Configure 2811 to block access to specific websites

Unanswered Question
Sep 7th, 2009


I have been trying to block access to specific websites on a client's 2811 running C2800NM-ADVENTERPRISEK9-M, Version 12.4(24)T.

I initially tried using an ACL, but the sites just keep coming up. I followed the instructions on this link, created the ACL, searched as much as I could for the IPs linked to the domains I want to block, and then applied the ACL in the outbound direction on the WAN interface, but still no luck.

I was trying to use the SDM to configure the firewall, but I ended up blocking HTTP access to all websites :-(

Any advice will be much appreciated.



Richardsma Mon, 09/07/2009 - 03:22

Post a copy of the ACL so others can see how you've configured it; substitute IPs if necessary.

femi.agboade Wed, 09/16/2009 - 02:41


I have been able to successfully block the websites, only after upgrading my IOS though. See below the commands used; note that you would need an AdvSec IOS on the router to be able to do this:

You can use the URL Filter functions

! set the url filter to a bogus websense IP address

ip urlfilter server vendor websense

! set filter to bypass vendor server if it can't be reached (it can't)

ip urlfilter allow-mode on

! setup a BLACKLIST that gets blocked before ever sending to vendor server

ip inspect name BLACKLIST http urlfilter

ip urlfilter exclusive-domain deny

ip urlfilter exclusive-domain deny

ip urlfilter exclusive-domain deny

! apply filter to LAN interface

interface Fast 0/0

 ip inspect BLACKLIST in
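
One reason an IP-based ACL can miss a site that a hostname list catches is that the same site answers from addresses the ACL does not list. The following is an added Python example (not part of the original posts, and not Cisco code) that models both checks over constructed flows. The domain names, IPs and the matching rule (a full name matches exactly, a leading-dot entry matches any host under that domain) are assumptions for illustration.

```python
# Added illustration: hostname-based filtering, in the style of
# "ip urlfilter exclusive-domain deny", compared with an IP-based ACL.
# All domains, IPs and requests below are constructed sample data.

IP_ACL_DENY = {"203.0.113.10"}  # the only address the admin managed to find
DOMAIN_DENY = ["www.blocked.example", ".social.example"]  # full and partial names


def http_host(raw_request: bytes) -> str:
    """Return the lower-cased Host header (port stripped) of an HTTP/1.x request."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            return value.strip().lower().split(":")[0].rstrip(".")
    return ""


def domain_denied(host: str, deny=DOMAIN_DENY) -> bool:
    """Assumed rule: exact match for full names, suffix match for '.domain' entries."""
    for entry in (d.lower() for d in deny):
        if entry.startswith("."):
            if host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def acl_denied(dst_ip: str, deny=IP_ACL_DENY) -> bool:
    """An ACL only sees the destination address, never the requested name."""
    return dst_ip in deny


# (destination IP the client connected to, raw HTTP request), constructed
FLOWS = [
    ("203.0.113.10", b"GET / HTTP/1.1\r\nHost: www.blocked.example\r\n\r\n"),
    ("198.51.100.77", b"GET / HTTP/1.1\r\nHost: www.blocked.example\r\n\r\n"),
    ("198.51.100.78", b"GET /feed HTTP/1.1\r\nHost: cdn.social.example:80\r\n\r\n"),
    ("192.0.2.50", b"GET / HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
]


def compare(flows=FLOWS):
    """Return (host, blocked_by_acl, blocked_by_domain_list) for each flow."""
    return [(http_host(r), acl_denied(ip), domain_denied(http_host(r))) for ip, r in flows]


if __name__ == "__main__":
    for host, by_acl, by_domain in compare():
        print(f"{host:22} acl={by_acl!s:5} domain={by_domain}")
```

Like the `ip inspect name BLACKLIST http urlfilter` rule above, the hostname check here reads only the Host header of cleartext HTTP requests.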



Joseph Adekoya Wed, 09/23/2009 - 12:26


Can I just ask why you want to use a router for HTTP content filtering? Don't you have McAfee or ISA or PIX with Websense?

femi.agboade Wed, 09/23/2009 - 14:54

Hi Adekoya,

Thank you for your comments. However, if I had any of the appliances/software that you have mentioned, I would have used it, don't you think???

Before ISA, PIX or McAfee, there was plain old Cisco IOS CLI and it worked pretty well...



