04-15-2010 11:53 AM - edited 03-11-2019 10:33 AM
Looking for a Cisco Router for 75 users.
The Number 1 solution we need is a "Whitelist only" URL filtering. A call to Cisco sales didn't help.
Is this possible with any Cisco router?
04-15-2010 01:46 PM
Hi,
I don't think there's a Cisco router specialized in web filtering.
You can however use FPM to match and filter URLs on the router.
Normally, Cisco routers can work with a websense device for example to redirect URL requests.
Federico.
04-16-2010 03:40 PM
You can use NBAR to "not block" a URL and block everything else. An example (Method A) that does it for various Nimda virus URLs is here: http://www.cisco.com/en/US/products/hw/routers/ps359/products_tech_note09186a00800fc176.shtml But you will do the same using your URLs. Whenever you match a good whitelisted website you will set the DSCP value to something, say x. And then for any other website you will set DSCP to something else, say y. Then you will drop packets with DSCP y, as is done in the example.
Another way of doing it is to use the IOS URL filtering feature. It is licensable, but very efficient. It can blacklist, white list and URL filter based on reputation and categories. Here is the link for your reference http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6643/white_paper_c89-492776.html
I hope it helps.
PK
04-16-2010 06:07 PM
http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455b0e.html
ip inspect name FW ftp
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW http java-list 1 urlfilter
! just configure some random ip
ip urlfilter server vendor websense 192.168.100.16 timeout 2 retransmit 3
ip urlfilter allow-mode on
! will only allow yahoo.com and google.com and deny all other sites
ip urlfilter exclusive-domain permit .yahoo.com
ip urlfilter exclusive-domain permit .google.com
! Java filter required for URL filtering
access-list 1 permit any
interface GigabitEthernet0/1
 description Public internet facing ISP
 ip address 1.1.1.1 255.255.255.0
 ! this acl will allow all inbound traffic
 ip access-group 111 in
 ip inspect FW out
This is an old CBAC-style config. With no additional expense or license you can just allow a few domain names and deny every other domain.
That websense server IP address can be anything. I believe the config would work even without that line.
-KS
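An added example, not part of the post above and not Cisco's code: a small Python model of the decision the `ip urlfilter` lines ask the router to make, useful for listing which test hosts should pass before checking them against the live device. It assumes that leading-dot `exclusive-domain` entries are suffix matches consulted before any filter server, and that with no filter server reachable `allow-mode on` passes unlisted requests while `allow-mode off` drops them; confirm both on the router. The function names and the host list are constructed for illustration.

```python
import re

# Constructed sample: the "ip urlfilter" lines from the configuration above.
CONFIG = """\
ip urlfilter server vendor websense 192.168.100.16 timeout 2 retransmit 3
ip urlfilter allow-mode on
ip urlfilter exclusive-domain permit .yahoo.com
ip urlfilter exclusive-domain permit .google.com
"""
# Constructed test hosts, including look-alikes a suffix match must not accept.
HOSTS = ["www.yahoo.com", "MAIL.Google.com:80", "notyahoo.com",
         "www.yahoo.com.example.net", "example.org"]

RULE = re.compile(r"^ip urlfilter exclusive-domain (permit|deny) (\S+)$")
MODE = re.compile(r"^ip urlfilter allow-mode (on|off)$")

def parse(config):
    """Return (rules, allow_mode) read from IOS 'ip urlfilter' lines."""
    rules, allow_mode = [], False  # assumption: allow-mode defaults to off
    for line in map(str.strip, config.splitlines()):
        if m := RULE.match(line):
            rules.append((m.group(1), m.group(2).lower()))
        elif m := MODE.match(line):
            allow_mode = m.group(1) == "on"
    return rules, allow_mode

def host_matches(host, pattern):
    """Assumption: a leading-dot entry is a domain suffix, otherwise exact."""
    return host.endswith(pattern) if pattern.startswith(".") else host == pattern

def decide(host_header, rules, allow_mode, server_up=False):
    """Verdict for one HTTP Host header value under the modelled rules."""
    host = host_header.split(":")[0].rstrip(".").lower()
    for action, pattern in rules:  # local exclusive-domain list comes first
        if host_matches(host, pattern):
            return action
    if server_up:
        return "ask-server"  # a reachable filter server decides the rest
    # Assumption: with no server reachable, allow-mode sets the fallback.
    return "permit" if allow_mode else "deny"

def audit(config, hosts, server_up=False):
    """Map each host to its modelled verdict for the given configuration."""
    rules, allow_mode = parse(config)
    return {h: decide(h, rules, allow_mode, server_up) for h in hosts}

if __name__ == "__main__":
    for mode in ("on", "off"):
        cfg = CONFIG.replace("allow-mode on", f"allow-mode {mode}")
        print(f"allow-mode {mode}:", audit(cfg, HOSTS))
```

Comparing the two printed rows against what the router actually does for the same hosts shows whether the unlisted-domain fallback behaves as a whitelist.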