The purpose of this document is to provide you an example of how to block any website, like facebook, using the local content filtering on Cisco IOS based routers.
We are faced with a challenge of blocking the social media/any website on the router towards the edge of the network so that no one from inside the network can connect to the blocked site. Generally you would be using a websense or n2h2 or trend micro server to filter out the traffic, however, you want to configure this locally on the IOS of the router.
The following example considers that you have a fair understanding of configuring zone based firewall (ZBF) on the Cisco IOS routers. Please enter the following configurations to block the website "facebook" based on pattern "*.facebook.com" or "facebook.com".
This section specifies content filtering to be "local" on the IOS. The other options are to use "trend", "n2h2", and "websense".
parameter-map type urlfpolicy local U-FILTER
block-page message "This webpage is blocked by the Network Admin."
This section specifies content filtering pattern to match the desired site, like, facebook.
parameter-map type urlf-glob FB
This section specifies content filtering pattern to match all the other sites, so that we can permit them later.
parameter-map type urlf-glob ALLOWED
This section specifies content filtering filter class to match the pattern that we created earlier.
class-map type urlfilter match-any BLOCK
match server-domain urlf-glob FB
class-map type urlfilter match-any ALLOWED
match server-domain urlf-glob ALLOWED
This section specifies the traffic that the Cisco IOS will inspect or match.
class-map type inspect match-any DNS
match protocol dns
class-map type inspect match-any HTTP
match protocol http
class-map match-all HTTPS
match protocol secure-http
class-map type inspect match-all HTTPS1
match protocol https
This section specifies a policy map that will tie the filter classes and the action to be taken.
policy-map type inspect urlfilter BLOCK
parameter type urlfpolicy local U-FILTER
class type urlfilter BLOCK
class type urlfilter ALLOW
This section specifies the traffic class and its inspection.
policy-map type inspect INOUT
class type inspect HTTP
service-policy urlfilter BLOCK
class type inspect DNS
class type inspect HTTPS1
This section ties the inspection service policy to the zone-pair.
Cisco AnyConnect 4.10 issue after Profile XML Overwrite.We are seeing this behavior in 4.10.04071 but we did not see with 4.10.00093. I feel I must give you a flow of the install from our environment so you could see where the issue may be.- SCCM dep...
Hi guys, Dumb question How ISE validates username's password using LDAP server as the external identity store? Got unsecure (TCP/389) LDAP pcap flows between ISE and the server, doing some check and verification.I do see some search request...
Cannot install the following on red hat host: Cisco Secure Endpoint Connector Version: 22.214.171.1242 Error: [root@ ciscoamp]# sudo yum localinstall amp_haproxy_rhel-centos-8prev.rpm -yUpdating Subscription Management repositories. P...
Hi CSC, I have a 2 Node deployment - Node A - Admin (Pri) MnT (Sec), PSNNode B - Admin (Sec) MnT (Pri), PSN When using Node A for TACACs - all logs visible within ISEWhen using Node B for TACACs - Authentication etc.. is all good but logs a...
I was wondering if there is a way to automatically block IP addresses depending on traffic analysis. I see a number of attempts from an attacker and see the traffic is being blocked on the attempt but I would like to impose a temporary block on any ...