problem using NBAR for filtering

szamani
Level 1

Hi,

I want to use NBAR for filtering some URLs. I did the following config and it works well for LAN segment users, but when I enter the command "service-policy ..." in interface Group-Async I got the error "CEF or distributed CEF switching is required for NBAR 'match protocol' command" 8 times and the filtering doesn't work for dial-in users. Please help me. Thanks.

------------------------

class-map match-any xxx
 match protocol http url "*sex*"
 match protocol http url "*xxx*"
 match protocol http url "*teen*"
 match protocol http url "*anal*"
 match protocol http url "*fuck*"
 match protocol http host "*sex.com*"
 match protocol http host "*xxx.com*"
 match protocol http host "*porno*"
 match protocol http host "*teen*"
 match protocol http host "*anal*"
 match protocol http host "*fuck*"
!
!
policy-map mark-xxx
 class xxx
  set ip dscp 1
interface FastEthernet0/0
 ip address 192.168.100.254 255.255.255.0 secondary
 ip address 213.176.67.1 255.255.255.224
 ip nat inside
 no ip mroute-cache
 duplex auto
 speed auto
 service-policy input mark-xxx
!
interface Ethernet2/0
 bandwidth 512
 ip address 213.176.67.33 255.255.255.224
 ip access-group 102 in
 ip access-group 111 out
 ip nat outside
 half-duplex
!
interface Group-Async1
 bandwidth 38
 ip unnumbered FastEthernet0/0
 ip wccp web-cache redirect in
 encapsulation ppp
 ip tcp header-compression
 async mode interactive
 service-policy input mark-xxx
 peer default ip address pool pool1
 ppp authentication pap callin
 group-range 33 48
!
access-list 111 deny ip any any dscp 1 log
access-list 111 permit ip any any
...

--------------------------------------------

2 Replies

d-garnett
Level 3

You need to enable CEF (Cisco Express Forwarding) in global configuration mode. You should also enable CEF accounting on the interface if your processor can handle it. Also know that NBAR can have a performance effect on your router if many match statements are in place (I'd feel safe using at least a 3700 if there is heavy traffic).

XXXXXXXX(config)#ip cef ?
  accounting          Enable CEF accounting
  load-sharing        Load sharing
  table               Set CEF forwarding table characteristics
  traffic-statistics  Enable collection of traffic statistics

XXXXX(config)#ip cef

afilandro
Level 1

Type "ip cef" in your config.
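
A pre-deployment check for the condition the replies point to, as an added example that is not code from the thread: it lists interfaces whose service-policy reaches a class-map containing NBAR "match protocol" lines while global "ip cef" is absent from the configuration text. The function name and the sample configuration are constructed for illustration.

```python
import re

# Constructed sample, abbreviated from the shape of the posted config.
SAMPLE = """\
class-map match-any filtered
 match protocol http host "*example.com*"
policy-map mark-filtered
 class filtered
  set ip dscp 1
interface FastEthernet0/0
 service-policy input mark-filtered
interface Group-Async1
 encapsulation ppp
 service-policy input mark-filtered
"""

def nbar_without_cef(config):
    """Return interfaces that apply an NBAR-based policy when 'ip cef' is missing."""
    cef = False
    nbar_classes = set()      # class-maps containing 'match protocol'
    policy_classes = {}       # policy-map name -> class names it references
    iface_policies = {}       # interface name -> attached policy-maps
    kind = name = None        # block currently being parsed
    for raw in config.splitlines():
        line = raw.strip()    # indentation is often lost in pasted configs
        if not line or line == "!":
            continue
        if re.fullmatch(r"ip cef( distributed)?", line):
            cef = True        # 'no ip cef' does not match here
        elif m := re.match(r"class-map (?:match-(?:any|all) )?(\S+)", line):
            kind, name = "class-map", m.group(1)
        elif m := re.match(r"policy-map (\S+)", line):
            kind, name = "policy-map", m.group(1)
            policy_classes.setdefault(name, set())
        elif m := re.match(r"interface (\S+)", line):
            kind, name = "interface", m.group(1)
        elif kind == "class-map" and line.startswith("match protocol "):
            nbar_classes.add(name)
        elif kind == "policy-map" and (m := re.match(r"class (\S+)", line)):
            policy_classes[name].add(m.group(1))
        elif kind == "interface" and (
                m := re.match(r"service-policy (?:input|output) (\S+)", line)):
            iface_policies.setdefault(name, []).append(m.group(1))
    if cef:
        return []
    return sorted(i for i, pols in iface_policies.items()
                  if any(policy_classes.get(p, set()) & nbar_classes for p in pols))
```

Run it against a saved copy of the running configuration before attaching the policy; an empty list means no interface depends on NBAR matching without CEF enabled.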