Cisco Support Community

New Member

Need a "Whitelist Only" solution

Looking for a Cisco Router for 75 users.

The Number 1 solution we need is a "Whitelist only" URL filtering.  A call to Cisco sales didn't help.

Is this possible with any Cisco router?

3 REPLIES

Re: Need a "Whitelist Only" solution

Hi,

I don't think there's a Cisco router specialized in web filtering.

You can however use FPM to match and filter URLs on the router.

www.cisco.com/go/fpm

Normally, Cisco routers can work with a websense device for example to redirect URL requests.

Federico.

Cisco Employee

Re: Need a "Whitelist Only" solution

You can use NBAR to "not block" a URL and block everything else. An example (Method A) that does it for various nimda virus URLs is here http://www.cisco.com/en/US/products/hw/routers/ps359/products_tech_note09186a00800fc176.shtml But you will do the same using your URLs. Whenever you match a good whitelisted website you will set the dscp value to something, say x. And then for whatever else website you will set dscp to something else, say y. Then you will drop the value with dscp y as it is done in the example.

Another way of doing it is to use the IOS URL filtering feature. It is licensable, but very efficient. It can blacklist, whitelist and URL filter based on reputation and categories. Here is the link for your reference http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6643/white_paper_c89-492776.html

I hope it helps.

PK

Cisco Employee

Re: Need a "Whitelist Only" solution

http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455b0e.html

ip inspect name FW ftp
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW http java-list 1 urlfilter
ip urlfilter server vendor websense 192.168.100.16 timeout 2 retransmit 3 ---> just configure some random ip.
ip urlfilter allow-mode on
ip urlfilter exclusive-domain permit .yahoo.com ---> will only allow yahoo.com and google.com and deny all other sites.
ip urlfilter exclusive-domain permit .google.com

access-list 1 permit any ---> Java filter required for URL filtering

interface GigabitEthernet0/1
 description Public internet facing ISP
 ip address 1.1.1.1 255.255.255.0
 ip access-group 111 in ---> this acl will allow all inbound traffic
 ip inspect FW out

It is an old CBAC style config. With no additional expense or license you can just allow a few domain names and deny every other domain.
That websense server IP address can be anything. I believe the config would work even without that line.

-KS
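As an added example (not part of this thread or of any Cisco code), here is a small Python model of the decision path the posted config relies on: the exclusive-domain list first, then the URL filter server, then allow-mode when that server cannot be reached. The matching rules and the allow-mode fallback are my reading of the IOS command reference and are marked as assumptions in the code; the sample config is the whitelist from the post above with its placeholder server line, so you can see what happens to a host that is not on the list.

```python
# Added example, not from the thread; IOS semantics are my reading of the command reference (assumptions).
from dataclasses import dataclass, field

@dataclass
class UrlFilterPolicy:
    entries: list = field(default_factory=list)  # (action, pattern) in config order
    allow_mode_on: bool = False                  # IOS default is off (assumption)

def parse_urlfilter_config(text: str) -> UrlFilterPolicy:
    """Collect exclusive-domain and allow-mode lines from an IOS config snippet."""
    policy = UrlFilterPolicy()
    for line in text.splitlines():
        parts = line.split()
        if parts[:3] == ["ip", "urlfilter", "exclusive-domain"] and len(parts) >= 5:
            policy.entries.append((parts[3], parts[4].lower()))
        elif parts[:3] == ["ip", "urlfilter", "allow-mode"]:
            policy.allow_mode_on = len(parts) < 4 or parts[3] == "on"
    return policy

def domain_matches(host: str, pattern: str) -> bool:
    """'.yahoo.com' covers yahoo.com and every host below it; a bare name matches only itself."""
    host = host.lower().rstrip(".")
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern

def decide(policy: UrlFilterPolicy, host: str, server_reachable: bool = False) -> str:
    """Verdict for one HTTP request: local list first, then server, then allow-mode."""
    for action, pattern in policy.entries:      # first match wins (assumption)
        if domain_matches(host, pattern):
            return f"{action} (exclusive-domain {pattern})"
    if server_reachable:
        return "forwarded to URL filter server"
    # Unmatched and no server: allow-mode on permits, off denies (assumption).
    if policy.allow_mode_on:
        return "permit (allow-mode on, server unreachable)"
    return "deny (allow-mode off, server unreachable)"

# Constructed sample: the whitelist lines from the post above, with the placeholder server.
SAMPLE_CONFIG = """\
ip urlfilter server vendor websense 192.168.100.16 timeout 2 retransmit 3
ip urlfilter allow-mode on
ip urlfilter exclusive-domain permit .yahoo.com
ip urlfilter exclusive-domain permit .google.com
"""

if __name__ == "__main__":
    pol = parse_urlfilter_config(SAMPLE_CONFIG)
    for host in ("www.yahoo.com", "mail.google.com", "notyahoo.com"):
        print(f"{host:16} -> {decide(pol, host)}")  # notyahoo.com is permitted while allow-mode is on
```

Run against the posted lines, the third host shows the fallback: with allow-mode on and no reachable server, anything outside the list is permitted under the assumed semantics, so a whitelist-only policy is worth verifying with allow-mode off on the actual IOS release.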