How to block websites on a Cisco 2600 series router

Arup Dutta
Level 1

Dear Friends,

I have been asked to implement security in a campus network, i.e. in this network we want to block some websites. We don't want to use any 3rd-party software, proxy server or content filtering module to block these. My router IOS is advanced securityk9.

How do we block websites on a Cisco 2600 series router using commands? What access list do we need to use to block them?

Assume we want to restrict:

1. www.orkut.com

2. www.youtube.com

or some other website. Kindly explain, and give the command to block the above websites.

Here we are using a Cisco 2600 series router and a 2900 series switch. On the router we are using a 2 Mb leased-line link.

6 Replies

cadet alain
VIP Alumni

Hi,

Which version of IOS, and how much memory?

Regards.

Don't forget to rate helpful posts.

Hi,

Thank you for your quick reply,

ROM: System Bootstrap, Version 12.4(13r)T11, RELEASE SOFTWARE (fc1)

PPCL-RTR uptime is 18 hours, 25 minutes

System image file is "flash:c2800nm-advsecurityk9-mz.124-15.T7.bin"

Cisco 2821 (revision 53.51) with 249856K/12288K bytes of memory.

Processor board ID

2 Gigabit Ethernet interfaces

2 Serial(sync/async) interfaces

1 Virtual Private Network (VPN) Module

DRAM configuration is 64 bits wide with parity enabled.

239K bytes of non-volatile configuration memory.

62720K bytes of ATA CompactFlash (Read/Write)

Configuration register is 0x2102

PPCL-RTR#

Waiting for your reply.

On Tue, Dec 7, 2010 at 7:09 PM, cadetalain <

Hi,

You can try MQC with NBAR. It is supported on your platform and IOS version, but I don't know if you have enough RAM.

Enable this feature out of production hours, because if you haven't got enough RAM it may crash your router, and furthermore I don't know your actual CPU usage.

Anyway, here's the link: http://ardenpackeer.com/qos-voip/tutorial-how-to-use-cisco-mqc-nbar-to-filter-websites-like-youtube/

Don't forget to rate helpful posts.

connect2world
Level 1

Hi,

I was faced with your situation some time back, early this year. After racking my brain over many ideas, I finally settled on a DNS-based solution. This is what you can do: create an entry in the forwarding rules on your internal DNS (I am assuming you are using Windows 2003 Server or a higher version). Say you want to block www.youtube.com: point the domain youtube.com to a non-existent DNS IP, say 10.0.0.0 (make sure no device is using this IP), and check the box "do not use recursion on this domain". You may need to restart the DNS service after making this change. This effectively returns no IP when users type www.youtube.com in their web browser, hence the page will not load. Of course, their machines need to point to the DNS servers that are configured to return no IP for the domain you want to block.

If you want to take this further by restricting them to only use the DNS servers you assign, configure your firewall rules to only allow the DNS servers you configured to query external public DNS. Doing so will prevent any client machines from configuring a manual DNS address on their own and bypassing your internal DNS. Hope this helps.
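Added example, not written by any poster in this thread and not copied from the linked tutorial: a Cisco IOS configuration that combines the MQC/NBAR filter suggested earlier with a router ACL enforcing the "only the internal DNS servers may query outside" rule from the post above. The class-map, policy-map and ACL names, GigabitEthernet0/0 as the LAN-facing interface, and 10.1.1.10 as the internal DNS server are assumptions.

```cisco
! Added example; names, interface and addresses are assumptions.
! NBAR classification requires CEF.
ip cef
!
! Match the HTTP Host header of requests for the two sites in the question.
! This sees cleartext HTTP only; HTTPS requests are not classified here.
class-map match-any BLOCKED-SITES
 match protocol http host "*youtube.com*"
 match protocol http host "*orkut.com*"
!
policy-map FILTER-WEB
 class BLOCKED-SITES
  drop
!
! Only the internal DNS server (assumed 10.1.1.10) may query outside resolvers.
ip access-list extended LAN-DNS-ONLY
 remark clients may query the internal DNS server
 permit udp any host 10.1.1.10 eq domain
 permit tcp any host 10.1.1.10 eq domain
 remark the internal DNS server may query outside resolvers
 permit udp host 10.1.1.10 any eq domain
 permit tcp host 10.1.1.10 any eq domain
 remark any other DNS query from the LAN is dropped
 deny   udp any any eq domain
 deny   tcp any any eq domain
 permit ip any any
!
! Assumed LAN-facing interface.
interface GigabitEthernet0/0
 ip access-group LAN-DNS-ONLY in
 service-policy input FILTER-WEB
```

`show policy-map interface GigabitEthernet0/0` shows the per-class packet counters, and `show access-lists LAN-DNS-ONLY` shows hits on the deny entries from clients trying other resolvers.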

Hi Connect,

This is really easy to circumvent with a local hosts file if you have admin rights.

I think if you don't want to touch the router, then using a transparent proxy is really a more robust solution.

Don't forget to rate helpful posts.

Of course, having a dedicated device like a proxy to deal with this problem is the most ideal, but if you have a management like mine that does not want to spend another dime to buy another device, we just make do with what we have.
