09-28-2017 07:45 AM - edited 03-08-2019 12:12 PM
Hello everyone,
I need to validate this configuration. I have a 2901 ISR router and I am trying to allow Skype and mail only to a specific VLAN (172.16.4.0/24). The VLAN 172.16.20.0/24 has no restrictions. Topology attached.
This is what I've done (please tell me if something is wrong):
R1(config)# ip access-list extended ACL-Correo
R1(config-ext-nacl)# permit ip host 172.16.1.10 any
R1(config-ext-nacl)# permit ip 172.16.20.0 0.0.0.255 any
R1(config-ext-nacl)# permit udp 172.16.4.0 0.0.0.255 any eq domain
R1(config-ext-nacl)# permit tcp 172.16.4.0 0.0.0.255 any eq pop3
R1(config-ext-nacl)# permit tcp 172.16.4.0 0.0.0.255 any eq 143
R1(config-ext-nacl)# permit tcp 172.16.4.0 0.0.0.255 any eq smtp
R1(config-ext-nacl)# permit tcp 172.16.4.0 0.0.0.255 any eq 26
R1(config-ext-nacl)# deny ip any any
R1(config)# ip access-list extended ACL-Corp
R1(config-ext-nacl)# permit ip 172.16.4.0 0.0.0.255 any
R1(config-ext-nacl)# deny ip any any
R1(config)# class-map match-all Correo
R1(config-cmap)# match access-group name ACL-Correo
R1(config)# class-map match-all Skype
R1(config-cmap)# match protocol Skype
R1(config-cmap)# match access-group name ACL-Corp
R1(config)# class-map match-all Bloquear
R1(config-cmap)# match access-group name ACL-Corp
R1(config)# Policy Map Correo
R1(config-pmap)# class SKYPE
R1(config-pmap-c)# exit
R1(config-pmap)# class SKYPE
R1(config-pmap-c)# exit
R1(config-pmap)# class Bloquear
R1(config-pmap-c)# drop
R1(config-pmap-c)# exit
R1(config-pmap)# class class-default
R1(config-pmap-c)# police rate 8000 conform-action transmit exceed-action drop
R1(config-pmap-c)# exit
R1(config-pmap)# exit
R1(config)# int gig 0/1
R1(config-if)#service-policy output Correo
I hope you can help me guys
Regards
09-28-2017 08:07 AM
Hi
What is the problem that you are having?
09-28-2017 08:41 AM
09-28-2017 09:08 AM - edited 09-28-2017 10:21 AM
Hi
Your configuration looks fine
Also fix this line:
policy-map Correo
it should be:
class-map match-all Correo
match access-group name ACL-Correo
class-map match-all Bloquear
match access-group name ACL-Corp
class-map match-all Skype
match protocol skype
match access-group name ACL-Corp
!
policy-map Correo
class Correo
class Skype
class Bloquear
drop
class class-default
police rate 8000 conform-action transmit exceed-action drop
Another way is to use PBR or an ACL, but you need to know the ports used by Skype.
I suggest doing that after business hours to avoid any impact, and requesting an approved maintenance window.
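To check what the corrected policy actually does to a given flow, here is a small Python model (added here, not part of the thread or of Cisco IOS) of the two access lists and the policy-map's top-down, first-match class order. The wildcard masks are written as CIDR, and the is_skype flag is an assumed stand-in for NBAR's "match protocol skype", which a script cannot reproduce.

```python
# Added example (not from the thread): model how the router evaluates the
# poster's access lists and the corrected policy-map "Correo".
import ipaddress

# ACL entries: (action, protocol, source network, destination port or None).
# Wildcard masks are written as CIDR; "any" is 0.0.0.0/0; "ip" matches every protocol.
ACL_CORREO = [
    ("permit", "ip",  "172.16.1.10/32", None),
    ("permit", "ip",  "172.16.20.0/24", None),
    ("permit", "udp", "172.16.4.0/24",  53),   # domain
    ("permit", "tcp", "172.16.4.0/24",  110),  # pop3
    ("permit", "tcp", "172.16.4.0/24",  143),  # imap
    ("permit", "tcp", "172.16.4.0/24",  25),   # smtp
    ("permit", "tcp", "172.16.4.0/24",  26),
    ("deny",   "ip",  "0.0.0.0/0",      None),
]
ACL_CORP = [
    ("permit", "ip", "172.16.4.0/24", None),
    ("deny",   "ip", "0.0.0.0/0",     None),
]

def acl_permits(acl, src, proto, dport):
    """First matching entry wins, as in an IOS ACL; implicit deny at the end."""
    addr = ipaddress.ip_address(src)
    for action, p, net, port in acl:
        if p != "ip" and p != proto:
            continue
        if addr not in ipaddress.ip_network(net):
            continue
        if port is not None and port != dport:
            continue
        return action == "permit"
    return False

def classify(src, proto, dport, is_skype=False):
    """Policy-map Correo: classes are tested top-down, first match decides.
    is_skype is an assumed stand-in for NBAR 'match protocol skype'."""
    if acl_permits(ACL_CORREO, src, proto, dport):
        return ("Correo", "transmit")          # class with no action: pass through
    if is_skype and acl_permits(ACL_CORP, src, proto, dport):
        return ("Skype", "transmit")
    if acl_permits(ACL_CORP, src, proto, dport):
        return ("Bloquear", "drop")
    return ("class-default", "police 8000 bps")
```

Running it shows that mail from 172.16.4.0/24 passes, anything else from that VLAN is dropped unless NBAR recognises it as Skype, all of 172.16.20.0/24 passes via class Correo, and traffic from any other source lands in class-default and is policed to 8000 bps.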