Blocking URLS on Catalyst 2960X

tinovaera · ‎06-22-2016

Hey there,

im using a cisco Catalyst 2960X switch 24 ports, and i need to block facebook, youtube, twitter, instagram and other urls using that switch.

I tried to configure a class-map but when i type "match protocol http url "*youtube.com", it gives me a error saying "invalid input detected at marker "^".

The marker "^" is located in the "u" of URL, if i change URL to HOST, the marker goes to "H" of host.

Can anybody tell me what is happening?

Muhammad Uzair · ‎06-22-2016

Hi Tinovaera:

why don't you create extended access control list and apply on incoming interface of switch? would be more easy just get the IP(s) of website and simply block them.

ping www.facebook.com and get the IP, better block /24 block

global config

ip access-list extended Block_Access

10 deny tcp 173.252.89.0 0.0.0.255 any eq http

same way you can get the the IP(s) for twitter and youtube.

do not forget to put "permit any any" once you block all required website(s) as by default there is deny statement in every ACL end.

in the end simply apply that ACL at incoming interface

interface gi0/0(example)

ip access-group Block_Access in

hope that help.

Kindest Regards,

Uzair

Kindest regards,
Uzair
CCENT, CCNA (R&S), CCNP (R&S).

Peter Paluch · ‎06-22-2016

Hi tinovaera,

I am afraid that the Catalyst 2960X does not support this kind of functionality. The functionality you are referring to is based on NBAR (Network Based Application Recognition), and this Catalyst platform does not have the dedicated hardware to perform the necessary matching operations. While you can match on HTTP, you cannot match on URLs inside the HTTP requests.

This functionality is much more readily available on software-based routers where it is implemented in IOS.

Best regards,
Peter