01-29-2004 01:10 PM - edited 03-02-2019 01:14 PM
I wish to limit access to the internet from a certain subnet(s) but I need to be able to access microsoft still (Windows update). I am trying to use NBAR to achieve that but to no success. Can anyone look at this config and give me a clue to what I am doing wrong?
The ACL is working in so far as traffic to and from 10.0.0.0 is going through. The problem is I am not seeing any matches to the dscp line.
I am running a Hybrid 6509 (7.6(1)/12.1(13)E9)
! I added yahoo just to play with host matching
class-map match-any class-icp
 match protocol http host "*microsoft.com*"
 match protocol http host "*yahoo.com*"
!
policy-map map-icp
 class class-icp
  set ip dscp 1
!
interface Vlan121
 ip address 10.62.121.1 255.255.255.0
 no ip unreachables
 service-policy input map-icp
 ip access-group ICP in
!
ip access-list extended ICP
 permit ip any 10.0.0.0 0.255.255.255
 permit ip any any dscp 1
 deny ip any any
01-29-2004 05:14 PM
Have you thrown traffic with the IP priority bit set?
01-29-2004 05:45 PM
You will never hit the second line of the access list, since you are allowing all traffic to the 10.0.0.0 network, you are essentially allowing all traffic. You may want to try putting the permit for the 10.0.0.0 network after the dscp permit.
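Added example, not posted in this thread: a small Python model of the ICP access list from the original post, evaluated with IOS first-match semantics (wildcard-mask matching and the dscp keyword are modelled; the sample packets and the 198.51.100.7 address are constructed). It reports which ACL line each packet hits, both in the posted order and in the order suggested in this reply; it does not model the NBAR marking itself or the MSFC/PFC forwarding question raised later in the thread.

```python
import ipaddress

# Model of the posted ACL as (action, src, dst, dscp) tuples.
# src/dst use IOS "network wildcard" notation or "any"; dscp None means no dscp keyword.
ORIGINAL_ACL = [
    ("permit", "any", "10.0.0.0 0.255.255.255", None),
    ("permit", "any", "any", 1),
    ("deny", "any", "any", None),
]
# Ordering suggested in the reply: the dscp permit before the 10/8 permit.
REORDERED_ACL = [ORIGINAL_ACL[1], ORIGINAL_ACL[0], ORIGINAL_ACL[2]]

def _match_addr(spec, addr):
    """IOS wildcard-mask match: a 1 bit in the wildcard means 'don't care'."""
    if spec == "any":
        return True
    network, wildcard = spec.split()
    keep = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & keep) == (int(ipaddress.IPv4Address(network)) & keep)

def evaluate(acl, src, dst, dscp):
    """Return (action, 1-based line number) of the first entry that matches, as IOS would."""
    for lineno, (action, src_spec, dst_spec, dscp_spec) in enumerate(acl, start=1):
        if not _match_addr(src_spec, src) or not _match_addr(dst_spec, dst):
            continue
        if dscp_spec is not None and dscp != dscp_spec:
            continue
        return action, lineno
    # Every IOS ACL ends with an implicit deny.
    return "deny", len(acl) + 1

# Constructed sample packets from a Vlan121 host: internal and external destinations,
# with and without the dscp 1 mark the policy-map is meant to apply.
SAMPLES = [
    ("10.62.121.50", "10.0.5.9", 1),
    ("10.62.121.50", "10.0.5.9", 0),
    ("10.62.121.50", "198.51.100.7", 1),
    ("10.62.121.50", "198.51.100.7", 0),
]

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("reordered", REORDERED_ACL)):
        for src, dst, dscp in SAMPLES:
            print(name, src, "->", dst, "dscp", dscp, evaluate(acl, src, dst, dscp))
```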
02-20-2004 07:38 AM
I wasn't aware that NBAR worked in Hybrid mode?
As far as I know, only the first packet is going to go through the MSFC and the rest will be all PFC based. If so, your NBAR will not match anything because it isn't "seeing" any traffic, other than syn packets and such.
I know for sure that QoS ACLs on the MSFC won't affect traffic (aside from the first packet in a flow) in a hybrid mode configuration.
Can anyone else comment on that?