
How can I block web sites and specific extensions?

hanymanyy
Level 1

How can I block specific web sites?

And how can I block some specific extensions from being downloaded?


bjw
Level 4

There's a bevy of firewall products out there that can do that. ASA series in Cisco's case.

I don't know how, that's why I'm asking.

I'm using router 827 and IOS 12.2.

Is it helpful?

You need the firewall feature set. If you want to control what extensions are being downloaded (assuming you mean Java applets, for example) you need to use CBAC, and that's a feature of the firewall feature set. You can also block specific URLs.

Assuming you can install the FW version, try using SDM to configure the router.

Hi,

You can use NBAR to match the traffic to drop, then use a solution like ACL/PBR (best for performance) to deny/route to Null0.

See that for example:

http://www.cisco.com/en/US/products/hw/routers/ps359/products_tech_note09186a00800fc176.shtml

HTH

Andrea

Sorry, I'm not expert enough to do that.

Can you give me an example, at least?

How can I block the rar extension and block www.google.com?

Hi,

The logic is that simple. I'll try to simplify 2 methods, and you can use any of them. The first method is to match what you want via NBAR (match protocol), and then to police it.

! Classify the HTTP requests to block
class-map match-any http
 match protocol http url "*www.google.com*"
 match protocol http url "*.rar*"
!
! Police the class with every action set to drop
policy-map drop-http
 class http
  police 1000000 31250 31250 conform-action drop exceed-action drop violate-action drop
!
! Attach the policy after it has been defined
interface FastEthernet0/0
 service-policy input drop-http

The second method is to mark the traffic on the ingress on the Ethernet port and then deny it on the egress at the serial port:

class-map match-any http
 match protocol http url "*www.google.com*"
 match protocol http url "*.rar*"
!
policy-map mark-http
 class http
  set dscp 1
!
! Mark matching traffic as it enters the Ethernet port
interface FastEthernet0/0
 service-policy input mark-http
!
! Apply the ACL that denies the marked traffic (same number as the ACL below)
interface Serial1/0.1 point-to-point
 ip access-group 103 in
 ip access-group 103 out
!
access-list 103 deny ip any any dscp 1
access-list 103 permit ip any any

I hope that I've been informative, please never hesitate for further questions.

HTH, please do rate all helpful replies using the scroll box on the right,

Mohammed Mahmoud.

Just another example:

class-map match-any DropTraffic
 match protocol http url "*www.google.com*"
 match protocol http url "*.rar*"
!
policy-map mark-DropTraffic
 class DropTraffic
  set dscp 1
!
interface FastEthernet0/0
 service-policy input mark-DropTraffic
!
interface Serial1/0.1 point-to-point
 ip policy route-map null_policy_route
!
route-map null_policy_route 10
 match ip dscp 1
 set interface Null0

HTH

Andrea

This is the result:

hanymanyy(config-cmap)#match protocol http url "*www.google.com*"

^

% Invalid input detected at '^' marker.

It's wrong at http.

I don't know what's wrong.

Do you?

Hi,

Can you please try this, and paste the output:

hanymanyy(config-cmap)#match protocol ?

or

hanymanyy(config-cmap)#match p?

BR,

Mohammed Mahmoud.

Hi,

Unfortunately, according to Cisco Feature Navigator, NBAR is not supported on your Cisco 827. Please check it out:

http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp

HTH,

Mohammed Mahmoud.

Yes, correct, I've made a mistake: 8xx supports NBAR but not 827 :(

As David says, you could use a solution like that:

http://www.cisco.com/en/US/products/ps6643/products_white_paper0900aecd804abb11.shtml

"Configuring Cisco IOS URL Filtering Using the Command-Line Interface (CLI)"

HTH

Andrea

Sorry again.

Can you give me an example?

Hi,

What about using a web proxy like Squid with a URL filter like squidGuard, DansGuardian and so on?

http://www.squid-cache.org/Misc/related-software.dyn

That is probably the easy way for you.

HTH

Andrea
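
A minimal squid.conf for the proxy approach suggested above, covering the two blocks asked about in this thread (www.google.com and .rar downloads). This is an added example, not part of the original posts; the client subnet 192.168.1.0/24 and the listening port 3128 are assumptions.

```conf
# Added example, not from the thread.
# Assumptions: clients live in 192.168.1.0/24 and Squid listens on port 3128.
http_port 3128

# Who may use the proxy (constructed subnet).
acl localnet src 192.168.1.0/24

# Restrict the proxy to web ports so it cannot be used as a generic tunnel.
acl Safe_ports port 80 443
acl SSL_ports port 443
acl CONNECT method CONNECT

# Site block. dstdomain compares the requested host name, which is also
# present in an HTTPS CONNECT request, so https://www.google.com is covered.
# Writing ".google.com" (leading dot) would block every subdomain as well.
acl blocked_sites dstdomain www.google.com

# Extension block. urlpath_regex looks at the URL path only, -i ignores case,
# and the pattern is anchored to the end of the path (an optional query
# string is allowed) so that "/rare-books.html" is not caught.
acl blocked_ext urlpath_regex -i \.rar(\?.*)?$

# Rules are evaluated top to bottom; the first match wins.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny blocked_sites
http_access deny blocked_ext
http_access allow localnet
http_access deny all
```

The extension rule only sees plain HTTP requests; inside an HTTPS tunnel the proxy sees just the host name, so only the site block applies there. The filter is enforceable only if clients cannot reach ports 80 and 443 except through the proxy.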

Sorry again.

Is there any ACL which denies downloading some specific files? With an example.

And another ACL to deny some specific site?

With no tools or devices.
