05-18-2006 02:27 PM - edited 03-03-2019 03:16 AM
I would like to know how I can block sites, i.e. www.xxx.com, and be able to make some exceptions for some local IPs using a combination of class-maps, policy-maps and access-lists. My router is a 2801 with version 12.4(1c).
I need a configuration example so that I can customize it.
i.e. Block www.hotmail.com for everyone in my LAN except for 192.168.x.1 and 192.168.x.5.
Something else. Does anyone know if it is possible to block MSN with the Cisco NBAR technology? What would the configuration be?
05-24-2006 10:06 AM
MSN Messenger uses port 1863. So what you can also do is create an access-list to block traffic on port 1863, then apply the access-list to the interface.
access-list 101 deny tcp any any eq 1863
access-list 101 permit ip any any
Interface configuration (configured on the interface connecting to the internet):
! outbound, so LAN connections to destination port 1863 are matched
ip access-group 101 out
05-24-2006 10:39 AM
class-map match-all sample
 match protocol http host www.hotmail.com
 match access-group name test
ip access-list extended test
 deny ip host 192.168.1.1 any
 deny ip host 192.168.1.5 any
 permit ip any any
policy-map test
 class sample
  drop
Since it is set to match-all, both matches must be true. You may or may not have the drop option and may need to police it with all the options set to drop.
If it does not have a protocol for MSN, you can add it to NBAR with a "custom" option, but it's just as easy to use an access list.
Hope this helps, and hopefully I didn't make too many errors, since I didn't put this in a router to check my syntax.
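A small Python model of the class-map logic in the reply above, added here as an illustration and not part of the original thread: it shows why the `deny` lines in ACL `test` exempt 192.168.1.1 and 192.168.1.5 from the drop instead of blocking them. The function names and sample flows are constructed, and the Host comparison is simplified to an exact string match.

```python
import ipaddress

# ACL "test" from the post, source side only (destination is "any" in every entry).
ACL_TEST = [
    ("deny", "192.168.1.1/32"),
    ("deny", "192.168.1.5/32"),
    ("permit", "0.0.0.0/0"),
]

BLOCKED_HOST = "www.hotmail.com"  # from "match protocol http host www.hotmail.com"


def acl_permits(acl, src_ip):
    """First matching entry decides; an ACL ends with an implicit deny."""
    addr = ipaddress.ip_address(src_ip)
    for action, network in acl:
        if addr in ipaddress.ip_network(network):
            return action == "permit"
    return False  # implicit deny: nothing matched


def class_sample_matches(src_ip, http_host):
    """match-all: the HTTP Host match AND the access-group match must both hold.

    An ACL "deny" here means "not part of this class", not "drop the packet".
    """
    host_match = http_host is not None and http_host.lower() == BLOCKED_HOST
    return host_match and acl_permits(ACL_TEST, src_ip)


def policy_action(src_ip, http_host):
    """Policy "test": drop traffic in class "sample", forward everything else."""
    return "drop" if class_sample_matches(src_ip, http_host) else "forward"


if __name__ == "__main__":
    # Constructed sample flows: (source IP, HTTP Host header, or None if not HTTP)
    flows = [
        ("192.168.1.1", "www.hotmail.com"),   # exempt host
        ("192.168.1.5", "www.hotmail.com"),   # exempt host
        ("192.168.1.7", "www.hotmail.com"),   # ordinary LAN host
        ("192.168.1.7", "www.example.com"),   # other site
        ("192.168.1.7", None),                # non-HTTP traffic
    ]
    for src, host in flows:
        print(f"{src:<12} {str(host):<16} -> {policy_action(src, host)}")
```
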