11-15-2011 08:06 PM - edited 03-11-2019 02:51 PM
Hi all,
I'm encountering a problem when adding URL domains to block. Below is my config:
class-map match-any URL_LIST
match protocol http host *youtube.com
match protocol http host *facebook.com
********
total 24 "match protocol http" command here
********
policy-map Block_url
class URL_LIST
drop
int fa0/1
service-policy input Block_url
And when I add an extra match protocol http command, Cisco returns "% Exceed maximum #<24> of subport instances".
After checking the Cisco website, it says only up to 24 match protocol http commands are supported, regardless of how many class-maps are created. So here I'm limited to blocking only 24 websites. Does anybody know any other way to block more websites using Cisco IOS? Note that I don't want an external filtering server. Thanks.
11-15-2011 08:31 PM
Hi,
I think there is an easier way to do it, avoiding the use of class-maps and instead using the legacy firewall (CBAC). This is a quick example:
ip urlfilter exclusive-domain deny youtube.com
ip urlfilter exclusive-domain deny facebook.com
ip urlfilter allowmode on
ip inspect name FW http urlfilter
interface fa0/0   ! the Internet-facing interface
ip inspect FW out
That way, Facebook and YouTube will be blocked and the rest of the sites will be permitted... I think this is an easy way if you don't have Zone-Based Firewall configured.
Hope it helps.
Mike
11-15-2011 08:37 PM
Hi rojas,
Thanks for the comment. I had the idea of doing this, but I would need to allow those websites for managers. This is why I deployed class-maps, so they can match IP addresses too. Note, in the above commands I didn't include the match access-class command, but it does exist in my router.
11-15-2011 08:52 PM
Well, that is in fact a limitation of NBAR (service policy on the interface). The other option would be deploying Zone-Based Firewall. I never heard of a restriction with that technology. There is a good example, but it's in Spanish.
Mike
06-25-2015 12:23 PM
NBAR does not support the following:
More than 24 concurrent URLs, hosts, or Multipurpose Internet Mail Extension (MIME) type matches.
Note: For Cisco IOS Release 12.2(18)ZYA and Cisco IOS Release 15.1(2)T, the maximum number of concurrent URLs, hosts, or MIME type matches is 56.
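Given the caps quoted in this post and the "% Exceed maximum #<24> of subport instances" error from the original question, here is an added Python check (not from the thread or from Cisco) that counts NBAR host/url/mime matches across all class-maps in a saved running-config and reports whether the box-wide total exceeds the per-release limit. The function names, the release-string set, and the sample config are constructed assumptions; the parser expects running-config layout (stanza headers at column 0, sub-commands indented).

```python
import re
# Caps quoted in the thread: 24 concurrent URL/host/MIME matches by default, 56 on
# IOS 12.2(18)ZYA and 15.1(2)T. Release strings are assumed to be passed in this form.
NBAR_DEFAULT_LIMIT = 24
NBAR_EXTENDED_LIMIT = 56
NBAR_EXTENDED_LIMIT_RELEASES = {"12.2(18)ZYA", "15.1(2)T"}

CLASS_MAP_RE = re.compile(r"^class-map\s+(?:match-(?:any|all)\s+)?(\S+)")
# Only host/url/mime matches count toward the cap; match access-group does not.
NBAR_MATCH_RE = re.compile(r"^\s+match protocol http (host|url|mime)\s+(\S+)")

def nbar_limit(ios_release):
    """Cap on concurrent NBAR URL/host/MIME matches for the given release."""
    return NBAR_EXTENDED_LIMIT if ios_release in NBAR_EXTENDED_LIMIT_RELEASES else NBAR_DEFAULT_LIMIT

def collect_nbar_matches(config_text):
    """Map class-map name -> [(kind, value), ...]. Expects running-config layout:
    stanza headers at column 0, sub-commands indented by at least one space."""
    per_map, current = {}, None
    for line in config_text.splitlines():
        header = CLASS_MAP_RE.match(line)
        if header:
            current = header.group(1)
            per_map.setdefault(current, [])
        elif line and not line[0].isspace():
            current = None  # policy-map, interface, '!' etc. end the stanza
        else:
            m = NBAR_MATCH_RE.match(line)
            if m and current is not None:
                per_map[current].append((m.group(1), m.group(2)))
    return per_map

def audit_nbar_matches(config_text, ios_release):
    """Total matches across all class-maps (the cap is box-wide, not per map) and
    flag configs IOS would reject with '% Exceed maximum ... subport instances'."""
    per_map = collect_nbar_matches(config_text)
    total = sum(len(v) for v in per_map.values())
    limit = nbar_limit(ios_release)
    return {"total": total, "limit": limit, "over_limit": total > limit,
            "per_class_map": {name: len(v) for name, v in per_map.items()}}

# Constructed sample: 20 host + 6 MIME matches (26 total); access-group is not counted.
SAMPLE_CONFIG = "\n".join(
    ["class-map match-any URL_LIST"]
    + [f" match protocol http host *site{i}.example" for i in range(20)]
    + ["class-map match-any MIME_LIST", " match access-group 10"]
    + [f" match protocol http mime video/type{i}" for i in range(6)]
    + ["policy-map Block_url", " class URL_LIST", "  drop"]
)
```

Run the audit against the output of `show running-config` before pushing a new match line, so the rejection is caught offline rather than at the CLI.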