Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
43636
Views
5
Helpful
3
Comments

Cisco IOS: How to block websites using local content filtering

Dev Vishwakarma
Cisco Employee
Cisco Employee

‎03-09-2012 01:14 AM - edited ‎03-08-2019 06:44 PM

 

 

Introduction

The purpose of this document is to provide you an example of how to block any website, like facebook, using the local content filtering on Cisco IOS based routers.

 

Problem Description

We are faced with a challenge of blocking the social media/any website on the router towards the edge of the network so that no one from inside the network can connect to the blocked site. Generally you would be using a websense or n2h2 or trend micro server to filter out the traffic, however, you want to configure this locally on the IOS of the router.

Solution

The following example considers that you have a fair understanding of configuring zone based firewall (ZBF) on the Cisco IOS routers. Please enter the following configurations to block the website "facebook" based on pattern "*.facebook.com" or "facebook.com".

 

This section specifies content filtering to be "local" on the IOS. The other options are to use "trend", "n2h2", and "websense".

parameter-map type urlfpolicy local U-FILTER

  alert off

  block-page message "This webpage is blocked by the Network Admin."

!

This section specifies content filtering pattern to match the desired site, like, facebook.

parameter-map type urlf-glob FB

  pattern facebook.com

  pattern *.facebook.com

!

This section specifies content filtering pattern to match all the other sites, so that we can permit them later.

parameter-map type urlf-glob ALLOWED

  pattern *

!

This section specifies content filtering filter class to match the pattern that we created earlier.

class-map type urlfilter match-any BLOCK

  match  server-domain urlf-glob FB

class-map type urlfilter match-any ALLOWED

  match  server-domain urlf-glob ALLOWED

!

This section specifies the traffic that the Cisco IOS will inspect or match.

class-map type inspect match-any DNS

  match protocol dns

class-map type inspect match-any HTTP

  match protocol http

class-map match-all HTTPS

  match protocol secure-http

class-map type inspect match-all HTTPS1

  match protocol https

!

This section specifies a policy map that will tie the filter classes and the action to be taken.

policy-map type inspect urlfilter BLOCK

  parameter type urlfpolicy local U-FILTER

  class type urlfilter BLOCK

   log

   reset

  class type urlfilter ALLOW

   allow

!

This section specifies the traffic class and its inspection.

policy-map type inspect INOUT

  class type inspect HTTP

   inspect

   service-policy urlfilter BLOCK

  class type inspect DNS

   inspect

  class type inspect HTTPS1

   inspect

  class class-default

   drop

!

This section ties the inspection service policy to the zone-pair.

zone-pair security xxxxxx source xxxx destination yyyy

  service-policy type inspect INOUT

 

Related Information

 

For more information on content based filtering overall, please refer to:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_zbf/configuration/12-4t/subscrip-cont-filter.html

Labels:
Comments
CSCO12122936
Community Member
‎04-10-2013 12:48 PM

HI, i used that config and it worked well, but if you want to block a website that the addreses starts with "HTTPS"  (secure) does't block them.. do you have a solution for that?

thanks

Not applicable
‎05-31-2017 11:44 PM

Do we need to apply this on interface? if yes then how?

Wizard4777
Level 1
Level 1
‎07-10-2023 06:39 PM

This config blocks the entire internet

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents