Cisco IOS Local URL filtering - 12.4 advsecurity

NAGISWAREN2
Level 1

Hi all,

I'm encountering a problem when adding URL domains to block. Below is my config:

class-map match-any URL_LIST
  match protocol http host *youtube.com
  match protocol http host *facebook.com
  ********
  total 24 "match protocol http" commands here
  ********
policy-map Block_url
  class URL_LIST
   drop
int fa0/1
  service-policy input Block_url

And when I add an extra match protocol http command, Cisco returns " % Exceed maximum #<24> of subport instances ".

After checking the Cisco website, it says only up to 24 match protocol http commands are supported, regardless of how many class-maps are created. So here I'm limited to blocking only 24 websites. Does anybody know any other way to block more websites using Cisco IOS? Note that I don't want an external filtering server. Thanks.

Regards, Nagis
4 Replies

Maykol Rojas
Cisco Employee

Hi,

I think there is an easier way to do it, avoiding the use of class-maps and instead using the legacy firewall (CBAC). This is a quick example:

ip urlfilter exclusive-domain deny youtube.com
ip urlfilter exclusive-domain deny facebook.com
ip urlfilter allowmode on
ip inspect name FW http urlfilter
int fa0/0
 ! this is the Internet-facing interface
 ip inspect FW out

That way, Facebook and YouTube will be blocked and the rest of the sites will be permitted... I think this is an easy way if you don't have Zone-Based Firewall configured.

Hope it helps.

Mike

Hi Rojas,

Thanks for the comment. I had the idea of doing this, but I would need to allow those websites for managers. This is why I deployed the class-map, so it can match IP addresses too. Note that in the above commands I didn't include the match access-class command, but it does in fact exist in my router.

Regards, Nagis

Well, that is in fact a limitation of NBAR (service policy on the interface). The other option would be deploying Zone-Based Firewall. I have never heard of a restriction with that technology. There is a good example, but it's in Spanish.

Mike

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/qos_nbar/configuration/15-mt/qos-nbar-15-mt-book/clsfy-traffic-nbar.html

NBAR does not support the following:

    More than 24 concurrent URLs, hosts, or Multipurpose Internet Mail Extension (MIME) type matches.

Note: For Cisco IOS Release 12.2(18)ZYA and Cisco IOS Release 15.1(2)T, the maximum number of concurrent URLs, hosts, or MIME type matches is 56.
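As an added example (not from this thread or from Cisco), here is a small Python lint that counts NBAR HTTP host/url/mime matches across every class-map in an IOS config and flags when the router-wide total exceeds the 24-match limit quoted above (56 on the two releases the note lists), so the "Exceed maximum" error is caught before the config reaches the router. The sample config is constructed here, modelled on Nagis's class-map; the class-map and release names are assumptions.

```python
import re
from typing import Dict, List

# Limits quoted from the Cisco NBAR documentation in the thread above.
DEFAULT_LIMIT = 24
RAISED_LIMIT = 56
RAISED_LIMIT_RELEASES = {"12.2(18)ZYA", "15.1(2)T"}

CLASS_RE = re.compile(r"^class-map\s+(?:match-(?:any|all)\s+)?(\S+)", re.I)
MATCH_RE = re.compile(r"^\s+match\s+protocol\s+http\s+(host|url|mime)\s+(\S+)", re.I)


def nbar_http_matches(config: str) -> Dict[str, List[str]]:
    """Map each class-map name to the NBAR HTTP host/url/mime patterns it matches."""
    matches: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        m = CLASS_RE.match(line)
        if m:
            current = m.group(1)
            matches.setdefault(current, [])
        elif line and not line[0].isspace():
            current = None  # any other top-level command ends the class-map block
        elif current is not None:
            m = MATCH_RE.match(line)
            if m:
                matches[current].append(m.group(2))
    return matches


def check_limit(config: str, ios_release: str = "12.4") -> dict:
    """Total the matches router-wide: the limit applies across all class-maps, not per class-map."""
    limit = RAISED_LIMIT if ios_release in RAISED_LIMIT_RELEASES else DEFAULT_LIMIT
    per_class = nbar_http_matches(config)
    total = sum(len(v) for v in per_class.values())
    return {"total": total, "limit": limit, "ok": total <= limit, "per_class": per_class}


# Constructed sample modelled on the thread: 20 hosts in URL_LIST plus 5 in a second class-map.
SAMPLE_CONFIG = (
    "class-map match-any URL_LIST\n"
    + "".join(f" match protocol http host *site{i}.example\n" for i in range(20))
    + "class-map match-any MGR_ONLY\n"
    + "".join(f" match protocol http host *extra{i}.example\n" for i in range(5))
    + "policy-map Block_url\n class URL_LIST\n  drop\n"
)

if __name__ == "__main__":
    for release in ("12.4", "15.1(2)T"):
        r = check_limit(SAMPLE_CONFIG, release)
        print(f"{release}: {r['total']}/{r['limit']} matches -> {'OK' if r['ok'] else 'EXCEEDS LIMIT'}")
```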

 
