ISR 2911 IOS Content Filtering of specific subnets

Let me start by saying that I'm not sure if I'm in the right category as I couldn't find one specifically for this issue.  Please move this if need be.

I have a Cisco 2911 Router that is currently configured to run IOS filtering for everything going from GigEth0/2 (Student network for a school) out to GigEth0/0 (WAN Link) while all traffic going from GigEth0/1 (Teacher network for the school) that goes out GigEth0/0 is completely unfiltered.

For this school, we'll be moving this 2911 to a DataCenter where it will handle Internet traffic for multiple locations converging at the DataCenter.  (The current 2911 will be replaced with another 2911 that won't have IOS Content filtering.)  All traffic from each location will be routed to the DataCenter then out to another site or to the Internet connection at the DataCenter.

I need to be able to configure the 2911 to only do content filtering based on the source subnet as each location will have multiple subnets and only specific subnets should be filtered/blocked.

In the DataCenter, GigEth0/0 will be the WAN connection, GigEth0/1 will be the LAN connection with an IP range of 10.0.0.0/16, and we'll have a virtual interface on GigEth0/0 with an associated VLAN that will receive all incoming traffic from the remote sites.  (The remote site communication will come in over the same connection as the WAN connection, but they'll be on separate VLANs as the DataCenter is also the ISP for all of the sites.)

I've included the parts of the config that I think are needed to understand the current config.  Other than the obvious changing of the IPs on the interfaces and related ACLs and such, can someone help me figure out how to change the Content Filtering so that I can have it only match specific IP Subnets?  Specifically, we'll start out by blocking 10.2.128.0/17 and 10.6.128.0/17.

parameter-map type urlfpolicy trend g1-trend-pm
 max-request 2147483647
 max-resp-pak 20000
 allow-mode on
 truncate hostname
 block-page message "You are prohibited from accessing this page."
!
parameter-map type trend-global global-param-map
 server trps.trendmicro.com
 cache-entry-lifetime 1
!
class-map type urlfilter trend match-any trend-block-categories
 match url category Adult-Mature-Content
 match url category Pornography
 match url category Gambling
 match url category Nudity
 match url category Gay-Lesbian
 match url category Violence-hate-racism
 match url category Personals-Dating
 match url category Social-Networking
!
class-map type urlfilter trend match-any trend-block-reputation
 match url reputation ADWARE
 match url reputation SPYWARE
 match url reputation HACKING
 match url reputation DIALER
 match url reputation DISEASE-VECTOR
 match url reputation PHISHING
 match url reputation VIRUS-ACCOMPLICE
!
class-map type inspect match-all g1-http-class
 match protocol http
class-map type inspect match-any tcp-class
 match protocol tcp
class-map type inspect match-all urlf-g1-c
 match protocol http
 match access-group name filter-acl
class-map type urlfilter match-any keyword-class
class-map type inspect match-any rest-traffic
 match protocol tcp
 match protocol udp
class-map type inspect match-all icmp-c
 match protocol icmp
class-map type inspect match-all filtered-hosts
 match protocol http
 match access-group name filter-acl
!
policy-map type inspect in-internal
 class class-default
  pass
policy-map type inspect internal-in
 class class-default
  pass
!
policy-map type inspect urlfilter urfilter-actions
 parameter type urlfpolicy trend g1-trend-pm
 class type urlfilter trend trend-block-reputation
  reset
  log
 class type urlfilter trend trend-block-categories
  reset
  log
!
policy-map type inspect in-out
 class type inspect filtered-hosts
  inspect
  service-policy urlfilter urfilter-actions
 class type inspect rest-traffic
  inspect
 class class-default
  drop
!
policy-map type inspect internal-out
 class class-default
  pass
policy-map type inspect out-internal
 class class-default
  pass
policy-map type inspect out-in
 class class-default
  pass
!
zone security zone_in
zone security zone_out
zone security zone_internal
!
zone-pair security zp_in source zone_in destination zone_out
 service-policy type inspect in-out
zone-pair security zp_internal source zone_internal destination zone_out
 service-policy type inspect internal-out
zone-pair security zp-out source zone_out destination zone_internal
 service-policy type inspect out-internal
zone-pair security zp-out-in source zone_out destination zone_in
 service-policy type inspect out-in
zone-pair security zp-in-int source zone_in destination zone_internal
 service-policy type inspect in-internal
zone-pair security zp-int-in source zone_internal destination zone_in
 service-policy type inspect internal-in
!
interface GigabitEthernet0/0
 description WAN Network
 ip address x.x.x.x.x 255.255.255.240
 ip access-group WANIn in
 ip nat outside
 ip virtual-reassembly
 zone-member security zone_out
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description Teacher Network
 ip address 10.2.0.1 255.255.128.0
 ip nat inside
 ip virtual-reassembly
 zone-member security zone_internal
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 description Student and Guest Network
 ip address 10.2.200.1 255.255.248.0
 ip access-group StudenttoAny in
 ip nat inside
 ip virtual-reassembly
 zone-member security zone_in
 duplex auto
 speed auto

Thanks for your help!
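Added example (editor's note, not part of the original post or a reply to it): the posted policy already keys the URL-filtered class on an ACL (`match access-group name filter-acl` inside `class-map type inspect match-all filtered-hosts`), but the ACL itself is not shown. Because a zone-based firewall policy-map is evaluated top down and the first matching class wins, the source-subnet restriction the question asks for is done entirely in that ACL: HTTP whose source is in 10.2.128.0/17 or 10.6.128.0/17 matches `filtered-hosts` and gets the Trend URL-filter service-policy; HTTP from any other source falls through to `rest-traffic` and is plainly inspected. The fragment below shows that ACL, the unchanged class and policy ordering, and a remote-site subinterface in `zone_in` so the existing `zp_in` zone-pair applies to it. The VLAN id (100) and the subinterface addressing (10.254.0.1/24) are assumptions for illustration; everything else reuses names from the posted config.

```cisco
! --- Added example, not from the original post ---
! Source subnets that must be URL-filtered. A /17 has wildcard 0.0.127.255.
! The ACL is applied pre-NAT on the inside-to-outside path, so it keys on the
! remote sites' private addresses as they arrive on the inside interface.
ip access-list extended filter-acl
 remark HTTP from these source subnets gets Trend URL filtering
 permit tcp 10.2.128.0 0.0.127.255 any eq www
 permit tcp 10.6.128.0 0.0.127.255 any eq www
 remark everything else is implicitly denied and so never matches filtered-hosts
!
! Unchanged from the post: match-all requires both the protocol and the ACL hit.
class-map type inspect match-all filtered-hosts
 match protocol http
 match access-group name filter-acl
!
! Hypothetical remote-site VLAN subinterface (VLAN 100 and addressing assumed).
! It must be a member of zone_in, not zone_out, so zp_in (in-out) governs it.
interface GigabitEthernet0/0.100
 description Remote sites (ISP-delivered VLAN) - ASSUMED
 encapsulation dot1Q 100
 ip address 10.254.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security zone_in
!
! Unchanged from the post; class order matters. filtered-hosts is listed first,
! so only HTTP from the two ACL subnets receives the urlfilter service-policy;
! HTTP from other sources matches rest-traffic and is inspected without filtering.
policy-map type inspect in-out
 class type inspect filtered-hosts
  inspect
  service-policy urlfilter urfilter-actions
 class type inspect rest-traffic
  inspect
 class class-default
  drop
```

To check that classification is doing what you expect, browse from a host in 10.2.128.0/17 and from one outside it, then compare the per-class counters with `show policy-map type inspect zone-pair zp_in` and the ACL hit counts with `show ip access-lists filter-acl`; the filtered subnet should increment `filtered-hosts`, the other should increment only `rest-traffic`. Two caveats a practitioner should keep in mind: `match protocol http` covers plain HTTP only, so TLS sessions on 443 from the filtered subnets are neither URL-inspected nor blocked by this policy; and the `filter-acl` entries should be kept to source subnets plus `eq www`, since a broad `permit ip` would still only ever match HTTP (the class is match-all with `match protocol http`) but makes the intent harder to audit.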