Creating Whitelist for specific URLs Blocking ALL others

Unanswered Question
May 9th, 2008

Hi All. I have a Cisco 1711 router that I need to create a whitelist on. I need to be able to allow hundreds of allowed websites and block ALL others.

I have no problem creating the allowed website list. My question is: how do I block ALL other websites?

My other question is: how many websites is it possible to allow? 100? 1000? Is the amount I can allow or permit based on the router's memory?

Any help in this matter is greatly appreciated.

joseph.derrick Sun, 05/11/2008 - 00:10


Routers do not know the actual payload of data. What a router basically does is route packets without having an interest in what data it is.

Though it's possible to create access lists on the router to do this (packet filter), the time will come when you will encounter problems with sites that often change IP addresses/ports.

My suggestion is to create an access list to intercept all packets destined to port 80 (HTTP) and redirect them to a proxy server. The proxy server will check whether each site is allowed or not.

I have tried setting this up on the following setup:

Operating System: Linux/Any NIX based system

Proxy Software: Squid

Filtering (blacklisting/whitelisting/graylisting): DansGuardian

Please rate if it helps.


Joseph Derrick

httptrashcan Wed, 05/28/2008 - 19:11

I will respond to my own inquiry since I have found the answers.

You can block ALL websites by using the wildcard *.*.*

I did this through the Security Device Manager. You can also use the SDM to import and export URL lists.

Cisco IOS URL Filtering supports up to 256 static URLs.

You can find a wealth of information about Cisco IOS Filtering on the Cisco website:

httptrashcan Wed, 05/28/2008 - 19:20

I would also like to ask another question for those who may know the answer.

I am able to whitelist websites for all computers on the network but I need to be able to exclude specific computers from the whitelist and I am not sure how to do this.

Right now I have the whitelist set up to inspect all traffic coming into vlan1.

    interface vlan1
     ip address
     ip inspect myiosurlfilter in

I need to be able to exclude at least 1 to 3 IP addresses from being whitelisted.

Thanks in Advance for any help.
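
The proxy approach suggested earlier in the thread can express both the default-deny whitelist and the per-client exemption asked about here. The following squid.conf fragment is an added example, not configuration posted by anyone in the thread; it uses Squid's own ACLs without DansGuardian, and the port, file path and addresses are constructed placeholders.

```conf
# Added example, not from the thread. Port, path and addresses are
# constructed placeholders (192.0.2.0/24 is a documentation range).

# Port that receives the port-80 traffic the router redirects to the proxy.
# "intercept" is the Squid 3.1+ keyword; older releases used "transparent".
http_port 3128 intercept

# Only the internal network may use the proxy at all.
acl lan src 192.0.2.0/24

# Clients exempt from the whitelist (the 1 to 3 hosts in the question).
acl unfiltered_hosts src 192.0.2.10 192.0.2.11

# One domain per line; a leading dot (.example.com) also matches subdomains.
acl allowed_sites dstdomain "/etc/squid/whitelist.txt"

# Rules are evaluated top-down and the first matching rule decides.
http_access deny !lan
http_access allow unfiltered_hosts
http_access allow allowed_sites
http_access deny all
```

Because `dstdomain` matches on the requested hostname, the list keeps working when a site changes IP addresses. Only traffic that the router actually redirects (port 80 in the suggestion above) is subject to these rules.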

httptrashcan Sat, 09/06/2008 - 10:49

Would a VLAN solve this issue? Would it be possible for me to divide the 4-port switch into 2 VLANs: a VLAN for filtered traffic and a VLAN for unfiltered traffic? If this sounds feasible, can anyone show me how to set it up properly? I would need both VLANs to be on the same network so they could communicate with each other. Just trying to find a solution here, but I'm not too experienced. Hoping someone can help me out.

