Skype & mail only through ISR router

banst8801
Level 1

Hello everyone,

I need to validate this configuration. I have a 2901 ISR router and I am trying to allow Skype and mail only to a specific VLAN (172.16.4.0/24). The VLAN 172.16.20.0/24 has no restrictions. Topology attached.

This is what I've done (please tell me if something is wrong):

R1(config)# ip access-list extended ACL-Correo
R1(config-ext-nacl)# permit ip host 172.16.1.10 any
R1(config-ext-nacl)# permit ip 172.16.20.0 0.0.0.255 any
R1(config-ext-nacl)# permit udp 172.16.4.0 0.0.0.255 any eq domain
R1(config-ext-nacl)# permit tcp 172.16.4.0 0.0.0.255 any eq pop3
R1(config-ext-nacl)# permit tcp 172.16.4.0 0.0.0.255 any eq 143
R1(config-ext-nacl)# permit tcp 172.16.4.0 0.0.0.255 any eq smtp
R1(config-ext-nacl)# permit tcp 172.16.4.0 0.0.0.255 any eq 26
R1(config-ext-nacl)# deny ip any any

R1(config)# ip access-list extended ACL-Corp
R1(config-ext-nacl)# permit ip 172.16.4.0 0.0.0.255 any
R1(config-ext-nacl)# deny ip any any

R1(config)# class-map match-all Correo
R1(config-cmap)# match access-group name ACL-Correo

R1(config)# class-map match-all Skype
R1(config-cmap)# match protocol Skype
R1(config-cmap)# match access-group name ACL-Corp

R1(config)# class-map match-all Bloquear
R1(config-cmap)# match access-group name ACL-Corp

R1(config)# Policy Map Correo
R1(config-pmap)# class SKYPE
R1(config-pmap-c)# exit
R1(config-pmap)# class SKYPE
R1(config-pmap-c)# exit
R1(config-pmap)# class Bloquear
R1(config-pmap-c)# drop
R1(config-pmap-c)# exit
R1(config-pmap)# class class-default
R1(config-pmap-c)# police rate 8000 conform-action transmit exceed-action drop
R1(config-pmap-c)# exit
R1(config-pmap)# exit
R1(config)# int gig 0/1
R1(config-if)# service-policy output Correo

I hope you can help me, guys.

Regards

3 Replies

Hi

What is the problem that you are having?




>> Mark as helpful or answered if the reply resolved your question; this helps future queries from other members of the community. <<

Hello Julio,

I want to know if my configuration will work before applying it, because I am a newbie with class-maps. I intend to allow Skype and mail traffic only to a specific VLAN; the rest of the traffic must be dropped.

Hi

Your configuration looks fine.

Also fix this line:

policy-map Correo

It should be:

class-map match-all Correo
 match access-group name ACL-Correo
class-map match-all Bloquear
 match access-group name ACL-Corp
class-map match-all Skype
 match protocol skype
 match access-group name ACL-Corp
!
policy-map Correo
 class Correo
 class Skype
 class Bloquear
  drop
 class class-default
  police rate 8000 conform-action transmit exceed-action drop

Another way is to use PBR or an ACL, but you need to know the ports used by Skype.

I suggest applying that after business hours to avoid any impact, and requesting an approved maintenance window.




>> Mark as helpful or answered if the reply resolved your question; this helps future queries from other members of the community. <<
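As an added example (not part of the thread and not code from any poster), this Python model shows how the corrected policy-map above classifies traffic: the first matching class wins, and a match-all class needs every condition to hold. The packet dictionaries are constructed, and the `app` label standing in for NBAR's `match protocol skype` verdict is an assumption of the model.

```python
import ipaddress

# ACL entries transcribed from the thread: (protocol, source network, dest port or None).
ACLS = {
    "ACL-Correo": [
        ("ip", "172.16.1.10/32", None),
        ("ip", "172.16.20.0/24", None),
        ("udp", "172.16.4.0/24", 53),   # eq domain
        ("tcp", "172.16.4.0/24", 110),  # eq pop3
        ("tcp", "172.16.4.0/24", 143),
        ("tcp", "172.16.4.0/24", 25),   # eq smtp
        ("tcp", "172.16.4.0/24", 26),
    ],
    "ACL-Corp": [("ip", "172.16.4.0/24", None)],
}
# class-map match-all: every condition listed for a class must hold.
CLASS_MAPS = {
    "Correo": {"acl": "ACL-Correo"},
    "Skype": {"acl": "ACL-Corp", "nbar": "skype"},
    "Bloquear": {"acl": "ACL-Corp"},
}
# policy-map Correo in configured order; a class without an action just transmits.
POLICY = [("Correo", "transmit"), ("Skype", "transmit"), ("Bloquear", "drop")]
DEFAULT = ("class-default", "police rate 8000")

def acl_permits(name, pkt):
    src = ipaddress.ip_address(pkt["src"])
    for proto, net, port in ACLS[name]:
        if (proto in ("ip", pkt["proto"]) and src in ipaddress.ip_network(net)
                and (port is None or port == pkt.get("dport"))):
            return True
    return False  # the trailing "deny ip any any"

def classify(pkt):
    """Return (class, action) of the first class whose conditions all match."""
    for cls, action in POLICY:
        cond = CLASS_MAPS[cls]
        nbar_ok = "nbar" not in cond or pkt.get("app") == cond["nbar"]
        if acl_permits(cond["acl"], pkt) and nbar_ok:
            return cls, action
    return DEFAULT

if __name__ == "__main__":
    # Constructed packets; "app" stands in for NBAR's verdict (an assumption).
    for pkt in [
        {"src": "172.16.4.25", "proto": "tcp", "dport": 25},
        {"src": "172.16.4.25", "proto": "tcp", "dport": 443, "app": "skype"},
        {"src": "172.16.4.25", "proto": "tcp", "dport": 993},  # IMAP over TLS
    ]:
        print(pkt, "->", classify(pkt))
```

In this model, mail over TLS (for example IMAP on TCP 993) and DNS over TCP from 172.16.4.0/24 land in class Bloquear, because ACL-Correo lists only the ports shown in the thread.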