Cisco Support Community

New Member

Cisco IOS Local URL filtering - 12.4 advsecurity

Hi all,

I am encountering a problem adding URL domains to block. Below is my config:

class-map match-any URL_LIST
  match protocol http host *youtube.com
  match protocol http host *facebook.com
  ********
  total 24 "match protocol http" commands here
  ********

policy-map Block_url
  class URL_LIST
   drop

int fa0/1
 service-policy input Block_url

And when I add an extra match protocol http command, Cisco returns "% Exceed maximum #<24> of subport instances".

After checking the Cisco website, it says it only supports up to 24 match protocol http commands regardless of how many class-maps are created. So here I am limited to being able to block only 24 websites. Does anybody know any other way to block more websites using Cisco IOS? Note that I do not want an external filtering server. Thanks.

Regards, Nagis
4 REPLIES
Cisco Employee


Hi,

I think there is an easier way to do it, avoiding the use of class-maps and instead using the legacy firewall (CBAC). This is a quick example:

ip urlfilter exclusive-domain deny youtube.com
ip urlfilter exclusive-domain deny facebook.com
ip urlfilter allowmode on

ip inspect name FW http urlfilter

int fa0/0   ---> This is the internet-facing interface
 ip inspect FW out

That way, Facebook and YouTube will be blocked and the rest of the sites will be permitted... I think this is an easy way if you don't have Zone-Based Firewall configured.

Hope it helps.

Mike
New Member


Hi rojas,

Thanks for the comment. I had the idea of doing this, but I would need to allow those websites for managers. This is why I deployed the class-map, so I can match IP addresses too. Note, in the above commands I did not include the match access-class command, but it does exist in my router.

Regards, Nagis
Cisco Employee


Well, that is in fact a limitation of NBAR (service policy on the interface). The other option would be deploying Zone-Based Firewall. I never heard of a restriction with that technology. There is a good example, but it is in Spanish.

Mike
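Mike's Zone-Based Firewall suggestion worked through as an added example (not configuration from this thread, and not the Spanish-language example he refers to): the blocked-domain list lives in a regex parameter map that ZBF's HTTP application inspection matches against the Host header, instead of in NBAR `match protocol http host` entries, and the exemption for managers that Nagis needs is a source-address ACL in the Layer 4 class so their HTTP is inspected without the Layer 7 filter. Interface roles follow the thread (fa0/1 inside, fa0/0 internet-facing); the subnets and the zone, class, and policy names are assumptions, and the `class-map type inspect http` / `match server-domain regex` syntax should be checked against the HTTP inspection engine documentation for your 12.4T or 15.x train before relying on it.

```cisco
! Hosts whose HTTP is filtered (staff) and hosts that are exempt (managers).
! Subnets are placeholders for this example.
ip access-list extended MANAGER_HOSTS
 permit ip 192.168.10.0 0.0.0.255 any
ip access-list extended STAFF_HOSTS
 permit ip 192.168.20.0 0.0.0.255 any

! Blocked domains as regex patterns; one "pattern" line per site.
! This list is not subject to the 24-entry NBAR subport limit.
parameter-map type regex BLOCKED_DOMAINS
 pattern .*youtube\.com
 pattern .*facebook\.com

! Layer 7 class: HTTP requests whose server domain matches the list
class-map type inspect http match-any BLOCKED_SITES
 match server-domain regex BLOCKED_DOMAINS

! Layer 7 policy: reset the TCP session and log the hit
policy-map type inspect http BLOCK_SITES
 class type inspect http BLOCKED_SITES
  reset
  log

! Layer 4 classes keyed on source address plus protocol.
! "match protocol http" is required for the Layer 7 HTTP policy to attach.
class-map type inspect match-all MANAGER_HTTP
 match access-group name MANAGER_HOSTS
 match protocol http
class-map type inspect match-all STAFF_HTTP
 match access-group name STAFF_HOSTS
 match protocol http
class-map type inspect match-any OTHER_TRAFFIC
 match protocol tcp
 match protocol udp
 match protocol icmp

! Inside-to-outside policy: managers are inspected unfiltered, staff HTTP
! gets the domain filter, everything else is stateful-inspected, rest dropped
policy-map type inspect IN_TO_OUT
 class type inspect MANAGER_HTTP
  inspect
 class type inspect STAFF_HTTP
  inspect
  service-policy http BLOCK_SITES
 class type inspect OTHER_TRAFFIC
  inspect
 class class-default
  drop

zone security INSIDE
zone security OUTSIDE
zone-pair security IN_OUT source INSIDE destination OUTSIDE
 service-policy type inspect IN_TO_OUT

! Interface roles as in the thread: fa0/1 is the LAN, fa0/0 faces the internet
interface FastEthernet0/1
 zone-member security INSIDE
interface FastEthernet0/0
 zone-member security OUTSIDE
```

Two caveats apply to this and equally to the NBAR and CBAC approaches in the thread: only plaintext HTTP is inspected, so HTTPS connections, whose hostname is inside the TLS handshake, pass the domain filter untouched; and an unanchored pattern such as `.*facebook\.com` also matches any hostname that merely contains that string, in the same way the original `*facebook.com` wildcard does. Hit counts for verifying the policy are available with `show policy-map type inspect zone-pair IN_OUT`.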
New Member

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/qos_nbar/configuration/15-mt/qos-nbar-15-mt-book/clsfy-traffic-nbar.html

NBAR does not support the following:

    More than 24 concurrent URLs, hosts, or Multipurpose Internet Mail Extension (MIME) type matches.

Note: For Cisco IOS Release 12.2(18)ZYA and Cisco IOS Release 15.1(2)T, the maximum number of concurrent URLs, hosts, or MIME type matches is 56.