09-04-2012 01:05 AM - edited 03-04-2019 05:27 PM
Hi All,
Good day to you all. It's good to be back online with you guys, and thanks for all your input in my career as a network engineer.
I wanted to block some social sites on my network and I added these entries to my config -
class-map match-any social-network
 match protocol http host "*facebook*"
 match protocol http host "*twitter*"
 match protocol http host "*myspace*"
 match protocol http host "*bebo*"
 match protocol http host "*friendster*"
 match protocol http host "*hi5*"
 match protocol http host "*orkut*"
 match protocol http host "*perfspot*"
 match protocol http host "*zorpia*"
 match protocol http host "*netlog*"
 match protocol http host "*habbo*"
 match protocol http host "*ladunliadi*"
 match protocol http host "*badoo*"
 match protocol http host "*skype*"
 match protocol http host "*naijapal*"
 match protocol http host "*flixster*"
 match protocol http host "*linkedin*"
 match protocol http host "*youtube*"
 match protocol http host *irokotv*
!
!
policy-map drop-social-network
 class social-network
  drop
interface Vlan1
 ip address 192.168.0.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 service-policy input drop-social-network
I succeeded in blocking these sites, but I also discovered an appreciable slowing down of my network and network dragging.
The aim of blocking the social sites is to restrict the bandwidth to productive work only, so that people doing legitimate company work will have enough resources for their work, and to avoid unnecessary network drag. But it appears that using the class-map and policy-map statements makes the network slow down, thereby defeating the purpose.
Is there any way to block these sites with minimal impact on the network (without slowing down the network to the point that users notice the drag)?
Thanks
Tom
09-04-2012 01:37 AM
Hi,
Just use a proxy server like Squid along with WCCP on the routing device to do transparent proxying.
Regards.
Alain
09-04-2012 08:31 AM
Hi,
You can block these sites on your firewall or on your ISA server (if you have one); otherwise you can go with Alain's suggestion.
Regards.
Ahmad.
09-04-2012 08:50 AM
Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
Several things you might try include: reordering the match list by match frequency; avoiding "anywhere" text string matches (use the most position-specific text matches you can - e.g. perhaps "^http://www.facebook" rather than "*facebook*"); matching site IP addresses.
PS:
Regular expression matching against HTTP contents is an impressive NBAR feature, but as you've discovered it will cause the router to work much harder examining packets.
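Added example, not written by any poster in this thread: a Python model of two suggestions from the last reply, replacing "anywhere" wildcards with position-specific matches and ordering the list by hit frequency. It models the matching logic only and is not NBAR's implementation; the domain names in DOMAINS and the Host values in SAMPLE are constructed assumptions.

```python
from fnmatch import fnmatchcase

# Subset of the wildcard entries from the class-map posted in the thread.
WILDCARDS = ["*facebook*", "*twitter*", "*myspace*", "*hi5*", "*skype*", "*youtube*"]
# Assumed domains for the same sites (not stated in the thread).
DOMAINS = ["facebook.com", "twitter.com", "myspace.com", "hi5.com", "skype.com", "youtube.com"]
# Constructed sample of HTTP Host header values.
SAMPLE = ["www.youtube.com", "m.youtube.com", "www.youtube.com", "www.facebook.com",
          "chi5.example.org", "intranet.example.org", "skypestatus.example.net"]

def wildcard_match(host, patterns):
    """First-match scan with anywhere-in-string wildcards.
    Returns (matched entry or None, number of entries compared)."""
    host = host.lower()
    for n, pat in enumerate(patterns, 1):
        if fnmatchcase(host, pat):
            return pat, n
    return None, len(patterns)

def suffix_match(host, domains):
    """Position-specific match: the domain itself or a subdomain of it."""
    host = host.lower().rstrip(".")
    for n, dom in enumerate(domains, 1):
        if host == dom or host.endswith("." + dom):
            return dom, n
    return None, len(domains)

def reorder_by_hits(entries, hosts, matcher):
    """Move the most frequently hit entries to the front of the list."""
    hits = {e: 0 for e in entries}
    for h in hosts:
        hit, _ = matcher(h, entries)
        if hit:
            hits[hit] += 1
    return sorted(entries, key=lambda e: -hits[e])  # stable for ties

def total_comparisons(entries, hosts, matcher):
    """Total entries examined to classify every host in the sample."""
    return sum(matcher(h, entries)[1] for h in hosts)

if __name__ == "__main__":
    for h in SAMPLE:
        print(f"{h:26} wildcard={wildcard_match(h, WILDCARDS)[0]} "
              f"suffix={suffix_match(h, DOMAINS)[0]}")
    ordered = reorder_by_hits(DOMAINS, SAMPLE, suffix_match)
    print("comparisons before:", total_comparisons(DOMAINS, SAMPLE, suffix_match))
    print("comparisons after: ", total_comparisons(ordered, SAMPLE, suffix_match))
```

In this model the wildcard list also drops unrelated hosts such as chi5.example.org, and reordering only reduces work for traffic that matches: a host that matches nothing is still compared against every entry.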