07-12-2010 06:27 AM - edited 03-04-2019 09:02 AM
Hi, all:
My config is like this:
Class Map match-all 1 (id 3)
  Match protocol dns
Class Map match-all 2 (id 4)
  Match protocol http host "*cisco.com*"
Class Map match-all 3 (id 5)
  Match not class-map 1
  Match not class-map 2
Policy Map 1
  Class 1
  Class 2
  Class 3
    drop
I want to deny all web access except to cisco.com.
If I don't use the "drop" command in class 3, I can see packet match stats in class 2 when I use the command "show policy-map interface"; but if I use the "drop" command in class 3, all http packets are dropped, I can't access cisco.com, and there aren't any packet match stats in class 2, but the match stats of class 1 and class 3 grow correctly. I tried some other ways for class 3, like:
class 3
  match class class-default
or
class 3
  match any
or
class 3
  match access-group xxx
but all fail; the router drops all http packets as long as the "drop" command is used in class 3.
My equipment is a 2911 router with only the IP Base IOS, so I must use QoS to do this. :(
Please help me, thanks.
07-12-2010 12:02 PM
Hi,
The idea is to have class map 3 inserted into the default class and then set the action to drop on the default class, which does not match protocol dns or the cisco url.
Your config should look like this:
class map match-all not-dns-cisco
  match not protocol dns
  match not http url "*cisco.com*"
policy-map dns-cisco
  class not-dns-cisco
  class class-default
    drop
** Apply your policy map to the Interface.
With the above config, any traffic that matches protocol dns or the Cisco URL will not be dropped, and the rest of the traffic will be dropped.
HTH
Mohamed
07-12-2010 07:15 PM
thank you very much!
But discarding packets cannot be configured for the default class.
07-12-2010 11:50 PM
Yes you are correct!
The default class will be at the end of any policy map even if you didn't manually configure an action or policy on it.
Configure it like this:
policy-map dns-cisco
  class not-dns-cisco
    drop
At the end of this policy there is a default class, and it should be permitting the rest of the traffic.
Check this and let us know the results.
HTH
Mohamed
07-13-2010 12:06 AM
Hi:
I checked it, but it still fails.
When I ping cisco.com from the PC, the domain name can be resolved, but all http traffic is dropped.
07-13-2010 12:21 AM
The match statement should look like this:
class-map match-any not-dns-cisco
  match not protocol dns
  match not protocol http url "*cisco.com*"
Can you check this out?
Mohamed
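The three policies in this thread (the original class 1/2/3 policy, the match-all not-dns-cisco class with drop, and the final match-any variant) differ only in how "match not" terms are combined, so it is worth checking the boolean outcome before touching the router. The following is an added example, not IOS code and not from any post above: it models match-all as AND, match-any as OR, "match not" as negation, first matching class wins, and class-default permits the rest, and runs each policy over a few constructed packets. The packet labelled "SYN (no Host yet)" is an assumption for the case where the classifier has not yet seen an HTTP Host header on a packet; the NBAR internals are not modelled.

```python
"""Model of the MQC class-map semantics used in the configs above.

Added example, not IOS code.  Only the boolean rules are reproduced:
match-all = AND, match-any = OR, 'match not' = negation, the first class
that matches in the policy-map wins, class-default permits the remainder.
All packets are constructed; the 'SYN (no Host yet)' case assumes the
classifier has not yet seen an HTTP Host header on that packet.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                   # "dns", "http" or "other"
    host: Optional[str] = None   # HTTP Host the classifier has seen, if any


def is_dns(p: Packet) -> bool:
    return p.proto == "dns"


def is_http_cisco(p: Packet) -> bool:
    # models: match protocol http host "*cisco.com*"
    return p.proto == "http" and p.host is not None and "cisco.com" in p.host


@dataclass
class ClassMap:
    name: str
    mode: str                                            # "match-all" or "match-any"
    terms: List[Tuple[bool, Callable[[Packet], bool]]]   # (negated?, predicate)

    def matches(self, p: Packet) -> bool:
        # pred(p) != neg flips the result when the term is a 'match not'
        results = [pred(p) != neg for neg, pred in self.terms]
        return all(results) if self.mode == "match-all" else any(results)


Policy = List[Tuple[ClassMap, str]]   # ordered (class, action) pairs


def classify(policy: Policy, p: Packet) -> Tuple[str, str]:
    """Return (class name, action) of the first class that matches; class-default permits."""
    for cm, action in policy:
        if cm.matches(p):
            return cm.name, action
    return "class-default", "permit"


# Original post: classes 1 and 2 with no action, class 3 = not 1 AND not 2, drop.
c1 = ClassMap("1", "match-all", [(False, is_dns)])
c2 = ClassMap("2", "match-all", [(False, is_http_cisco)])
c3 = ClassMap("3", "match-all", [(True, c1.matches), (True, c2.matches)])
POLICY_ORIGINAL: Policy = [(c1, "permit"), (c2, "permit"), (c3, "drop")]

# Second reply: one match-all class with two negated terms, action drop.
POLICY_MATCH_ALL: Policy = [
    (ClassMap("not-dns-cisco", "match-all", [(True, is_dns), (True, is_http_cisco)]), "drop")
]

# Last reply: the same two negated terms under match-any.
POLICY_MATCH_ANY: Policy = [
    (ClassMap("not-dns-cisco", "match-any", [(True, is_dns), (True, is_http_cisco)]), "drop")
]

PACKETS: Dict[str, Packet] = {  # constructed sample traffic
    "dns query": Packet("dns"),
    "GET www.cisco.com": Packet("http", "www.cisco.com"),
    "GET www.example.com": Packet("http", "www.example.com"),
    "SYN to port 80 (no Host yet)": Packet("http", None),
}


def evaluate(policy: Policy) -> Dict[str, str]:
    """Map each sample packet label to the action the policy takes on it."""
    return {label: classify(policy, p)[1] for label, p in PACKETS.items()}


if __name__ == "__main__":
    for name, policy in [("original", POLICY_ORIGINAL),
                         ("match-all not-dns-cisco", POLICY_MATCH_ALL),
                         ("match-any not-dns-cisco", POLICY_MATCH_ANY)]:
        print(name)
        for label, action in evaluate(policy).items():
            print(f"  {label:30} -> {action}")
```

Running it shows the original policy and the match-all rewrite take the same actions (DNS and the cisco.com request permitted, the other HTTP request dropped), while the match-any version with two "match not" terms evaluates to "not dns OR not cisco.com", which every packet satisfies, so that class drops everything including DNS. The constructed "SYN (no Host yet)" packet is dropped by both of the otherwise correct policies, because it is neither DNS nor yet attributable to cisco.com; whether the host match can be applied to the opening packets of a connection is therefore the thing to verify on the router, for instance by watching the per-class counters in "show policy-map interface" while opening a page, before concluding the policy logic is wrong.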