working; the service policy is applied the same as you have written.
Even the second method is not working. I don't know why. There are matches on the ACL, but the packets are not dropped and the website is still opening.
This is what i have done:
class-map match-any deny
match protocol http url "*google*"
!
!
policy-map mark
class deny
set ip dscp 1
...
05-05-2007 02:24 AM
Hi,
Can you please post your whole configuration for the 2 scenarios, and also what is the version of your IOS?
BR,
Mohammed Mahmoud.
05-05-2007 03:01 AM
class-map match-any deny
match protocol http url "*google*"
!
!
policy-map mark
class deny
set ip dscp 1
interface GigabitEthernet0/1 //outside
service-policy input mark
interface GigabitEthernet0/2 // inside
ip access-group 133 out
access-list 133 deny ip any any dscp 1
access-list 133 permit ip any any
IOS image: c7200-c6is-mz.123-11.YF1.bin
Thanks for all your support.
Please reply.
05-05-2007 03:17 AM
Hi,
Can you please try and reverse them as follows, and please make sure that CEF is enabled ("ip cef" in the global configuration)? Are there any other interfaces on this router? Is there any routing protocol?
interface GigabitEthernet0/1 //outside
ip access-group 133 out
interface GigabitEthernet0/2 // inside
service-policy input mark
This is in order to prevent the HTTP requests from being sent to the Internet in the first place.
HTH, please do rate all helpful replies,
Mohammed Mahmoud.
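Added example (not posted by anyone in this thread): the complete configuration the last reply describes, written out in one piece so the direction of each attachment is explicit. The URL being matched is carried in the client's HTTP request, which enters the router on the inside (LAN) interface and leaves on the outside interface, so the classification has to happen on the inside ingress and the filtering on the outside egress; attaching them the other way round classifies the server's replies, which carry no URL. The interface names are the ones from the thread; the policy and class names, the ACL number, the DSCP value and the police rates are assumptions copied from the earlier replies. NBAR (`match protocol http url`) needs CEF enabled, and it can only read the URL from cleartext HTTP, so this does not affect HTTPS and should be treated as an acceptable-use control rather than a security boundary.

```cisco
! Added example: NBAR URL blocking with MQC (not original thread configuration).
! NBAR classification requires CEF.
ip cef
!
class-map match-any denied-URL
 match protocol http url "*yahoo*"
!
! Method 1: drop the matched requests inside the policy-map.
! (police with conform-action drop works on IOS releases that lack the plain "drop" action.)
policy-map denied-URL
 class denied-URL
  police 8000 1500 1500 conform-action drop exceed-action drop
!
! Method 2: mark on ingress, then filter the marked packets on egress.
policy-map mark-denied-HTTP-requests
 class denied-URL
  set ip dscp 1
!
access-list 133 deny   ip any any dscp 1
access-list 133 permit ip any any
!
! Inside (LAN) interface: the client's HTTP request arrives here, so classify it on input.
! Only one input service-policy can be attached per interface: use either
! "service-policy input denied-URL" (method 1) or the marking policy below (method 2).
interface GigabitEthernet0/2
 description inside
 service-policy input mark-denied-HTTP-requests
!
! Outside (Internet) interface: discard the marked request before it leaves the router.
interface GigabitEthernet0/1
 description outside
 ip access-group 133 out
!
! Verification (from enable mode): the class counters must increase while a client
! browses a matching URL, and the ACL deny line must show matches.
!   show policy-map interface GigabitEthernet0/2 input
!   show access-lists 133
```

If `show policy-map interface` reports zero packets matched for the class while the client is browsing the site, the problem is classification (CEF off, NBAR not recognising the flow, or the policy on the wrong interface or direction), not the drop action; if the class matches but `show access-lists 133` shows no hits on the deny line, the marked packets are leaving through an interface other than GigabitEthernet0/1.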