Cisco Support Community

Service-Policy on LAN to WAN traffic

I would like to know how I can block sites i.e. and be able to make some exceptions with some local IPs using a combination of class-maps, policy-maps and access-lists. My router is a 2801 with version 12.4 (1c).

I need a configuration example so that I can customize it.

i.e. Block for everyone in my LAN except for 192.168.x.1 and 192.168.x.5

Something else. Does anyone know if it is possible to block MSN with the Cisco NBAR technology? What would the configuration be?


Re: Service-Policy on LAN to WAN traffic

MSN Messenger uses the port 1863. So what you can also do is create an access-list to block traffic on port 1863. Then apply the access-list to the interface.

access-list 101 deny tcp any any eq 1863

access-list 101 permit ip any any

Interface configuration: (configured on the interface connecting to the internet)

! "out" so the ACL sees LAN clients' packets leaving toward destination port 1863
ip access-group 101 out


Re: Service-Policy on LAN to WAN traffic

class-map match-all sample
 match protocol http host
 match access-group name test

ip access-list extended test
 deny ip host any
 deny ip host any
 permit ip any any

policy-map test
 class sample


Since it is set to match-all, both matches must be true. You may or may not have the drop option and may need to police it with all the options set to drop.

If it does not have a protocol for MSN you can add them to NBAR with a "custom" option, but it's just as easy to use an access list.

Hope this helps and hopefully I didn't make too many errors since I didn't put it in a router to check my syntax.
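
The class-map, ACL and policy-map approach from the last reply, written out as an added example that is not part of the original thread and was not posted by its participants. The site name, the two exempt addresses, the object names and the interface are constructed placeholders.

```cisco
! Constructed values (not from the thread): example.com is the blocked
! site, 192.168.1.1 and 192.168.1.5 are the exempt hosts, and
! FastEthernet0/0 is assumed to be the LAN-facing interface.
!
! NBAR requires CEF.
ip cef
!
! In an ACL referenced by a class-map, "deny" means "do not classify",
! so the two exempt hosts never match the class and are never dropped.
ip access-list extended BLOCK-EXEMPTIONS
 deny   ip host 192.168.1.1 any
 deny   ip host 192.168.1.5 any
 permit ip any any
!
! match-all: the HTTP Host header AND the ACL must both match.
class-map match-all BLOCKED-SITE
 match protocol http host *example.com*
 match access-group name BLOCK-EXEMPTIONS
!
policy-map LAN-TO-WAN
 class BLOCKED-SITE
  drop
  ! If this release has no "drop" action, police with every action set
  ! to drop instead:
  ! police 8000 conform-action drop exceed-action drop
!
! Classify where LAN clients' requests enter the router.
interface FastEthernet0/0
 service-policy input LAN-TO-WAN
```

NBAR matches on the HTTP Host header, so this classifies cleartext HTTP only and does not see hostnames inside HTTPS. `show policy-map interface FastEthernet0/0` shows whether the class counters increase when a non-exempt host requests the site.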