topic Creating Whitelist with MQC in Routing and SD-WAN

Creating Whitelist with MQC

petrutz_21 — Tue, 05 Mar 2019 03:33:44 GMT

Hi,

There is one client

192.168.1.10

and i want that this cklient to have web acces just on www.xxx.org and www.xxx.com and the others users have a web full access.

I have made this:

class-map match-any AUTHORIZED_URLS

match protocol http url "*.xxx.org"

match protocol http url " *.xxx.com"

ip access-list extended RESTRICTED_USERS

permit tcp host 192.168.1.10 any eq www

class-map match-all USER_URLS

match access-group name RESTRICTED_USERS

match not class AUTHORIZED_URL

policy-map URL_POLICY

class USER_URLS

drop

interface Vlan1

service-policy input URL_POLICY

The problem is that the client

192.168.1.10

doesn't have any web acces.

Where is the problem ?

Regards

Re: Creating Whitelist with MQC

Velimir Filipov — Thu, 11 Apr 2013 08:04:27 GMT

Inside the class AUTHORIZED_URLS try altering the syntax. I guess its using regex.

match protocol http url ".*\.xxx.org"

match protocol http url ".*\.xxx.org.*"

match protocol http url ".*xxx.org"

or just

match protocol http url "xxx.org"

and maybe try matching host not url, as actually host stands for the portion of the URL that responds to the actual hostname of the website, and URI stands for the actual resource your looking on the particular website.

Re: Creating Whitelist with MQC

petrutz_21 — Thu, 11 Apr 2013 08:59:48 GMT

I have tried all :

match protocol http url ".*\.xxx.org"

match protocol http url ".*\.xxx.org.*"

match protocol http url ".*xxx.org"

or just

match protocol http url "xxx.org"

and

match protocol http host ".*\.xxx.org"

match protocol http host ".*\.xxx.org.*"

match protocol http host ".*xxx.org"

or just

match protocol http host "xxx.org"

but still not working.

I don't have any web acces on my host 192.168.1.10.

Creating Whitelist with MQC

Velimir Filipov — Thu, 11 Apr 2013 09:02:44 GMT

Ok let me make some tests and I will get back to you in 2 hours or so.

Creating Whitelist with MQC

Velimir Filipov — Thu, 11 Apr 2013 13:32:29 GMT

Ok, sorry for the delay.

It seems its not regex. It's just the way you did it, only that as I supposed you need to match host not url.

So the right syntax would be:

match protocol http host "*.xxx.org"

match protocol http host "*.xxx.com"

also its probably best to drop the . also cus it could be open the website without www. infront, so "*xxx.org" and "*xxx.com" is the best thing you could go with.

Best regards.

Creating Whitelist with MQC

petrutz_21 — Thu, 11 Apr 2013 13:54:51 GMT

class-map match-any AUTHORIZED_URLS

match protocol http host "facebook.com"

class-map match-all USER_URLS

match access-group name RESTRICTED_USERS

match not class AUTHORIZED_URLS

policy-map URL_POLICY

class USER_URLS

drop

...

ip access-list extended RESTRICTED_USERS

permit tcp host 192.168.1.56 any eq www

interface Vlan1

service-policy input URL_POLICY

Still don't have any web access from 192.168.1.56. I'm tring to acces www.facebook.com and it doesen't work.

Creating Whitelist with MQC

Velimir Filipov — Thu, 11 Apr 2013 14:07:45 GMT

put * infront of facebook.com

Creating Whitelist with MQC

petrutz_21 — Tue, 16 Apr 2013 09:32:18 GMT

Nop !! Not working !!