Cisco URL filtering

A short guide to URL filtering on a Cisco router. As far as I know, it requires an IOS with "advanced ip services".
All we need for this to work is a class-map to define the URLs we wish to block, and a policy-map to enable the block.

The configuration will look like this:
class-map match-any URL-filter
 match protocol http host "**"

policy-map Inspection
 class URL-filter
  ! action that performs the block
  drop

On the external interface: service-policy output Inspection
or on the internal interface: service-policy output Inspection

I have tested it and found no bugs with this configuration; only intended websites get blocked.
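An added Python sketch (not from the original post, and not the router's own code) of what the `match protocol http host` class keys on: the Host header of a plaintext HTTP request, which is not visible when the same site is opened over TLS. The pattern `*blocked.example*`, the sample payloads, and the use of `fnmatch` to approximate the router's wildcard matching are assumptions made for illustration.

```python
import fnmatch

# Constructed first payloads of three client flows (not captured traffic).
HTTP_REQ = b"GET /watch HTTP/1.1\r\nHost: www.blocked.example\r\nAccept: */*\r\n\r\n"
HTTP_OTHER = b"GET / HTTP/1.1\r\nhost: intranet.example:8080\r\n\r\n"
# Start of a TLS handshake record: the same site opened over HTTPS.
TLS_HELLO = bytes.fromhex("16030100c8010000c40303") + bytes(32)

PATTERN = "*blocked.example*"  # hypothetical host pattern


def http_host(payload):
    """Return the lower-cased Host header of a plaintext HTTP request, else None."""
    head = payload.partition(b"\r\n\r\n")[0]
    lines = head.split(b"\r\n")
    request_line = lines[0].split(b" ")
    if len(request_line) != 3 or not request_line[2].startswith(b"HTTP/"):
        return None  # no HTTP request line, e.g. a TLS record
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace").lower()
    return None


def verdict(payload, pattern=PATTERN):
    """'drop' when a visible Host header matches the pattern, otherwise 'pass'."""
    host = http_host(payload)
    if host is None:
        return "pass"
    return "drop" if fnmatch.fnmatchcase(host, pattern.lower()) else "pass"


def audit(hosts, pattern=PATTERN):
    """List every host the pattern would block, to spot unintended matches."""
    return [h for h in hosts if fnmatch.fnmatchcase(h.lower(), pattern.lower())]


if __name__ == "__main__":
    for label, data in [("http", HTTP_REQ), ("http-other", HTTP_OTHER), ("tls", TLS_HELLO)]:
        print(label, http_host(data), verdict(data))
    print(audit(["www.blocked.example", "notblocked.example", "example.org"]))
```

Running `audit` over a list of hosts your users actually need is a quick way to confirm that a wildcard pattern blocks only the intended sites before it goes on the router.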



  1. Should it be service-policy input Inspection on the internal interface?

    1. Unlike access lists, it should work both ingress and egress.
      Think of the inspection from the perspective of the router: it searches for "**" no matter which direction.
      Now, which will be more correct is another question - I think the best will be on the internal interface facing in (just like you said) to save some processor cycles.

  2. This comment has been removed by the author.

  3. I have tried to block; it succeeded, but if the user tries to open the site with the https protocol it can still be opened.
    If I add
    class-map match-all ACL
    match protocol secure-http
    match protocol http host "**"
    all the https web sites will not be opened.
    Do you have any suggestion to block access to any website that contains x domain?

    1. This comment has been removed by the author.

    2. I was able to find a few more ways to filter basic HTTP, but sadly, seeing as an HTTPS packet is encrypted and just opening the packet requires a firewall smarter than a Cisco router (most firewalls achieve this with no problem, Cisco ASA is no exception), the only working methods I found are blocking by an ACL (IP based), but this can cause damage, or using the Cisco as a DNS server and redirecting the requested site to a different location. Of course, these are weak solutions, seeing as the client can simply use a different DNS or the local HOST file to correct this "obstacle", but it will stop your average user.

      I just added a post on configuring the Cisco as a DNS, take a look here:

  4. How to filter the DNS request on the router?

    1. Please take a look here:

      Good luck :)
