match protocol http host, Deny URL Cause Slow connection

Unanswered Question
Apr 27th, 2010

Hello, I'm trying to block Facebook out of customers

I'm using IOS Version 12.4(13r)T  - c3845-adventerprisek9-mz.124-24.T.bin

class-map match-all DENY_FACEBOOK

match access-group name URL_FILTERING

match protocol http host "*facebook*"

!

!

policy-map HTTP

class HTTP

  priority percent 75

policy-map URL_FILTERING

class DENY_FACEBOOK

   drop

class class-default

!

interface GigabitEthernet0/0.250

encapsulation dot1Q 252

ip address 192.168.xxx.xxx 255.255.255.0

ip flow ingress

ip nat inside

ip virtual-reassembly

ip tcp adjust-mss 1452

ip policy route-map HTTPS

no snmp trap link-status

service-policy input URL_FILTERING

!

ip access-list extended URL_FILTERING

deny   ip host 192.168.x.12 any

deny   ip host 192.168.x.33 any

deny   ip host 192.168.x.56 any

deny   ip host 192.168.x.112 any

permit ip any any

route-map HTTPS permit 10

match ip address HTTPS

set interface Dialer5

!

I have Adsl ATM hwics,

And Every one that is not Approved(denied) in the ACL URL_FILTERING is experiencing VERY VERY Slow Connection

sometimes it takes like 8 minutes to load google.com until i cancel the block, i have the same configuration on another 3845 with another version

and it works fine, it works only at old versions or something, btw i have to use 2.4(13r)T cause i have hwic adsl cards.

Please let me know if you have answer!

Thanks in advance

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
stdejongh Wed, 10/13/2010 - 02:12

Hi,

I'm having exactly the same problem.

My aim is to prevent access to direct-http download sites for people in subnet 172.30.6.0/23.

Router: Cisco IOS Software, 2801 Software (C2801-IPBASE-M), Version 15.1(1)T, RELEASE SOFTWARE (fc1)

interface FastEthernet0/1/0

ip address 172.30.0.1 255.255.255.252

ip nbar protocol-discovery

ip nat inside

ip virtual-reassembly

ip policy route-map REDIR-SERVERS

duplex auto

speed auto

service-policy input pmap-fa010-in         <-----  THE PROBLEM

service-policy output nc2class-bw-limit  <----- Bandwidth allocation by subnet ... works fine.

policy-map pmap-fa010-in
class CLASS-DIRECTHTTP
   drop
class-map match-all CLASS-DIRECTHTTP
match access-group name CLASSROOMS
match class-map direct-HTTP
class-map match-any direct-HTTP
  match protocol http host "*rapidshare.com*"
ip access-list standard CLASSROOMS
permit 172.30.6.0 0.0.1.255
The result is that the traffic to Rapidshare is really blocked, but other http traffic is very very very slow and sometimes even blocked. It seems that most of the http traffic from the given subnet match the rule ( sh policy-map int fa0/1/0 input => counters increasing when request are sent)
I tested the config on an old 2621XM running AdvIP 12.4(6)T and everything was working fine.
Any help would be welcome.

Actions

This Discussion