12-07-2010 03:30 AM - edited 03-04-2019 10:42 AM
Dear Friends,
I have been asked to implement security in a campus network, i.e. in this network we want to block some websites. We don't want to use any 3rd party software or proxy server and content filtering module to block these. My router IOS is advance securityk9.
How can we block a website on a Cisco 2600 series router using commands? What access list do we need to use to block it?
Assume we want to restrict,
or some website. Kindly explain, and give the command to block the above website.
Here we are using a Cisco 2600 series router and a 2900 series switch. On the router we are using a 2Mb leased line link.
12-07-2010 05:39 AM
Hi,
Which version of IOS, how much memory?
Regards.
12-07-2010 09:21 PM
Hi,
Thank you for your quick reply,
ROM: System Bootstrap, Version 12.4(13r)T11, RELEASE SOFTWARE (fc1)
PPCL-RTR uptime is 18 hours, 25 minutes
System image file is "flash:c2800nm-advsecurityk9-mz.124-15.T7.bin"
Cisco 2821 (revision 53.51) with 249856K/12288K bytes of memory.
Processor board ID
2 Gigabit Ethernet interfaces
2 Serial(sync/async) interfaces
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity enabled.
239K bytes of non-volatile configuration memory.
62720K bytes of ATA CompactFlash (Read/Write)
Configuration register is 0x2102
PPCL-RTR#
Waiting for your reply.
12-08-2010 12:25 AM
Hi,
You can try MQC with NBAR. It is supported on your platform and IOS version but I don't know if you have enough RAM.
Enable this feature outside production hours, because if you haven't got enough RAM it may crash your router, and furthermore I don't know your actual CPU usage.
Anyway here's the link: http://ardenpackeer.com/qos-voip/tutorial-how-to-use-cisco-mqc-nbar-to-filter-websites-like-youtube/
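The MQC/NBAR approach suggested in the reply above, as an added IOS configuration example that is not part of the original thread or the linked tutorial. The class-map and policy-map names, the choice of GigabitEthernet0/0 as the LAN-facing interface and the youtube.com host pattern are assumptions.

```cisco
! Added example (constructed). Names, interface and host pattern are
! assumptions; adjust them to the real topology before use.
!
! NBAR requires CEF switching to be enabled.
ip cef
!
! Classify HTTP requests whose Host header matches the pattern.
! Add one "match" line per site to block (match-any = logical OR).
class-map match-any BLOCKED-SITES
 match protocol http host "*youtube.com*"
!
! Drop everything that falls into the class; other traffic is untouched.
policy-map DROP-BLOCKED-SITES
 class BLOCKED-SITES
  drop
!
! Apply inbound on the LAN-facing interface so requests are dropped
! before they reach the 2Mb WAN link.
interface GigabitEthernet0/0
 description LAN side (assumed)
 service-policy input DROP-BLOCKED-SITES
!
! Checks after applying, run from privileged EXEC:
!   show policy-map interface GigabitEthernet0/0   (per-class match/drop counters)
!   show processes cpu history                     (CPU impact of NBAR inspection)
!   show processes memory                          (free memory after enabling NBAR)
```

`match protocol http host` matches the Host header of cleartext HTTP requests, so HTTPS sessions to the same site do not fall into this class.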
12-08-2010 12:31 AM
Hi,
I was faced with your situation some time back early this year. After cracking my brain over many ideas, I finally settled on a DNS-based solution. This is what you can do: create an entry in your forwarding rules on your internal DNS (I am assuming you are using Windows 2003 Server or a higher version). Say you want to block www.youtube.com: point the domain youtube.com to a non-existent DNS IP, say 10.0.0.0 (make sure no device is using this IP), and check the box "do not use recursion on this domain". You may need to restart the DNS service after making this change. This effectively returns no IP when a user's machine types www.youtube.com in the web browser, hence the page will not load. Of course their machines need to point to those DNS servers that are configured to return no IP for the domain you want to block. If you want to take this further by restricting them to only use the DNS servers you assign, configure your firewall rules to only allow those DNS servers you configured to query external public DNS. Doing so will prevent any client machines from configuring a manual DNS address on their own and bypassing your internal DNS. Hope this helps.
12-08-2010 12:37 AM
Hi Connect,
This is really easy to circumvent with a local hosts file if you've got admin rights.
I think if you don't want to touch the router then using a transparent proxy is really a more robust solution.
12-08-2010 12:46 AM
Of course having a dedicated device like a proxy to deal with this problem is the most ideal, but if you have a management like mine who do not want to spend another dime to buy another device, we just make do with what we have.