spremkumar Tue, 09/02/2008 - 09:15

Hi Sanjeev,

Can you clarify in which environment (SP, enterprise, etc.) you are trying to implement URL blocking?

Regards


ror.sanjeev Tue, 09/02/2008 - 20:06

Hi. I am trying to implement it on an enterprise network with a Cisco 7507 Internet gateway router.


In earlier responses, most people said you can do it with the following:

class-map match-all test
 match protocol http host *youtube.com*
!
policy-map test
 class test
  drop


But there is no command like drop?

On this link http://www.cisco.com/en/US/products/hw/routers/ps359/products_tech_note09186a00800fc176.shtml

it says you can do it with set dscp 1. I have applied the same, but users are still able to open the site or URL.


Thank you very much for your cooperation.

Thanks,

-Sanjeev

Marwan ALshawi Tue, 09/02/2008 - 20:21

If your IOS does not have the firewall feature, it won't be available, I mean the drop.

But what you might do as a workaround:


policy-map test
 class test
  set dscp 8


then


make an ACL that matches source LAN and destination any with dscp 8.


This ACL will be a deny ACL, like:

access-list 100 deny ip [lan network] [wildcard] any dscp 8


It is not a good way if you have QoS in your network with different marking methods, because it may overlap with already-marked traffic.

If you don't have QoS, you can do it like this,

but it is CPU intensive, as it works at the application layer with NBAR.


If helpful, rate.

ror.sanjeev Tue, 09/02/2008 - 21:25

Hi. I have tried with dscp 8 also, but it is not working; the site is still opening.


I actually want to block YouTube. Is there any specific DSCP value for this?


I have Cisco IOS 12.3(11)T3.


Thanks,

-Sanjeev

Marwan ALshawi Tue, 09/02/2008 - 21:39

I think you have a problem with the matching statement.

Try to make it like:


*youtube.com


When specifying a URL for classification, include only the portion of the URL that follows the www.hostname.domain in the match statement. For example, for the URL www.cisco.com/latest/whatsnew.html, include only /latest/whatsnew.html


Within NBAR, the match protocol http c-header-field command is used to specify that NBAR identify request messages (the "c" in the c-header-field portion of the command is for client). The match protocol http s-header-field command is used to specify response messages (the "s" in the s-header-field portion of the command is for server).


Have a look at the following link:


http://www.cisco.com/en/US/docs/ios/12_4t/qos/configuration/guide/qsnbar1.html#wp1055866


Good luck.


If helpful, rate.

ror.sanjeev Tue, 09/02/2008 - 21:58

Hi. The following is my configuration:

class-map match-all test
 match protocol http url "*youtube.com"
!
!
policy-map test
 class test
  set dscp cs1


ip nbar protocol-discovery is enabled on the fa5/1/1 (outside) interface.


ACLs applied:

 deny ip any any dscp 8
 permit ip any any log


I am getting log matches:

10 deny ip any any dscp cs1 (4031 matches)

20 permit ip any any log (50835 matches)


The site is still opening; I am not able to block the URL. IOS version is 12.3(11)T3.


Thanks,

-Sanjeev

Marwan ALshawi Wed, 09/03/2008 - 22:21

One more thing:


You need to apply the policy that matches and marks the traffic on the LAN interface in the input direction,


and apply the ACL in the outbound direction on the outside interface that is connected to the Internet.


Good luck.
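A complete version of the mark-then-drop approach discussed in this thread, added here as an example; it is not taken from any of the posts above or from Cisco documentation. It assumes the LAN-facing interface is FastEthernet0/0 (the thread never names it), that the Internet-facing interface is FastEthernet5/1/1 as mentioned above, that CS1 (DSCP 8) is not used by any other marking in the network, and that the IOS image supports `match protocol http host` (part of the NBAR feature set in the 12.3T/12.4T trains). It uses the `host` keyword instead of `url`: as the quoted documentation passage says, a `url` match is applied only to the part of the request that follows the hostname, so a `url "*youtube.com"` pattern never sees the host name, while `host` is applied to the HTTP Host header. The class-map, policy-map and ACL names are illustrative.

```cisco
! Added example, not from the thread. Assumptions: LAN interface FastEthernet0/0
! (hypothetical), WAN interface FastEthernet5/1/1 (named in the thread), DSCP CS1
! (8) otherwise unused, and an IOS with NBAR support for "match protocol http host".
ip cef
!
! Classify HTTP requests whose Host header contains youtube.com.
! "host" inspects the Host header; "url" inspects only the path after it,
! so  match protocol http url "*youtube.com"  does not catch the site.
class-map match-all BLOCK-YOUTUBE
 match protocol http host "*youtube.com*"
!
! Mark matched traffic with CS1 (DSCP 8) so a plain ACL can drop it later.
policy-map MARK-BLOCKED
 class BLOCK-YOUTUBE
  set dscp cs1
!
! ACL that drops the marked traffic on its way out. The log keyword on the
! deny line gives the hit count visible in "show ip access-lists".
ip access-list extended DROP-MARKED
 deny   ip any any dscp cs1 log
 permit ip any any
!
! Marking is applied inbound on the LAN side, where NBAR first sees the request.
interface FastEthernet0/0
 description LAN (hypothetical interface name)
 ip nbar protocol-discovery
 service-policy input MARK-BLOCKED
!
! Dropping is applied outbound on the Internet side, after marking has happened.
interface FastEthernet5/1/1
 description Internet
 ip access-group DROP-MARKED out
!
! Verification:
!   show policy-map interface FastEthernet0/0 input
!   show ip access-lists DROP-MARKED
```

Two caveats a practitioner should keep in mind. NBAR can only classify the flow once it has seen the HTTP GET, so the TCP handshake completes and the GET and everything after it is dropped; the browser sees a hang rather than a refusal. And because the drop decision is keyed on DSCP, any traffic that arrives at the router already marked CS1 is dropped too, which is the overlap problem raised earlier in the thread; if the ACL shows deny hits while the page still loads, compare the class counters in `show policy-map interface` with the ACL hits to see which packets are actually being classified. Requests made over HTTPS carry no plaintext Host header, so an HTTP host match does not see them at all.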
