IP routes based on domains

leonnikolaou
Level 1

Hi all,

I would like to configure a few routes on my Cisco 871 router in order to allow my employees to have access only to specific websites.

However, since some websites have dynamic IPs, the route that I create will probably not work.

My question is, can I configure a route or is there any other way to configure this permission based on the hostname/domain?

For example, if I want to permit access to this website www.surveymonkey.com (75.98.93.51) instead of configuring:

ip route 75.98.93.51 255.255.255.255 192.168.10.250

is there any way to configure this based on the hostname (www.surveymonkey.com) in order to be able to recognise this host correctly?

Really appreciate any answer,

Thank you for your time,

Regards,

Leon

2 Replies

Hi leonnikolaou,

Well, I don't know your network design, or whether you are using an internal DNS or web proxy server or not.

However, from a technical point of view, I have an idea to partially automate it through the use of IP SLA and EEM:

(the site IP address changes --> IP SLA fails --> you are notified by mail and through Syslog that the site is down --> you manually change the route)

Create an IP SLA to monitor HTTP access to the site:

=====================================

ip sla 10
 http get http://75.98.93.51
 frequency 300
ip sla schedule 10 start-time now life forever

Configure tracking referencing the IP SLA:

===============================

! the tracked object must reference the SLA entry created above (10)
track 1 ip sla 10 reachability

Configure EEM to send mail to some@a7a.com and to generate a Syslog message for the IP SLA:

=====================================================================

event manager applet a7a
 event track 1 state down
 action 1.0 mail server "88.88.88.88" to "some@a7a.com" from "example@a7a.com" subject "surveymonkey site is down" body "anything"
 action 2.0 syslog msg "surveymonkey site is down"

Finally, if you know EEM scripting then you can fully automate it:

(the site IP address changes --> IP SLA fails --> perform ping www.surveymonkey.com --> from the output you retrieve the new IP address (programming script) --> delete old route --> add new route (programming script) --> optionally you could notify yourself as well)

First configure your router for DNS:

==========================

ip name-server 192.168.1.100
ip domain lookup

IP SLA and Track are the same.

event manager applet a7a
 event track 1 state down
 ! EEM CLI actions start in user EXEC mode, so enter privileged mode first
 action 0.5 cli command "enable"
 action 1.0 cli command "ping www.surveymonkey.com"

*******************some script command should be here to get the new IP address***************************

 ! route changes must be issued from global configuration mode
 action 1.9 cli command "configure terminal"
 action 2.0 cli command "no ip route 75.98.93.51 255.255.255.255 192.168.10.250"
 action 3.0 cli command "ip route <> 255.255.255.255 192.168.10.250"
 action 4.0 mail server "88.88.88.88" to "some@a7a.com" from "example@a7a.com" subject " surveymonkey site IP changed" body "anything"
 action 5.0 syslog msg "surveymonkey site IP changed"

Hint: a sample ping www.surveymonkey.com would be:

========================================

Translating "www.cisco.com"...domain server (192.168.1.100) [OK]

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 198.133.219.25, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 224/228/236 ms

The IP address here is 198.133.219.25

I hope this helps
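
The "retrieve the new IP address, delete old route, add new route" step from the reply above, sketched as an added example that is not part of the original post. It assumes the ping output is collected off the router and parsed there; `resolved_address` and `route_update` are hypothetical names, and the sample text is the ping output quoted in the reply.

```python
import ipaddress
import re

# Constructed sample: the IOS ping output quoted in the reply above.
SAMPLE_PING = """Translating "www.cisco.com"...domain server (192.168.1.100) [OK]

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 198.133.219.25, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 224/228/236 ms
"""

NEXT_HOP = "192.168.10.250"   # next hop from the thread's ip route line
MASK = "255.255.255.255"      # host route, as in the thread
ECHO_RE = re.compile(r"ICMP Echos to (\d{1,3}(?:\.\d{1,3}){3}),")


def resolved_address(ping_output):
    """Return the IPv4 address IOS resolved and pinged, or None."""
    match = ECHO_RE.search(ping_output)
    if match is None:
        return None  # no "Sending ..." line, e.g. the DNS lookup failed
    try:
        addr = ipaddress.IPv4Address(match.group(1))
    except ipaddress.AddressValueError:
        return None  # out-of-range octets or other malformed address
    # The route is only as trustworthy as the DNS answer: refuse to install
    # a host route for private, loopback, link-local or multicast space.
    if not addr.is_global:
        return None
    return str(addr)


def route_update(ping_output, current_ip, next_hop=NEXT_HOP):
    """Return the IOS lines that move the /32 route, or [] if nothing changes."""
    new_ip = resolved_address(ping_output)
    if new_ip is None or new_ip == current_ip:
        return []
    return [
        f"no ip route {current_ip} {MASK} {next_hop}",
        f"ip route {new_ip} {MASK} {next_hop}",
    ]


if __name__ == "__main__":
    for line in route_update(SAMPLE_PING, "75.98.93.51"):
        print(line)
```

An empty result means the existing route stays in place, which covers both an unchanged address and a lookup that failed or returned a non-public address.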

rais
Level 7

IP routes can only look at the IP Header in a given packet.

You would need some Application Layer device such as a proxy or a product like WebSense.

Thanks.
