How To Block Facebook and Youtube for Cisco 2801 Router

ThomasMull9000
Level 1

Dear All

I want to block Facebook and YouTube on a Cisco 2801 router. We have a small business company, so we don't want our staff to spend more time on these websites. Please, can anyone help me with that idea?

Accepted Solutions

Thomas,

In addition to what Paolo suggested, you might also (depending on if your IOS supports it) be able to use nbar to match and drop the traffic. You'd probably need to deny executives from being classified in this so they can still get to it though.

Executive IP address: 192.168.1.50

! Exempt the executive host from the class; all other sources are eligible
access-list 10 deny host 192.168.1.50
access-list 10 permit any
!
class-map BlockSites
 match protocol http url "*facebook*"
 match access-group 10
!
policy-map BlockSites
 class BlockSites
  drop
!
! Outside interface toward WAN
interface Serial0/0
 service-policy output BlockSites

If this doesn't work, you'll need to do just as Paolo stated with finding the addresses that the sites you want to block owns and block each of them manually.

HTH,

John


5 Replies

paolo bevilacqua
Hall of Fame

ACL for their addresses.

Simple and effective.

Note that immediately after you have blocked everybody, you will have to configure exceptions for managers/owners.

It is also possible that employees will find other websites to spend time on.

Dear Paolo Bevilacqua

That's a very nice idea, but how can I do that? Adding an exception would be fantastic.

I have no idea how I can restrict by access list. Please give me an example.

Do you configure your Cisco devices by yourself?

If you do, you need to study and learn every subject, ACL in this case.

Otherwise give the job to a knowledgeable person, and he/she will do everything for you.

nourosgeorgios
Level 1

"*facebook*" is not correct. It's gonna include sites like facebook.whatever.com and also sites like www.facebooksucks.com, which does exist. According to Cisco, the keyword "host" should be used:

match protocol http host "*facebook.com"

This is obviously wrong too, although it's copy-pasted from Cisco's online documentation, because it would include a site like howtogetstartedwithfacebook.com

I think the optimal syntax is: match protocol http host "*.facebook.com|*.youtube.com" where the vertical bar works like a logical any.

But the syntax of the regular expressions is not the matter here. What good will it bring to apply a service-policy dropping all http traffic towards facebook and youtube, since both sites support https? Well, you guessed it, Cisco does not support selective match for secure-http, meaning you either cut every single site for https (useless and impractical) or nothing; so there is no need to cut http either in the first place...

Of course there is still the solution using local content filtering but it requires zone-based policy firewall, so no thanks, I'll go with the plain old proxy server...
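The three host patterns discussed in this thread, checked against a labelled host list. This is an added example, not code from any poster or from Cisco. It assumes the semantics described in the thread ('*' matches any run of characters, '|' separates alternatives, the pattern must cover the whole host name) and emulates them with Python's fnmatch rather than NBAR's own matcher; the host list is constructed.

```python
from fnmatch import fnmatchcase

# Constructed sample hosts; True = a host the policy is meant to block.
HOSTS = {
    "facebook.com": True,
    "www.facebook.com": True,
    "m.youtube.com": True,
    "facebook.whatever.com": False,
    "www.facebooksucks.com": False,
    "howtogetstartedwithfacebook.com": False,
    "www.example.com": False,
}

# Patterns quoted in the thread.
PATTERNS = [
    "*facebook*",
    "*facebook.com",
    "*.facebook.com|*.youtube.com",
]


def host_matches(pattern, host):
    """Assumed semantics: '*' is any run of characters, '|' separates
    alternatives, and an alternative must match the entire host name."""
    host = host.lower().rstrip(".")
    return any(fnmatchcase(host, alt.lower()) for alt in pattern.split("|"))


def evaluate(pattern, hosts=HOSTS):
    """Return (overblocked, missed): hosts matched that should not be,
    and hosts that should be matched but are not."""
    over = sorted(h for h, want in hosts.items()
                  if not want and host_matches(pattern, h))
    missed = sorted(h for h, want in hosts.items()
                    if want and not host_matches(pattern, h))
    return over, missed


if __name__ == "__main__":
    for p in PATTERNS:
        over, missed = evaluate(p)
        print(f"{p!r}\n  overblocks: {over}\n  misses:     {missed}")
```

Under these assumed semantics the third pattern overblocks nothing in the sample but does not cover the bare name facebook.com, so a policy built on it needs an alternative for the bare domains as well.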
