02-02-2021 04:31 AM
Hello, I tried to configure HTTP URL filtering on an ISR 4321 router as I did on the 2911 router. But it seems that some commands are missing, and other methods to filter URLs that work on the 2911 router do not work on the ISR 4321 router.
ADV-R(config-cmap)#match protocol http
ADV-R(config-cmap)#match protocol http url
ADV-R(config-cmap)#match protocol http url ?
WORD Enter a string as the sub-protocol parameter
ADV-R(config-cmap)#match protocol http url *test*
ADV-R(config-cmap)#exit
ADV-R(config)#policy-map
ADV-R(config)#policy-map url-block
ADV-R(config)#policy-map url-block
% A policy with the same name of inspect type already exists
ADV-R(config)#
ADV-R(config)#no policy-map url-block
ADV-R(config)#policy-map
ADV-R(config)#policy-map url-block
ADV-R(config)#policy-map url-block
ADV-R(config-pmap)#
ADV-R(config-pmap)#
ADV-R(config-pmap)#class url-block
ADV-R(config-pmap)#class url-block
ADV-R(config-pmap-c)#drop
ADV-R(config-pmap-c)#drop
^
% Invalid input detected at '^' marker.
ADV-R(config-pmap-c)#drop
ADV-R(config-pmap-c)#drop
"drop" command is missing. Is there another way to configure URL filtering on the ISR 4000 series?
P.S. I also tried to configure QoS policy conform-action to drop, but it seems that URL classification does not work for QoS.
02-02-2021 09:04 PM
This configuration works well.
I forgot to use "host" instead of "URL".
class-map url
match protocol http host *www.cisco.com*
exit
policy-map url-block
class url
police cir per 20 conform-action drop exceed-action drop violate-action drop
exit
int g0/0/1
service-policy input url-block
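Added example, not part of the original post and not Cisco code: a small Python model of why the `host` criterion in the working configuration classifies a whole site while the earlier `url` criterion did not. It assumes `url` is compared against the request target and `host` against the Host header of a cleartext HTTP request, approximates the router's wildcard matching with `fnmatch`, and uses constructed sample requests.

```python
from fnmatch import fnmatchcase

# Patterns taken from the two class-maps in the thread.
URL_PATTERN = "*test*"            # match protocol http url *test*
HOST_PATTERN = "*www.cisco.com*"  # match protocol http host *www.cisco.com*


def parse_request(raw: bytes) -> dict:
    """Return the request target and Host header of a cleartext HTTP/1.x request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError("not an HTTP/1.x request line")
    host = ""
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            # Assumption of this model: host names are compared case-insensitively.
            host = value.strip().lower()
            break
    return {"url": parts[1], "host": host}


def classify(raw: bytes) -> dict:
    """Report which of the two class-map criteria the request would satisfy."""
    fields = parse_request(raw)
    return {
        "url": fnmatchcase(fields["url"], URL_PATTERN),
        "host": fnmatchcase(fields["host"], HOST_PATTERN),
    }


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "site root": b"GET / HTTP/1.1\r\nHost: www.cisco.com\r\n\r\n",
    "path with 'test'": b"GET /lab/test.html HTTP/1.1\r\nHost: example.org\r\n\r\n",
    "host with port": b"GET /support HTTP/1.1\r\nHost: WWW.Cisco.com:8080\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:18} {classify(raw)}")
```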
02-02-2021 07:52 AM
Can you post show version and show license for both the kits?
02-02-2021 04:17 PM
ADV-R#show license
Index 1 Feature: appxk9
Period left: Not Activated
Period Used: 0 minute 0 second
License Type: EvalRightToUse
License State: Active, Not in Use, EULA not accepted
License Count: Non-Counted
License Priority: None
Index 2 Feature: uck9
Period left: Life time
License Type: Permanent
License State: Active, In Use
License Count: Non-Counted
License Priority: Medium
Index 3 Feature: securityk9
Period left: Life time
License Type: Permanent
License State: Active, In Use
License Count: Non-Counted
License Priority: Medium
Index 4 Feature: ipbasek9
Period left: Life time
License Type: Permanent
License State: Active, In Use
License Count: Non-Counted
License Priority: Medium
Index 5 Feature: FoundationSuiteK9
Period left: Not Activated
Period Used: 0 minute 0 second
License Type: EvalRightToUse
License State: Active, Not in Use, EULA not accepted
License Count: Non-Counted
License Priority: None
Index 6 Feature: AdvUCSuiteK9
Period left: Not Activated
Period Used: 0 minute 0 second
License Type: EvalRightToUse
License State: Active, Not in Use, EULA not accepted
License Count: Non-Counted
License Priority: None
Index 7 Feature: cme-srst
Period left: 3 weeks 5 days
Period Used: 4 weeks 5 days
License Type: EvalRightToUse
License State: Active, In Use
License Count: 6/0 (In-use/Violation)
License Priority: Low
Index 8 Feature: hseck9
Index 9 Feature: throughput
Period left: Not Activated
Period Used: 0 minute 0 second
License Type: EvalRightToUse
License State: Active, Not in Use, EULA not accepted
License Count: Non-Counted
License Priority: None
Index 10 Feature: internal_service
ADV-R#
ADV-R#show version
ADV-R#show version
Cisco IOS XE Software, Version 16.08.01
Cisco IOS Software [Fuji], ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 16.8.1, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2018 by Cisco Systems, Inc.
Compiled Tue 27-Mar-18 13:43 by mcpre
Cisco IOS-XE software, Copyright (c) 2005-2018 by cisco Systems, Inc.
All rights reserved. Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0. The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY. You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0. For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.
ROM: IOS-XE ROMMON
ADV-R uptime is 1 day, 18 hours, 39 minutes
Uptime for this control processor is 1 day, 18 hours, 42 minutes
System returned to ROM by Reload Command at 14:31:49 KST Mon Feb 1 2021
System restarted at 14:36:29 KST Mon Feb 1 2021
System image file is "bootflash:isr4300-universalk9.16.08.01.SPA.bin"
Last reload reason: Reload Command
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
Suite License Information for Module:'esg'
--------------------------------------------------------------------------------
Suite Suite Current Type Suite Next reboot
--------------------------------------------------------------------------------
FoundationSuiteK9 None None None
securityk9
appxk9
AdvUCSuiteK9 None None None
uck9
cme-srst
cube
Technology Package License Information:
-----------------------------------------------------------------
Technology Technology-package Technology-package
Current Type Next reboot
------------------------------------------------------------------
appxk9 None None None
uck9 uck9 Permanent uck9
securityk9 securityk9 Permanent securityk9
ipbase ipbasek9 Permanent ipbasek9
cisco ISR4321/K9 (1RU) processor with 1788457K/6147K bytes of memory.
Processor board ID FDO2241A2GG
2 Gigabit Ethernet interfaces
2 Serial interfaces
32768K bytes of non-volatile configuration memory.
4194304K bytes of physical memory.
3125247K bytes of flash memory at bootflash:.
0K bytes of WebUI ODM Files at webui:.
Configuration register is 0x2102