How to block Facebook, Orkut & youtube.com on a Cisco 877 router?

Hi

I need to block Facebook, Orkut & youtube.com. When I apply an ACL to block those sites it works, but all of those sites change their site addresses dynamically, so the ACL stops working after the IP changes.
Can anyone help me with how to block the above websites on my Cisco 877 router?

vikrant
vikrantambhore Asked:

vikrantambhore (Author) Commented:
It's working from this http://www.proghana.com/index.php?option=com_kunena&Itemid=123&catid=20&func=view&id=5


Thanks all
In the event the link fails, below is the applied solution:

R1>enable
R1#configure terminal

Create a traffic class called SOCIAL_NET. Use the ‘match-any’ parameter, not ‘match-all’.
R1(config)#class-map match-any SOCIAL_NET

Match all HTTP traffic destined to the social networking sites of your choice. Only three are listed here.
R1(config-cmap)#match protocol http host www.facebook.com
R1(config-cmap)#match protocol http host www.youtube.com
R1(config-cmap)#match protocol http host www.hi5.com
R1(config-cmap)#exit

Create a policy-map called DROP_SOCIAL_NET and ‘drop’ all traffic that matches the class-map defined above. 

If you decide instead to “frustrate” your users from accessing the sites, you may choose not to ‘drop’ their traffic outright but rather allocate only 8kbps of your bandwidth to the social network websites. You cannot use the ‘drop’ and ‘police’ actions at the same time. Use either ‘drop’ or ‘police’ depending on what you want to achieve.

R1(config)#policy-map DROP_SOCIAL_NET
R1(config-pmap)#class SOCIAL_NET
R1(config-pmap-c)#drop
R1(config-pmap-c)#exit

OR

R1(config)#policy-map DROP_SOCIAL_NET
R1(config-pmap)#class SOCIAL_NET
R1(config-pmap-c)#police 8000
R1(config-pmap-c-police)#exit
R1(config-pmap-c)#exit

Now apply this policy-map action to the outside interface of your router. The outside interface refers to the part of your router that faces the Internet. We shall apply the action in the outbound direction.
R1(config)#interface FastEthernet0/0
R1(config-if)#service-policy output DROP_SOCIAL_NET
R1(config-if)#end

(added by Alan Hardisty - EE Zone Advisor)


0
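What the class-map in the accepted answer actually keys on, modelled in Python as an added example (this is not code from the original post and not Cisco's NBAR implementation): the router classifies on the Host header of a plaintext HTTP request rather than on the destination IP, which is why the match survives the address changes that broke the IP ACL. The same mechanism cannot see the Host header of an HTTPS connection, because it is carried inside TLS, so a flow to port 443 falls through to the default class. The sample flows are constructed, and the `*` wildcard handling via `fnmatch` is this model's assumption.

```python
import fnmatch

# Constructed sample of what the router sees for three client connections:
# two plaintext HTTP requests and the first bytes of a TLS ClientHello
# (HTTPS), where the Host header is encrypted and invisible to the router.
SAMPLE_FLOWS = [
    {"dst_port": 80, "payload": b"GET / HTTP/1.1\r\nHost: www.facebook.com\r\n\r\n"},
    {"dst_port": 80, "payload": b"GET /watch?v=x HTTP/1.1\r\nHost: www.youtube.com\r\n\r\n"},
    {"dst_port": 443, "payload": b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"},
]

# The hosts from the thread's class-map SOCIAL_NET (match-any semantics).
SOCIAL_NET = ["www.facebook.com", "www.youtube.com", "www.hi5.com"]


def http_host(payload):
    """Return the Host header of a plaintext HTTP request, or None.

    Anything that is not ASCII, or whose first line is not an HTTP request
    line, is treated as 'not HTTP' -- which is what a TLS handshake looks like.
    """
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return None
    head, _, _ = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    if not lines or " HTTP/" not in lines[0]:
        return None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            return value.strip().lower()
    return None


def classify(flow, hosts=SOCIAL_NET):
    """match-any: the flow is in the class if any host pattern matches its Host header."""
    host = http_host(flow["payload"])
    if host is None:
        return False
    # Assumption of this model: '*' in a pattern behaves as a shell-style wildcard.
    return any(fnmatch.fnmatchcase(host, pattern.lower()) for pattern in hosts)


def apply_policy(flows, action="drop"):
    """Return the (action, dst_port) decision the policy-map would take per flow."""
    return [(action if classify(f) else "forward", f["dst_port"]) for f in flows]


if __name__ == "__main__":
    for decision in apply_policy(SAMPLE_FLOWS):
        print(decision)
```

Running it shows the two plaintext requests dropped and the port-443 flow forwarded untouched; the practical consequence is that the `match protocol http host` approach only covers what users reach over plain HTTP, and the `police 8000` variant has the same blind spot.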
 
evil_hitman Commented:
Using a router, no chance.
Set up a content filter and/or proxy and force people to go through that.
Set up a DNS server, create false records for those sites, and block outbound DNS from anything but your DNS server.

Threaten to beat the living %#$^ out of anyone that visits those sites (OK, so I'm being silly).

Long story short, a router is not a content filter.
0
 
vikrantambhore (Author) Commented:
Can you post some helpful links?



vikrant
0
 
Aaron Tomosky (SD-WAN Simplified) Commented:
One way is to use a DNS server that has content filtering. If you don't run your own DNS, then check out dyndns.org, just one of many.
0
 
mpickreign Commented:
I recommend using Trend Worry-Free Business Security. Great network-based anti-virus/anti-malware/anti-spam product that also does web content filtering. We have several hundred clients running it and it works very well.

Alternatively, if you want to deploy a stand-alone content filter, then Untangle.com has a free lightweight content filter that works fairly well. www.untangle.com
0
 
robsz1 Commented:
Vikrantambhore,

These are large sites which use multiple servers simultaneously to host their content. You will need to use a tool such as nslookup to get all the addresses associated with the site. However, if they add new servers then you will have to also add those into your ACL. You would have to find the various subdomains also and get the IP addresses of those into your ACL as well. Below is an example of an nslookup of img.youtube.com:

C:\Users\Rob>nslookup img.youtube.com
Server:  UnKnown
Address:  192.168.1.1

Non-authoritative answer:
Name:    ytimg.l.google.com
Addresses:  74.125.224.33
          74.125.224.34
          74.125.224.35
          74.125.224.36
          74.125.224.37
          74.125.224.38
          74.125.224.39
          74.125.224.40
          74.125.224.41
          74.125.224.42
          74.125.224.43
          74.125.224.44
          74.125.224.45
          74.125.224.46
          74.125.224.47
          74.125.224.32
Aliases:  img.youtube.com
0
 
vikrantambhore (Author) Commented:
I am using the Cisco 877 as a switch and also as the router. I don't have a DNS server, and it's not possible to install security software on each computer. Please help me if it is possible from the Cisco 877; the gateway and preferred DNS for all client systems is the Cisco 877.


0
 
vikrantambhore (Author) Commented:
Hello robsz1,

Can you suggest one example of applying an ACL?


vikrant
0
 
evil_hitman Commented:
It can't be done using a router..... period, not for sites like those, unless you block thousands of IPs.
You will need some sort of device to do the content filtering... be it software on the client machines or a proxy.
If you're comfortable playing with Linux, then Squid proxy with the DansGuardian content filter.
If you want a turnkey solution, try IronPort, Barracuda or similar.
0
 
evil_hitman Commented:
Here is a good page covering DansGuardian etc.:
http://www.linux.com/archive/feature/113733
0
 
sumeshbnr Commented:
Why don't you create a proxy server and filter based on rules? Or you can use pfSense, Untangle or similar open-source applications that you put after the router, then define rules there.

Or try OpenDNS, and you can block sites.
0
 
robsz1 Commented:
It is really not an ideal method. It would be very difficult to maintain, and chances are you are going to miss an IP and the site will still be accessible. Though to say it cannot be done is absurd. "Cannot be done" and "difficult to do" are very different terms. Assuming you already have an ACL, something along the lines of this would be added to your outbound ACL:

access-list 110 remark block LAN 192.168.100.0/24 to the img.youtube.com range 74.125.224.32-47 (/28)
access-list 110 deny   ip 192.168.100.0 0.0.0.255 74.125.224.32 0.0.0.15

That being said, you really want to use another method. The time required to get it to work through your router, and keep it working, would be worth the investment. With a content filter you can also get statistics on what sites are being visited the most. Next thing you know, you are finding that 20% of your bandwidth is going to looking up sports news when people should be working. If need be, you could go to your local pawn shop and buy a computer for cheap and turn it into your content filter. You would then want to block all outgoing web traffic from your clients and permit only the content filter server in your ACL. Then you can instruct your users on configuring their browsers to use the proxy server.
0
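The two robsz1 posts above (the nslookup listing for img.youtube.com and the outbound ACL entry) describe a manual procedure: resolve the site, collect every address, and turn the range into an extended-ACL deny with a Cisco wildcard mask. The Python below is an added example, not code from the thread, that automates exactly that step: it parses the nslookup output quoted in the thread (embedded here as constructed sample input so the script runs offline), collapses the addresses into the fewest covering CIDR blocks, and prints the ACL lines. The ACL number 110 and the LAN 192.168.100.0/24 are taken from robsz1's example; re-running it with one extra (constructed) address shows the maintenance burden the thread warns about.

```python
import ipaddress
import re

# Constructed sample: the Windows nslookup output for img.youtube.com quoted
# earlier in the thread, embedded so the script needs no network access.
SAMPLE_NSLOOKUP = """\
Server:  UnKnown
Address:  192.168.1.1

Non-authoritative answer:
Name:    ytimg.l.google.com
Addresses:  74.125.224.33
          74.125.224.34
          74.125.224.35
          74.125.224.36
          74.125.224.37
          74.125.224.38
          74.125.224.39
          74.125.224.40
          74.125.224.41
          74.125.224.42
          74.125.224.43
          74.125.224.44
          74.125.224.45
          74.125.224.46
          74.125.224.47
          74.125.224.32
Aliases:  img.youtube.com
"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_nslookup(text):
    """Extract the answer addresses from nslookup output.

    Everything before the first 'Name:' line describes the resolver itself
    (its 'Address:' must never end up in the ACL), so it is skipped.
    """
    addrs = []
    in_answer = False
    for line in text.splitlines():
        if line.startswith("Name:"):
            in_answer = True
            continue
        if in_answer:
            addrs.extend(ipaddress.IPv4Address(m) for m in IPV4_RE.findall(line))
    return addrs


def summarize(addrs):
    """Collapse individual addresses into the fewest covering CIDR blocks."""
    return list(ipaddress.collapse_addresses(ipaddress.IPv4Network(f"{a}/32") for a in addrs))


def acl_lines(addrs, acl_number=110, lan="192.168.100.0", lan_wildcard="0.0.0.255"):
    """Render deny entries in Cisco extended-ACL syntax.

    A Cisco wildcard mask is the bitwise inverse of the netmask, which is
    exactly IPv4Network.hostmask; a single address uses the 'host' keyword.
    """
    lines = []
    for net in summarize(addrs):
        if net.prefixlen == 32:
            dst = f"host {net.network_address}"
        else:
            dst = f"{net.network_address} {net.hostmask}"
        lines.append(f"access-list {acl_number} deny ip {lan} {lan_wildcard} {dst}")
    return lines


if __name__ == "__main__":
    current = parse_nslookup(SAMPLE_NSLOOKUP)
    for line in acl_lines(current):
        print(line)
    # The site adds a server (constructed address): the ACL has to be
    # regenerated and re-applied, which is the maintenance problem robsz1 describes.
    print("-- after a new server appears --")
    for line in acl_lines(current + ["74.125.224.48"]):
        print(line)
```

For the sample the sixteen addresses 74.125.224.32 to .47 collapse to a single /28, i.e. wildcard 0.0.0.15; one new address outside that block immediately needs a second entry, and nothing in the router tells you when that happens.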
 
vikrantambhore (Author) Commented:
Thanks all,

it's working from the above link.
0
 
evil_hitman Commented:
Hi, whether it's me or someone else, you should assign points to the people who helped solve your issue.
0
 
vikrantambhore (Author) Commented:
Dear evil_hitman,

I have no problem assigning points, but it was solved at my own level; anyway, if you feel so, I will give points.

You need to wait.
0
 
vikrantambhore (Author) Commented:
I recommend that #4 & ID: 35330185 be marked as the answer.

Thanks
0
 
vikrantambhore (Author) Commented:
It's solved at my own level.
0