Block specific Domain Names UC520

Answered Question
Nov 3rd, 2009

Hello Cisco!

I have a customer who needs to block access to specific Websites, like youtube.

I have tried this, with no luck. Please review config below, and advise.

CIGHYDUC520(config)# access-list 188 deny tcp any host www.youtube.com eq www
Translating "www.badsite.com"...domain server (1.1.1.1) [OK]
CIGHYDUC520(config)# access-list 188 permit tcp any any eq www


When I do a sh ip access-list, it did the right thing and showed me the IP address of the youtube server. However, I figured since youtube has a lot of servers, I need to add all of them. So on my PC I ran this command, nslookup www.youtube.com and youtube.com, added them all (10 of them) in the access list and applied it to the interface. No luck! It finds a new server each time. I am sure Cisco has this figured, and there must be an easier way! Has anyone tried this already?

Please let me know!

Regards,

Prasanna

psingaraju Tue, 11/03/2009 - 09:12

Hello Steve,

Easy sure, but more cheese! Anything else that can be done?

I do not mind adding the access lists for each server I guess. :)

Regards,

Prasanna

Correct Answer
Steven Smith Tue, 11/03/2009 - 09:25

Hi Prasanna,

In IOS, there is the concept of content filtering or URL filtering.  This, however, is not supported on the UC500.

For Small Business, the SA500 would be the way to go.  Either that, or you can block it with the ACLs.

2 other things you can do.  Have a proxy server on site to block content.  Use a DNS server you have control over and block the traffic that way.

Hope that helps.

-Steven
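
The DNS-based option from the answer above, set against the per-host ACL from the question, as an added example (not part of the thread and not Cisco code). The addresses, the policy list and all function names are constructed for illustration; it models the decision logic only, not a real resolver or IOS.

```python
import ipaddress

# Constructed sample data: documentation-range addresses standing in for the
# changing A records a large site returns on successive lookups.
LOOKUPS = [
    ("www.youtube.com", ["192.0.2.10", "192.0.2.11"]),     # snapshot used to build the ACL
    ("www.youtube.com", ["198.51.100.20", "192.0.2.11"]),  # later lookup, new server
    ("m.youtube.com.", ["203.0.113.5"]),                   # other host name, trailing dot
    ("WWW.YouTube.com", ["203.0.113.6"]),                  # mixed case
    ("notyoutube.com", ["203.0.113.77"]),                  # unrelated domain, must stay reachable
]

BLOCKED_DOMAINS = {"youtube.com"}  # hypothetical policy list


def normalize(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.rstrip(".").lower()


def dns_blocked(name, blocked=BLOCKED_DOMAINS):
    """True if name equals a blocked domain or is a subdomain of one.

    Matching walks the labels, so 'notyoutube.com' does not match
    'youtube.com' the way a plain string suffix test would.
    """
    labels = normalize(name).split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


def acl_blocked(addresses, denied_hosts):
    """Model of per-host deny ACL entries: each address is checked on its own."""
    return [ipaddress.ip_address(a) in denied_hosts for a in addresses]


def compare():
    """Return (name, acl_blocks_all_addresses, dns_blocks) for every lookup."""
    denied = {ipaddress.ip_address(a) for a in LOOKUPS[0][1]}  # ACL built once
    return [(n, all(acl_blocked(addrs, denied)), dns_blocked(n)) for n, addrs in LOOKUPS]


if __name__ == "__main__":
    for row in compare():
        print("%-18s acl=%-5s dns=%s" % row)
```

A resolver-side block only covers clients that actually use that resolver, so it is normally paired with an ACL that permits outbound DNS only to it.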

psingaraju Tue, 11/03/2009 - 10:38

Steve,

Would this work if we had a multi-site deployment with 2 UC520s, and the SA500 was at one of the Sites?

Regards,

Prasanna

Steven Smith Tue, 11/03/2009 - 10:46

To make it work in that fashion, all traffic would have to go through the SA500.  I am not sure you would want to do that.

Steven DiStefano Wed, 11/04/2009 - 02:40

The current CCA 2.1 doesn't recognize SA500 for multisite as it does the SR520 router. So this is an issue for Multisite deployments today.
