Cisco Support Community

New Member

how to block website on cisco 3750 switch

I am not able to use these firewall policies on my Cisco 3750.

Version 12.2(44)SE5, RELEASE SOFTWARE (fc1)

System image file is "flash:/c3750-ipservicesk9-mz.122-55.SE8.bin"

It only shows: match protocol http

host or url are not in there.

Do I have to upgrade the IOS, or are these commands not there on the 3750 switch?

How can I use that? Please tell me, I am waiting for your response.

1 ACCEPTED SOLUTION

New Member

Hi,

You need to upgrade your IOS to 12.2(55)SE.

The following might help you:

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_55_se/configuration/guide/3750xscg/swacl.html

 

Cheers :)

Waqas

 

8 REPLIES
New Member

Hi Waqas,

The link you have sent does not show that the 3750 switch with IOS 12.2(55)SE has the command

match protocol http url

or

match protocol http host

I have searched for it in many books and didn't find it.

As this switch is our core switch, I don't want to take any risk until it is certain that these commands are available on IOS 12.2(55)SE.

regards

New Member

Hi Srivastava,

Apologies for the late response. Please have a look at the following statement from Cisco on "match protocol http or url" here...

http://www.cisco.com/c/en/us/td/docs/ios/qos/command/reference/qos_book/qos_m1.html#wp1058795

match protocol http

To configure Network-Based Application Recognition (NBAR) to match HTTP traffic by URL, host, Multipurpose Internet Mail Extension (MIME) type, or fields in HTTP packet headers, use the match protocol http command in class-map configuration mode. To disable NBAR from matching HTTP traffic by URL, host, or MIME type, or fields in HTTP packet headers, use the no form of this command.

Cisco IOS Release 12.4(24)T and Earlier Releases, Cisco IOS Release 12.2(33)SRA, Cisco IOS Release 12.2(14)S and Later Releases

match protocol http [url url-string | host hostname-string | mime MIME-type | c-header-field c-header-field-string | s-header-field s-header-field-string]

no match protocol http [url url-string | host hostname-string | mime MIME-type | c-header-field c-header-field-string | s-header-field s-header-field-string]

Cisco IOS Release 15.1(2)T, Cisco IOS XE Release 3.1S and Later Releases and Catalyst 6500 Series Switch Equipped with the Supervisor 32/PISA Engine

match protocol http [content-encoding content-encoding-name-string | from from-address-string | host hostname-string location location-name-string mime MIME-type referer referer-address-string server server-software-name-string url url-string | user-agent user-agent-software-name-string]

no match protocol http [content-encoding content-encoding-name-string | from from-address-string | host hostname-string location location-name-string mime MIME-type referer referer-address-string server server-software-name-string url url-string | user-agent user-agent-software-name-string]

Super Bronze

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

You might find the 3750's NBAR-like features rather lacking.

If so, you can also write ACLs that match against IP addresses and/or port numbers.

New Member

Hi Joseph,

I have tried to block Facebook and YouTube with this access list, but it blocks all the sites, even though these are only YouTube and Facebook IPs.

 

access-list 101 deny tcp any host 173.252.110.27 eq www
access-list 101 deny tcp any host 31.13.68.8 eq www
access-list 101 deny tcp any host 173.194.36.72 eq www
access-list 101 deny tcp any host 173.194.36.73 eq www
access-list 101 deny tcp any host 173.194.36.78 eq www
access-list 101 deny tcp any host 173.194.36.64 eq www
access-list 101 deny tcp any host 173.194.36.64 eq www
access-list 101 deny tcp any host 173.194.36.65 eq www
access-list 101 deny tcp any host 173.194.36.66 eq www
access-list 101 deny tcp any host 173.194.36.67 eq www
access-list 101 deny tcp any host 173.194.36.68 eq www
access-list 101 deny tcp any host 173.194.36.69 eq www
access-list 101 deny tcp any host 173.194.36.70 eq www
access-list 101 deny tcp any host 173.194.36.71 eq www
access-list 101 permit tcp any any eq www

 

interface gi0/1

ip access-group 101 out

 

Kindly suggest what's wrong with this?

 

Super Bronze

Posting

Is your int g0/1 egress-facing toward the Internet?

Did you really want to block all other outbound traffic except port 80? If not, try a permit ip any any at the end of your list rather than the permit tcp any any eq www.
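To see why list 101 blocked everything except port-80 web traffic, here is a small added example (not code from this thread or from Cisco) that models IOS extended-ACL evaluation in Python: the first matching entry wins, and an implicit deny ip any any sits at the end of every list. It runs the poster's list (abbreviated to four of the host entries) and the same list ending in permit ip any any, as Joseph suggests, against constructed packets; the unlisted destinations use RFC 5737 documentation addresses and are assumptions for the demonstration.

```python
"""Toy model of Cisco IOS extended-ACL evaluation: first match wins, and
every list ends with an implicit 'deny ip any any'.

Added example for this thread, not code from the original posts or from
Cisco.  The ACL lines are copied from the poster's list 101 (abbreviated);
the test packets' unlisted destinations are constructed RFC 5737 addresses.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, List, Optional, Tuple

# IOS port keywords this parser understands (constructed subset).
PORT_NAMES = {"www": 80, "domain": 53}


@dataclass(frozen=True)
class Ace:
    action: str           # "permit" or "deny"
    proto: str            # "ip" matches any protocol; otherwise "tcp"/"udp"
    dst: str              # "any" or a single host address
    dport: Optional[int]  # None means any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    dst: str
    dport: int


def parse_ace(line: str) -> Ace:
    """Parse 'access-list N {permit|deny} PROTO any {any|host A.B.C.D} [eq PORT]'.

    Only the subset used in the thread is supported (source is always 'any');
    anything else raises so a typo cannot silently become a permissive entry.
    """
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list" or tok[4] != "any":
        raise ValueError(f"unsupported ACE: {line!r}")
    action, proto = tok[2], tok[3]
    if action not in ("permit", "deny"):
        raise ValueError(f"unsupported action in ACE: {line!r}")
    i = 5
    if tok[i] == "host":
        dst, i = tok[i + 1], i + 2
    elif tok[i] == "any":
        dst, i = "any", i + 1
    else:
        raise ValueError(f"unsupported destination in ACE: {line!r}")
    dport = None
    if i < len(tok) and tok[i] == "eq":
        name = tok[i + 1]
        dport = PORT_NAMES[name] if name in PORT_NAMES else int(name)
    return Ace(action, proto, dst, dport)


def parse_acl(text: str) -> List[Ace]:
    return [parse_ace(ln) for ln in text.strip().splitlines() if ln.strip()]


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ace.dst != "any" and ip_address(ace.dst) != ip_address(pkt.dst):
        return False
    return ace.dport is None or ace.dport == pkt.dport


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """Return 'permit' or 'deny' the way IOS would: first match wins."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"  # the implicit deny at the end of every IOS ACL


# The poster's list, abbreviated: only port-80 traffic is ever permitted.
ORIGINAL_ACL = parse_acl("""
access-list 101 deny tcp any host 173.252.110.27 eq www
access-list 101 deny tcp any host 31.13.68.8 eq www
access-list 101 deny tcp any host 173.194.36.72 eq www
access-list 101 deny tcp any host 173.194.36.73 eq www
access-list 101 permit tcp any any eq www
""")

# Same entries, ending with the 'permit ip any any' Joseph suggested.
CORRECTED_ACL = parse_acl("""
access-list 101 deny tcp any host 173.252.110.27 eq www
access-list 101 deny tcp any host 31.13.68.8 eq www
access-list 101 deny tcp any host 173.194.36.72 eq www
access-list 101 deny tcp any host 173.194.36.73 eq www
access-list 101 permit ip any any
""")

# Constructed traffic: listed and unlisted sites on 80 and 443, plus DNS.
SAMPLE_TRAFFIC: Dict[str, Packet] = {
    "HTTP to listed Facebook address": Packet("tcp", "173.252.110.27", 80),
    "HTTPS to listed Facebook address": Packet("tcp", "173.252.110.27", 443),
    "HTTP to an unlisted site": Packet("tcp", "203.0.113.10", 80),
    "HTTPS to an unlisted site": Packet("tcp", "203.0.113.10", 443),
    "DNS query to a resolver": Packet("udp", "198.51.100.53", 53),
}


def compare(pkt: Packet) -> Tuple[str, str]:
    """(verdict under the poster's ACL, verdict under the corrected ACL)."""
    return evaluate(ORIGINAL_ACL, pkt), evaluate(CORRECTED_ACL, pkt)


if __name__ == "__main__":
    print(f"{'traffic':36} {'original':10} {'corrected':10}")
    for label, pkt in SAMPLE_TRAFFIC.items():
        orig, fixed = compare(pkt)
        print(f"{label:36} {orig:10} {fixed:10}")
```

Running it prints a table: under the original list, HTTPS and DNS to any destination fall through to the implicit deny, which is why "all the sites" appeared blocked. The corrected list fixes that, but note what it still does not do: the deny entries match only eq www, so HTTPS (port 443) to the same Facebook address is permitted, and the host entries have to be kept in step with every address the sites use, which is the limitation the rest of the thread turns to.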

 

Users can access YouTube and FB using a proxy.

And YouTube and FB will have more IP addresses later.

The best way is NBAR, but the 3750 looks like it does not support NBAR.

Using NBAR:

match protocol http host youtube

match protocol http host facebook

New Member

If you are planning to do more filtering (blocking URLs, apps, etc.) I'd suggest purchasing a firewall, Cisco or another vendor (better than Cisco for FW), because a router/switch simply cannot do it :)

 

-Brj
