cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
953
Views
0
Helpful
3
Replies

ISSUES WITH CLASS MAP CONFIGURATION

tomocisco
Level 1
Level 1

Hi All,

Good day to you all. Its good to be back on line with you guys and thanks for all your inputs in my career as a network engineer.

I wanted to block some social sites on my network and I added these entry to my config -

class-map match-any social-network

match protocol http host "*facebook*"

match protocol http host "*twitter*"

match protocol http host "*myspace*"

match protocol http host "*bebo*"

match protocol http host "*friendster*"

match protocol http host "*hi5*"

match protocol http host "*orkut*"

match protocol http host "*perfspot*"

match protocol http host "*zorpia*"

match protocol http host "*netlog*"

match protocol http host "*habbo*"

match protocol http host "*ladunliadi*"

match protocol http host "*badoo*"

match protocol http host "*skype*"

match protocol http host "*naijapal*"

match protocol http host "*flixster*"

match protocol http host "*linkedin*"

match protocol http host "*youtube*"

match protocol http host *irokotv*

!

!

policy-map drop-social-network

class social-network

   drop

interface Vlan1

ip address 192.168.0.1 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat inside

ip virtual-reassembly

service-policy input drop-social-network

I succeeded in blocking this sites but I also discovered an appreciable slowing down of my network and network dragging.

The aim of block the social sites is to restrict the bandwitdh to productive work only so that people doing legitimate company work will have enough resources for their work and to avoid unnecesary network drag. But it appears that using the class-map, policy map statement makes the network to slow down thereby defeating the purpose.

Is there any way to block these sites with minimal impact on the network (without slowing down the network to the point that users notices the drag)?

Thanks

Tom

3 Replies 3

cadet alain
VIP Alumni
VIP Alumni

Hi,

just use a proxy server like Squid along with WCCP on the routing device to do transparent proxying.

Regards.

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.

amohaida
Level 1
Level 1

Hi,

you can block these sites on your firewall or on your ISA server (if you have ) , otherwise you can go with Alain suggestion.

Regards.

Ahmad.

Joseph W. Doherty
Hall of Fame
Hall of Fame

Disclaimer


The  Author of this posting offers the information contained within this  posting without consideration and with the reader's understanding that  there's no implied or expressed suitability or fitness for any purpose.  Information provided is for informational purposes only and should not  be construed as rendering professional advice of any kind. Usage of this  posting's information is solely at reader's own risk.

Liability Disclaimer

In  no event shall Author be liable for any damages whatsoever (including,  without limitation, damages for loss of use, data or profit) arising out  of the use or inability to use the posting's information even if Author  has been advised of the possibility of such damage.

Posting

Several things you might try include: reordering match list by match frequency; avoiding "anywhere" text string matches (use the most positional specific text matches you can - e.g. perhaps "^http://www.facebook" rather than "*facebook*"); matching site IP addresses.

PS:

Regular expression matching against HTTP contents is an impressive NBAR feature, but as you've discovered it will cause the router to work much harder examining packets.

Review Cisco Networking for a $25 gift card