How to set up URL Filtering on Cisco 2811 for certain Computers

I have a Cisco 2811 router. All machines on the network have static IPs. I would like to filter the websites that certain groups of employees can access. Can I accomplish this with the Cisco 2811? If so, how?
noricorpAsked:

debuggerauCommented:
Websense is the primary method of filtering, however it required a server and software to run it.
0
that1guy15Commented:
Check out this link on filtering specific web pages from your Cisco router. Basically you use NBAR to filter web pages based on keywords or the web address altogether.

Let me know if you have any questions and I'll help you through it.

http://ardenpackeer.com/qos-voip/tutorial-how-to-use-cisco-mqc-nbar-to-filter-websites-like-youtube/
0
noricorpAuthor Commented:
that1guy15:

How do I create a group of IPs for those policies to apply to?
0
that1guy15Commented:
You use ACLs to group your devices by IP. If you have these IPs grouped in a uniform range (say .10 - .100) then you can specify a range. If not, you will need to add a line for each IP.

For example:

access-list 10 permit host 10.0.0.10
access-list 10 permit host 10.0.0.11
etc...

Or for a group you could use

access-list 10 permit 10.0.0.0 0.0.0.255

This will lump the whole 10.0.0.0 subnet into the mix.

You will then add the ACL to the match statement of your class-map



R2(config)#class-map match-all MATCH-HTTP
R2(config-cmap)#match access-group 10
R2(config-cmap)#match protocol http
R2(config-cmap)#exit
0
that1guy15Commented:
If you would like, you can give me some details of what you are trying to block and from what IP ranges and I can put something together for you. It just might take me a little time. Or I don't mind walking you through it.

Let me know.
0
OzNetNerdCommented:
Try this:

access-list 10 permit 192.168.10.0 0.0.0.255

class-map match-all BLOCKED_SITE1
 match protocol http host "*facebook.com*"
 match access-group 10


class-map match-all BLOCKED_SITE2
 match protocol http host "*youtube.com*"
 match access-group 10


class-map match-all BLOCKED_SITE3
 match protocol http host "*limewire.com*"
 match access-group 10

policy-map BLOCKED_SITES
 class BLOCKED_SITE1
   drop
 class BLOCKED_SITE2
   drop
 class BLOCKED_SITE3
   drop

interface FastEthernet0/0
 service-policy output BLOCKED_SITES

Things you will need to change are:
- The access list - you can either block the entire subnet or just replace that line with the specific IP addresses you want to block. If you would like a more detailed answer, please let me know the specific IPs you want to block.

- The blocked sites. Replace the Facebook, YouTube and LimeWire URLs with the ones you would like to block.

- Change the "interface FastEthernet0/0" command to "interface xxx" where xxx is the interface on the router that connects you to the internet.

NOTE: If you are going to have more people that you want to block accessing these sites in the future, instead of editing the ACL every time, you could put those people in a different subnet/VLAN and then block that entire subnet from accessing the sites. That way you won't have to keep making changes.
0

noricorpAuthor Commented:
Let's say I wanted to set it up so these URL filters apply to a block of IPs, let's say 192.168.0.40 - 192.168.0.60.

Or if I wanted to specify certain IPs not in a range, how would I do that?
0
that1guy15Commented:
You would specify this in an ACL. You will not be able to block that range. This is due to the limitations of wildcard mask within the ACL. So you will need to either block a larger range (.32 - 63 with 0.0.0.31) or specify each in its own line of an ACL like so:

access-list 10 permit host 192.168.0.40
access-list 10 permit host 192.168.0.41
access-list 10 permit host 192.168.0.42
access-list 10 permit host 192.168.0.43
etc...


0
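Added example, not part of the original thread: a wildcard mask describes one aligned power-of-two block, so an arbitrary range such as 192.168.0.40 - 192.168.0.60 is written as several aligned blocks. The Python sketch below generates those standard-ACL lines, emulates wildcard matching to check them, and counts the hosts a single larger block would also catch; the function names are hypothetical and ACL number 10 is taken from the thread.

```python
import ipaddress

def range_to_acl(acl_number, first, last):
    """Standard-ACL lines that match exactly first..last (inclusive)."""
    start, end = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if start > end:
        raise ValueError("first address is higher than last address")
    lines = []
    # summarize_address_range yields the fewest aligned power-of-two blocks.
    for net in ipaddress.summarize_address_range(start, end):
        if net.prefixlen == 32:
            lines.append(f"access-list {acl_number} permit host {net.network_address}")
        else:
            # hostmask is the inverse of the netmask, i.e. the wildcard mask
            lines.append(f"access-list {acl_number} permit {net.network_address} {net.hostmask}")
    return lines

def wildcard_match(base, wildcard, addr):
    """Bits set in the wildcard are ignored; all other bits must equal base."""
    b, w, a = (int(ipaddress.IPv4Address(x)) for x in (base, wildcard, addr))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0

def acl_permits(lines, addr):
    """Evaluate generated lines against one address (implicit deny at the end)."""
    for line in lines:
        fields = line.split()[3:]          # drop "access-list <n> permit"
        if fields[0] == "host":
            base, wildcard = fields[1], "0.0.0.0"
        else:
            base, wildcard = fields
        if wildcard_match(base, wildcard, addr):
            return True
    return False

def overmatched(base, wildcard, first, last):
    """Addresses in base's /24 that one base/wildcard pair matches outside first..last."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    net = ipaddress.IPv4Network(f"{base}/24", strict=False)
    return [str(h) for h in net
            if wildcard_match(base, wildcard, str(h)) and not lo <= h <= hi]

if __name__ == "__main__":
    for acl_line in range_to_acl(10, "192.168.0.40", "192.168.0.60"):
        print(acl_line)
    extra = overmatched("192.168.0.32", "0.0.0.31", "192.168.0.40", "192.168.0.60")
    print(len(extra), "extra hosts caught by 192.168.0.32 0.0.0.31")
```
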
OzNetNerdCommented:
that1guy15 is correct. Your best bet is to segment the people you want blocked into a new VLAN and then block that entire VLAN's subnet from accessing the websites. That way you won't need to muck around with wildcard masks, and every time you want to block a new user, you won't need to change the ACL; you just put them in the new VLAN and you're done.

It is all about automation as opposed to manual work.
0
noricorpAuthor Commented:
When I run this command :

interface FastEthernet0/1
 service-policy output BLOCKED_SITES


I get this:
Router(config-if)#service-policy output BLOCKED_SITES
 Policy map CORP_QOS is already attached

I previously had set up QOS for my IP Phones

0
that1guy15Commented:
You can only have one service-policy per interface, so you will need to combine the two policies.
0
noricorpAuthor Commented:
How do I accomplish that?
0
that1guy15Commented:
Could you post your two policies and I'll see what we can do.
0
noricorpAuthor Commented:
Router#show policy-map
  Policy Map exit

  Policy Map CORP_QOS
    Class SIP_VOIP
      priority 43 (%)
    Class class-default
      fair-queue

  Policy Map BLOCKED_SITES
    Class BLOCKED_SITE1
      drop
0
that1guy15Commented:
To combine you would just add the Class statements of one to the other. So:

Policy Map CORP_QOS
    Class SIP_VOIP
      priority 43 (%)
    Class BLOCKED_SITE1
      drop
    Class class-default
      fair-queue

Keep in mind the order of the defined classes just like in ACLs matters.
0