01-20-2013 11:25 PM - edited 03-04-2019 06:47 PM
Hi,
I have a Cisco router up and running. I want to block some websites (facebook, twitter, etc.) and downloads of files with extensions like
*.avi, *.mp3, *.mp4, *.exe, *.wma, *.wmv, *.torrent, etc.
I want to block these for some users (based on MAC address) and allow other users on the same network to have access.
Can anyone help me do this?
02-08-2013 06:11 AM
Here's what you did:
ip access-list extended block-ip
permit ip any any
permit tcp host 192.168.0.100 any eq www
permit tcp host 192.168.0.107 any eq www
Here's what I suggested you to do:
ip access-list extended block-ip
permit tcp host 192.168.0.100 any eq www
permit tcp host 192.168.0.107 any eq www
Don't you see the difference?
Regards
Alain
Don't forget to rate helpful posts.
02-09-2013 02:18 AM
Hi,
OK, so:
1) 10 permitted users should have a manual binding in the DHCP server
2) use ACL with permit statements for the IPs of these users
3) create a class-map to match this ACL
4) create a class-map for the sites
5) create a new class-map matching the class for sites and not the class for the ACL (with the match not class-map command)
6) create a policy dropping packets for the new class-map
7) apply this policy inbound on your interface
Regards
Alain
Don't forget to rate helpful posts.
01-20-2013 11:50 PM
Hi,
Take a look at this: http://ardenpackeer.com/tutorials/security/tutorial-how-to-use-cisco-mqc-nbar-to-filter-websites-like-youtube/
For the source MAC filtering, here's an example to block google.com for 0000.1111.1111 and 0000.2222.2222:
class-map match-any FILTERED_MACS
match source-address mac 0000.1111.1111
match source-address mac 0000.2222.2222
class-map match-any FILTERED_HOST
match protocol http host *google.com*
class-map match-all BLOCKED
match class-map FILTERED_MACS
match class-map FILTERED_HOST
policy-map BLOCKED
class BLOCKED
drop
Regards.
Alain
Don't forget to rate helpful posts.
01-21-2013 12:41 AM
I did the same configuration as you said, but I am still not able to block google.com on the host (00-14-A5-79-10-67).
!
class-map match-any FILTERED_MACS
match source-address mac 0014.A579.1067
class-map match-any FILTERED_HOST
match protocol http host "*google.com*"
class-map match-all BLOCKED
match class-map FILTERED_MACS
match class-map FILTERED_HOST
!
!
policy-map BLOCKED
class BLOCKED
drop
!
01-21-2013 12:49 AM
Hi,
You have to apply the policy-map to your inbound interface:
int vlan 1
service-policy input BLOCKED
Regards.
Alain
Don't forget to rate helpful posts.
01-21-2013 01:33 AM
Only *.google.com* just worked; this only blocks google.com, whereas I can still access www.google.in.
But when i update the FILTERED_HOST list to:
*.facebook.com*
*.youtube.com*
It is not at all blocking the other updated websites.
01-21-2013 02:10 AM
Hi,
Can you try with match protocol http url instead of match protocol http host?
It won't work with https though.
Regards.
Alain
Don't forget to rate helpful posts.
01-21-2013 03:04 AM
Yep, I tried URL matching too, but it still allows it.
Is there any other way using an ACL?
Alternatively I am trying via that, but it is blocking the Internet for all users on the network.
Any idea on ACLs?
01-21-2013 05:00 AM
Hi,
Can you try without the dot after the star here:
*.facebook.com*
Regards.
Alain
Don't forget to rate helpful posts.
02-02-2013 04:05 AM
Well, that didn't work either.
But with the following class-map configuration I am successfully able to block the restricted sites for all the users in the network.
!
class-map match-any sites
match protocol http host "*youtube.com*"
match protocol http host "*porn*"
match protocol http url "*.mp3"
match protocol http host "*.savevid.com"
match protocol http url "*.flv|*.m4v|*.m4a|*.3gp|*.mov"
match protocol http host "*pornhub.com"
match protocol http mime "video/flv|video/x-flv|video/mp4|video/x-m4v"
match protocol http url "*cricket*"
match protocol http url "*.mp4"
match protocol http mime "video/mp4|video/x-mp4"
match protocol http mime "video/avi|video/x-avi|video/3gp|video/x-3gp"
!
!
policy-map rule1
class sites
drop
!
But I have to allow access to those blocked sites for some set of users based on MAC address or IP address (full access to the Internet). How?
I have a Cisco 881 router, IOS 15.1.
02-02-2013 05:17 AM
Hi Amanulla
In http host you can omit ".com" that way you block not only google.com but every url with string google in it.
And as Alain advised you, to allow full access to chosen users you should use a nested class-map.
class-map match-any sites
*
class-map match-any users
*
class-map match-all block
match class-map sites
match class-map users
policy-map block-traffic
class block
drop
interface Fa0/0
desc LAN
service-policy input block-traffic
This should work for you just fine, I am using it and no problem with it.
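Alain's seven steps above and Balu's nested class-map skeleton, written out as one complete configuration. This is an added example, not a config from either poster; the pool names, class names, IP addresses and MAC addresses are constructed placeholders.

```cisco
! Step 1: fixed IP for each allowed host via a DHCP manual binding
! (one pool per host; Windows DHCP clients usually need
!  "client-identifier 01" + MAC instead of hardware-address)
ip dhcp pool STAFF-PC1
 host 192.168.0.100 255.255.255.0
 hardware-address 0000.1111.1111
!
ip dhcp pool STAFF-PC2
 host 192.168.0.107 255.255.255.0
 hardware-address 0000.2222.2222
!
! Step 2: ACL that lists only the permitted hosts. No "permit ip any any"
! here: that line would make every host match the allowed class.
ip access-list extended ALLOWED-USERS
 permit ip host 192.168.0.100 any
 permit ip host 192.168.0.107 any
!
! Step 3: class-map for the allowed users, matching the ACL
class-map match-any ALLOWED-USERS
 match access-group name ALLOWED-USERS
!
! Step 4: class-map for the sites and file types to block
! (NBAR inspects plain HTTP only; HTTPS is not matched)
class-map match-any BLOCKED-SITES
 match protocol http host "*facebook*"
 match protocol http host "*twitter*"
 match protocol http url "*.mp3|*.mp4|*.avi|*.exe|*.torrent"
!
! Step 5: nested class: a blocked site AND the source is NOT an allowed user
class-map match-all BLOCK-RESTRICTED
 match class-map BLOCKED-SITES
 match not class-map ALLOWED-USERS
!
! Step 6: drop that traffic
policy-map BLOCK-TRAFFIC
 class BLOCK-RESTRICTED
  drop
!
! Step 7: apply inbound on the LAN interface the clients sit behind
interface Vlan1
 service-policy input BLOCK-TRAFFIC
!
! Verify: the BLOCK-RESTRICTED counters should rise when a restricted
! host browses a listed site and stay flat for an allowed host
! show policy-map interface Vlan1
```

Balu's variant is the mirror image: list the restricted hosts in the ACL (or their MACs with match source-address mac) and drop the `not`, so the match-all class drops traffic only for the listed users.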
02-02-2013 08:50 AM
Balu
I tried the same as Alain said before, but didn't get anything to work (I was not able to block the Internet based on MAC).
Can you post the example configuration lines of users and sites?
class-map match-any sites
*
class-map match-any users
*
And what does desc LAN do in the interface?
02-02-2013 03:30 PM
And what does desc LAN do in the interface?
Puts a description or a label on an interface marked "LAN".
02-03-2013 05:13 AM
Amanulla
I used same config as Alain advised you:
match source-address mac xyz
match protocol http host *google*
Could you check if you set the MAC address right; maybe you have a typo there.
By "description LAN" I wanted to underline the fact that the policy has to be placed on the LAN interface where the filtered hosts are, in the input direction.
Could you post the entire config of the class maps, policy maps, and the interface where you applied the service policy? Also the ARP table, with the MACs you would like to filter highlighted.
02-04-2013 04:28 AM
I did the same as mentioned. Now I am able to block the MAC addresses that are entered in the class-map match-any users; it has entries for 7 users' MAC addresses, and I am able to block it for the first three MAC address entries.
But I am not able to block it for the rest of the MAC addresses.
02-04-2013 04:35 AM
Hi,
Could you post your sh policy-map interface output?
Regards.
Alain
Don't forget to rate helpful posts.