A short guide to URL filtering on a Cisco router. As far as I know, it requires an IOS with "advanced ip services".
All we need for this to work is a class-map to define the URLs we wish to block, and a policy-map to enable the block.
The configuration will look like this:
class-map match-any URL-filter
 match protocol http host "*domain.com*"
policy-map Inspection
 class URL-filter
  drop

On the external interface: service-policy output Inspection
or on the internal interface: service-policy output Inspection
I have tested it and found no bugs with this configuration; only the intended websites get blocked.
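To check which hostnames a pattern such as "*domain.com*" covers before applying it, the match can be modelled offline. This is an added example, not part of the original post and not Cisco code; it assumes "*" means "zero or more characters" and that the match is applied to the Host header of cleartext HTTP requests only. The sample requests are constructed.

```python
import re

PATTERN = "*domain.com*"  # the pattern from the class-map above

# Constructed sample payloads (first bytes a client would send).
SAMPLES = {
    "intended site": b"GET / HTTP/1.1\r\nHost: www.domain.com\r\n\r\n",
    "longer name containing it": b"GET / HTTP/1.1\r\nHost: mydomain.com\r\n\r\n",
    "label under another zone": b"GET / HTTP/1.1\r\nHost: domain.com.example.net\r\n\r\n",
    "unrelated site": b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n",
    # TLS handshake record: the Host header is not visible in cleartext.
    "https (TLS record)": b"\x16\x03\x01\x00\x05hello",
}

def glob_to_regex(pattern):
    """Translate the '*' wildcard (assumed: zero or more chars) to a regex."""
    parts = (re.escape(p) for p in pattern.split("*"))
    return re.compile(".*".join(parts), re.IGNORECASE)

def http_host(payload):
    """Return the Host header of a cleartext HTTP request, else None."""
    lines = payload.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    if not re.match(rb"^[A-Z]+ \S+ HTTP/1\.[01]$", lines[0]):
        return None  # not a cleartext HTTP request line
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace")
    return None

def would_drop(pattern, payload):
    """True if the modelled class-map would match this payload."""
    host = http_host(payload)
    return host is not None and bool(glob_to_regex(pattern).fullmatch(host))

def report(pattern=PATTERN):
    """Map each sample label to the modelled drop decision."""
    return {label: would_drop(pattern, data) for label, data in SAMPLES.items()}

if __name__ == "__main__":
    for label, dropped in report().items():
        print(f"{label:28} {'drop' if dropped else 'pass'}")
```

A tighter pattern (for example one without the leading or trailing wildcard) can be passed to report() to compare coverage before changing the class-map.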
Hope this post was helpful. If it was, please consider a donation:
BTC Address: 1CnyMpjd1RntRDxSus2hu2aDMyzL4Kj29N
LTC Address: LUqrKbzGihTU2GEnL3EwsuuLHCsxCJMdtR
Should it be service-policy input Inspection on the internal interface?

Unlike access lists, it should work both ingress and egress. Think of the inspection from the perspective of the router: it searches for "*domain.com*" no matter which direction.
Now, which will be more correct is another question - I think the best will be on the internal interface facing in (just like you said) to save some processor cycles.

I have tried to block youtube.com; it succeeded, but if the user tries to open it with the https protocol it can still be opened.
If I add
class-map match-all ACL
 match protocol secure-http
 match protocol http host "*domain.com*"
all the https web sites will not be opened.
Do you have any suggestion to block access to any website that contains x domain?

I was able to find a few more ways to filter basic HTTP, but sadly, seeing as an HTTPS packet is encrypted and just opening the packet requires a firewall smarter than a Cisco router (most firewalls achieve this with no problem; Cisco ASA is no exception), the only working methods I found are blocking by an ACL (IP based), but this can cause damage, or using the Cisco as a DNS server and redirecting the requested site to a different location. Of course, these are weak solutions, seeing as the client can simply use a different DNS or the local HOST file to correct this "obstacle", but it will stop your average user.

I just added a post on configuring the Cisco as a DNS, take a look here:
http://www.networklabs.info/2012/10/cisco-as-dns-server.html

How to filter the DNS request on the router?

Please take a look here:
http://www.networklabs.info/2012/10/cisco-as-dns-server.html
Good luck :)