how to block website on cisco 3750 switch

R Srivastava
Level 1

I am not able to use these firewall policies in my Cisco 3750.

Version 12.2(44)SE5, RELEASE SOFTWARE (fc1)

System image file is "flash:/c3750-ipservicesk9-mz.122-55.SE8.bin"

It only shows: match protocol http

host or url are not in there.

Do I have to upgrade the IOS, or are these commands not there in the 3750 switch?

How can I use that? Please tell me, I am waiting for your response.

Accepted Solution

Waqas Butt
Level 1

Hi,

You need to upgrade your IOS to 12.2 (55)SE.

The following might help you:

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_55_se/configuration/guide/3750xscg/swacl.html

Cheers :)

Waqas


Hi Waqas,

The link you have sent does not show that the 3750 switch with IOS 12.2(55)SE has the command

match protocol http url

or

match protocol http host

I have searched for it in many books; I didn't find it.

As this switch is our core switch, I don't want to take any risk until it is sure that these commands are available on IOS 12.2(55)SE.

Regards

Hi Srivastava,

Apologies for the late response; please have a look at the following statement from Cisco on "match protocol http or url" here...

http://www.cisco.com/c/en/us/td/docs/ios/qos/command/reference/qos_book/qos_m1.html#wp1058795

match protocol http

To configure Network-Based Application Recognition (NBAR) to match HTTP traffic by URL, host, Multipurpose Internet Mail Extension (MIME) type, or fields in HTTP packet headers, use the match protocol http command in class-map configuration mode. To disable NBAR from matching HTTP traffic by URL, host, or MIME type, or fields in HTTP packet headers, use the no form of this command.

Cisco IOS Release 12.4(24)T and Earlier Releases, Cisco IOS Release 12.2(33)SRA, Cisco IOS Release 12.2(14)S and Later Releases

match protocol http [url url-string | host hostname-string | mime MIME-type | c-header-field c-header-field-string | s-header-field s-header-field-string]

no match protocol http [url url-string | host hostname-string | mime MIME-type | c-header-field c-header-field-string | s-header-field s-header-field-string]

Cisco IOS Release 15.1(2)T, Cisco IOS XE Release 3.1S and Later Releases and Catalyst 6500 Series Switch Equipped with the Supervisor 32/PISA Engine

match protocol http [content-encoding content-encoding-name-string | from from-address-string | host hostname-string location location-name-string mime MIME-type referer referer-address-string server server-software-name-string url url-string | user-agent user-agent-software-name-string]

no match protocol http [content-encoding content-encoding-name-string | from from-address-string | host hostname-string location location-name-string mime MIME-type referer referer-address-string server server-software-name-string url url-string | user-agent user-agent-software-name-string]

Joseph W. Doherty
Hall of Fame

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

You might find 3750 NBAR like features rather lacking.

If so, you can also write ACLs that match against IP addresses and/or port numbers.

Hi Joseph,

I have tried to block Facebook and YouTube with this access list, but it blocks all the sites, as these are only YouTube and Facebook IPs.

access-list 101 deny tcp any host 173.252.110.27 eq www
access-list 101 deny tcp any host 31.13.68.8 eq www
access-list 101 deny tcp any host 173.194.36.72 eq www
access-list 101 deny tcp any host 173.194.36.73 eq www
access-list 101 deny tcp any host 173.194.36.78 eq www
access-list 101 deny tcp any host 173.194.36.64 eq www
access-list 101 deny tcp any host 173.194.36.64 eq www
access-list 101 deny tcp any host 173.194.36.65 eq www
access-list 101 deny tcp any host 173.194.36.66 eq www
access-list 101 deny tcp any host 173.194.36.67 eq www
access-list 101 deny tcp any host 173.194.36.68 eq www
access-list 101 deny tcp any host 173.194.36.69 eq www
access-list 101 deny tcp any host 173.194.36.70 eq www
access-list 101 deny tcp any host 173.194.36.71 eq www
access-list 101 permit tcp any any eq www

interface gi0/1
 ip access-group 101 out

Kindly suggest what's wrong in this?

Posting

Is your int g0/1 egress, facing the Internet?

Did you really want to block all other outbound traffic but port 80? If not, try a permit ip any any at the end of your list rather than the permit tcp any any eq www.

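Added example, not code from the thread: a small Python model of IOS first-match ACL evaluation with the implicit deny, run over a constructed excerpt of the posted list. It shows why the list as posted drops every non-port-80 flow (DNS, HTTPS) while the `permit ip any any` ending suggested above denies only the listed hosts on port 80; the client and destination addresses in the test are made up.

```python
import ipaddress

# Constructed excerpt of the ACL posted in the thread (IOS syntax), and the
# same list with the ending suggested in the reply above. The parser covers
# only the syntax these lines use: access-list N action proto src dst [eq port].
ACL_AS_POSTED = """
access-list 101 deny tcp any host 173.252.110.27 eq www
access-list 101 deny tcp any host 31.13.68.8 eq www
access-list 101 deny tcp any host 173.194.36.72 eq www
access-list 101 permit tcp any any eq www
"""
ACL_FIXED = ACL_AS_POSTED.replace("permit tcp any any eq www", "permit ip any any")

PORT_NAMES = {"www": 80, "domain": 53}  # named ports this toy parser knows

def _take_addr(tokens):
    """Consume 'any' or 'host <ip>' from the token list; return the address spec."""
    if tokens[0] == "any":
        return tokens.pop(0)
    if tokens[0] == "host":
        tokens.pop(0)
        return str(ipaddress.ip_address(tokens.pop(0)))  # validates the literal
    raise ValueError(f"unsupported address spec: {tokens[0]}")

def parse_acl(text):
    """Turn access-list lines into (action, proto, src, dst, dport) tuples, in order."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if t[:1] != ["access-list"]:
            continue
        action, proto, rest = t[2], t[3], t[4:]
        src, dst = _take_addr(rest), _take_addr(rest)
        port = None
        if rest[:1] == ["eq"]:
            port = PORT_NAMES[rest[1]] if rest[1] in PORT_NAMES else int(rest[1])
        entries.append((action, proto, src, dst, port))
    return entries

def evaluate(acl, proto, src, dst, dport):
    """First matching ACE wins; every IOS ACL ends with an implicit 'deny ip any any'."""
    for action, aproto, asrc, adst, aport in acl:
        if aproto != "ip" and aproto != proto:
            continue
        if asrc not in ("any", src) or adst not in ("any", dst):
            continue
        if aport is not None and aport != dport:
            continue
        return action
    return "deny"  # the implicit deny: this is what drops DNS and HTTPS in the posted list
```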
Users can access YouTube and FB using a proxy.

And YouTube and FB will have more IP addresses later.

The best way is NBAR, but the 3750 looks like it does not support NBAR.

Using NBAR:

match protocol http host youtube

match protocol http host facebook

asbesi001
Level 1

If you are planning to do more filtering (blocking URLs, apps, etc.), I'd suggest purchasing a firewall, Cisco or another vendor (better than Cisco for FW), because a router/switch simply cannot do it :)

-Brj
