08-15-2006 05:22 AM - edited 03-03-2019 01:39 PM
2691
IOS: 12.3(17)
Hi
I'm trying to restrict internet access for a subnet; only allowing access to specific sites (windows/virus updates etc) using nbar
I've had success blocking sites and allowing all others with the following:
class-map match-any url-blocking
match protocol http host "*microsoft.com*"
match protocol http host "*www.mcafee.com*"
match protocol http url "*microsoft.com*"
match protocol http url "*www.mcafee.com*"
!
!
policy-map mark-url-blocking-traffic
class url-blocking
set ip dscp 1
!
ip access-list extended 107
deny ip any any dscp 1
permit ip any any
!
interface fa 0/0.2 (Internal interface)
ip access-group 107 out
!
!
interface fa 0/1 (External interface)
service-policy input mark-url-blocking-traffic
This blocked access to *.microsoft.com and *.mcafee.com but allowed access to everything else, so I presumed that by changing the access list to:
permit ip any any dscp 1
permit udp any any eq domain
deny ip any any
would allow sites matched within url-blocking and block everything else, but this doesn't appear to be the case. All requests are being blocked by the deny ip any any rule.
Any help appreciated!
08-15-2006 05:31 AM
Can you change your ACL to:
permit ip any any dscp 1
permit udp any eq domain any
deny ip any any
Paresh
PS. pls rate posts that help
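As an added illustration that is not part of this thread and not Cisco code: a small Python model of first-match ACL evaluation, run over constructed packets, showing why the position of "eq domain" matters. The ACL is applied with "ip access-group 107 out" on the internal interface, so it sees the return direction (internet to client). A DNS reply carries source port 53, which the poster's "permit udp any any eq domain" (destination port 53) does not match, so the reply falls through to "deny ip any any"; the "permit udp any eq domain any" line suggested above matches source port 53 and lets it through. Packet values and the ACL representation are my own constructions for the model.

```python
"""Constructed model of Cisco IOS first-match ACL evaluation (not Cisco code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DOMAIN = 53  # UDP port for DNS ("eq domain" in IOS syntax)


@dataclass
class Packet:
    """Fields of a packet that the ACL lines in the thread can test."""
    proto: str                      # "tcp", "udp" or "icmp"
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    dscp: int = 0                   # set to 1 by the policy-map for matched HTTP flows


@dataclass
class Ace:
    """One access-list entry; None means 'any' for that field."""
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches every protocol
    src_port: Optional[int] = None  # "eq" placed after the source "any"
    dst_port: Optional[int] = None  # "eq" placed after the destination "any"
    dscp: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.src_port is not None and pkt.src_port != self.src_port:
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        if self.dscp is not None and pkt.dscp != self.dscp:
            return False
        return True

    def to_ios(self) -> str:
        """Render the entry in IOS numbered-ACL syntax for readability."""
        src = "any" + (f" eq {self.src_port}" if self.src_port is not None else "")
        dst = "any" + (f" eq {self.dst_port}" if self.dst_port is not None else "")
        dscp = f" dscp {self.dscp}" if self.dscp is not None else ""
        return f"{self.action} {self.proto} {src} {dst}{dscp}"


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for index, ace in enumerate(acl):
        if ace.matches(pkt):
            return ace.action, index
    return "deny", None


# The poster's ACL: "permit udp any any eq domain" tests the destination port.
ORIGINAL_ACL = [
    Ace("permit", "ip", dscp=1),
    Ace("permit", "udp", dst_port=DOMAIN),
    Ace("deny", "ip"),
]

# The suggested ACL: "permit udp any eq domain any" tests the source port.
REVISED_ACL = [
    Ace("permit", "ip", dscp=1),
    Ace("permit", "udp", src_port=DOMAIN),
    Ace("deny", "ip"),
]

# Constructed return-direction packets, as seen by "ip access-group 107 out"
# on the internal interface (server -> client).
DNS_REPLY = Packet("udp", src_port=DOMAIN, dst_port=40000)
MARKED_HTTP = Packet("tcp", src_port=80, dst_port=3456, dscp=1)    # class url-blocking hit
UNMARKED_HTTP = Packet("tcp", src_port=80, dst_port=3457, dscp=0)  # site not in the class


def demo() -> Dict[str, Dict[str, str]]:
    """Evaluate each sample packet against both ACLs and return the verdicts."""
    samples = {"dns_reply": DNS_REPLY, "marked_http": MARKED_HTTP,
               "unmarked_http": UNMARKED_HTTP}
    return {
        name: {label: evaluate(acl, pkt)[0] for label, pkt in samples.items()}
        for name, acl in (("original", ORIGINAL_ACL), ("revised", REVISED_ACL))
    }


if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("revised", REVISED_ACL)):
        print(f"--- {name} ---")
        for ace in acl:
            print("  " + ace.to_ios())
        for label, verdict in demo()[name].items():
            print(f"  {label}: {verdict}")
```

Running the block prints both ACLs in IOS syntax and the verdict for each packet: the original ACL denies the DNS reply, the revised one permits it, and both permit the DSCP 1 HTTP response while denying the unmarked one.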
08-15-2006 05:55 AM
Hi
Thanks for the fast response.
The requests are still being blocked on the deny ip any any statement within the acl though.
08-15-2006 07:00 AM
Hi,
I would try
class-map match-any url-blocking
match protocol http host "*microsoft.com*"
match protocol http host "*www.mcafee.com*"
match protocol http url "*microsoft.com*"
match protocol http url "*www.mcafee.com*"
match protocol dns
!
!
policy-map mark-url-blocking-traffic
class url-blocking
set ip dscp 0
class class-default
drop
interface fa 0/1
service-policy input mark-url-blocking-traffic
and no ACL on the internal interface should be needed.
Hope this works for you.
Regards, Martin
08-16-2006 01:43 AM
Hi
Thanks for the response.
I'm unable to specify drop for class-default
'Drop cannot be configured in class-default'
fa0/1 serves as an external interface for a number of subnets, not all of which I would like to restrict.
08-16-2006 03:41 AM
Hi,
Sorry, you are right. But you could use:
class-map match-all RestTrafficDropped
match any
and
...
class RestTrafficDropped
drop
Hope this helps! Please rate all posts.
Regards, Martin