Showing results for 
Search instead for 
Did you mean: 
Dev Vishwakarma
Cisco Employee
Cisco Employee




The purpose of this document is to provide you an example of how to block any website, like facebook, using the local content filtering on Cisco IOS based routers.


Problem Description

We are faced with a challenge of blocking the social media/any website on the router towards the edge of the network so that no one from inside the network can connect to the blocked site. Generally you would be using a websense or n2h2 or trend micro server to filter out the traffic, however, you want to configure this locally on the IOS of the router.


The following example considers that you have a fair understanding of configuring zone based firewall (ZBF) on the Cisco IOS routers. Please enter the following configurations to block the website "facebook" based on pattern "*" or "".


This section specifies content filtering to be "local" on the IOS. The other options are to use "trend", "n2h2", and "websense".

parameter-map type urlfpolicy local U-FILTER

  alert off

  block-page message "This webpage is blocked by the Network Admin."


This section specifies content filtering pattern to match the desired site, like, facebook.

parameter-map type urlf-glob FB


  pattern *


This section specifies content filtering pattern to match all the other sites, so that we can permit them later.

parameter-map type urlf-glob ALLOWED

  pattern *


This section specifies content filtering filter class to match the pattern that we created earlier.

class-map type urlfilter match-any BLOCK

  match  server-domain urlf-glob FB

class-map type urlfilter match-any ALLOWED

  match  server-domain urlf-glob ALLOWED


This section specifies the traffic that the Cisco IOS will inspect or match.

class-map type inspect match-any DNS

  match protocol dns

class-map type inspect match-any HTTP

  match protocol http

class-map match-all HTTPS

  match protocol secure-http

class-map type inspect match-all HTTPS1

  match protocol https


This section specifies a policy map that will tie the filter classes and the action to be taken.

policy-map type inspect urlfilter BLOCK

  parameter type urlfpolicy local U-FILTER

  class type urlfilter BLOCK



  class type urlfilter ALLOW



This section specifies the traffic class and its inspection.

policy-map type inspect INOUT

  class type inspect HTTP


   service-policy urlfilter BLOCK

  class type inspect DNS


  class type inspect HTTPS1


  class class-default



This section ties the inspection service policy to the zone-pair.

zone-pair security xxxxxx source xxxx destination yyyy

  service-policy type inspect INOUT


Related Information


For more information on content based filtering overall, please refer to:

Community Member

HI, i used that config and it worked well, but if you want to block a website that the addreses starts with "HTTPS"  (secure) does't block them.. do you have a solution for that?


Not applicable

Do we need to apply this on interface? if yes then how?

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Quick Links