01-20-2013 11:25 PM - edited 03-04-2019 06:47 PM
Hi,
I have a Cisco router up and running. I want to block some websites (Facebook, Twitter, etc.) and downloads of files with extensions like
*.avi, *.mp3, *.mp4, *.exe, *.wma, *.wmv and *.torrent, etc.
I want to block this for some users (based on MAC address) and allow other users on the same network to have access.
Can anyone help me to do this?
02-04-2013 05:38 AM
Hmm..
I thought of creating two different class-maps (class-map match-any users and class-map match-any users) with a set of 3 MAC addresses each, and after that my router kept continuously restarting.....
Well, I restored to default and am restoring the backup file..
I will post show policy-map interface shortly..
02-04-2013 09:53 PM
find the details below:
#show policy-map interface
Vlan1
Service-policy input: rule1
Class-map: sites-hosts (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: class-map match-any sites
Match: protocol http host "*youtube.com*"
0 packets, 0 bytes
5 minute rate 0 bps
Match: protocol http host "*porn*"
0 packets, 0 bytes
5 minute rate 0 bps
Match: protocol http url "*.mp3"
0 packets, 0 bytes
5 minute rate 0 bps
Match: protocol http host "*.savevid.com"
0 packets, 0 bytes
5 minute rate 0 bps
Match: protocol http url "*.flv|*.m4v|*.m4a|*.3gp|*.mov"
0 packets, 0 bytes
5 minute rate 0 bps
Match: protocol http host "*benaughty.com*|*benaught.*|*cinema.dinamalar.com|*download.tamiltunes.com"
0 packets, 0 bytes
5 minute rate 0 bps
Match: protocol http host "*pornhub.com"
0 packets, 0 bytes
5 minute rate 0 bps
Match: protocol http host "*donloadmin.info|*downloadsouthmp3.com|*flirt.com|*freemp3x.com"
0 packets, 0 bytes
5 minute rate 0 bps
Match: protocol http host "*gaana.com|*hornywife.com|*hottiesfinder.com|*phonesex.sucksex.com"
0 packets, 0 bytes
5 minute rate 0 bps
Match: protocol http host "*starmusiq.com|*tamiltunes.com|*wildbuddies.com"
0 packets, 0 bytes
5 minute rate 0 bps
Match: protocol http mime "video/flv|video/x-flv|video/mp4|video/x-m4v"
0 packets, 0 bytes
5 minute rate 0 bps
Match: protocol http url "*cricket*"
0 packets, 0 bytes
5 minute rate 0 bps
Match: protocol http url "*.mp4"
0 packets, 0 bytes
5 minute rate 0 bps
Match: protocol http mime "video/mp4|video/x-mp4"
0 packets, 0 bytes
5 minute rate 0 bps
Match: protocol http url "video/avi|video/x-avi|video/3gp|video/x-3gp"
0 packets, 0 bytes
5 minute rate 0 bps
Match: class-map match-any hosts
Match: source-address mac 001A.4DA6.DC42
0 packets, 0 bytes
5 minute rate 0 bps
Match: source-address mac 0080.AD82.EB66
0 packets, 0 bytes
5 minute rate 0 bps
Match: source-address mac EA06.E6D2.4635
0 packets, 0 bytes
5 minute rate 0 bps
drop
Class-map: class-default (match-any)
737076 packets, 103859524 bytes
5 minute offered rate 167000 bps, drop rate 0 bps
Match: any
#show run brief
class-map match-any sites
match protocol http host "*youtube.com*"
match protocol http mime "video/mp4|video/x-mp4"
! these are MIME types, so they must be matched with "mime", not "url"
match protocol http mime "video/avi|video/x-avi|video/3gp|video/x-3gp"
class-map match-any hosts
match source-address mac 001A.4DA6.DC42
match source-address mac 0080.AD82.EB66
match source-address mac EA06.E6D2.4635
class-map match-all sites-hosts
match class-map sites
match class-map hosts
policy-map rule1
class sites-hosts
drop
interface Vlan1
description LOCAL LAN
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
service-policy input rule1
02-05-2013 01:47 AM
Hi,
Classification based on source MAC is not listed in this whitepaper for series 800 SVIs, so I wonder if this is really supported and if it may be the cause of your non-working configuration.
I think that you should allocate static bindings from DHCP to the hosts you want to filter, so you can use an IP ACL to match on IP instead of MAC, and also prevent them from configuring a static IP or spoofing their MAC address; otherwise they could circumvent your policy.
Regards.
Alain
Don't forget to rate helpful posts.
02-05-2013 03:00 AM
OK,
With an IP ACL I tried to restrict the users based on IP address; I was not able to block only some sites, but the whole internet was getting blocked.
And with the current configuration, can we at least override the policy map dropping the packets? I mean, can we allow the users full access to the internet based on their IP address, as I have bound the IP addresses to their MAC addresses in the DHCP pool.
or
Can you help me out with the IP ACL?
02-05-2013 04:11 AM
Hi,
ip access-list extended BLOCK_INTERNET
deny tcp host x.x.x.x any eq www
deny tcp host x.x.x.x any eq www
! ... one deny line per host you want to block
permit ip any any
interface Vlan1
no service-policy input rule1
class-map match-any BLOCKED-IPS
match access-group name BLOCK_INTERNET
no class-map match-all sites-hosts
class-map match-all sites-hosts
match class-map sites
match class-map BLOCKED-IPS
interface Vlan1
service-policy input rule1
Regards
Alain
Don't forget to rate helpful posts.
02-08-2013 02:59 AM
I don't know why it's not working. I did the same as you suggested but no use: it is blocking the restricted sites, but it is not allowing those sites to the allowed users (I mean only the "class-map match-any sites" is applied).
policy-map rule2
class sites-ip
drop
class-map match-all sites-ip
match access-group name block-ip   ! could not find this "match class-map BLOCKED-IPS"
match class-map sites
class-map match-any sites
match protocol http host "*youtube.com*"
match protocol http host "*porn*"
match protocol http url "*.flv|*.m4v|*.m4a|*.3gp|*.mov|*.mp3"
ip access-list extended block-ip
deny tcp host 192.168.0.100 any eq www
deny tcp host 192.168.0.107 any eq www
permit ip any any
See the show run brief for more details.
Please help me out on this.
02-08-2013 04:09 AM
Hi,
ip access-list extended block-ip
deny tcp host 192.168.0.100 any eq www
deny tcp host 192.168.0.107 any eq www
permit ip any any
You must have a permit in your ACL to match, but these 2 IPs haven't got a manual binding with their MAC,
so do like this if you want those 2 IP addresses not to go to these sites:
ip access-list extended block-ip
permit tcp host 192.168.0.100 any eq www
permit tcp host 192.168.0.107 any eq www
Regards
Alain
Don't forget to rate helpful posts.
02-08-2013 04:45 AM
I did it like this,
ip access-list extended block-ip
permit ip any any
permit tcp host 192.168.0.100 any eq www
permit tcp host 192.168.0.107 any eq www
but still the same.. the restricted sites are still blocked for all. The IP addresses 192.168.0.100 and 192.168.0.107 are statically assigned to the PCs.
Is there any option to override the class-map match-any sites and to allow access to the restricted sites (for
192.168.0.100 and 192.168.0.107, as there are very few users that need access to these, like the MD, managers and HR etc.)?
02-08-2013 05:40 AM
"but still the same.. the restricted sites are still blocked for all"
ip access-list extended block-ip
permit ip any any   ! every IP is matched by this and so the ACL is not parsed further
permit tcp host 192.168.0.100 any eq www
permit tcp host 192.168.0.107 any eq www
I never gave you this ACL so if you don't follow what people here tell you, I can't do much more for you.
Regards
Alain
Don't forget to rate helpful posts.
02-08-2013 05:52 AM
In your previous reply you mentioned as
"
You must have a permit in your ACL to match but these 2 IPs haven't got a manual binding with their MAC
so do like this if you want those 2 IP addresses not to go on these sites:
ip access-list extended block-ip
permit tcp host 192.168.0.100 any eq www
permit tcp host 192.168.0.107 any eq www
"
I thought you were pointing me to do this.
02-08-2013 06:11 AM
Here's what you did:
ip access-list extended block-ip
permit ip any any
permit tcp host 192.168.0.100 any eq www
permit tcp host 192.168.0.107 any eq www
Here's what I suggested you to do:
ip access-list extended block-ip
permit tcp host 192.168.0.100 any eq www
permit tcp host 192.168.0.107 any eq www
Don't you see the difference ?
Regards
Alain
Don't forget to rate helpful posts.
02-08-2013 07:26 AM
Bravo....
Thanks Alain
ip access-list extended block-ip
permit tcp host 192.168.0.100 any eq www
permit tcp host 192.168.0.107 any eq www
This blocked the restricted sites for the users 192.168.0.107 and 192.168.0.100, and the rest of the users can have access to those restricted sites.
Now the problem here is that the users who want access to the restricted sites are only 10 members out of all the other users..
That means I need to manually enter the rest of the 240 IP addresses in the access list?
Is there a way to include an IP address range in the access list?
02-08-2013 10:47 AM
Hi,
So you have 10 people who can't access these sites, or all other users can't access these sites?
Who can access and who can't?
Regards
Alain
Don't forget to rate helpful posts.
02-08-2013 10:54 PM
Out of 240 hosts I've got only 10 members who want access to it, and the rest of the 230 users should be restricted from the restricted sites.
02-09-2013 02:18 AM
Hi,
OK so:
1) 10 permitted users should have a manual binding in the DHCP server
2) use an ACL with permit statements for the IPs of these users
3) create a class-map to match this ACL
4) create a class-map for the sites
5) create a new class-map matching the class for sites and not the class for the ACL (with the match not class-map command)
6) create a policy dropping packets for the new class-map
7) apply this policy inbound on your interface
Regards
Alain
Don't forget to rate helpful posts.
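The seven steps above carried through into one complete IOS configuration, as an added example that is not from the original thread. The IPs 192.168.0.100 and 192.168.0.107, the site/file-type matches and the interface are taken from the posts above; the pool, ACL, class-map and policy-map names and the two MAC addresses in the DHCP bindings are placeholders I have assumed. Lines starting with "!" are comments.

```cisco
! Step 1: manual DHCP bindings so each exempt user always gets the same IP.
! One host pool per exempt user. MAC addresses here are placeholders;
! Windows clients usually need "client-identifier 01" + MAC instead of
! "hardware-address".
ip dhcp pool EXEMPT-MD
 host 192.168.0.100 255.255.255.0
 hardware-address 0011.2233.4455
 default-router 192.168.0.1
!
ip dhcp pool EXEMPT-HR
 host 192.168.0.107 255.255.255.0
 hardware-address 0011.2233.4456
 default-router 192.168.0.1
!
! Step 2: ACL whose permit entries identify only the exempt users.
! An ACL is read top down and stops at the first match, so a
! "permit ip any any" above these lines would make every host exempt.
! The implicit deny at the end is what puts all other users under
! the restriction.
ip access-list extended EXEMPT-USERS
 permit ip host 192.168.0.100 any
 permit ip host 192.168.0.107 any
!
! Step 3: class-map matching the ACL (packets from exempt users)
class-map match-any EXEMPT-HOSTS
 match access-group name EXEMPT-USERS
!
! Step 4: class-map for the sites and file types to restrict
class-map match-any RESTRICTED-SITES
 match protocol http host "*youtube.com*"
 match protocol http host "*porn*"
 match protocol http url "*.flv|*.m4v|*.m4a|*.3gp|*.mov|*.mp3|*.mp4"
 match protocol http mime "video/mp4|video/x-mp4|video/avi|video/x-avi|video/3gp|video/x-3gp"
!
! Step 5: restricted traffic AND NOT from an exempt host
class-map match-all RESTRICTED-FOR-OTHERS
 match class-map RESTRICTED-SITES
 match not class-map EXEMPT-HOSTS
!
! Step 6: drop that class; everything else falls into class-default and passes
policy-map BLOCK-SITES
 class RESTRICTED-FOR-OTHERS
  drop
!
! Step 7: apply inbound on the LAN SVI, replacing the earlier rule1 policy
interface Vlan1
 no service-policy input rule1
 service-policy input BLOCK-SITES
```

Verify with "show policy-map interface Vlan1": browsing to a restricted site from an exempt host should leave the RESTRICTED-FOR-OTHERS counters unchanged, while the same request from any other host increments them. Two caveats a practitioner should keep in mind: the "match protocol http host/url/mime" statements inspect cleartext HTTP only, so the same sites over HTTPS are not classified by them; and, as noted earlier in the thread, a user who assigns themselves the static IP of an exempt host bypasses the ACL, so the DHCP bindings need something that stops address spoofing at the access layer (DHCP snooping with IP source guard where the switch supports it).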