I did the same configuration as said but still not able to block google.com on host (00-14-A5-79-10-67)

!

class-map match-any FILTERED_MACS

match source-address mac 0014.A579.1067

class-map match-any FILTERED_HOST

match protocol http host "*google.com*"

class-map match-all BLOCKED

match class-map FILTERED_MACS

match class-map FILTERED_HOST

!

!

policy-map BLOCKED

class BLOCKED

  drop

!

Hi,

You have to apply the policy-map to your inbound interface:

int vlan 1

service-policy input BLOCKED

Regards.

Alain

Don't forget to rate helpful posts.

Just worked only *.google.com* this only blocks google.com where as i can access still www.google.in

But when i update the FILTERED_HOST list to:

*.facebook.com*

*.youtube.com*

It is not at all blocking the other updated websites.

Hi,

Can you try with the match protocol http url instead of match protocol http host.

It won't work with https though.

Regards.

Alain

Don't forget to rate helpful posts.

Yap i tried url mactching too but still it allows.

Is there any other way using ACL-List..

alternatively i am trying via that but it is blocking internet foe all user on the network.

Any idea on ACL

Hi,

can you try without the dot after the star here :

*.facebook.com*

Regards.

Alain

Don't forget to rate helpful posts.

well that didnt worked as well.

But with the following configuration of class-map i am successfully able to block the restricted sites to all the users in the network.

!

class-map match-any sites

match protocol http host "*youtube.com*"

match protocol http host "*porn*"

match protocol http url "*.mp3"

match protocol http host "*.savevid.com"

match protocol http url "*.flv|*.m4v|*.m4a|*.3gp|*.mov"

match protocol http host "*pornhub.com"

match protocol http mime "video/flv|video/x-flv|video/mp4|video/x-m4v"

match protocol http url "*cricket*"

match protocol http url "*.mp4"

match protocol http mime "video/mp4|video/x-mp4"

match protocol http url "video/avi|video/x-avi|video/3gp|video/x-3gp"

!

!

policy-map rule1

class sites

  drop

!

But  I have to allow access to those blocked sites for some set of users based on MAC address or IP Address (Full access to the Internet).. ?

I have a CISCO router 881, IOS 15.1

Hi Amanulla

In http host you can omit ".com" that way you block not only google.com but every url with string google in it.

And as Alain advised you, to allow full access to choosen users you should use nested class-map.

class-map match-any sites

   *

class-map match-any users

   *

class-map match-all block

   match class-map sites

   match class-map users

policy-map block-traffic

   class block

    drop

interface Fa0/0

   desc LAN

   service-policy input block-traffic

This should work for you just fine, I am using it and no problem with it.

Balu

I Tried the same as before the Alain said before but didnt got any thing to get worked.. (I was not able to block the internet based on MAC)

Can u post the example configuration lines of user and sites.

class-map match-any sites

   *

class-map match-any users

   *

And what is desc LAN do in the interface. ?

And what is desc LAN do in the interface. ?

Puts a description or a label on an interface marked "LAN".

Amanulla

I used same config as Alain advised you:

match source-address mac xyz

match protocol http host *google*

Could you check if you set MAC address right, maybe you got there some typo.

By "description LAN" I wanted to underline fact, that policy has to be placed on LAN interface where filtered hosts are, in input direction.

Could you post entire config of class maps, policy maps, and interface where you applied service policy? Also arp table with highlighted MAC which you would like to filter.

I did the same as mentioned, Now i am able to block for the MAC adderess that are entered in the class-map match-any users and it has a entery of 7 users mac address in which i am able to block it for first three mac address entries.

But not able to block to for the rest of the MAC address.

Hi,

could you post your sh policy-map interface output.

Regards.

Alain

Don't forget to rate helpful posts.