Limiting Internet Access using NBAR not working.

beitzell
Level 1

I wish to limit access to the internet from a certain subnet(s), but I need to still be able to access Microsoft (Windows Update). I am trying to use NBAR to achieve that, but with no success. Can anyone look at this config and give me a clue as to what I am doing wrong?

The ACL is working insofar as traffic to and from 10.0.0.0 is going through. The problem is I am not seeing any matches on the dscp line.

I am running a Hybrid 6509 (7.6(1)/12.1(13)E9)

! I added yahoo just to play with host matching
class-map match-any class-icp
 match protocol http host "*microsoft.com*"
 match protocol http host "*yahoo.com*"
!
policy-map map-icp
 class class-icp
  set ip dscp 1
!
interface Vlan121
 ip address 10.62.121.1 255.255.255.0
 no ip unreachables
 service-policy input map-icp
 ip access-group ICP in
!
ip access-list extended ICP
 permit ip any 10.0.0.0 0.255.255.255
 permit ip any any dscp 1
 deny ip any any

3 Replies

patrick.cannon
Level 1

Have you thrown traffic with the IP priority bit set?

randyhorn
Level 1

You will never hit the second line of the access list: since you are allowing all traffic to the 10.0.0.0 network, you are essentially allowing all traffic. You may want to try putting the permit for the 10.0.0.0 network after the dscp permit.

I wasn't aware that NBAR worked in Hybrid mode?

As far as I know, only the first packet is going to go through the MSFC and the rest will be all PFC based. If so, your NBAR will not match anything because it isn't "seeing" any traffic, other than SYN packets and such.

I know for sure that QoS ACLs on the MSFC won't affect traffic (aside from the first packet in a flow) in a hybrid mode configuration.

Can anyone else comment on that?
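To reason about which entry of the ICP access list a given flow lands on (and what changes if the entries are reordered as suggested above), here is a small first-match ACL evaluator added for this thread; it is not Cisco code and is not from the original post. It models only the software semantics of an extended IOS ACL (first match wins, implicit deny at the end, wildcard masks, the dscp keyword) and assumes the DSCP value seen by the ACL is the one passed in; it does not model the PFC/MSFC hardware path or where marking happens relative to the ACL check. The source address and destination addresses in the sample packets are constructed.

```python
import ipaddress

# The thread's "ip access-list extended ICP" body, copied as plain strings
ACL_ICP = [
    "permit ip any 10.0.0.0 0.255.255.255",
    "permit ip any any dscp 1",
    "deny ip any any",
]


def _parse_addr(tokens, i):
    """Parse an IOS address spec: 'any', 'host A.B.C.D', or 'A.B.C.D wildcard'.
    Returns (network_or_None, next_token_index); None matches everything."""
    if tokens[i] == "any":
        return None, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    addr, wildcard = tokens[i], tokens[i + 1]
    # An IOS wildcard mask is a host mask (inverted netmask), e.g. 0.255.255.255 == /8
    return ipaddress.ip_network(f"{addr}/{wildcard}", strict=False), i + 2


def parse_entry(line):
    """Turn one ACE like 'permit ip any any dscp 1' into a dict of match fields."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    src, i = _parse_addr(tokens, 2)
    dst, i = _parse_addr(tokens, i)
    dscp = int(tokens[i + 1]) if i < len(tokens) and tokens[i] == "dscp" else None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dscp": dscp}


def evaluate(acl_lines, src, dst, dscp=0, proto="ip"):
    """Return (action, index) of the first ACE that matches the packet.
    ('deny', None) stands for the implicit deny at the end of every IOS ACL."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for idx, line in enumerate(acl_lines):
        e = parse_entry(line)
        if e["proto"] not in ("ip", proto):
            continue                      # 'ip' covers every IP protocol
        if e["src"] is not None and src_ip not in e["src"]:
            continue
        if e["dst"] is not None and dst_ip not in e["dst"]:
            continue
        if e["dscp"] is not None and e["dscp"] != dscp:
            continue
        return e["action"], idx
    return "deny", None


if __name__ == "__main__":
    # Constructed sample packets from a host on the Vlan121 subnet in the thread
    for dst, dscp in [("10.62.5.9", 0), ("203.0.113.10", 0), ("203.0.113.10", 1)]:
        print(dst, "dscp", dscp, "->", evaluate(ACL_ICP, "10.62.121.50", dst, dscp))
```

Swap the order of the first two strings in ACL_ICP and re-run to see which entry each packet hits under the reordering proposed in the reply above.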