ACL using FQDN?

I wish to create an ACL using the fully qualified domain name instead of IP addresses.

The problem is that my ACL will resolve only the first IP address but not the rest.

I have been using the Windows update website as my test.

When I sniffed the process, I was able to pull out five different FQDNs.

Those names resolve to at least 27 IP addresses. Ug!

I was able to write the ACL using those 27 IPs and make it work but there is no guarantee that the IPs won't change in the future.

Anyone have any ideas? Thanks!
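The "only the first IP address" problem in the post above comes from single-address lookups (gethostbyname-style); a resolver call that returns every A record, fed into a generator that rewrites the ACL from the full set, is the usual workaround when a platform has no FQDN objects. The script below is an added example, not code from the original thread: the host names and addresses in SAMPLE_RECORDS are constructed (RFC 5737 documentation ranges, not the real Windows Update hosts), sample_resolver is an offline stand-in so it runs without DNS, and the ACL names, the interface and the swap order are assumptions you would adapt to your own router.

```python
"""Regenerate an IOS extended ACL from every address each FQDN resolves to.

Added example for the thread above, not the original poster's code.
Names and addresses are constructed; use live_resolver against real DNS.
"""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Set, Tuple

# Constructed sample zone (documentation addresses only). One address is
# shared by two names on purpose so that de-duplication is exercised.
SAMPLE_RECORDS: Dict[str, List[str]] = {
    "update.example.com": ["192.0.2.10", "192.0.2.11", "192.0.2.12"],
    "download.example.net": ["198.51.100.5", "192.0.2.11"],
    "stats.example.org": ["203.0.113.7"],
}

Resolver = Callable[[str], List[str]]


def sample_resolver(name: str) -> List[str]:
    """Offline stand-in for DNS: returns every address, not just the first."""
    return list(SAMPLE_RECORDS.get(name, []))


def live_resolver(name: str) -> List[str]:
    """Real lookup. getaddrinfo() hands back all A records the resolver
    returned, whereas gethostbyname() returns a single address, which is
    exactly the 'only the first IP' symptom from the post."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return [info[4][0] for info in infos]


def resolve_all(names: Iterable[str], resolver: Resolver) -> Set[ipaddress.IPv4Address]:
    """Union of every IPv4 address behind the given names."""
    addrs: Set[ipaddress.IPv4Address] = set()
    for name in names:
        for text in resolver(name):
            addrs.add(ipaddress.IPv4Address(text))
    return addrs


def build_named_acl(name: str, addrs: Iterable[ipaddress.IPv4Address],
                    action: str = "permit") -> List[str]:
    """Render a named extended ACL with one host entry per address, sorted so
    two runs over the same data give identical, diffable output."""
    lines = [f"ip access-list extended {name}"]
    for addr in sorted(set(addrs)):
        lines.append(f" {action} ip any host {addr}")
    return lines


def build_swap(interface: str, old_acl: str, new_acl: str,
               direction: str = "out") -> List[str]:
    """Bind the new ACL before deleting the old one. Assumption (classic IOS
    behaviour): an access-group that references a non-existent ACL permits
    all traffic, so deleting first would open the interface briefly."""
    return [
        f"interface {interface}",
        f" ip access-group {new_acl} {direction}",
        f"no ip access-list extended {old_acl}",
    ]


def diff_addresses(old: Iterable[ipaddress.IPv4Address],
                   new: Iterable[ipaddress.IPv4Address]) -> Tuple[list, list]:
    """Addresses that appeared and disappeared since the last run, so the
    operator only pushes config when the resolved set actually changed."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    return added, removed


if __name__ == "__main__":
    current = resolve_all(SAMPLE_RECORDS, sample_resolver)
    print("\n".join(build_named_acl("WINUPDATE-v2", current)))
    print("\n".join(build_swap("serial 0/1", "WINUPDATE-v1", "WINUPDATE-v2")))
```

Run it on a schedule, keep the previous address set on disk, and only push when diff_addresses reports a change. The swap uses a fresh ACL name each time rather than "no access-list 105" followed by re-adding lines, because the interface keeps its access-group binding while the numbered list is empty.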


Re: ACL using FQDN?

I think you can use NBAR to filter all traffic going to a particular website using the "match protocol http" class map option.

I'm not sure if your router can support NBAR so use the Feature Navigator to verify that.

Here is an example of how to filter out all web requests to any website.

Router(config)#! NBAR class: any HTTP request, whatever the Host header
Router(config)#class-map match-any block_ms_com
Router(config-cmap)#match protocol http host "**"
Router(config-cmap)#exit

Router(config)#! Mark matching packets with DSCP 1 so an ACL can spot them later
Router(config)#policy-map block_ms_com
Router(config-pmap)#class block_ms_com
Router(config-pmap-c)#set ip dscp 1
Router(config-pmap-c)#exit
Router(config-pmap)#exit

Router(config)#! Apply the marking inbound on the LAN side
Router(config)#interface eth 0/0
Router(config-if)#description inside network
Router(config-if)#service-policy input block_ms_com
Router(config-if)#exit

Router(config)#! Drop the marked packets on the way out to the ISP
Router(config)#access-list 105 deny ip any any dscp 1
Router(config)#access-list 105 permit ip any any
Router(config)#interface serial 0/1
Router(config-if)#description connection to ISP
Router(config-if)#ip access-group 105 out
