Block http traffic using Router?

Farhan Jaffer (Level 1)

I am using class-map to block some URLs, but it's not working:

Sample is:

class-map match-any denied-URL
 match protocol http url "*yahoo*"
!
policy-map denied-URL
 class denied-URL
  drop

Examples from other forums can be seen at:

http://www.ciscoblog.com/archives/2006/11/throttling_band.html

Can anyone help? What am I missing? Or is there any other way?

Thanks


mohammedmahmoud (Level 11)

Hi,

You must use the police command to drop any traffic using the conform-action drop:

class-map match-any denied-URL
 match protocol http url "*yahoo*"
!
policy-map denied-URL
 class denied-URL
  police 8000 1500 1500 conform-action drop exceed-action drop

And here is another method:

Router(config)#class-map match-any denied-URL
Router(config-cmap)#match protocol http url "*yahoo*"
Router(config)#policy-map mark-denied-HTTP-requests
Router(config-pmap)#class denied-URL
Router(config-pmap-c)#set ip dscp 1
Router(config)#interface ethernet 0/0
Router(config-if)#service-policy input mark-denied-HTTP-requests
Router(config)#access-list 101 deny ip any any dscp 1
Router(config)#access-list 101 permit ip any any
Router(config)#interface serial 0/1
Router(config-if)#ip access-group 101 out

I hope that I've been informative.

HTH, please rate if it does help,

Mohammed Mahmoud.

Tried the first method (the police one) already, but the same result :(

Why are you using two interfaces in the second method?

Please explain.

Hi,

The first method should work; how are you applying the service policy?

As for the second method, it matches the undesired traffic when it enters the LAN interface, sets its DSCP to 1, and then blocks any traffic with DSCP 1 on the egress of the outgoing interface to the internet. In this manner the undesired HTTP requests are not sent to the internet.

HTH, please do rate if it does help,

Mohammed Mahmoud.

Thanks for the reply.

The first method is not working; the service policy is applied the same as you have written.

Even the second method is not working. I don't know why; there are matches on the ACL, but the packets are not dropped and the website is still opening.

This is what I have done:

class-map match-any deny
 match protocol http url "*google*"
!
policy-map mark
 class deny
  set ip dscp 1

...

Hi,

Can you please post your whole configuration in the 2 scenarios, and also what is the version of your IOS?

BR,

Mohammed Mahmoud.

class-map match-any deny
 match protocol http url "*google*"
!
policy-map mark
 class deny
  set ip dscp 1
!
interface GigabitEthernet0/1
 ! outside
 service-policy input mark
!
interface GigabitEthernet0/2
 ! inside
 ip access-group 133 out
!
access-list 133 deny ip any any dscp 1
access-list 133 permit ip any any

IOS image: c7200-c6is-mz.123-11.YF1.bin

Thanks for all your support.

Please reply.

Hi,

Can you please try and reverse them as follows, and please make sure that CEF is enabled ("ip cef" in the global configuration). Are there any other interfaces on this router? Is there any routing protocol?

interface GigabitEthernet0/1
 ! outside
 ip access-group 133 out
!
interface GigabitEthernet0/2
 ! inside
 service-policy input mark

In order to prevent the HTTP requests from being sent to the internet from the first place.

HTH, please do rate all helpful replies,

Mohammed Mahmoud.
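The full configuration the thread converges on, written out as an added example (not a config posted by either participant): the marking policy sits inbound on the inside interface so that outbound HTTP requests are classified, the ACL sits outbound on the outside interface, and the police variant is shown as an alternative applied in the same place. Interface names and the "google" string come from the thread; the `ip cef` requirement is the one Mohammed names, and the `host` match line is an assumption added because NBAR's `url` keyword compares against the path after the hostname while `host` compares against the HTTP Host header.

```cisco
! Added example; assumes a 12.3T-era IOS router with Gi0/2 as LAN and
! Gi0/1 as Internet, as in the thread.
ip cef
!
! Assumption: the intent is to block by site name. "url" matches the path
! portion of the request, "host" the Host header, so both are listed.
class-map match-any deny
 match protocol http url "*google*"
 match protocol http host "*google*"
!
! Variant A (two-interface method): mark on LAN ingress, filter on WAN egress.
policy-map mark
 class deny
  set ip dscp 1
!
access-list 133 deny   ip any any dscp 1
access-list 133 permit ip any any
!
interface GigabitEthernet0/2
 description inside (LAN)
 service-policy input mark
!
interface GigabitEthernet0/1
 description outside (Internet)
 ip access-group 133 out
!
! Variant B (single interface): police the matched class to zero on LAN
! ingress instead of marking. Replace the service-policy line under Gi0/2
! with "service-policy input denied-URL" to use it; only one input policy
! can be attached to an interface at a time.
policy-map denied-URL
 class deny
  police 8000 1500 1500 conform-action drop exceed-action drop
!
! Verification after a client on the LAN opens the blocked site: the class
! packet counters and the ACL deny counter should both increase.
! show policy-map interface GigabitEthernet0/2 input
! show access-lists 133
```

If the class counters stay at zero while the site still loads, classification is not happening on the interface the request actually enters, which is the symptom the reversed interfaces in the thread produce.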
