Cisco Support Community

New Member

NBAR Filtering problem

2691

IOS: 12.3(17)

Hi

I'm trying to restrict internet access for a subnet, only allowing access to specific sites (Windows/virus updates etc.) using NBAR.

I've had success blocking sites and allowing all others with the following:

class-map match-any url-blocking
 match protocol http host "*microsoft.com*"
 match protocol http host "*www.mcafee.com*"
 match protocol http url "*microsoft.com*"
 match protocol http url "*www.mcafee.com*"
!
policy-map mark-url-blocking-traffic
 class url-blocking
  set ip dscp 1
!
ip access-list extended 107
 deny ip any any dscp 1
 permit ip any any
!
interface fa 0/0.2   (Internal interface)
 ip access-group 107 out
!
interface fa 0/1   (External interface)
 service-policy input mark-url-blocking-traffic

This blocked access to *.microsoft.com and *.mcafee.com but allowed access to everything else, so I presumed that changing the access list to:

 permit ip any any dscp 1
 permit udp any any eq domain
 deny ip any any

would allow sites matched within url-blocking and block everything else, but this doesn't appear to be the case. All requests are being blocked by the deny ip any any rule.

Any help appreciated!

5 REPLIES
Purple

Re: NBAR Filtering problem

Can you change your ACL to:

 permit ip any any dscp 1
 permit udp any eq domain any
 deny ip any any

Paresh

PS. Please rate posts that help.
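Paresh's change moves eq domain from the destination side of the entry to the source side. ACL 107 is applied outbound on the internal interface (ip access-group 107 out), so the packets it inspects are the replies heading back to the clients, and a DNS reply carries port 53 as its source port. The Python model below is an added example, not part of the thread; it simplifies ACL matching to protocol, ports and DSCP, and the sample packets are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed model of IOS extended-ACL evaluation: first matching entry wins and
# there is an implicit "deny ip any any" at the end. ACL 107 is modelled as in the
# thread, "ip access-group 107 out" on the INTERNAL interface (router -> client).

@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    sport: int          # source port
    dport: int          # destination port
    dscp: int = 0       # DSCP written by the NBAR policy-map (1 = matched url-blocking)

@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol
    sport: Optional[int] = None  # "eq <port>" written after the SOURCE address
    dport: Optional[int] = None  # "eq <port>" written after the DESTINATION address
    dscp: Optional[int] = None   # trailing "dscp <n>" keyword

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "ip" or self.proto == p.proto)
                and (self.sport is None or self.sport == p.sport)
                and (self.dport is None or self.dport == p.dport)
                and (self.dscp is None or self.dscp == p.dscp))

def evaluate(acl: List[Ace], p: Packet) -> str:
    """Return the action of the first ACE that matches, or the implicit deny."""
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return "deny"

DOMAIN = 53
# Original poster's second ACL: "permit udp any any eq domain" -> destination port 53.
ORIGINAL_ACL = [Ace("permit", "ip", dscp=1), Ace("permit", "udp", dport=DOMAIN), Ace("deny", "ip")]
# Paresh's version: "permit udp any eq domain any" -> source port 53.
PARESH_ACL = [Ace("permit", "ip", dscp=1), Ace("permit", "udp", sport=DOMAIN), Ace("deny", "ip")]

# Constructed sample packets, all leaving the internal interface towards a client.
DNS_REPLY = Packet("udp", sport=53, dport=40123)             # resolver's answer to a client query
ALLOWED_HTTP = Packet("tcp", sport=80, dport=50100, dscp=1)  # reply from a host in url-blocking
OTHER_HTTP = Packet("tcp", sport=80, dport=50101)            # reply from any other web site

def compare(p: Packet) -> dict:
    """Show how the two ACLs treat the same packet."""
    return {"original": evaluate(ORIGINAL_ACL, p), "paresh": evaluate(PARESH_ACL, p)}
```

Only the DNS reply is treated differently: the original entry never matches it because its destination port is the client's ephemeral port, so the reply falls through to deny ip any any.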

New Member

Re: NBAR Filtering problem

Hi

Thanks for the fast response.

The requests are still being blocked on the deny ip any any statement within the ACL, though.

Re: NBAR Filtering problem

Hi,

I would try

class-map match-any url-blocking
 match protocol http host "*microsoft.com*"
 match protocol http host "*www.mcafee.com*"
 match protocol http url "*microsoft.com*"
 match protocol http url "*www.mcafee.com*"
 match protocol dns
!
policy-map mark-url-blocking-traffic
 class url-blocking
  set ip dscp 0
 class class-default
  drop
!
interface fa 0/1
 service-policy input mark-url-blocking-traffic

and no ACL on the internal interface should be needed.

Hope this works for you.

Regards, Martin

New Member

Re: NBAR Filtering problem

Hi

Thanks for the response.

I'm unable to specify drop for class-default:

'Drop cannot be configured in class-default'

fa0/1 serves as an external interface for a number of subnets, not all of which I would like to restrict.

Re: NBAR Filtering problem

Hi,

Sorry, you are right. But you could use:

class-map match-all RestTrafficDropped
 match any

and

...
 class RestTrafficDropped
  drop

Hope this helps! Please rate all posts.

Regards, Martin
