08-06-2014 10:13 PM - edited 03-04-2019 11:29 PM
I am not able to use these firewall policies in my Cisco 3750
Version 12.2(44)SE5, RELEASE SOFTWARE (fc1)
System image file is "flash:/c3750-ipservicesk9-mz.122-55.SE8.bin"
It only shows: match protocol http
host or url are not in there.
Do I have to upgrade the IOS, or are these commands not available on the 3750 switch?
How can I use that? Please tell me, I'm waiting for your response.
08-07-2014 01:09 AM
Hi,
You need to upgrade your IOS to 12.2(55)SE.
The following might help you:
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_55_se/configuration/guide/3750xscg/swacl.html
Cheers :)
Waqas
08-08-2014 03:26 AM
Hi Waqas,
The link you have sent does not show that the 3750 switch with IOS 12.2(55)SE has the commands
match protocol http url
or
match protocol http host
I have searched for it in many books and I didn't find it.
As this switch is our core switch, I don't want to take any risk until it is sure that these commands are available on IOS 12.2(55)SE.
Regards
08-10-2014 12:12 AM
Hi Srivastava,
Apologies for the late response. Please have a look at the following statement from Cisco on "match protocol http or url" here...
http://www.cisco.com/c/en/us/td/docs/ios/qos/command/reference/qos_book/qos_m1.html#wp1058795
To configure Network-Based Application Recognition (NBAR) to match HTTP traffic by URL, host, Multipurpose Internet Mail Extension (MIME) type, or fields in HTTP packet headers, use the match protocol http command in class-map configuration mode. To disable NBAR from matching HTTP traffic by URL, host, or MIME type, or fields in HTTP packet headers, use the no form of this command.
Cisco IOS Release 12.4(24)T and Earlier Releases, Cisco IOS Release 12.2(33)SRA, Cisco IOS Release 12.2(14)S and Later Releases
match protocol http [url url-string | host hostname-string | mime MIME-type | c-header-field c-header-field-string | s-header-field s-header-field-string]
no match protocol http [url url-string | host hostname-string | mime MIME-type | c-header-field c-header-field-string | s-header-field s-header-field-string]
Cisco IOS Release 15.1(2)T, Cisco IOS XE Release 3.1S and Later Releases and Catalyst 6500 Series Switch Equipped with the Supervisor 32/PISA Engine
match protocol http [content-encoding content-encoding-name-string | from from-address-string | host hostname-string | location location-name-string | mime MIME-type | referer referer-address-string | server server-software-name-string | url url-string | user-agent user-agent-software-name-string]
no match protocol http [content-encoding content-encoding-name-string | from from-address-string | host hostname-string | location location-name-string | mime MIME-type | referer referer-address-string | server server-software-name-string | url url-string | user-agent user-agent-software-name-string]
08-07-2014 06:08 AM
Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
You might find the 3750's NBAR-like features rather lacking.
If so, you can also write ACLs that match against IP addresses and/or port numbers.
08-08-2014 03:10 AM
Hi Joseph,
I have tried to block Facebook and YouTube with this access list, but it blocks all the sites, even though these are only YouTube and Facebook IPs:
access-list 101 deny tcp any host 173.252.110.27 eq www
access-list 101 deny tcp any host 31.13.68.8 eq www
access-list 101 deny tcp any host 173.194.36.72 eq www
access-list 101 deny tcp any host 173.194.36.73 eq www
access-list 101 deny tcp any host 173.194.36.78 eq www
access-list 101 deny tcp any host 173.194.36.64 eq www
access-list 101 deny tcp any host 173.194.36.64 eq www
access-list 101 deny tcp any host 173.194.36.65 eq www
access-list 101 deny tcp any host 173.194.36.66 eq www
access-list 101 deny tcp any host 173.194.36.67 eq www
access-list 101 deny tcp any host 173.194.36.68 eq www
access-list 101 deny tcp any host 173.194.36.69 eq www
access-list 101 deny tcp any host 173.194.36.70 eq www
access-list 101 deny tcp any host 173.194.36.71 eq www
access-list 101 permit tcp any any eq www
interface gi0/1
ip access-group 101 out
Kindly suggest what's wrong in this?
08-09-2014 03:42 AM
Is your int g0/1 egress facing the Internet?
Did you really want to block all other outbound traffic but port 80? If not, try a permit ip any any at the end of your list rather than the permit tcp any any eq www.
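To make the implicit-deny point concrete, here is an added example (not from anyone in this thread): a small first-match evaluator for the subset of IOS extended ACL syntax the posted list uses. It runs the posted ACL and the corrected one against constructed flows (the 198.51.100.x addresses are documentation-range sample values, not real hosts) and shows that DNS and HTTPS are dropped by the original list, which is why every site appears blocked.

```python
"""Added example: first-match evaluation of numbered IOS extended ACLs.
Supports only: access-list N {permit|deny} {tcp|udp|ip} any {any|host A.B.C.D} [eq PORT]
"""
import re

ACE = re.compile(
    r"access-list \d+ (permit|deny) (tcp|udp|ip) any (any|host (\S+))(?: eq (\S+))?$"
)
WELL_KNOWN = {"www": 80, "domain": 53}  # IOS keyword -> port number

def parse_acl(text):
    """Parse ACL lines into (action, proto, dst_host_or_None, dst_port_or_None)."""
    aces = []
    for line in text.strip().splitlines():
        m = ACE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported ACE: {line!r}")
        action, proto, _, host, port = m.groups()
        if port is not None:
            port = WELL_KNOWN[port] if port in WELL_KNOWN else int(port)
        aces.append((action, proto, host, port))
    return aces

def evaluate(aces, proto, dst_ip, dst_port):
    """Return the action of the first matching ACE; IOS appends an implicit deny."""
    for action, a_proto, host, port in aces:
        if a_proto != "ip" and a_proto != proto:
            continue
        if host is not None and host != dst_ip:
            continue
        if port is not None and port != dst_port:
            continue
        return action
    return "deny"  # implicit 'deny ip any any' at the end of every IOS ACL

# Two of the posted ACEs plus the posted final permit (abridged from the thread)
POSTED_ACL = """
access-list 101 deny tcp any host 173.252.110.27 eq www
access-list 101 deny tcp any host 173.194.36.72 eq www
access-list 101 permit tcp any any eq www
"""
# Joseph's suggested fix: let everything else through
FIXED_ACL = POSTED_ACL + "access-list 101 permit ip any any\n"

def outcomes(acl_text):
    """Evaluate constructed sample flows (documentation-range IPs) against an ACL."""
    flows = {
        "http_to_facebook": ("tcp", "173.252.110.27", 80),
        "http_to_other": ("tcp", "198.51.100.10", 80),
        "dns_lookup": ("udp", "198.51.100.53", 53),   # dropped by POSTED_ACL
        "https_to_other": ("tcp", "198.51.100.10", 443),
    }
    return {name: evaluate(parse_acl(acl_text), *f) for name, f in flows.items()}
```

With the posted list, only plain HTTP to unlisted hosts survives; because DNS is denied, even those sites fail to resolve, matching the "blocks all the sites" symptom.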
08-09-2014 10:56 PM
Users can access YouTube and FB using a proxy.
And YouTube and FB will have more IP addresses later.
The best way is NBAR, but the 3750 looks like it does not support NBAR.
Using NBAR:
match protocol http host youtube
match protocol http host facebook
08-07-2014 07:08 AM
If you are planning to do more filtering (blocking URLs, apps etc.) I'd suggest purchasing a firewall, Cisco or another vendor (better than Cisco for FW), because a router/switch simply cannot do it :)
-Brj