NBAR Filtering problem

k.a.clarke
Level 1

IOS: 12.3(17)

Hi

I'm trying to restrict internet access for a subnet, only allowing access to specific sites (Windows/virus updates etc.) using NBAR.

I've had success blocking sites and allowing all others with the following:

class-map match-any url-blocking
 match protocol http host "*microsoft.com*"
 match protocol http host "*www.mcafee.com*"
 match protocol http url "*microsoft.com*"
 match protocol http url "*www.mcafee.com*"
!
policy-map mark-url-blocking-traffic
 class url-blocking
  set ip dscp 1
!
ip access-list extended 107
 deny ip any any dscp 1
 permit ip any any
!
! Internal interface
interface fa 0/0.2
 ip access-group 107 out
!
! External interface
interface fa 0/1
 service-policy input mark-url-blocking-traffic

This blocked access to *.microsoft.com and *.mcafee.com but allowed access to everything else, so I presumed that by changing the access list to:

 permit ip any any dscp 1
 permit udp any any eq domain
 deny ip any any

would allow sites matched within url-blocking and block everything else, but this doesn't appear to be the case. All requests are being blocked by the deny ip any any rule.

Any help appreciated!

5 Replies

pkhatri
Level 11

Can you change your ACL to:

 permit ip any any dscp 1
 permit udp any eq domain any
 deny ip any any

Paresh

PS. Please rate posts that help.
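Why the suggested change matters, as an added illustration that is not part of the thread: a small Python model of first-match ACL evaluation, run over constructed packets leaving fa0/0.2 toward the subnet. A DNS reply carries source port 53, so the original "permit udp any any eq domain" (destination port 53) never matches it, while "permit udp any eq domain any" does.

```python
# Added example: minimal model of IOS extended-ACL evaluation (top-down, first
# match wins, implicit deny at the end). Packets and ports are constructed.
from dataclasses import dataclass

@dataclass
class Packet:
    proto: str          # "tcp" or "udp"
    src_port: int
    dst_port: int
    dscp: int = 0       # DSCP left by the NBAR marking policy; 0 if unmarked

PORT_NAMES = {"domain": 53, "www": 80}

def parse_ace(line):
    """Parse 'action proto any [eq port] any [eq port] [dscp n]' (subset of IOS syntax)."""
    tok = line.split()
    ace = {"action": tok[0], "proto": tok[1], "src_port": None, "dst_port": None, "dscp": None}
    i = 2
    for side in ("src_port", "dst_port"):
        if tok[i] != "any":
            raise ValueError("only 'any' addresses are modelled")
        i += 1
        if i < len(tok) and tok[i] == "eq":   # 'eq' binds to the address just before it
            ace[side] = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
            i += 2
    if i < len(tok) and tok[i] == "dscp":
        ace["dscp"] = int(tok[i + 1])
    return ace

def ace_matches(ace, pkt):
    if ace["proto"] != "ip" and ace["proto"] != pkt.proto:
        return False
    for field in ("src_port", "dst_port", "dscp"):
        if ace[field] is not None and ace[field] != getattr(pkt, field):
            return False
    return True

def evaluate(acl, pkt):
    for line in acl:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace["action"]
    return "deny"   # implicit deny at the end of every IOS ACL

ORIGINAL_ACL = ["permit ip any any dscp 1", "permit udp any any eq domain", "deny ip any any"]
SUGGESTED_ACL = ["permit ip any any dscp 1", "permit udp any eq domain any", "deny ip any any"]
# Constructed packets as they leave fa0/0.2 toward the internal subnet (ACL applied "out"):
DNS_REPLY = Packet("udp", src_port=53, dst_port=40123)            # answer from a resolver
MARKED_HTTP = Packet("tcp", src_port=80, dst_port=40124, dscp=1)  # response NBAR marked
UNMARKED_HTTP = Packet("tcp", src_port=80, dst_port=40125)        # response from any other site
```

With the original ACL the DNS reply falls through to the final deny; with the suggested ACL it is permitted, while unmarked HTTP responses are still denied.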

Hi

Thanks for the fast response.

The requests are still being blocked on the deny ip any any statement within the ACL, though.

mheusinger
Level 10

Hi,

I would try:

class-map match-any url-blocking
 match protocol http host "*microsoft.com*"
 match protocol http host "*www.mcafee.com*"
 match protocol http url "*microsoft.com*"
 match protocol http url "*www.mcafee.com*"
 match protocol dns
!
policy-map mark-url-blocking-traffic
 class url-blocking
  set ip dscp 0
 class class-default
  drop
!
interface fa 0/1
 service-policy input mark-url-blocking-traffic

and no ACL on the internal interface should be needed.

Hope this works for you.

Regards, Martin

Hi

Thanks for the response.

I'm unable to specify drop for class-default:

'Drop cannot be configured in class-default'

fa0/1 serves as an external interface for a number of subnets, not all of which I would like to restrict.

Hi,

Sorry, you are right. But you could use:

class-map match-all RestTrafficDropped
 match any

and

...
 class RestTrafficDropped
  drop

Hope this helps! Please rate all posts.

Regards, Martin
