New Member

URL Filtering

My LAN office is connected to the Internet through:

LAN---PIX----(Ethernet)Router(Serial)---Internet

My router config is (X, Y, Z, W are all real IPs):

version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no aaa new-model
ip subnet-zero
ip cef
ip domain name my.dom
ip name-server X1.Y1.Z.W1
ip name-server X2.Y2.Z2.W2
ip ips po max-events 100
no ftp-server write-enable
!
!
interface Serial0/0
 ip address X.X.X.X 255.255.255.252
!
interface FastEthernet0/1
 ip address Y.Y.Y.Y 255.255.255.240
 ip access-group IDS_FastEthernet0/1_out_0 out
 duplex auto
 speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 Z.Z.Z.Z
!
!
ip http server
no ip http secure-server
!
ip access-list extended IDS_FastEthernet0/1_out_0
 permit ip host 10.6.100.250 any
 permit ip any any

I want to apply URL filtering on my router. I am thinking of applying the following to my router; would that be correct, or am I far off?

class-map match-any http-hacks
 match protocol http url "*default.ida*"
 match protocol http url "*cmd.exe*"
 match protocol http url "*root.exe*"
 match protocol http url "*admin.dll*"
policy-map mark-inbound-http-hacks
 class http-hacks
  set ip dscp 1
interface serial 0/0
 service-policy input mark-inbound-http-hacks
access-list 105 deny ip any any dscp 1
access-list 105 permit ip any any
interface ethernet 0/1
 ip access-group 105 out

11 REPLIES
Cisco Employee

Re: URL Filtering

Hi,

The config you have in mind is good enough to filter out the mentioned URLs.

This should work well.

Regards,

Vivek

New Member

Re: URL Filtering

If I want to block YouTube or video streaming through my, how would you do that? Or give it less priority....

Cisco Employee

Re: URL Filtering

In a class-map add :-

match protocol http url "*youtube.com*"

Now you can either drop it using a policy map as in the previous config or police the rate in the policy-map and apply it to the interface.

New Member

Re: URL Filtering

I am thinking of configuring Cisco NBAR on my Internet router 37xx. In the meantime, I am aware that 90% of the traffic from the Internet to my LAN, besides IP routing, is HTTP, and as you know a lot of other protocols are embedded into HTTP.

Now my goal is not to block streaming and P2P but to limit the rate of bandwidth usage for those protocols, for example (FTP, YouTube, Yahoo media, Internet music radio, P2P, torrent, eDonkey, Skype, Gnutella, Skype, WinMX, Kazaa, eMule, Napster, etc.).

Any sample configuration that could do that for me?

Cisco Employee

Re: URL Filtering

Hi,

This should help :-

class-map match-any webt
 match protocol http url "*youtube.com*"
policy-map test
 class webt
  police rate percent 10
   conform-action transmit
   exceed-action drop
interface fa0/1
 service-policy input test

The police option can be changed as needed. Also, more URLs to match can be added to the class map defined.

New Member

Re: URL Filtering

>interface fa0/1

>service-policy input test

should not be on the serial interface.

Cisco Employee

Re: URL Filtering

That was just an example.

Where you apply it depends on your network. If your traffic is coming in through a serial interface, then you would apply it there.

New Member

Re: URL Filtering

Flr1-Router-internet(config-if)#service-policy input mark-http-limits

Policy map mark-inbound-http-hacks is already attached

Why can't I add another service policy to the interface, and how can I resolve this issue regarding my above configuration?

Cisco Employee

Re: URL Filtering

There can only be one policy in each direction per interface.

You will have to modify your existing policy as per requirement (like with access-lists).
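
Added example, not part of the original thread: because only one service policy can be attached per direction on an interface, the rate limit goes in as a second class inside the already-attached `mark-inbound-http-hacks` policy rather than as a second policy-map. The class-map name `http-limits` is hypothetical; the match and police lines are the ones posted earlier in the thread.

```cisco
! Class for the exploit-probe URLs (unchanged from the original post)
class-map match-any http-hacks
 match protocol http url "*default.ida*"
 match protocol http url "*cmd.exe*"
 match protocol http url "*root.exe*"
 match protocol http url "*admin.dll*"
!
! Hypothetical second class for traffic that should be rate-limited, not dropped
class-map match-any http-limits
 match protocol http url "*youtube.com*"
!
! One policy-map, two classes. Classes are evaluated top to bottom and a
! packet is handled by the first class it matches, so the marking class
! stays first.
policy-map mark-inbound-http-hacks
 class http-hacks
  set ip dscp 1
 class http-limits
  police rate percent 10
   conform-action transmit
   exceed-action drop
!
! The policy is already attached here; editing the policy-map is enough,
! no second service-policy line is needed.
interface Serial0/0
 service-policy input mark-inbound-http-hacks
!
! Packets marked DSCP 1 by the first class are dropped by this ACL,
! applied outbound on the LAN-facing interface as in the original post.
access-list 105 deny ip any any dscp 1
access-list 105 permit ip any any
```

`show policy-map interface Serial0/0` lists per-class packet counters, which shows whether each class is actually matching traffic.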

New Member

Re: URL Filtering

Can you tell me how it should look regarding my config?

My LAN office is connected to the Internet through:

LAN---PIX----(Ethernet)Router(Serial)---Internet

My router config is (X, Y, Z, W are all real IPs):

version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no aaa new-model
ip subnet-zero
ip cef
ip domain name my.dom
ip name-server X1.Y1.Z.W1
ip name-server X2.Y2.Z2.W2
ip ips po max-events 100
no ftp-server write-enable
!
!
interface Serial0/0
 ip address X.X.X.X 255.255.255.252
!
interface FastEthernet0/1
 ip address Y.Y.Y.Y 255.255.255.240
 ip access-group IDS_FastEthernet0/1_out_0 out
 duplex auto
 speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 Z.Z.Z.Z
!
!
ip http server
no ip http secure-server
!
ip access-list extended IDS_FastEthernet0/1_out_0
 permit ip host 10.6.100.250 any
 permit ip any any

I want to apply URL filtering on my router. I am thinking of applying the following to my router; would that be correct, or am I far off?

class-map match-any http-hacks
 match protocol http url "*default.ida*"
 match protocol http url "*cmd.exe*"
 match protocol http url "*root.exe*"
 match protocol http url "*admin.dll*"
policy-map mark-inbound-http-hacks
 class http-hacks
  set ip dscp 1
interface serial 0/0
 service-policy input mark-inbound-http-hacks
access-list 105 deny ip any any dscp 1
access-list 105 permit ip any any
interface ethernet 0/1
 ip access-group 105 out

Cisco Employee

Re: URL Filtering

It's perfect.

Will work.
