01-05-2004 06:46 AM - edited 03-02-2019 12:40 PM
Hello,
We do not have any URL filtering software like Websense, but we are trying to achieve the same using NBAR in the router.
I need to allow only hotmail.com and yahoo.com and block all other URLs.
Here is the config I am trying:
Router(config)#class-map match-any blockURL
Router(config-cmap)#match protocol http url "*.msn.com"
Router(config-cmap)#match protocol http url "*msn.com"
Router(config-cmap)#match protocol http url "*.hotmail.com"
Router(config-cmap)#match protocol http url "*hotmail.com"
Router(config)#policy-map markurl
Router(config-pmap)#class blockURL
Router(config-pmap-c)#set ip dscp 1
Router(config)#access-list 105 permit ip (source ip) any dscp 1
Router(config)#access-list 105 deny ip (source ip) any
Router(config)#access-list 105 permit ip any any
Applied this access list on the f0/0 interface.
Unfortunately it is not working. Can I know where I am going wrong?
Your inputs are highly appreciated.
01-05-2004 11:57 AM
Hi, I assume you applied the ACL and the service policy in the right places? I.e., if my users are on the fa0/0 segment and my internet connection is through se0/0, then you'd apply the ACL out on se0/0 and the service policy inbound on fa0/0, i.e.:
class-map match-any permit
 match protocol http url "*hotmail.com"
 match protocol http url "*yahoo.com"
policy-map mark-http-traffic
 class permit
  set ip dscp 1
interface fa0/0
 service-policy input mark-http-traffic
interface se0/0
 ip access-group 105 out
! "specific" stands for the user source address/wildcard
access-list 105 permit ip "specific" any dscp 1
! everything else from those users is dropped (the implicit deny covers the rest)
access-list 105 deny ip "specific" any
This should let you do the HTTP filtering you want. However, it will block any other traffic not specifically configured, so this might not be what you want. Also, an easier way here, as long as your topology allows it, would be to simply configure the service policy without even marking any traffic; just based on the class you can police anything else, and it will save you some lines of config, i.e.:
policy-map mark-http-traffic
 class block
  police 1000000 31250 31250 conform-action drop exceed-action drop violate-action drop
That will discard anything defined in the class "block" with a protocol filter such as
 match protocol http url *
Hope that helps.
01-08-2004 06:36 AM
Hi,
My input interface is f0/0 and the out interface (internet) is f0/1. I have done exactly what you recommended, but still it is not working. I do not see any matches for access-list 105 for dscp 1.
While experimenting I changed it to "dscp default". In this case all the packets are matched (as seen on access-list 105), but the end user is able to browse all the web sites (our intention is to allow only hotmail and yahoo). We even tried dscp 2, but no help.
Regarding your suggestion of using police and dropping all the packets that match the url: this would work for blocking hotmail and yahoo, but we want to allow hotmail and yahoo.
Can you please let me know why dscp 1 does not work?
Thanks and Regards
01-08-2004 08:53 AM
Hi there, my bad.
The problem is that you should use the host option instead of the url option. So the config for the class map would look like this:
class-map match-any permit
 match protocol http host hotmail*
 match protocol http host yahoo*
Also, you could use the police option if you defined a class called "block", your whole config in that case would look like:
class-map match-any permit
 match protocol http host hotmail*
 match protocol http host yahoo*
class-map match-any block
 match protocol http host *
policy-map deny-unwanted-httptraffic
 class permit
 class block
  police 1000000 31250 31250 conform-action drop exceed-action drop violate-action drop
Therefore, no ACL would be needed and no marking.
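For reference, here is the complete IOS configuration for the approach in the final reply, written out as an added example; it is not a post from the thread. The reason the first attempt never marked anything is that `match protocol http url` only inspects the URL portion after the hostname (the path), while `match protocol http host` inspects the Host: header, so a pattern like "*hotmail.com" can only match under `host`. Interface names follow the thread (users on FastEthernet0/0); the policy-map name, the `*hotmail.com*` style patterns (so that www.hotmail.com also matches) and the `ip cef` line are my assumptions.

```ios
! Added example, not part of the original thread.
! NBAR classification requires CEF switching.
ip cef
!
! "host" matches the Host: header of a cleartext HTTP request.
! "url" would only match the path after the hostname, which is why
! the original "*hotmail.com" url patterns never matched anything.
class-map match-any permit
 match protocol http host *hotmail.com*
 match protocol http host *yahoo.com*
!
! Any other HTTP request, regardless of hostname.
class-map match-any block
 match protocol http host *
!
! Classes are evaluated in order. A request that matched "permit" is
! never tested against "block"; an action-less class simply passes it.
! Everything that reaches "block" is policed with drop for every outcome,
! so the rate values are irrelevant (kept from the thread).
policy-map deny-unwanted-httptraffic
 class permit
 class block
  police 1000000 31250 31250 conform-action drop exceed-action drop violate-action drop
!
! Apply inbound on the user-facing interface; the keyword is "input",
! not "inbound".
interface FastEthernet0/0
 service-policy input deny-unwanted-httptraffic
!
! Verification from exec mode (assumed interface name):
!   show class-map
!   show policy-map interface FastEthernet0/0
```

Two caveats worth knowing before relying on this as an allow-list. First, NBAR only inspects HTTP it recognises (TCP port 80 by default, or ports added with `ip nbar port-map http tcp ...`); HTTPS and any non-HTTP protocol pass this policy untouched, so the ACL approach from the earlier reply is still needed if the goal is "only hotmail and yahoo, nothing else". Second, the Host: header is supplied by the client, so a user who sends a permitted hostname in the header while connecting to some other IP address is classified as permitted; header-based filtering on its own is not a hard control.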