09-02-2008 04:28 AM - edited 03-06-2019 01:07 AM
Hi, I have a Cisco 7507 router as Internet gateway. I need to block URLs on this. Can I do this, and how? Please tell me.
09-02-2008 09:15 AM
Hi Sanjeev
Can you clarify in which environment (like SP/enterprise etc.) you are trying to implement URL blocking?
Regards
09-02-2008 08:06 PM
Hi, I am trying to implement it on an enterprise network with a Cisco 7507 Internet gateway router.
In earlier responses, most of them say you can do it with the following:
class-map match-all test
 match protocol http host *youtube.com*
policy-map test
 class test
  drop
But there is no command like drop?
On this link http://www.cisco.com/en/US/products/hw/routers/ps359/products_tech_note09186a00800fc176.shtml
it is written that you can do it with set dscp 1. I have applied the same, but users are still able to open the site or URL.
Thank you very much for your cooperation.
Thanks,
-Sanjeev
09-02-2008 08:21 PM
If your IOS does not have the firewall feature, it won't be available, I mean the drop.
But what you might do as a workaround:
policy-map test
 class test
  set dscp 8
then
make an ACL matching source LAN and destination any eq dscp 8
this ACL will be a deny ACL
like
access-list 100 deny ip [lan network] any dscp 8
It is not a good way if you have QoS in your network with different marking methods, because this way may overlap with marked traffic.
If you don't have QoS, you can do it like this,
but it is CPU intensive, as it is at the application layer with NBAR.
If helpful, rate.
09-02-2008 09:25 PM
Hi, I have tried with dscp 8 also, but it is not working; the site is still opening.
I actually want to block YouTube; is there any specific DSCP value for this?
I have Cisco IOS 12.3(11)T3.
Thanks,
-Sanjeev
09-02-2008 09:39 PM
I think you have a problem with the matching statement.
Try to make it like
*youtube.com
When specifying a URL for classification, include only the portion of the URL that follows the www.hostname.domain in the match statement. For example, for the URL www.cisco.com/latest/whatsnew.html, include only /latest/whatsnew.html
Within NBAR, the match protocol http c-header-field command is used to specify that NBAR identify request messages (the "c" in the c-header-field portion of the command is for client). The match protocol http s-header-field command is used to specify response messages (the "s" in the s-header-field portion of the command is for server).
Have a look at the following link
http://www.cisco.com/en/US/docs/ios/12_4t/qos/configuration/guide/qsnbar1.html#wp1055866
good luck
If helpful Rate
09-02-2008 09:58 PM
Hi, following is my configuration:
class-map match-all test
 match protocol http url "*youtube.com"
!
!
policy-map test
 class test
  set dscp cs1
ip nbar protocol-discovery on fa5/1/1 out interface.
ACLs applied:
deny ip any any dscp 8
permit ip any any log
I am getting log matches:
10 deny ip any any dscp cs1 (4031 matches)
20 permit ip any any log (50835 matches)
Still the site is opening. I am not able to block the URL. IOS version is 12.3(11)T3.
Thanks,
-Sanjeev
09-03-2008 10:21 PM
One more thing:
you need to apply the policy that matches and marks the traffic on the LAN interface in the input direction
and apply the ACL in the outbound direction on the outside interface that is connected to the Internet.
Good luck
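The mark-then-drop workaround from this thread, assembled with the placement described in the last reply, as an added example that is not any poster's configuration. The names BLOCK-URL, MARK-BLOCKED and DROP-MARKED and the LAN interface FastEthernet0/0/0 are placeholders; fa5/1/1 is the outside interface named in the thread.

```cisco
! Added example, not from the thread. Names and the LAN interface are placeholders.
!
! 1. Classify HTTP requests by their Host header with NBAR.
!    "http host" matches the hostname; "http url" matches only the path after it.
class-map match-any BLOCK-URL
 match protocol http host *youtube.com*
!
! 2. Mark the classified packets. DSCP cs1 is decimal 8, which is why an ACL
!    entered as "dscp 8" is displayed as "dscp cs1".
policy-map MARK-BLOCKED
 class BLOCK-URL
  set dscp cs1
!
! 3. Apply the marking policy inbound on the LAN-facing interface.
interface FastEthernet0/0/0
 description LAN side (placeholder interface name)
 service-policy input MARK-BLOCKED
!
! 4. Drop the marked packets as they leave towards the Internet.
ip access-list extended DROP-MARKED
 deny   ip any any dscp cs1
 permit ip any any
!
interface FastEthernet5/1/1
 description Internet side (outside interface from the thread)
 ip access-group DROP-MARKED out
```

The class counters in `show policy-map interface` and the hit counts in `show access-lists` show whether packets are being marked and then dropped. NBAR's HTTP host match inspects cleartext HTTP only, so HTTPS requests to the same site are not classified.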