blocking website using NBAR still doesn't work

From: b_lamine@yahoo.fr
Date: Sat Aug 11 2007 - 03:20:21 ART


Hi all,

I'm trying to block websites using NBAR. I have tested a solution by Brian McGahan and other CCIEs, but it doesn't work, and the drop command cannot be configured in class-default:

R1(config)# policy-map TRAFFIC
R1(config-pmap)# class MANAGER
R1(config-pmap-c)# class ACCEPTED_WEB
R1(config-pmap-c)# class class-default
R1(config-pmap-c)# drop
Drop cannot be configured in class-default

I have tried with host rather than url, but it is still not working:

class-map match-any ACCEPTED_WEB
 match protocol http host "www.degrouptest.com"
 match protocol http host "www.orange.fr"
 match protocol http host "www.clubinternet.fr"
class-map match-any PHONE_CONTROL
 match protocol h323
 match access-group name PHONE_APP
class-map match-all MANAGER
 match access-group 1
!
! Permitted traffic is marked DSCP 1; NAT ACL 102 below only translates DSCP 1
policy-map MARK_DSCP
 class MANAGER
  set ip dscp 1
 class PHONE_CONTROL
  set ip dscp 1
 class ACCEPTED_WEB
  set ip dscp 1
!
interface FastEthernet0/0
 ip address 192.168.0.1 255.255.255.0
 ip nbar protocol-discovery
 ip nat inside
 service-policy input MARK_DSCP
!
interface FastEthernet0/1
 ip address 196.46.253.102 255.255.255.252
 ip nat outside
!
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
!
!
ip nat inside source list 102 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.0.5 7080 81.52.163.155 7080 extendable
ip nat inside source static tcp 192.168.0.5 22 196.46.253.102 22 extendable
ip nat inside source static tcp 192.168.0.5 80 196.46.253.102 80 extendable
ip nat inside source static udp 192.168.0.3 5808 196.46.253.102 5808 extendable
ip nat inside source static udp 192.168.0.3 5809 196.46.253.102 5809 extendable
ip nat inside source static tcp 192.168.0.10 5900 196.46.253.102 5900 extendable
ip nat inside source static tcp 192.168.0.5 7080 196.46.253.102 7080 extendable
!
ip access-list extended PHONE_APP
 remark VNC Client/Server
 permit tcp any any eq 5900
 permit tcp any eq 5900 any
 remark Agent Phonecontrol
 permit tcp any any eq 14300
 permit tcp any eq 14300 any
 remark Administrator Phonecontrol
 permit tcp any any eq 14500
 permit tcp any eq 14500 any
 remark ----just in case----
 permit udp any any eq 5808
 permit udp any eq 5808 any
 permit udp any any eq 5809
 permit udp any eq 5809 any
 remark Agent CosmoCall
 permit tcp any any eq 14005
 permit tcp any eq 14005 any
!
! Management hosts matched by class MANAGER
access-list 1 permit 192.168.0.90
access-list 1 permit 192.168.0.36
access-list 1 permit 192.168.0.9
access-list 1 permit 192.168.0.10
access-list 1 permit 192.168.0.14
access-list 1 permit 192.168.0.25
access-list 1 permit 192.168.0.18
!
! NAT source list: only traffic already marked DSCP 1 is translated
access-list 102 permit ip 192.168.0.0 0.0.0.255 any dscp 1

########################################################

R1#show policy-map interface FastEthernet0/0
 FastEthernet0/0

  Service-policy input: MARK_DSCP

    Class-map: MANAGER (match-all)
      75267 packets, 11355431 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group 1
      QoS Set
        dscp 1
          Packets marked 75267

    Class-map: PHONE_CONTROL (match-any)
      890407 packets, 156960904 bytes
      5 minute offered rate 1000 bps, drop rate 0 bps
      Match: protocol h323
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: access-group name PHONE_APP
        890407 packets, 156960904 bytes
        5 minute rate 1000 bps
      QoS Set
        dscp 1
          Packets marked 890407

    Class-map: ACCEPTED_WEB (match-any)
      3093 packets, 1052720 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol http host "www.degrouptest.com"
        2552 packets, 921460 bytes
        5 minute rate 0 bps
      Match: protocol http host "www.orange.fr"
        367 packets, 67946 bytes
        5 minute rate 0 bps
      Match: protocol http host "www.clubinternet.fr"
        174 packets, 63314 bytes
        5 minute rate 0 bps
      QoS Set
        dscp 1
          Packets marked 3093

Any solution please?

Regards,
Lamine
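Added example (the editor's illustration, not from the post above and not Brian McGahan's material): the form of NBAR web blocking that IOS supports cleanly is a deny-list, where the drop action sits in a named class and class-default is left alone, which sidesteps the "Drop cannot be configured in class-default" restriction entirely. NBAR can only match "protocol http host" once it has seen the client's HTTP request, so the TCP handshake of every web session carries no host match and falls through to class-default; a deny-list is unaffected by that, whereas an allow-list that drops "all other HTTP", or that only NATs traffic marked after a host match as the posted config does, also catches the handshake of the sessions it means to permit. That caveat is the editor's reading of NBAR's HTTP classification, not something the post states, so check it against the class counters after a test connection. The blocked host names and the names BLOCKED_WEB and BLOCK_WEB are assumptions; the interface name is taken from the post.

```cisco
! Added example, not part of the original post. Host and policy names are assumed.
!
! NBAR needs CEF switching.
ip cef
!
! Deny-list: hosts whose HTTP requests must be dropped.
! NBAR host matching is a pattern: "*" matches any string.
class-map match-any BLOCKED_WEB
 match protocol http host "*.blocked-example.com"
 match protocol http host "www.blocked-example.net"
!
! The drop lives in a named class, so class-default needs no action.
! TCP handshake packets (no Host header yet) are never in BLOCKED_WEB and
! pass through class-default; the GET that names a blocked host is dropped.
policy-map BLOCK_WEB
 class BLOCKED_WEB
  drop
 class class-default
!
! Apply inbound on the LAN side, where the client requests enter the router.
interface FastEthernet0/0
 ip nbar protocol-discovery
 service-policy input BLOCK_WEB
!
! Verification after browsing to a blocked host from a LAN client:
! the BLOCKED_WEB counters increase and its "drop rate" is non-zero
! while the test runs; permitted sites are unaffected.
!   R1# show policy-map interface FastEthernet0/0
!   R1# show ip nbar protocol-discovery interface FastEthernet0/0
```

An interface accepts a single input service-policy, so on a router that already applies MARK_DSCP inbound on FastEthernet0/0 the BLOCKED_WEB class with its drop goes at the top of MARK_DSCP instead of into a second policy-map: policy-map classes are evaluated top to bottom and a packet is handled by the first class it matches, so the drop must precede any class that would mark the same traffic.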



This archive was generated by hypermail 2.1.4 : Sat Sep 01 2007 - 11:32:10 ART