05-14-2012 01:57 AM - edited 03-04-2019 04:20 PM
Dear all,
I want to block Facebook and YouTube on a Cisco 2801 router. We have a small business company, so we don't want our staff to spend more time on these websites. Please, can anyone help me with that idea?
05-14-2012 02:08 AM
ACL for their addresses.
Simple and effective.
Note that immediately after you have blocked everybody, you will have to configure exceptions for managers/owners.
It is also possible that employees will find other websites to spend time on.
05-14-2012 03:19 AM
Dear Paolo Bivlacqua,
That's a very nice idea, but how can I do that? An addition for the exception would be fantastic.
I have no idea how I can restrict by access list. Give me an example, please.
05-14-2012 03:44 AM
Do you configure your Cisco devices by yourself?
If you do, you need to study and learn every subject, ACL in this case.
Otherwise give the job to a knowledgeable person, and he/she will do everything for you.
05-14-2012 03:45 AM
Thomas,
In addition to what Paolo suggested, you might also (depending on if your IOS supports it) be able to use nbar to match and drop the traffic. You'd probably need to deny executives from being classified in this so they can still get to it though.
Executive IP address: 192.168.1.50
! ACL 10 excludes the executive host from the class and matches everyone else
access-list 10 deny host 192.168.1.50
access-list 10 permit any
!
class-map BlockSites
 match protocol http url "*facebook*"
 match access-group 10
!
policy-map BlockSites
 class BlockSites
  drop
!
! s0/0 is the outside interface toward the WAN
int s0/0
 service-policy output BlockSites
If this doesn't work, you'll need to do just as Paolo stated: find the addresses that the sites you want to block own and block each of them manually.
HTH,
John
01-15-2013 06:03 AM
"*facebook*" is not correct. It's gonna include sites like facebook.whatever.com and also sites like www.facebooksucks.com, which does exist. According to Cisco, the keyword "host" should be used:
match protocol http host "*facebook.com"
This is obviously wrong too, although it's copy-pasted from Cisco's online documentation, because it would include a site like howtogetstartedwithfacebook.com
I think the optimal syntax is: match protocol http host "*.facebook.com|*.youtube.com" where the vertical bar works like a logical any.
But the syntax of the regular expressions is not the matter here. What good will it bring to apply a service-policy dropping all http traffic towards facebook and youtube, since both sites support https? Well, you guessed it, Cisco does not support selective match for secure-http, meaning you either cut every single site for https (useless and impractical) or nothing; so there is no need to cut http either in the first place...
Of course there is still the solution using local content filtering but it requires zone-based policy firewall, so no thanks, I'll go with the plain old proxy server...
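The three host patterns discussed in the post above, checked against constructed hostnames (an added example, not part of the original thread and not Cisco code). It assumes that `*` matches any run of characters, that `|` separates alternatives and that the pattern must cover the whole Host value; `nbar_glob_to_regex`, `matches` and `evaluate` are hypothetical helper names.

```python
import re

def nbar_glob_to_regex(pattern):
    """Translate the pattern subset used in this thread into a Python regex.

    Assumed semantics: '*' = any run of characters, '|' = alternation,
    and the pattern has to match the entire hostname.
    """
    alternatives = []
    for alt in pattern.split("|"):
        # Escape literal pieces (so '.' stays a literal dot) and join with '.*'
        alternatives.append(".*".join(re.escape(piece) for piece in alt.split("*")))
    return re.compile(r"\A(?:" + "|".join(alternatives) + r")\Z", re.IGNORECASE)

def matches(pattern, host):
    return nbar_glob_to_regex(pattern).match(host) is not None

# Patterns quoted in the thread
PATTERNS = ["*facebook*", "*facebook.com", "*.facebook.com|*.youtube.com"]

# Constructed Host header values; True = a host the Facebook block is meant to catch
HOSTS = {
    "facebook.com": True,
    "www.facebook.com": True,
    "facebook.whatever.com": False,
    "www.facebooksucks.com": False,
    "howtogetstartedwithfacebook.com": False,
}

def evaluate(pattern):
    """Return (unintended hosts that match, intended hosts that do not match)."""
    false_positives = sorted(h for h, intended in HOSTS.items()
                             if matches(pattern, h) and not intended)
    missed = sorted(h for h, intended in HOSTS.items()
                    if intended and not matches(pattern, h))
    return false_positives, missed

if __name__ == "__main__":
    for p in PATTERNS:
        false_positives, missed = evaluate(p)
        print(f"{p!r}: over-blocks {false_positives}, misses {missed}")
```

Under these assumptions the last pattern no longer over-blocks, but it requires a leading label, so a request whose Host is exactly `facebook.com` would need its own alternative.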