
Cisco URL filtering


A short guide for URL filtering in a Cisco router. As far as I know, it requires an IOS with "advanced ip services".
All we need for this to work is a class-map to define the URLs we wish to block and a policy-map to enable the block.

The configuration will look like this:
class-map match-any URL-filter
 match protocol http host "*domain.com*"

policy-map Inspection
 class URL-filter
  drop

On the external interface: service-policy output Inspection
or on the internal interface: service-policy output Inspection

I have tested it and found no bugs with this configuration; only the intended websites get blocked.
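
To check which requests a pattern such as "*domain.com*" covers before deploying it, the following added example (not part of the original post and not Cisco code) models the class-map match as a shell-style glob applied to the Host header of a plaintext HTTP request. That matching model, the function names and the sample payloads are assumptions constructed for illustration.

```python
import fnmatch

PATTERN = "*domain.com*"  # host pattern from the class-map in the post

def host_header(payload: bytes):
    """Return the lower-cased Host header of a plaintext HTTP/1.x request, else None."""
    lines = payload.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    request_line = lines[0].split(b" ")
    if len(request_line) != 3 or not request_line[2].startswith(b"HTTP/1."):
        return None  # not a readable HTTP request (for example a TLS record)
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace").lower()
    return None

def would_drop(payload: bytes, pattern: str = PATTERN) -> bool:
    """Assumed model of the match: glob applied to the whole Host value."""
    host = host_header(payload)
    return host is not None and fnmatch.fnmatchcase(host, pattern.lower())

def http_get(host: str) -> bytes:
    """Build a minimal plaintext HTTP/1.1 request for the given Host value."""
    return f"GET / HTTP/1.1\r\nHost: {host}\r\nAccept: */*\r\n\r\n".encode("ascii")

# Constructed test payloads; none of this is captured traffic.
SAMPLES = {
    "intended site": http_get("www.domain.com"),
    "intended site, explicit port": http_get("domain.com:8080"),
    "unrelated site": http_get("www.example.org"),
    "other site containing the string": http_get("mydomain.com.example.net"),
    "TLS record (HTTPS), Host not readable":
        b"\x16\x03\x01\x00\x2e\x01\x00\x00\x2a\x03\x03" + bytes(32),
}

def coverage(pattern: str = PATTERN) -> dict:
    """Map each sample label to True when the policy would drop it."""
    return {label: would_drop(p, pattern) for label, p in SAMPLES.items()}

if __name__ == "__main__":
    for label, dropped in coverage().items():
        print(f"{'drop' if dropped else 'pass':4}  {label}")
```

Under this model, a pattern with wildcards on both sides also matches other hostnames that merely contain the string, and a TLS record carries no readable Host header for the match to act on.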



12 comments:

  1. Should it be service-policy input Inspection on the internal interface?

    Replies
    1. Unlike access-lists, it should work both ingress and egress;
      think of the inspection from the perspective of the router: it searches for "*domain.com*" no matter which direction.
      Now, which will be more correct is another question - I think the best will be on the internal interface facing in (just like you said) to save some processor cycles.

  3. I have tried to block youtube.com; it succeeded, but if the user tries to open it with the https protocol it can still be opened.
    If I add
    class-map match-all ACL
    match protocol secure-http
    match protocol http host "*domain.com*"
    all the https web sites will not be opened.
    Do you have any suggestion to block access to any website that contains x domain?

    Replies
    2. I was able to find a few more ways to filter basic HTTP, but sadly, seeing as an HTTPS packet is encrypted and just opening the packet requires a firewall smarter than a Cisco router (most firewalls achieve this with no problem, Cisco ASA is no exception), the only working methods I found are blocking by an ACL (IP based), but this can cause damage, or using the Cisco as a DNS server and redirecting the requested site to a different location. Of course this is a weak solution, seeing as the client can simply use a different DNS or the local HOST file to correct this "obstacle", but it will stop your average user.

      I just added a post on configuring the Cisco as a DNS, take a look here:
      http://www.networklabs.info/2012/10/cisco-as-dns-server.html

  4. How to filter the DNS request on router..

    Replies
    1. Please take a look here :
      http://www.networklabs.info/2012/10/cisco-as-dns-server.html

      Good luck :)
