Hi, I assume you applied the ACL and the service policy in the right places ? I.e, if my users are on the fa0/0 segment and my internet conneciton is thru se0/0 then you'd apply the ACL out on the se0/0 and
the service policy inbound on the fa0/0. i.e
class-map match-any permit
match protocol http url "*hotmail.com"
match protocol http url "*yahoo.com"
set ip dscp 1
service-policy inbound mark-http-traffic
ip access-group 105 out
access-list 105 permit ip "specific" any dscp 1
access-list 105 permit ip "specific" any
This should let you do the HTTP filtering you want. However it will block any other traffic not specifically configured, so this might not be what you want. Also, an easier way here, as long as your topology allows it, would be to simply configure service policy without even marking any traffic, just based on the class you can police on anything else and wil save you some lines of the config, i.e
police 1000000 31250 31250 conform-action drop exceed-action drop violate-action drop
That will discard anything defined in the class "block" with protocol filter such as
My input interface is f0/0 and the out interface ( internet ) is f0/1. I have exactly done what you have recommended, but still it is not working. I do not see any matches for access-list 105 for dscp 1.
While experimenting I changed it to "dscp default". In this case all the packets are matched ( see on the access-list 105 ). But the end user is able to browse all the web sites ( our intention is to allow only hotmail and yahoo ). We even tried dscp 2 , but no help.
Regarding your suggestion for using police and drop all the packets that matches the url, this would work for blocking hotmail and yahoo , but we want to allow hotmail and yahoo.
Can you please let me know why dscp 1 does not work.
We are pleased to announce availability of Beta software for 16.6.3. 16.6.3 will be the second rebuild on the 16.6 release train targeted towards Catalyst 9500/9400/9300/3850/3650 switching platforms. We are looking for early feedback from custome...