Can a layer 4 policy block IM traffic in IOS firewall?

Unanswered Question
Dec 25th, 2008

Hi experts,

My customer wants to allow messaging just for certain users IP and block it for anybody else. His configuration is something like the following:

class-map match-all msn
 match protocol imap
 match access-group name Permited_MSN

ip access-list extended Permited_MSN
 deny ip host 192.168.1.x
 permit ip any any

policy-map msnmap
 class msn

interface BVI1
 ip address
 ip pim dense-mode
 ip nat inside
 ip virtual-reassembly
 service-policy input msnmap

Doing a show policy-map, we never see matched packets being dropped.

Cisco1811W#show policy-map interface bvi 1

 Service-policy input: msnmap

   Class-map: msn (match-all)
     0 packets, 0 bytes
     5 minute offered rate 0 bps, drop rate 0 bps
     Match: protocol imap
     Match: access-group name Permited_MSN

   Class-map: class-default (match-any)
     1722583 packets, 929916071 bytes
     5 minute offered rate 612000 bps, drop rate 0 bps
     Match: any

Should this configuration work? Can the router block MSN-like traffic with a layer 4 policy, or is it necessary to use zone-based with an application policy?

Any comment on this is highly appreciated.


The class map "MSN" will not work. The config is trying to match imap AND the access-list. IMAP has nothing to do with MSN.

Confirmation it is not working is in the policy-map lines:

"0 packets, 0 bytes"

To be honest, using QoS (which is what the policy map is) is not the way to block this type of traffic. MSN has specific ports, depending on the version. The latest versions of MSN or Live Messenger will use HTTP.


jopontes Fri, 12/26/2008 - 09:47

Thank you Andrew!

I figured that this configuration had nothing to do with what the customer wants.

I am now configuring using the zone-based policies.

Configuring an Instant Messenger (IM) Policy

However, this seems to have only a match-any clause, which does not give the option to tie an ACL to take an action only on certain IP traffic.

Is there any other way to accomplish it?
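One way to tie an ACL to the IM inspection, as an added example that is not part of this thread or of any Cisco document: the ACL goes into a layer 3/4 "class-map type inspect" with match-all alongside "match protocol msnmsgr", and the layer 7 IM policy (the one that only offers match-any) is nested under that class with "service-policy im". Assumptions: the host addresses, zone names, class/policy names and the outside interface are placeholders, and the syntax is the IOS 12.4(15)T-style zone-based firewall.

```cisco
! In an ACL referenced by "match access-group", permit selects traffic for the
! class and deny excludes it. The two deny lines are placeholder hosts that are
! allowed to chat; everyone else is selected for the blocking class.
ip access-list extended IM_Blocked_Users
 deny ip host 192.168.1.10 any
 deny ip host 192.168.1.11 any
 permit ip any any

! Layer 3/4 class: must match BOTH the ACL and the MSN protocol (match-all).
class-map type inspect match-all IM_Block
 match access-group name IM_Blocked_Users
 match protocol msnmsgr

! Layer 7 IM class and policy: applied only to sessions IM_Block already caught,
! so the match-any here no longer matters for the per-user decision.
class-map type inspect msnmsgr match-any IM_All_Services
 match service any

policy-map type inspect im IM_Reset
 class type inspect msnmsgr IM_All_Services
  reset
  log

! Everything else, including MSN from the two permitted hosts, is inspected normally.
class-map type inspect match-any Other_Traffic
 match protocol msnmsgr
 match protocol http
 match protocol tcp
 match protocol udp
 match protocol icmp

policy-map type inspect In_to_Out
 class type inspect IM_Block
  inspect
  service-policy im IM_Reset
 class type inspect Other_Traffic
  inspect
 class class-default
  drop

zone security inside
zone security outside
zone-pair security in-out source inside destination outside
 service-policy type inspect In_to_Out

interface BVI1
 zone-member security inside
! The WAN-side interface (not shown in the thread) needs "zone-member security outside".
```

As Andrew noted, "match protocol msnmsgr" only classifies the native MSN protocol; newer clients that fall back to HTTP are not caught by this class, so check "show policy-map type inspect zone-pair" for hits on IM_Block before assuming the block is effective.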

