Amanulla Khan
Beginner

Block websites on a Cisco 800 series router

Hi,

I have a Cisco router up and running. I want to block some websites (Facebook, Twitter, etc.) and downloads of files with extensions like

*.avi, *.mp3, *.mp4, *.exe, *.wma, *.wmv and *.torrent etc.

I want to block these for some users (based on MAC address) and allow other users on the same network to have access.

Can anyone help me to do this?

30 Replies

Emm..

I thought of creating two different class-maps (class-map match-any users and class-map match-any users) with a set of 3 MAC addresses each, and after that my router kept continuously restarting.....

Well, I restored to default and am restoring the backup file..

Emm, I will post show policy-map interface shortly..


Find the details below:

#show policy-map interface

Vlan1
  Service-policy input: rule1
    Class-map: sites-hosts (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: class-map match-any sites
        Match: protocol http host "*youtube.com*"
          0 packets, 0 bytes
          5 minute rate 0 bps
        Match: protocol http host "*porn*"
          0 packets, 0 bytes
          5 minute rate 0 bps
        Match: protocol http url "*.mp3"
          0 packets, 0 bytes
          5 minute rate 0 bps
        Match: protocol http host "*.savevid.com"
          0 packets, 0 bytes
          5 minute rate 0 bps
        Match: protocol http url "*.flv|*.m4v|*.m4a|*.3gp|*.mov"
          0 packets, 0 bytes
          5 minute rate 0 bps
        Match: protocol http host "*benaughty.com*|*benaught.*|*cinema.dinamalar.com|*download.tamiltunes.com"
          0 packets, 0 bytes
          5 minute rate 0 bps
        Match: protocol http host "*pornhub.com"
          0 packets, 0 bytes
          5 minute rate 0 bps
        Match: protocol http host "*donloadmin.info|*downloadsouthmp3.com|*flirt.com|*freemp3x.com"
          0 packets, 0 bytes
          5 minute rate 0 bps
        Match: protocol http host "*gaana.com|*hornywife.com|*hottiesfinder.com|*phonesex.sucksex.com"
          0 packets, 0 bytes
          5 minute rate 0 bps
        Match: protocol http host "*starmusiq.com|*tamiltunes.com|*wildbuddies.com"
          0 packets, 0 bytes
          5 minute rate 0 bps
        Match: protocol http mime "video/flv|video/x-flv|video/mp4|video/x-m4v"
          0 packets, 0 bytes
          5 minute rate 0 bps
        Match: protocol http url "*cricket*"
          0 packets, 0 bytes
          5 minute rate 0 bps
        Match: protocol http url "*.mp4"
          0 packets, 0 bytes
          5 minute rate 0 bps
        Match: protocol http mime "video/mp4|video/x-mp4"
          0 packets, 0 bytes
          5 minute rate 0 bps
        Match: protocol http url "video/avi|video/x-avi|video/3gp|video/x-3gp"
          0 packets, 0 bytes
          5 minute rate 0 bps
      Match: class-map match-any hosts
        Match: source-address mac 001A.4DA6.DC42
          0 packets, 0 bytes
          5 minute rate 0 bps
        Match: source-address mac 0080.AD82.EB66
          0 packets, 0 bytes
          5 minute rate 0 bps
        Match: source-address mac EA06.E6D2.4635
          0 packets, 0 bytes
          5 minute rate 0 bps
      drop
    Class-map: class-default (match-any)
      737076 packets, 103859524 bytes
      5 minute offered rate 167000 bps, drop rate 0 bps
      Match: any

#Show run brief

class-map match-any sites
 match protocol http host "*youtube.com*"
 match protocol http mime "video/mp4|video/x-mp4"
 match protocol http url "video/avi|video/x-avi|video/3gp|video/x-3gp"
class-map match-any hosts
 match source-address mac 001A.4DA6.DC42
 match source-address mac 0080.AD82.EB66
 match source-address mac EA06.E6D2.4635
class-map match-all sites-hosts
 match class-map sites
 match class-map hosts

policy-map rule1
 class sites-hosts
  drop

interface Vlan1
 description LOCAL LAN
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
 service-policy input rule1

Hi,

Classification based on source MAC is not listed in this whitepaper for 800 series SVIs, so I wonder if this is really supported and if it may be the cause of your non-working configuration.

http://www.cisco.com/en/US/prod/collateral/routers/ps5853/prod_white_paper0900aecd8064c9f4_ps380_Products_White_Paper.html

I think that you should allocate a static binding from DHCP to the hosts you want to filter so you can use an IP ACL to match on IP instead of MAC, and also prevent them from configuring a static IP or spoofing their MAC address, otherwise they could circumvent your policy.

Regards.

Alain

Don't forget to rate helpful posts.


ok,

With an IP ACL I tried to restrict the users based on IP address; I was not able to block just some sites, but the whole internet was getting blocked.

And with the current configuration can we at least override the policy map that drops the packets? I mean, can we allow the users full access to the internet based on their IP address, as I have bound the IP addresses to their MAC addresses in the DHCP pool?

or

can you help me out with the IP ACL.

Hi,

ip access-list extended BLOCK_INTERNET
 deny tcp host x.x.x.x any eq www
 deny tcp host x.x.x.x any eq www
 ! ... same as before, as often as the number of hosts you want to block
 permit ip any any

interface Vlan1
 no service-policy input rule1

class-map match-any BLOCKED-IPS
 match access-group name BLOCK_INTERNET

no class-map match-all sites-hosts
class-map match-all sites-hosts
 match class-map sites
 match class-map BLOCKED-IPS

interface Vlan1
 service-policy input rule1

Regards

Alain

Don't forget to rate helpful posts.


I don't know why it's not working. I did the same as you suggested but no use: it is blocking the restricted sites but it is not allowing those sites for the allowed users (I mean only the "class-map match-any sites" is applied).

policy-map rule2
 class sites-ip
  drop

class-map match-all sites-ip
 match access-group name block-ip      ! ...... not able to find this "match class-map BLOCKED-IPS"
 match class-map sites

class-map match-any sites
 match protocol http host "*youtube.com*"
 match protocol http host "*porn*"
 match protocol http url "*.flv|*.m4v|*.m4a|*.3gp|*.mov|*.mp3"

ip access-list extended block-ip
 deny   tcp host 192.168.0.100 any eq www
 deny   tcp host 192.168.0.107 any eq www
 permit ip any any

Find the show run brief for more details.

Please help me out on this.

Hi,

ip access-list extended block-ip
 deny   tcp host 192.168.0.100 any eq www
 deny   tcp host 192.168.0.107 any eq www
 permit ip any any

You must have a permit in your ACL to match, but these 2 IPs haven't got a manual binding with their MAC,

so do like this if you want those 2 IP addresses not to go on these sites:

ip access-list extended block-ip
 permit   tcp host 192.168.0.100 any eq www
 permit   tcp host 192.168.0.107 any eq www

Regards

Alain

Don't forget to rate helpful posts.


I did it like this:

ip access-list extended block-ip
 permit ip any any
 permit tcp host 192.168.0.100 any eq www
 permit tcp host 192.168.0.107 any eq www

but still the same.. the restricted sites are still blocked for all. The IP addresses 192.168.0.100 and 192.168.0.107 are statically assigned to the PCs.

Is there any option to override the class-map match-any sites and to allow access to the restricted sites (for 192.168.0.100 and 192.168.0.107, as there are very few users that need access to these, like the MD, managers, HR etc..)?

"but still the same.. the restricted sites are still blocked for all"

ip access-list extended block-ip
 permit ip any any          ! every IP is matched by this and so the ACL is not parsed further
 permit tcp host 192.168.0.100 any eq www
 permit tcp host 192.168.0.107 any eq www

I never gave you this ACL, so if you don't follow what people here tell you, I can't do much more for you.

Regards

Alain

Don't forget to rate helpful posts.


In your previous reply you mentioned:

"
You must have a permit in your ACL to match but these 2 IPs haven't got a manual binding with their MAC

so do like this if you want those 2 IP addresses not to go on these sites:

ip access-list extended block-ip
 permit   tcp host 192.168.0.100 any eq www
 permit   tcp host 192.168.0.107 any eq www
"

I thought you were pointing me to do this.

Here's what you did:

ip access-list extended block-ip
 permit ip any any
 permit tcp host 192.168.0.100 any eq www
 permit tcp host 192.168.0.107 any eq www

Here's what I suggested you do:

ip access-list extended block-ip
 permit   tcp host 192.168.0.100 any eq www
 permit   tcp host 192.168.0.107 any eq www

Don't you see the difference?

Regards

Alain

Don't forget to rate helpful posts.


Bravo....

Thanks Alain

ip access-list extended block-ip
 permit tcp host 192.168.0.100 any eq www
 permit tcp host 192.168.0.107 any eq www

This blocked the restricted sites for the users 192.168.0.107 and 192.168.0.100, and the rest of the users can have access to those restricted sites.

Now the problem here is that the users who want access to the restricted sites are only 10 members out of all the other users..

That means I need to manually enter the rest of the 240 IP addresses in the access list?

Is there a way to include an IP address range in the access list?

Hi,

So you have 10 people who can't access these sites, or all other users can't access these sites?

Who can access and who can't?

Regards

Alain

Don't forget to rate helpful posts.


Out of 240 hosts I have got only 10 members who want access to it, and the rest of the 230 users should have the restriction on the restricted sites.

Hi,

ok so

1) the 10 permitted users should have a manual binding in the DHCP server

2) use an ACL with permit statements for the IPs of these users

3) create a class-map to match this ACL

4) create a class-map for the sites

5) create a new class-map matching the class for sites and not the class for the ACL (with the match not class-map command)

6) create a policy dropping packets for the new class-map

7) apply this policy inbound on your interface

Regards

Alain

Don't forget to rate helpful posts.
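The seven steps above written out as one IOS configuration, as an added example that is not from the thread. The names in capitals, the DHCP pool name and the pairing of the MAC with the first IP are assumptions; the MAC, the two IPs and the site patterns are the ones that appear in the thread.

```cisco
! 1) manual DHCP binding so a permitted user always gets the same IP
!    (pool name and MAC-to-IP pairing are assumptions for this example;
!    repeat one pool per permitted user)
ip dhcp pool MGR-PC1
 host 192.168.0.100 255.255.255.0
 hardware-address 001A.4DA6.DC42
!
! 2) ACL that matches ONLY the permitted users. No "permit ip any any":
!    an ACL is evaluated top-down and stops at the first match, so a
!    leading permit-any would make every host count as permitted
!    (that is exactly what went wrong earlier in the thread).
ip access-list extended PERMITTED-USERS
 permit ip host 192.168.0.100 any
 permit ip host 192.168.0.107 any
!
! 3) class-map that matches the ACL
class-map match-any PERMITTED-HOSTS
 match access-group name PERMITTED-USERS
!
! 4) class-map for the sites and file types to block (patterns from the thread)
class-map match-any SITES
 match protocol http host "*youtube.com*"
 match protocol http url "*.mp3|*.mp4|*.avi|*.exe|*.torrent"
!
! 5) drop only when BOTH hold: blocked site AND source is NOT a permitted host
class-map match-all SITES-FOR-RESTRICTED
 match class-map SITES
 match not class-map PERMITTED-HOSTS
!
! 6) policy that drops that class; all other traffic is untouched
policy-map BLOCK-SITES
 class SITES-FOR-RESTRICTED
  drop
!
! 7) apply inbound on the LAN SVI, replacing the earlier rule1
!    (an interface takes only one input service-policy)
interface Vlan1
 no service-policy input rule1
 service-policy input BLOCK-SITES
```

Two caveats: the http host/url matches classify only clear-text HTTP, so TLS sessions to the same sites are not caught by them; and, as Alain notes earlier, the filter keys on source IP, so a host that statically configures one of the permitted addresses is treated as permitted.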
