
Cisco URL filtering


A short guide to URL filtering on a Cisco router. As far as I know it requires an IOS image with the "advanced ip services" feature set.
All we need for this to work is a class-map to define the URLs we wish to block, and a policy-map to enforce the block.

The configuration will look like this:

class-map match-any URL-filter
 match protocol http host "*domain.com*"

policy-map Inspection
 class URL-filter
  drop

Then apply it on the external interface: service-policy output Inspection
or on the internal interface: service-policy output Inspection

I have tested it and found no bugs with this configuration; only the intended websites get blocked.
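The class-map above matches the Host header of a plaintext HTTP request, which is why the same pattern cannot see into an HTTPS connection (the question raised in the comments below). As an added example that is not part of the original post, the Python below extracts the hostname a filtering device can actually observe from both kinds of traffic: the Host header of an HTTP request, and the Server Name Indication carried unencrypted in a TLS ClientHello, where the URL path is never visible. The sample request and ClientHello are constructed, and matches_host treats the post's "*domain.com*" wildcard as a plain substring match, which is an assumption about the IOS syntax rather than a documented equivalence.

```python
import struct

def host_from_http_request(data: bytes):
    """Return the Host header of a plaintext HTTP request (what the class-map sees), or None."""
    head = data.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace").split(":")[0]
    return None

def sni_from_client_hello(data: bytes):
    """Return the server_name from a TLS ClientHello record (0x16 / handshake 0x01), or None."""
    if len(data) < 9 or data[0] != 0x16 or data[5] != 0x01:
        return None
    pos = 9 + 2 + 32                                  # skip record+handshake headers, version, random
    sid_len = data[pos]; pos += 1 + sid_len           # session id
    cs_len = struct.unpack(">H", data[pos:pos + 2])[0]; pos += 2 + cs_len   # cipher suites
    cm_len = data[pos]; pos += 1 + cm_len             # compression methods
    if pos + 2 > len(data):
        return None                                   # no extensions block at all
    ext_len = struct.unpack(">H", data[pos:pos + 2])[0]; pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack(">HH", data[pos:pos + 4]); pos += 4
        if etype == 0:                                # server_name: list len(2), type(1), len(2), name
            name_len = struct.unpack(">H", data[pos + 3:pos + 5])[0]
            return data[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
        pos += elen
    return None

def build_client_hello(server_name: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello whose only extension is SNI (sample input)."""
    name = server_name.encode()
    sni = struct.pack(">HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack(">HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + bytes(32) + b"\x00"         # client_version, random, empty session id
            + b"\x00\x02\xc0\x2f"                     # one cipher suite
            + b"\x01\x00"                             # null compression only
            + struct.pack(">H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs

def matches_host(pattern: str, host) -> bool:
    """Assumed reading of the post's "*domain.com*" wildcard: bare text anywhere in the host."""
    return host is not None and pattern.strip("*").lower() in host.lower()

# Constructed sample traffic, not captured data.
HTTP_REQ = b"GET /watch?v=1 HTTP/1.1\r\nHost: www.domain.com\r\nConnection: close\r\n\r\n"
TLS_HELLO = build_client_hello("www.domain.com")
```

Run the two extractors over the two samples: the HTTP request yields both the host and the path, while the ClientHello yields only the SNI, so a hostname block can still be enforced there but a URL-level one cannot.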


Hope this post was helpful. If it was, please consider a donation:
BTC Address: 1CnyMpjd1RntRDxSus2hu2aDMyzL4Kj29N

LTC Address: LUqrKbzGihTU2GEnL3EwsuuLHCsxCJMdtR

8 comments:

  1. Should it be service-policy input Inspection on the internal interface?

    1. Unlike access-lists, it should work both ingress and egress;
      think of the inspection from the perspective of the router: it searches for "*domain.com*" no matter which direction.
      Now, which will be more correct is another question. I think the best will be on the internal interface facing in (just like you said) to save some processor cycles.

  2. This comment has been removed by the author.

  3. I have tried to block youtube.com; it succeeded, but if the user tries to open it with the https protocol it can still be opened.
    If I add
    class-map match-all ACL
     match protocol secure-http
     match protocol http host "*domain.com*"
    all the https web sites will not be opened.
    Do you have any suggestion to block access to any website that contains x domain?

    1. This comment has been removed by the author.

    2. I was able to find a few more ways to filter basic HTTP, but sadly, since an HTTPS packet is encrypted and just opening the packet requires a firewall smarter than a Cisco router (most firewalls achieve this with no problem; Cisco ASA is no exception), the only working methods I found are blocking by an ACL (IP based), which can cause damage, or using the Cisco as a DNS server and redirecting the requested site to a different location. Of course this is a weak solution, since the client can simply use a different DNS or the local HOSTS file to get around this "obstacle", but it will stop your average user.

      I just added a post on configuring the Cisco as a DNS, take a look here:
      http://www.networklabs.info/2012/10/cisco-as-dns-server.html

  4. How do I filter DNS requests on the router?

    1. Please take a look here:
      http://www.networklabs.info/2012/10/cisco-as-dns-server.html

      Good luck :)
