Cisco Support Community

New Member

How To Block Facebook and Youtube for Cisco 2801 Router

Dear All

I want to block Facebook and YouTube on a Cisco 2801 router. We are a small business company, so we don't want our staff to spend more time on these websites. Can anyone please help me with that idea?

1 ACCEPTED SOLUTION


How To Block Facebook and Youtube for Cisco 2801 Router

Thomas,

In addition to what Paolo suggested, you might also (depending on if your IOS supports it) be able to use nbar to match and drop the traffic. You'd probably need to deny executives from being classified in this so they can still get to it though.

Executive IP address: 192.168.1.50

! ACL 10: exclude the executive's host, match everyone else
access-list 10 deny host 192.168.1.50
access-list 10 permit any
!
! Both match statements must hold (class-map defaults to match-all)
class-map BlockSites
 match protocol http url "*facebook*"
 match access-group 10
!
policy-map BlockSites
 class BlockSites
  drop
!
! Outside interface toward the WAN
interface s0/0
 service-policy output BlockSites

If this doesn't work, you'll need to do just as Paolo stated: find the addresses that the sites you want to block own and block each of them manually.

HTH,

John

5 REPLIES
Hall of Fame Super Gold

Re: How To Block Facebook and Youtube for Cisco 2801 Router

ACL for their addresses.

Simple and effective.

Note that immediately after you have blocked everybody, you will have to configure exceptions for managers/owners.

It is also possible that employees will find other websites to spend time on.

New Member

How To Block Facebook and Youtube for Cisco 2801 Router

Dear Paolo Bivlacqua

That's a very nice idea, but how can I do that? Adding an exception would be fantastic too.

I have no idea how I can restrict by access list. Please give me an example.

Hall of Fame Super Gold

Re: How To Block Facebook and Youtube for Cisco 2801 Router

Do you configure your Cisco devices by yourself?

If you do, you need to study and learn every subject, ACL in this case.

Otherwise give the job to a knowledgeable person, and he/she will do everything for you.

New Member

Re: How To Block Facebook and Youtube for Cisco 2801 Router

"*facebook*" is not correct. It's gonna include sites like facebook.whatever.com and also sites like www.facebooksucks.com, which does exist. According to Cisco, the keyword "host" should be used:

match protocol http host "*facebook.com"

This is obviously wrong too, although it's copy-pasted from Cisco's online documentation, because it would include a site like howtogetstartedwithfacebook.com.

I think the optimal syntax is: match protocol http host "*.facebook.com|*.youtube.com" where the vertical bar works like a logical any.

But the syntax of the regular expressions is not the matter here. What good will it bring to apply a service-policy dropping all HTTP traffic towards Facebook and YouTube, since both sites support HTTPS? Well, you guessed it, Cisco does not support selective match for secure HTTP, meaning you either cut every single site for HTTPS (useless and impractical) or nothing; so there is no need to cut HTTP either in the first place...

Of course there is still the solution using local content filtering, but it requires zone-based policy firewall, so no thanks, I'll go with the plain old proxy server...
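The three host patterns debated in this thread can be checked against labelled hostnames before any of them goes onto a router. The following is an added example, not part of any post above and not Cisco code: it assumes `*` matches any run of characters and `|` separates alternatives, as the last reply describes, and it models only that wildcard logic, not the NBAR matcher or HTTPS traffic. The hostname list and the fourth pattern are constructed for illustration.

```python
"""Audit host wildcard patterns against labelled hostnames before deploying them.

Assumption: '*' matches any run of characters (including none) and '|'
separates alternatives. This models the wildcard logic only; it is not
Cisco's NBAR matcher.
"""
import re

def compile_pattern(pattern):
    """Translate 'a*b|c*d' into an anchored, case-insensitive regex."""
    alternatives = []
    for alt in pattern.split("|"):
        parts = [re.escape(p) for p in alt.split("*")]
        alternatives.append(".*".join(parts))
    return re.compile(r"(?:%s)\Z" % "|".join(alternatives), re.IGNORECASE)

# Constructed sample hostnames: True = should be blocked, False = must stay reachable.
SAMPLE_HOSTS = {
    "facebook.com": True,
    "www.facebook.com": True,
    "m.youtube.com": True,
    "www.facebooksucks.com": False,
    "howtogetstartedwithfacebook.com": False,
    "facebook.whatever.com": False,
    "www.example.com": False,
}

def audit(pattern, hosts=SAMPLE_HOSTS):
    """Return (overblocked, missed) hostname lists for one pattern."""
    rx = compile_pattern(pattern)
    overblocked = sorted(h for h, want in hosts.items() if rx.match(h) and not want)
    missed = sorted(h for h, want in hosts.items() if want and not rx.match(h))
    return overblocked, missed

if __name__ == "__main__":
    # The first three patterns are quoted from the thread; the fourth is constructed.
    for pat in ("*facebook*", "*facebook.com", "*.facebook.com|*.youtube.com",
                "facebook.com|*.facebook.com|youtube.com|*.youtube.com"):
        over, miss = audit(pat)
        print(f"{pat!r}\n  overblocked: {over}\n  missed: {miss}")
```

Under this model the `*.facebook.com|*.youtube.com` form overblocks nothing in the sample but misses the bare `facebook.com` hostname, which is why the constructed fourth pattern lists the bare domains explicitly.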
