http filter use QOS

Unanswered Question
Jul 12th, 2010


my config like this:

Class Map match-all 1 (id 3)

   Match protocol dns

Class Map match-all 2 (id 4)

   Match protocol http host "**"

Class Map match-all 3 (id 5)

   Match not class-map 1

   Match not class-map 2

Policy Map 1

   Class 1

   Class 2

   Class 3


I want deny all web access except to

If i not use "drop" command in class 3,i can see packets match stats in class 2 when i use command "show policy-map interface";but if i use "drop" command in class 3,all http packets will be droped,i can't access the,and there is any packets match stats in class 2,but class 1 and class 3's match stats grow up correct,i try some other way for class 3,like:

class 3

    match class class-default


class 3

    match any


class 3

    match access-group xxx

but all fail,the router drop all http packets as long as "drop" command be used in class3.

My equipment is 2911 router,and only ip base ios,so i must use qos to do this only.:(

please help me,thx

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Mohamed Sobair Mon, 07/12/2010 - 12:02


The idea is to have class map 3 inserted into the default class and then set the action to drop the default class which not matching protocol (dns and cisco url).

your config should look like this:

class map match-all not-dns-cisco

match not protocol dns

match not http url "**"

policy-map dns-cisco

class not-dns-cisco

class class-default


** Apply your policy map to the Interface.

with the above config, any traffic that matched protocol dns and Cisco Url will not be dropped and the rest of the traffic will be dropped



flowaycco Mon, 07/12/2010 - 19:15

thank you very much!

But discarding packets cannot be configured for the default class.

Mohamed Sobair Mon, 07/12/2010 - 23:50

Yes you are correct!

The Default class will be at the end of any policy map even if you didnt manually configured and action or policy on it.

configure it like this :

policy-map dns-cisco

class not-dns-cisco


at the end of this policy, there is a default class and it should be permitting the rest of the traffic.

check this and let us know the results.



flowaycco Tue, 07/13/2010 - 00:06


I had checked it,but still fail.

When i ping from pc,the domain name can be resolved,but all http traffic be drop.

Mohamed Sobair Tue, 07/13/2010 - 00:21

The match statment should look like this:

class-map match-any not-dns-cisco

match not protocol dns

match not protocol http url "**"

Can you check this out,



This Discussion