How to block HTTPS sites using a Cisco router
12-07-2016 01:22 AM - edited 03-08-2019 08:28 AM
I need to block some sites like Facebook and YouTube,
but they use HTTPS.
So how can I block them using a policy-map to match those sites?
I can match HTTP traffic only, but not HTTPS traffic.
Any solution?
Thanks
03-15-2018 02:41 PM
I'll set up a Squid proxy server to handle this restriction.
Anyway thanks for trying.
03-16-2018 09:19 AM
Hello,
out of curiosity and because somebody else might need it in the future, I have created the IP access list that blocks all of Facebook's global IP ranges. In case you are interested, here it is (you can replace the 'any' source by your own range if needed):
ip access-list extended BLOCK_FACEBOOK
deny ip any 103.4.96.0 0.0.3.255
deny ip any 157.240.0.0 0.0.127.255
deny ip any 157.240.10.0 0.0.0.255
deny ip any 157.240.1.0 0.0.0.255
deny ip any 157.240.11.0 0.0.0.255
deny ip any 157.240.12.0 0.0.0.255
deny ip any 157.240.13.0 0.0.0.255
deny ip any 157.240.14.0 0.0.0.255
deny ip any 157.240.15.0 0.0.0.255
deny ip any 157.240.18.0 0.0.0.255
deny ip any 157.240.19.0 0.0.0.255
deny ip any 157.240.20.0 0.0.0.255
deny ip any 157.240.2.0 0.0.0.255
deny ip any 157.240.21.0 0.0.0.255
deny ip any 157.240.22.0 0.0.0.255
deny ip any 157.240.7.0 0.0.0.255
deny ip any 157.240.8.0 0.0.0.255
deny ip any 157.240.9.0 0.0.0.255
deny ip any 173.252.64.0 0.0.31.255
deny ip any 173.252.88.0 0.0.7.255
deny ip any 173.252.96.0 0.0.31.255
deny ip any 179.60.192.0 0.0.3.255
deny ip any 179.60.192.0 0.0.0.255
deny ip any 179.60.193.0 0.0.0.255
deny ip any 179.60.195.0 0.0.0.255
deny ip any 185.60.216.0 0.0.3.255
deny ip any 185.60.216.0 0.0.0.255
deny ip any 185.60.218.0 0.0.0.255
deny ip any 185.60.219.0 0.0.0.255
deny ip any 204.15.20.0 0.0.3.255
deny ip any 31.13.24.0 0.0.7.255
deny ip any 31.13.64.0 0.0.63.255
deny ip any 31.13.64.0 0.0.31.255
deny ip any 31.13.64.0 0.0.0.255
deny ip any 31.13.65.0 0.0.0.255
deny ip any 31.13.67.0 0.0.0.255
deny ip any 31.13.69.0 0.0.0.255
deny ip any 31.13.70.0 0.0.0.255
deny ip any 31.13.71.0 0.0.0.255
deny ip any 31.13.72.0 0.0.0.255
deny ip any 31.13.73.0 0.0.0.255
deny ip any 31.13.74.0 0.0.0.255
deny ip any 31.13.75.0 0.0.0.255
deny ip any 31.13.76.0 0.0.0.255
deny ip any 31.13.78.0 0.0.0.255
deny ip any 31.13.80.0 0.0.0.255
deny ip any 31.13.81.0 0.0.0.255
deny ip any 31.13.82.0 0.0.0.255
deny ip any 31.13.83.0 0.0.0.255
deny ip any 31.13.84.0 0.0.0.255
deny ip any 31.13.85.0 0.0.0.255
deny ip any 31.13.86.0 0.0.0.255
deny ip any 31.13.87.0 0.0.0.255
deny ip any 31.13.90.0 0.0.0.255
deny ip any 31.13.91.0 0.0.0.255
deny ip any 31.13.92.0 0.0.0.255
deny ip any 31.13.94.0 0.0.0.255
deny ip any 31.13.95.0 0.0.0.255
deny ip any 31.13.96.0 0.0.31.255
deny ip any 45.64.40.0 0.0.3.255
deny ip any 66.220.144.0 0.0.15.255
deny ip any 66.220.144.0 0.0.7.255
deny ip any 66.220.152.0 0.0.7.255
deny ip any 69.171.224.0 0.0.31.255
deny ip any 69.171.224.0 0.0.15.255
deny ip any 69.171.239.0 0.0.0.255
deny ip any 69.171.240.0 0.0.15.255
deny ip any 69.171.255.0 0.0.0.255
deny ip any 69.63.176.0 0.0.15.255
deny ip any 69.63.176.0 0.0.7.255
deny ip any 69.63.184.0 0.0.7.255
deny ip any 74.119.76.0 0.0.3.255
permit ip any any
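An added example, not part of the original post: a Python sketch that checks a list in the format of the ACL above before it is pasted into a router. It converts each address/wildcard pair to a prefix, flags malformed lines, and merges overlapping or adjacent ranges. The function names are hypothetical, and the sample input is constructed from a few of the entries above plus one deliberately malformed line.

```python
import ipaddress

# Constructed sample input; the fourth deny line is deliberately malformed.
SAMPLE_ACL = """\
ip access-list extended BLOCK_FACEBOOK
deny ip any 157.240.0.0 0.0.127.255
deny ip any 157.240.10.0 0.0.0.255
deny ip any 179.60.192.0 0.0.3.255
deny ip any179.60.193.0 0.0.0.255
deny ip any 69.63.176.0 0.0.7.255
deny ip any 69.63.184.0 0.0.7.255
permit ip any any
"""

def wildcard_to_network(addr, wildcard):
    """Convert an IOS address/wildcard pair to an IPv4Network.
    Raises ValueError for a non-contiguous wildcard or set host bits."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):  # a contiguous wildcard has the form 2**k - 1
        raise ValueError(f"non-contiguous wildcard: {wildcard}")
    prefix = 32 - wc.bit_length()
    return ipaddress.IPv4Network(f"{addr}/{prefix}")  # strict by default

def parse_deny_entries(acl_text):
    """Return (networks, malformed_lines) for 'deny ip any A W' lines."""
    nets, bad = [], []
    for line in acl_text.splitlines():
        tok = line.split()
        if not tok or tok[0] != "deny":
            continue  # skip the ACL header and the final permit
        if len(tok) == 5 and tok[1:3] == ["ip", "any"]:
            try:
                nets.append(wildcard_to_network(tok[3], tok[4]))
                continue
            except ValueError:
                pass  # fall through and report the line
        bad.append(line)
    return nets, bad

def collapse_to_acl(nets):
    """Merge overlapping/adjacent networks and emit IOS deny lines."""
    return [f"deny ip any {n.network_address} {n.hostmask}"
            for n in ipaddress.collapse_addresses(nets)]

if __name__ == "__main__":
    nets, bad = parse_deny_entries(SAMPLE_ACL)
    print("\n".join(collapse_to_acl(nets)))
    print("malformed:", bad)
```

On the sample, five valid entries collapse to three, because the /24 is already covered by the /17 and the two adjacent /21s merge into a /20.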
03-16-2018 10:30 AM
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/qos_nbar/configuration/xe-16/qos-nbar-xe-16-book/nbar-ssl-custom-appl-xe.html
Then you use it in a policy class, detailed in this section.
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/qos_nbar/configuration/15-mt/qos-nbar-15-mt-book/nbar-cust-protcl.html
The policy class would use the drop command.
Another approach would be to go after the DNS for Facebook, and try to drop any HTTPS traffic to returned addresses. This is also detailed in the QoS NBAR documentation, but the above seems more direct.
