Cisco Support Community

New Member

Need a "Whitelist Only" solution

Looking for a Cisco Router for 75 users.

The Number 1 solution we need is a "Whitelist only" URL filtering.  A call to Cisco sales didn't help.

Is this possible with any Cisco router?


Re: Need a "Whitelist Only" solution


I don't think there's a Cisco router specialized in web filtering.

You can however use FPM to match and filter URLs on the router.

Normally, Cisco routers can work with a websense device for example to redirect URL requests.


Cisco Employee

Re: Need a "Whitelist Only" solution

You can use NBAR to "not block" a url and block everything else. An example (Method A) that does it for various nimda virus urls is here. But you will do the same using your urls. Whatever you match as a good whitelisted website, you will set the dscp value to something, say x. And then for whatever else website you will set dscp to something else, say y. Then you will drop the value with dscp y as it is done in the example.

Another way of doing it is to use the IOS URL filtering feature. It is licensable, but very efficient. It can blacklist, whitelist and URL filter based on reputation and categories. Here is the link for your reference.

I hope it helps.
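The NBAR marking approach described in this reply, written out as an added example configuration. It is not from this thread or from the Cisco document the reply refers to; the hostnames, interface names and the DSCP values 1 and 2 are placeholders chosen for illustration:

```cisco
! Added example (not from the thread): NBAR "whitelist only" for HTTP, in the
! style of the Method A (DSCP marking) approach the reply points to.
! Hostnames and interface names are placeholders; DSCP 1 and 2 are arbitrary.
!
! 1. Classify HTTP requests whose Host header matches a whitelisted site.
class-map match-any HTTP-WHITELIST
 match protocol http host "*.example.com"
 match protocol http host "*.example.net"
!
! 2. Catch every other HTTP request that carries a Host header.
class-map match-all HTTP-OTHER
 match protocol http host "*"
!
! 3. Mark whitelisted requests DSCP 1 and all other HTTP requests DSCP 2.
!    class-default clears any DSCP a LAN host set itself, so a client
!    cannot pre-mark its packets with the "good" value to bypass the drop.
policy-map MARK-HTTP
 class HTTP-WHITELIST
  set ip dscp 1
 class HTTP-OTHER
  set ip dscp 2
 class class-default
  set ip dscp 0
!
! 4. Apply the marking policy inbound on the LAN side.
interface GigabitEthernet0/0
 description LAN (users)
 service-policy input MARK-HTTP
!
! 5. Drop DSCP 2 on the way out to the ISP; everything else is unaffected.
access-list 110 deny   ip any any dscp 2
access-list 110 permit ip any any
!
interface GigabitEthernet0/1
 description WAN (ISP)
 ip access-group 110 out
```

Two points worth checking before relying on this. Classes in a policy-map are evaluated in order, so the whitelist class must come before the catch-all. The catch-all matches on `host "*"` rather than a bare `match protocol http` so that it only fires once NBAR has seen a request with a Host header; marking every port-80 packet, including the TCP handshake, would drop the connection before any request could be classified. NBAR host matching on a router of this generation sees plaintext HTTP only, so HTTPS to non-whitelisted sites is not covered by this policy and needs a separate control. `show policy-map interface GigabitEthernet0/0` shows the per-class packet counters, which is the quickest way to confirm that requests are landing in the class you expect.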


Cisco Employee

Re: Need a "Whitelist Only" solution

ip inspect name FW ftp
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW http java-list 1 urlfilter
! ---> just configure some random ip.
ip urlfilter server vendor websense timeout 2 retransmit 3
ip urlfilter allow-mode on
! ---> will only allow and and deny all other sites.
ip urlfilter exclusive-domain permit
ip urlfilter exclusive-domain permit
!
! ---> Java filter required for URL filtering
access-list 1 permit any
!
interface GigabitEthernet0/1
 description Public internet facing ISP
 ip address
 ! ---> this acl will allow all inbound traffic
 ip access-group 111 in
 ip inspect FW out

It is an old CBAC-style config. With no additional expense or license you can just allow a few domain names and deny every other domain.
That websense server IP address can be anything. I believe the config would work even without that line.
