New Member

Block http traffic using Router?

I am using class-map to block some URLs, but it's not working:

Sample is:

class-map match-any denied-URL
 match protocol http url "*yahoo*"
!
!
policy-map denied-URL
 class denied-URL
  drop

Examples from other forums can be seen at:

http://www.ciscoblog.com/archives/2006/11/throttling_band.html

Can anyone help? What am I missing? Or is there any other way?

Thanks

7 REPLIES

Re: Block http traffic using Router?

Hi,

You must use the police command to drop any traffic using the conform-action drop:

class-map match-any denied-URL
 match protocol http url "*yahoo*"
!
!
policy-map denied-URL
 class denied-URL
  police 8000 1500 1500 conform-action drop exceed-action drop

And here is another method:

Router(config)#class-map match-any denied-URL
Router(config-cmap)#match protocol http url "*yahoo*"
Router(config)#policy-map mark-denied-HTTP-requests
Router(config-pmap)#class denied-URL
Router(config-pmap-c)#set ip dscp 1
Router(config)#interface ethernet 0/0
Router(config-if)#service-policy input mark-denied-HTTP-requests
Router(config)#access-list 101 deny ip any any dscp 1
Router(config)#access-list 101 permit ip any any
Router(config)#interface serial 0/1
Router(config-if)#ip access-group 101 out

I hope that I've been informative.

HTH, please rate if it does help,

Mohammed Mahmoud.

New Member

Re: Block http traffic using Router?

Tried the first method (police one) already, but the same result :(

Why are you using two interfaces in the second method?

Please explain.

Re: Block http traffic using Router?

Hi,

The first method should work. How are you applying the service policy?

As for the second method, it matches the undesired traffic when it enters the LAN interface, sets its DSCP to 1 and then blocks any traffic with DSCP 1 on the egress of the outgoing interface to the internet. In this manner the undesired HTTP requests are not sent to the internet.

HTH, please do rate if it does help,

Mohammed Mahmoud.

New Member

Re: Block http traffic using Router?

Thanks for the reply.

The first method is not working; the service policy is applied the same as you have written.

Even the second method is not working. I don't know why. There are matches on the ACL, but the packets are not dropped and the website is still opening.

This is what I have done:

class-map match-any deny
 match protocol http url "*google*"
!
!
policy-map mark
 class deny
  set ip dscp 1

...

Re: Block http traffic using Router?

Hi,

Can you please post your whole configuration in the 2 scenarios, and also the version of your IOS?

BR,

Mohammed Mahmoud.

New Member

Re: Block http traffic using Router?

class-map match-any deny
 match protocol http url "*google*"
!
!
policy-map mark
 class deny
  set ip dscp 1
!
! outside
interface GigabitEthernet0/1
 service-policy input mark
!
! inside
interface GigabitEthernet0/2
 ip access-group 133 out
!
access-list 133 deny ip any any dscp 1
access-list 133 permit ip any any

IOS image: c7200-c6is-mz.123-11.YF1.bin

Thanks for all your support.

Please reply.

Re: Block http traffic using Router?

Hi,

Can you please try reversing them as follows, and please make sure that CEF is enabled ("ip cef" in the global configuration)? Are there any other interfaces on this router? Is there any routing protocol?

! outside
interface GigabitEthernet0/1
 ip access-group 133 out
!
! inside
interface GigabitEthernet0/2
 service-policy input mark

This is in order to prevent the HTTP requests from being sent to the internet in the first place.

HTH, please do rate all helpful replies,

Mohammed Mahmoud.
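
The mark-and-filter method from this thread, consolidated in the direction given in the last reply, as an added example that is not part of any participant's post. The `host` match line, the `description` text and the verification commands are additions not in the thread: NBAR compares `url` against the path portion of the request and `host` against the hostname, so a pattern meant to catch a site name is normally written as a `host` match (assumed to be available on the image in use).

```cisco
! Added example. Interface roles follow the thread:
! GigabitEthernet0/2 = inside (LAN), GigabitEthernet0/1 = outside (internet).
!
! NBAR classification depends on CEF switching.
ip cef
!
class-map match-any deny
 ! Compared against the path part of the request (after the hostname)
 match protocol http url "*google*"
 ! Compared against the hostname in the request (addition, see lead-in)
 match protocol http host "*google*"
!
policy-map mark
 class deny
  ! Tag matching requests so the ACL below can recognise them
  set ip dscp 1
!
interface GigabitEthernet0/2
 description inside (LAN)
 ! Classify and mark requests as they arrive from the clients
 service-policy input mark
!
interface GigabitEthernet0/1
 description outside (internet)
 ! Drop the marked requests before they leave towards the internet
 ip access-group 133 out
!
access-list 133 deny ip any any dscp 1
access-list 133 permit ip any any
!
! Checks from exec mode after browsing to a matching site:
!   show policy-map interface GigabitEthernet0/2   (class "deny" packet counter)
!   show access-lists 133                          (hits on the deny entry)
```

If the class counter stays at zero, the traffic is not being classified at all (for example HTTPS, whose URL and hostname NBAR's HTTP match cannot read); if the class counter rises but the ACL deny entry does not, the marked packets are leaving through a different interface.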
