07-02-2003 03:23 PM - edited 03-02-2019 08:35 AM
I want to give a limited class of service to 1 subnet allowing only protocols like http, pop3, smtp and blocking or limiting everything else like kazaa, etc. I'm running a 3662 with IOS 12.2(15)T1 (IP Plus). What would be the best configuration to accomplish this? Also, can ACLs be applied to priority-maps or class maps? I only want these rules to apply to 1 subnet while hosts on another subnet have full access to the internet.
07-02-2003 05:00 PM
Check this out!
To match one particular subnet, you can add multiple match statement as follows.
class-map file-transfer
match protocol kazaa2
match access-group
and Create an access-list with number = X which matches the particular subnet.
HTH
07-03-2003 06:32 PM
Thanks for the help. I've tried the ACLs and they work fine. So far I have the configuration pasted below. My question is how do I class the remaining traffic not defined in Bronze-Rules and limit it, while restricting this rule to the subnet defined by the ACL named Bronze-Networks? Also, how do I allow the protocols defined by Bronze-Rules?
class-map match-all Bronze-Rules
match protocol dns
match protocol ftp
match protocol gre
match protocol http
match protocol pptp
match protocol pop3
match protocol smtp
match protocol ssh
match access-group name Bronze-Networks
!
ip access-list standard Bronze-Networks
permit 192.168.2.0 0.0.0.255
07-03-2003 08:32 PM
There are three things that need to be defined.
a) Define the traffic using Class-map command (Traffic Selection)
b) Define the policy applied to each of the above classes (Class based marking)
c) Applying the policy to an interface.
You can define multiple class maps to define different traffic. Check the example in the link that I posted before (see the example given at the end, check out steps 1 through 5).
You need to club your traffic classes as follows.
class-map match-all Bronze-Rules-DNS
match protocol dns
match access-group name Bronze-Networks
class-map match-all Bronze-Rules-FTP
match protocol ftp
match access-group name Bronze-Networks
class-map match-all Bronze-Rules-GRE
match protocol gre
match access-group name Bronze-Networks
class-map match-all Bronze-Rules-HTTP
match protocol http
match access-group name Bronze-Networks
class-map match-all Bronze-Rules-PPTP
match protocol pptp
match access-group name Bronze-Networks
class-map match-all Bronze-Rules-POP3
match protocol pop3
match access-group name Bronze-Networks
class-map match-all Bronze-Rules-SMTP
match protocol smtp
match access-group name Bronze-Networks
class-map match-all Bronze-Rules-SSH
match protocol ssh
match access-group name Bronze-Networks
ip access-list standard Bronze-Networks
permit 192.168.2.0 0.0.0.255
Once the classes are defined, the parameters (policy) to be set (ip precedence, rate limiting (CAR), etc.) can be set on these traffic classes using a policy map.
All traffic, that is not matched by Bronze-Rules, will fall into the default class (class-default). You need to define class-default only if you need to set any parameters for the default class.
Policy-map Restrict_Traffic
class Bronze-Rules
rate-limit output ....
rate-limit input ....
class class-default
rate-limit output .....
rate-limit input ....
Once the policy map is defined, you can apply it on an interface using "service-policy" command as follows:
int s0/0
service-policy {input | output} Restrict_Traffic -----> apply the policy map here.
Hope this helps.
07-04-2003 08:52 AM
Ok, I used the config you recommended. Here is what I saw: the "class class-default" rule captured all traffic from the other subnets seen by the router (Gold and Silver subnets) and blocked it. How do I restrict the "class class-default" rule so it only blocks "unmatched" traffic for the subnet specified in the ACL Bronze-Networks? The config I used:
!
class-map match-all Bronze-Rules-PPTP
match protocol pptp
match access-group name Bronze-Networks
class-map match-all Bronze-Rules-SMTP
match protocol smtp
match access-group name Bronze-Networks
class-map match-all Bronze-Rules-HTTP
match protocol http
match access-group name Bronze-Networks
class-map match-all Bronze-Rules-FTP
match protocol ftp
match access-group name Bronze-Networks
class-map match-all Bronze-Rules-SSH
match protocol ssh
match access-group name Bronze-Networks
class-map match-all Bronze-Rules-GRE
match protocol gre
match access-group name Bronze-Networks
class-map match-all Bronze-Rules-DNS
match protocol dns
match access-group name Bronze-Networks
class-map match-all Bronze-Rules-POP3
match protocol pop3
match access-group name Bronze-Networks
!
!
policy-map Bronze-Policy
class Bronze-Rules-DNS
set precedence 1
class Bronze-Rules-FTP
set precedence 1
class Bronze-Rules-GRE
set precedence 1
class Bronze-Rules-HTTP
set precedence 1
class Bronze-Rules-POP3
set precedence 1
class Bronze-Rules-PPTP
set precedence 1
class Bronze-Rules-SMTP
set precedence 1
class Bronze-Rules-SSH
set precedence 1
class class-default
police cir 8000 bc 1000 be 1000
conform-action drop
exceed-action drop
!
ip access-list standard Bronze-Networks
permit 192.168.2.0 0.0.0.255
!
07-09-2003 04:30 PM
Is it possible to get the "class class-default" to police only addresses specified by the ACL Bronze-Networks and ignore other subnets seen by the router?
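One way to get the behaviour asked for in the last two posts, and to collapse the eight per-protocol classes from the earlier answer, is to nest class maps so that the policed class itself is limited to the Bronze subnet rather than relying on class-default. This is an added example, not configuration from the thread; it assumes the IOS image supports "match class-map" and "match not" under MQC, and the interface name FastEthernet0/0 is a placeholder for the LAN interface the Bronze subnet sits behind.

```cisco
! Added example (not from the original thread). Assumes MQC with nested
! class maps ("match class-map") and negation ("match not") is available.
ip access-list standard Bronze-Networks
 permit 192.168.2.0 0.0.0.255
!
! Protocols the Bronze subnet is allowed to use (match-any = logical OR)
class-map match-any Bronze-Allowed
 match protocol dns
 match protocol ftp
 match protocol gre
 match protocol http
 match protocol pptp
 match protocol pop3
 match protocol smtp
 match protocol ssh
!
! Allowed traffic sourced from the Bronze subnet (match-all = logical AND)
class-map match-all Bronze-Permit
 match access-group name Bronze-Networks
 match class-map Bronze-Allowed
!
! Everything else sourced from the Bronze subnet only. Gold and Silver
! hosts fail the access-group test, so they never enter this class and
! stay in class-default, which this policy leaves untouched.
class-map match-all Bronze-Restrict
 match access-group name Bronze-Networks
 match not class-map Bronze-Allowed
!
policy-map Bronze-Policy
 class Bronze-Permit
  set precedence 1
 class Bronze-Restrict
  police cir 8000 bc 1000 be 1000
   conform-action drop
   exceed-action drop
!
! Apply inbound on the LAN interface so the standard ACL sees the Bronze
! hosts as the source address (interface name is a placeholder).
interface FastEthernet0/0
 service-policy input Bronze-Policy
```

"show policy-map interface FastEthernet0/0" gives per-class packet counters, so you can confirm that only Bronze-Restrict is dropping traffic while Gold and Silver packets accumulate under class-default.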