Cisco Support Community

New Member

http filter use QOS

Hi, all:

My config looks like this:

Class Map match-all 1 (id 3)
   Match protocol dns
Class Map match-all 2 (id 4)
   Match protocol http host "*cisco.com*"
Class Map match-all 3 (id 5)
   Match not class-map 1
   Match not class-map 2
Policy Map 1
   Class 1
   Class 2
   Class 3
     drop

I want to deny all web access except to cisco.com.

If I do not use the "drop" command in class 3, I can see packet match stats in class 2 when I use the command "show policy-map interface"; but if I use the "drop" command in class 3, all HTTP packets are dropped, I can't access cisco.com, and there are no packet match stats in class 2, while the match stats of class 1 and class 3 grow correctly. I tried some other ways for class 3, like:

class 3
    match class class-default

or

class 3
    match any

or

class 3
    match access-group xxx

but all fail; the router drops all HTTP packets as long as the "drop" command is used in class 3.

My equipment is a 2911 router with only the IP Base IOS, so I must use QoS to do this. :(

Please help me, thanks.

5 REPLIES

Re: http filter use QOS

Hi,

The idea is to have class-map 3 inserted into the default class and then set the action to drop on the default class, which does not match the protocols (DNS and the Cisco URL).

Your config should look like this:

class-map match-all not-dns-cisco
 match not protocol dns
 match not http url "*cisco.com*"
policy-map dns-cisco
 class not-dns-cisco
 class class-default
  drop

** Apply your policy-map to the interface.

With the above config, any traffic that matches protocol DNS or the Cisco URL will not be dropped, and the rest of the traffic will be dropped.

HTH

Mohamed

New Member

Re: http filter use QOS

thank you very much!

But discarding packets cannot be configured for the default class.

Re: http filter use QOS

Yes you are correct!

The default class will be at the end of any policy-map even if you did not manually configure an action or policy on it.

Configure it like this:

policy-map dns-cisco
 class not-dns-cisco
  drop

At the end of this policy there is a default class, and it should permit the rest of the traffic.

Check this and let us know the results.

HTH

Mohamed

New Member

Re: http filter use QOS

Hi:

I checked it, but it still fails.

When I ping cisco.com from the PC, the domain name can be resolved, but all HTTP traffic is dropped.

Re: http filter use QOS

The match statement should look like this:

class-map match-any not-dns-cisco
 match not protocol dns
 match not protocol http url "*cisco.com*"

Can you check this out?

Mohamed
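The match-all versus match-any logic argued over in this thread, as an added example that is not from the thread or from Cisco: a small Python model that evaluates the original poster's three-class policy and both of Mohamed's suggested class-maps against constructed sample packets. The matcher names, the packet dicts, the reduction of both "http host" and "http url" to a single hostname glob, and the "transmit" default action are all assumptions of the model. It reproduces only the boolean semantics of match-all (AND), match-any (OR), "match not" and nested "match class-map"; it does not model how NBAR decides that a flow is HTTP with a visible host, which is a separate question from the one the model answers.

```python
"""Boolean model of Cisco MQC class-map / policy-map evaluation.

Added example, not configuration or code from the thread. Only the match
logic is modeled: match-all = AND of criteria, match-any = OR, "match not"
negates one criterion, "match class-map X" nests another class-map, and the
first matching class in a policy-map decides the action, with the implicit
class-default forwarding whatever is left. NBAR flow classification is not
modeled (assumption: every packet arrives already labelled with a protocol
and, for HTTP, a host).
"""
from fnmatch import fnmatchcase

# --- matchers: each takes a packet dict and returns a truth value ---------

def proto(name):
    """'match protocol <name>'"""
    return lambda pkt: pkt["protocol"] == name


def http_host(pattern):
    """'match protocol http host|url "<pattern>"', simplified to a hostname glob."""
    return lambda pkt: pkt["protocol"] == "http" and fnmatchcase(pkt.get("host", ""), pattern)


def class_map(mode, *criteria):
    """Build a class-map evaluator.

    mode is 'match-all' (AND) or 'match-any' (OR); each criterion is a
    (negate, matcher) pair, negate=True meaning 'match not'. A nested
    class-map evaluator can be used as a matcher ('match class-map X').
    """
    if mode not in ("match-all", "match-any"):
        raise ValueError(f"unknown class-map mode: {mode}")
    combine = all if mode == "match-all" else any

    def evaluate(pkt):
        return combine((not m(pkt)) if negate else m(pkt) for negate, m in criteria)
    return evaluate


def policy_map(*classes):
    """classes: (name, class_map, action) in order. Returns packet -> (class, action).

    An implicit class-default at the end forwards ('transmit') anything unmatched,
    which is the behaviour the thread relies on for the permitted traffic.
    """
    def apply(pkt):
        for name, matcher, action in classes:
            if matcher(pkt):
                return name, action
        return "class-default", "transmit"
    return apply


# --- the three configurations discussed in the thread ---------------------

# Original post: classes 1 and 2 carry no action, class 3 = NOT class 1 AND NOT class 2 -> drop
c1 = class_map("match-all", (False, proto("dns")))
c2 = class_map("match-all", (False, http_host("*cisco.com*")))
c3 = class_map("match-all", (True, c1), (True, c2))
OP_POLICY = policy_map(("1", c1, "transmit"), ("2", c2, "transmit"), ("3", c3, "drop"))

# Mohamed's match-all class-map: drop it, let class-default forward the rest
NOT_DNS_CISCO_ALL = class_map("match-all", (True, proto("dns")), (True, http_host("*cisco.com*")))
MATCH_ALL_POLICY = policy_map(("not-dns-cisco", NOT_DNS_CISCO_ALL, "drop"))

# Mohamed's final suggestion: the same two negated criteria under match-any
NOT_DNS_CISCO_ANY = class_map("match-any", (True, proto("dns")), (True, http_host("*cisco.com*")))
MATCH_ANY_POLICY = policy_map(("not-dns-cisco", NOT_DNS_CISCO_ANY, "drop"))

# Constructed sample traffic (not captured from the thread)
PACKETS = [
    {"name": "dns query", "protocol": "dns"},
    {"name": "http www.cisco.com", "protocol": "http", "host": "www.cisco.com"},
    {"name": "http www.example.net", "protocol": "http", "host": "www.example.net"},
    {"name": "ssh", "protocol": "ssh"},
]


def verdicts(policy, packets=PACKETS):
    """Map each sample packet's name to the action the policy takes on it."""
    return {p["name"]: policy(p)[1] for p in packets}


if __name__ == "__main__":
    for label, pol in (("original post", OP_POLICY),
                       ("match-all", MATCH_ALL_POLICY),
                       ("match-any", MATCH_ANY_POLICY)):
        print(f"{label:14s} {verdicts(pol)}")
```

In this model the original post's policy and the match-all version give the same verdicts: DNS and HTTP to cisco.com pass, everything else is dropped. The match-any version with two negated criteria matches every packet, because no single packet is both DNS and HTTP, so at least one of the two "match not" lines is always true. The model says nothing about packets that NBAR has not yet classified as HTTP with a visible host, which is the part of the real router's behaviour a practitioner would check next with "show policy-map interface" while the policy is applied.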
