QoS question - Is this possible

John Blakley
VIP Alumni

All,

I don't think this is possible without extra equipment/software, but I wanted to ask.

Is there a way that I can create a time-based ACL and apply that policy-map to the ACL (or vice-versa)?

What I want to do is restrict flash applications between 5 - 7:30PM. I know that I can restrict URLs through a class-map, so I thought I would be able to restrict *.flv and *.swf between that time. Is there a way to do it?

I have either an 871W or an ASA that I can do this on. (The ASA is behind the 871W.)

Thanks,

John

HTH, John *** Please rate all useful posts ***

Gonna need to see your config mate, also what URL are you testing with so I can try to replicate?

Here's the config for the class-map, policy-map, and all of the interfaces:

class-map match-all NO_FLASH
 match access-group 151
 match protocol http mime "application/x-shockwave-flash"
policy-map OUTBOUND
 class ROKU-OUTBOUND
  priority percent 25
 class NO_FLASH
  drop
 class class-default
  fair-queue 256
interface FastEthernet0
 description Router Trunk
 switchport mode trunk
!
interface FastEthernet1
!
interface FastEthernet2
 switchport access vlan 2
 duplex full
 speed 100
!
interface FastEthernet3
 duplex full
 speed 100
!
interface FastEthernet4
 bandwidth 6144
 ip address dhcp client-id FastEthernet4
 ip access-group EXTERNAL in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip nat outside
 ip inspect NEMESIS-FW out
 ip virtual-reassembly
 ip route-cache flow
 speed 100
 full-duplex
 no cdp enable
 service-policy output OUTBOUND
!
interface Dot11Radio0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 !
 encryption vlan 1 mode ciphers tkip
 !
 ssid ISIS
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 infrastructure-client
 ip nbar protocol-discovery
!
interface Dot11Radio0.1
 description Normal WIFI
 encapsulation dot1Q 1 native
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 no ip address
 ip virtual-reassembly
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface Vlan2
 description DMZ$FW_INSIDE$
 ip address 192.168.2.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 service-policy input ROKU
interface BVI1
 description Internal Interface$ES_LAN$$FW_INSIDE$
 ip address 10.20.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
!
 hold-queue 100 out
!
access-list 151 permit ip 10.20.1.0 0.0.0.255 any

I was trying both youtube.com and addictinggames.com. I need to be able to block any online game or video anywhere, not just these two sites.

Thanks for looking at this Adam!

John

HTH, John *** Please rate all useful posts ***

I've been playing around with this for a while this morning, and I can't get it to work. Does it have something to do with NAT?

HTH, John *** Please rate all useful posts ***

Ah, highly possible. Is your ACL matching the post- or pre-NAT address, and have you tried it without the ACL?

Okay,

It does start to match the traffic with the ACL removed. I can still get to youtube, but addictinggames.com stopped working (which is what I want). I couldn't get it to work with the mime type under match protocol, but I got it to work with the url *.swf|*.flv|*.js.

How would I be able to get this to work using NAT?

HTH, John *** Please rate all useful posts ***

I can't get it to match the mime type though.

I pulled this from youtube's "embed this link on your site" code:

http://www.youtube.com/v/5zozqhQa29M&hl=en&fs=1" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="425" height="344">

The mime type that I have set on the match protocol is application/x-shockwave-flash, but I'm not seeing hits on it.

John

HTH, John *** Please rate all useful posts ***

At least we have progress.

Let's focus on the ACL first. Are you matching on the pre- or post-NAT address? Put both in the ACL and see which gets the hit; it should be the post-NAT address.

Okay,

Yes it matches my external address of 99.x.x.x, and it doesn't match the internal address.

Even though it was matching on it, I could still get to youtube. My match statement was like:

match protocol http url *youtube.com*

I also tried:

*.youtube.com

*youtube.com

Nothing I tried will block the traffic. I know that I'm missing something because I've seen too many documents that verify this is configured correctly.

John

HTH, John *** Please rate all useful posts ***
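A configuration that ties together the three points raised so far (the 5 to 7:30 PM window from the original question, the post-NAT address seen on the outside interface, and URL/MIME matching), written as an added example rather than taken from the thread; the time-range, ACL and content class names are assumptions, while the policy-map and its classes reuse the names from John's posted config:

```cisco
! Added example, not from the thread: time-gate the NO_FLASH class.
! Requires the router clock (or NTP) to be correct for the time-range to fire.
time-range NO_FLASH_HOURS
 periodic daily 17:00 to 19:30
!
! The OUTBOUND policy sits on FastEthernet4 (ip nat outside) as "service-policy
! output", so packets there already carry the post-NAT source address and an ACL
! on 10.20.1.0/24 can never match. On that interface the ACL only needs to act
! as a time gate, so it matches "any".
ip access-list extended FLASH_WINDOW
 permit ip any any time-range NO_FLASH_HOURS
!
! Content class: match-any, so any single URL pattern or the MIME type hits.
class-map match-any FLASH_CONTENT
 match protocol http url "*.swf*"
 match protocol http url "*.flv*"
 match protocol http mime "application/x-shockwave-flash"
!
! Outer class: match-all, so a packet must be Flash AND inside the window.
class-map match-all NO_FLASH
 match access-group name FLASH_WINDOW
 match class-map FLASH_CONTENT
!
! Same policy-map as posted; NO_FLASH is now only active during the window.
policy-map OUTBOUND
 class ROKU-OUTBOUND
  priority percent 25
 class NO_FLASH
  drop
 class class-default
  fair-queue 256
!
! Alternative when the private 10.20.1.x source must be matched: a drop-only
! policy applied inbound on the LAN interface, before NAT rewrites the source.
! (priority and fair-queue are output queueing features and cannot go here.)
ip access-list extended FLASH_WINDOW_LAN
 permit ip 10.20.1.0 0.0.0.255 any time-range NO_FLASH_HOURS
class-map match-all NO_FLASH_LAN
 match access-group name FLASH_WINDOW_LAN
 match class-map FLASH_CONTENT
policy-map NO_FLASH_IN
 class NO_FLASH_LAN
  drop
interface BVI1
 service-policy input NO_FLASH_IN
!
! Verify with: show time-range, show class-map NO_FLASH,
! show policy-map interface FastEthernet4
```

Outside the window the ACL has no active entry, so NO_FLASH gets no hits and Flash traffic falls through to class-default unchanged.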

Hi mate

So your setup is similar to this :-

class-map match-any test
 match protocol http url "*youtube.com"
 match protocol http url "*youtube.com*"
!
!
policy-map test
 class test
  drop

Can you post the output of :-

sh policy-map interface