• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1840

How to set up URL Filtering on Cisco 2811 for certain Computers

I have a Cisco 2811 router. All machines on the network have static IPs. I would like to filter the websites that certain groups of employees can access. Can I accomplish this with the Cisco 2811? If so, how?
Asked by noricorp
5 Solutions
 
debuggerau commented:
Websense is the primary method of filtering; however, it requires a server and software to run it.
 
that1guy15 commented:
Check out this link on filtering specific web pages from your Cisco router. Basically you use NBAR to filter web pages based on keywords or the web address altogether.

Let me know if you have any questions and I'll help you through it.

http://ardenpackeer.com/qos-voip/tutorial-how-to-use-cisco-mqc-nbar-to-filter-websites-like-youtube/
 
noricorp (author) commented:
that1guy15:

How do I create a group of IPs for those policies to apply to?
 
that1guy15 commented:
You use ACLs to group your devices by IP. If you have these IPs grouped in a uniform range (say .10 - .100) then you can specify a range. If not, you will need to add a line for each IP.

For example (standard numbered ACLs take only a source address and wildcard, so there is no "ip" keyword):

access-list 10 permit host 10.0.0.10
access-list 10 permit host 10.0.0.11
etc.

Or for a group you could use:

access-list 10 permit 10.0.0.0 0.0.0.255

This will lump the whole 10.0.0.0 subnet into the mix.

You will then add the ACL to the match statement of your class-map



R2(config)#class-map match-all MATCH-HTTP
R2(config-cmap)#match access-group 10
R2(config-cmap)#match protocol http
R2(config-cmap)#exit

 
that1guy15 commented:
If you would like, you can give me some details of what you are trying to block and from what IP ranges and I can put something together for you. It just might take me a little time. Or I don't mind walking you through it.

Let me know.
 
OzNetNerd commented:
Try this:

access-list 10 permit 192.168.10.0 0.0.0.255

class-map match-all BLOCKED_SITE1
 match protocol http host "*facebook.com*"
 match access-group 10


class-map match-all BLOCKED_SITE2
 match protocol http host "*youtube.com*"
 match access-group 10


class-map match-all BLOCKED_SITE3
 match protocol http host "*limewire.com*"
 match access-group 10

policy-map BLOCKED_SITES
 class BLOCKED_SITE1
   drop
 class BLOCKED_SITE2
   drop
 class BLOCKED_SITE3
   drop

interface FastEthernet0/0
 service-policy output BLOCKED_SITES

Things you will need to change are:
- The access list - you can either block the entire subnet or just replace that line with the specific IP addresses you want to block. If you would like a more detailed answer, please let me know the specific IPs you want to block.

- The blocked sites. Replace the Facebook, YouTube and LimeWire URLs with the ones you would like to block.

- Change the "interface FastEthernet0/0" command to "interface xxx" where xxx is the interface on the router that connects you to the internet.

NOTE: If you are going to have more people that you want to block accessing these sites in the future, instead of editing the ACL every time, you could put those people in a different subnet/VLAN and then block that entire subnet from accessing the sites. That way you won't have to keep making changes.
 
noricorp (author) commented:
Let's say I wanted to set it up so these URL filters apply to a block of IPs, let's say 192.168.0.40 - 192.168.0.60.

Or if I wanted to specify certain IPs not in a range, how would I do that?
 
that1guy15 commented:
You would specify this in an ACL. You will not be able to block that range. This is due to the limitations of wildcard masks within the ACL. So you will need to either block a larger range (.32 - .63 with 0.0.0.31) or specify each in its own line of an ACL like so:

access-list 10 permit host 192.168.0.40
access-list 10 permit host 192.168.0.41
access-list 10 permit host 192.168.0.42
access-list 10 permit host 192.168.0.43
etc.


 
OzNetNerd commented:
that1guy15 is correct. Your best bet is to segment the people you want blocked into a new VLAN and then block that entire VLAN's subnet from accessing the websites. That way you won't need to muck around with wildcard masks, and every time you want to block a new user you won't need to change the ACL; you just put them in the new VLAN and you're done.

It is all about automation as opposed to manual work.
 
noricorp (author) commented:
When I run this command :

interface FastEthernet0/1
 service-policy output BLOCKED_SITES


I get this:
Router(config-if)#service-policy output BLOCKED_SITES
 Policy map CORP_QOS is already attached

I previously had set up QoS for my IP phones.

 
that1guy15 commented:
You can only have one service-policy per interface, so you will need to combine the two policies.
 
noricorp (author) commented:
How do I accomplish that?
 
that1guy15 commented:
Could you post your two policies and I'll see what we can do?
 
noricorp (author) commented:
Router#show policy-map
  Policy Map exit

  Policy Map CORP_QOS
    Class SIP_VOIP
      priority 43 (%)
    Class class-default
      fair-queue

  Policy Map BLOCKED_SITES
    Class BLOCKED_SITE1
      drop
 
that1guy15 commented:
To combine, you would just add the Class statements of one to the other. So:

Policy Map CORP_QOS
    Class SIP_VOIP
      priority 43 (%)
    Class BLOCKED_SITE1
      drop
    Class class-default
      fair-queue

Keep in mind the order of the defined classes matters, just like in ACLs.
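To make the combining step concrete, here is an added Python example (not from any answer in this thread or from Cisco) that parses the show policy-map output posted above, appends the BLOCKED_SITES classes to CORP_QOS ahead of class-default, and renders the result as configuration commands. It enforces the two points a practitioner would check by hand: classes are evaluated top-down, so class-default must stay last, and a class name that already exists in the base policy is rejected rather than silently duplicated. The sample text is a constructed copy of the posted output; the only translation assumed is mapping the displayed "priority 43 (%)" back to the "priority percent 43" configuration command.

```python
import re

# Constructed sample, mirroring the show output posted in the thread.
SHOW_POLICY_MAP = """\
Router#show policy-map
  Policy Map exit

  Policy Map CORP_QOS
    Class SIP_VOIP
      priority 43 (%)
    Class class-default
      fair-queue

  Policy Map BLOCKED_SITES
    Class BLOCKED_SITE1
      drop
"""

# Assumption: only the one display form seen on the page needs translating
# back to its configuration command; other action lines are used verbatim.
SHOW_TO_CONFIG = [(re.compile(r"^priority (\d+) \(%\)$"), r"priority percent \1")]


def parse_show_policy_map(text):
    """Return {policy_name: [(class_name, [action lines]), ...]},
    preserving the order in which policies and classes appear."""
    policies = {}
    policy = None
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.endswith("show policy-map"):
            continue                      # blank line or the command prompt
        if line.startswith("Policy Map "):
            policy = line[len("Policy Map "):]
            policies[policy] = []
            current = None
        elif line.startswith("Class ") and policy is not None:
            current = (line[len("Class "):], [])
            policies[policy].append(current)
        elif current is not None:
            current[1].append(line)       # an action belonging to the class
    return policies


def merge_policy_maps(base, extra):
    """Add extra's classes to base. Classes are evaluated top-down like
    ACL entries, so the new classes go before class-default, which must
    stay last; a class already present in base is an error, and extra's
    own class-default (if any) is dropped in favour of base's."""
    base_names = {name for name, _ in base}
    merged = [(n, a) for n, a in base if n != "class-default"]
    default = [(n, a) for n, a in base if n == "class-default"]
    for name, actions in extra:
        if name == "class-default":
            continue
        if name in base_names:
            raise ValueError(f"class {name} is already defined in the base policy")
        merged.append((name, actions))
    return merged + default


def render_policy_map(name, classes):
    """Render a class list as IOS policy-map configuration lines."""
    lines = [f"policy-map {name}"]
    for cname, actions in classes:
        lines.append(f" class {cname}")
        for action in actions:
            for pattern, replacement in SHOW_TO_CONFIG:
                action = pattern.sub(replacement, action)
            lines.append(f"  {action}")
    return lines


if __name__ == "__main__":
    parsed = parse_show_policy_map(SHOW_POLICY_MAP)
    merged = merge_policy_maps(parsed["CORP_QOS"], parsed["BLOCKED_SITES"])
    print("\n".join(render_policy_map("CORP_QOS", merged)))
```

The rendered CORP_QOS block is what would be entered under configure terminal; because it reuses the policy-map name already attached to the interface, the existing service-policy statement stays in place and the separate BLOCKED_SITES policy-map can be removed once the merge is confirmed.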
