hanymanyy Wed, 06/06/2007 - 14:22

I don't know how, that's why I'm asking.

I'm using an 827 router and IOS 12.2.

Is it helpful?

david.bradley Thu, 06/07/2007 - 01:02

You need the firewall feature set. If you want to control what extensions are being downloaded (assuming you mean Java applets, for example) you need to use CBAC, and that's a feature of the firewall feature set. You can also block specific URLs.

Assuming you can install the FW version try using SDM to configure the router.

mohammedmahmoud Sat, 06/09/2007 - 04:42


The logic is that simple. I'll try to simplify 2 methods, and you can use either of them. The first method is to match what you want via NBAR (match protocol), and then to police it.

class-map match-any http
 match protocol http url "*www.google.com*"
 match protocol http url "*.rar*"
!
policy-map drop-http
 class http
  police 1000000 31250 31250 conform-action drop exceed-action drop violate-action drop
!
! The policy-map is defined above before it is attached to the interface
interface FastEthernet0/0
 service-policy input drop-http

The second method is to mark the traffic on the ingress on the Ethernet port and then deny it on the egress at the serial port:

class-map match-any http
 match protocol http url "*www.google.com*"
 match protocol http url "*.rar*"
!
policy-map mark-http
 class http
  set dscp 1
!
interface FastEthernet0/0
 service-policy input mark-http
!
! The access-group number must be the ACL defined below (103)
interface Serial1/0.1 point-to-point
 ip access-group 103 in
 ip access-group 103 out
!
access-list 103 deny ip any any dscp 1
access-list 103 permit ip any any

I hope that I've been informative; please never hesitate to ask further questions.

HTH, please do rate all helpful replies using the scroll box on the right,

Mohammed Mahmoud.

ariela Sat, 06/09/2007 - 05:49

Just another example:

class-map match-any DropTraffic
 match protocol http url "*www.google.com*"
 match protocol http url "*.rar*"
!
policy-map mark-DropTraffic
 class DropTraffic
  set dscp 1
!
interface FastEthernet0/0
 service-policy input mark-DropTraffic
!
interface Serial1/0.1 point-to-point
 ip policy route-map null_policy_route
!
route-map null_policy_route 10
 match ip dscp 1
 set interface Null0
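Added example, not part of the thread or of any poster's configuration: a small Python check that lists service-policy, class, ip access-group and ip policy route-map references whose target is never defined. IOS accepts an access-group that points at a missing ACL without complaint, so the filter silently does nothing. The sample configuration is constructed for the demonstration, and dangling_references is a hypothetical helper name.

```python
import re

# Constructed sample modelled on the mark-and-drop approach in this thread.
# The ACL number on the interface and the route-map are deliberately undefined.
SAMPLE_CONFIG = """\
class-map match-any http
 match protocol http url "*.rar*"
policy-map mark-http
 class http
  set dscp 1
interface FastEthernet0/0
 service-policy input mark-http
interface Serial1/0.1 point-to-point
 ip access-group 101 out
 ip policy route-map null_policy_route
access-list 103 deny ip any any dscp 1
access-list 103 permit ip any any
"""

# kind -> regex whose group 1 is the name being defined
DEFINITIONS = {
    "class-map": re.compile(r"^class-map(?: match-(?:any|all))? (\S+)"),
    "policy-map": re.compile(r"^policy-map (\S+)"),
    "access-list": re.compile(r"^(?:access-list|ip access-list \w+) (\S+)"),
    "route-map": re.compile(r"^route-map (\S+)"),
}
# kind -> regex whose group 1 is the name being referenced
REFERENCES = {
    "class-map": re.compile(r"^class (\S+)"),
    "policy-map": re.compile(r"^service-policy (?:input|output) (\S+)"),
    "access-list": re.compile(r"^ip access-group (\S+) (?:in|out)"),
    "route-map": re.compile(r"^ip policy route-map (\S+)"),
}

def dangling_references(config):
    """Return sorted (kind, name, line_no) for references with no definition."""
    lines = [ln.strip() for ln in config.splitlines()]
    defined = {kind: {m.group(1) for ln in lines if (m := rx.match(ln))}
               for kind, rx in DEFINITIONS.items()}
    defined["class-map"].add("class-default")  # built-in class, never declared
    return sorted((kind, m.group(1), no)
                  for no, ln in enumerate(lines, 1)
                  for kind, rx in REFERENCES.items()
                  if (m := rx.match(ln)) and m.group(1) not in defined[kind])

if __name__ == "__main__":
    for kind, name, no in dangling_references(SAMPLE_CONFIG):
        print(f"line {no}: {kind} '{name}' is referenced but never defined")
```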



hanymanyy Sat, 06/09/2007 - 13:26

This is the result:

hanymanyy(config-cmap)#match protocol http url "*www.google.com*"


% Invalid input detected at '^' marker.

It's wrong at http.

I don't know what's wrong.

Do you?

mohammedmahmoud Sat, 06/09/2007 - 13:39


Can you please try this, and paste the output:

hanymanyy(config-cmap)#match protocol ?


hanymanyy(config-cmap)#match p?


Mohammed Mahmoud.

hanymanyy Sun, 06/10/2007 - 10:35

Sorry again.

Is there any ACL which denies downloading some specific files? With an example.

And another ACL to deny some specific site?

With no tools or devices.

mohammedmahmoud Sun, 06/10/2007 - 23:58

Hi Hany,

Unfortunately the answer is no; you need Cisco IOS URL Filtering or NBAR to filter specific websites or specific files, or use a web proxy as Andrea suggested. An ACL can't do it.


Mohammed Mahmoud.

