Need a "Whitelist Only" solution

Unanswered Question
Apr 15th, 2010
User Badges:

Looking fora Cisco Router for 75 users.

The Number 1 solution we need is a "Whitelist only" URL filtering.  A call to Cisco sales didn't help.

Is this possible with any Cisco router?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Federico Coto F... Thu, 04/15/2010 - 13:46
User Badges:
  • Green, 3000 points or more


I don't think there's a Cisco router specialized in web filtering.

You can however use FPM to match and filter URLs on the router.

Normally, Cisco routers can work with a websense device for example to redirect URL requests.


Panos Kampanakis Fri, 04/16/2010 - 15:40
User Badges:
  • Cisco Employee,

You can use NBAR to "not block" a url and block everything else. An example (Method A) that does it for various nimda virus urls is here But you will do the same using your urls. Whatever you match a good whitelisted website you will set the dhscp value to something, say x. And then for whatever else website you will set dscp to something else, say y. The you will drop value with dscp y as it is done in the example.

Another way of doing it is to use the IOS URL filtering feature. It is licensable, but very efficient. It can blacklist, white list and URL filter based on reputation and categories. Here is the link for your reference

I hope it helps.


Kureli Sankar Fri, 04/16/2010 - 18:07
User Badges:
  • Cisco Employee,

ip inspect name FW ftp
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW http java-list 1 urlfilter
ip urlfilter server vendor websense timeout 2 retransmit 3 ---> just configure some random ip.
ip urlfilter allow-mode on
ip urlfilter exclusive-domain permit ----------------> will only allow and and deny allother sites.
ip urlfilter exclusive-domain permit

access-list 1 permit any -------> Java filter required for URL filtering

interface GigabitEthernet0/1
description Public internet facing ISP
  ip address
ip access-group 111 in   ------------------------------------> this acl will allow all inbound traffic
ip inspect FW out

Is is an old cbac style config.  With no additional expense or license you can just allow a few domain names and deny every other domain.
That websense server IP address can be anything. I believe the config would work even without that line.



This Discussion