URL filtering

Jan 1, 2001
I have a Cisco 6500 switch (IOS 12.1). I need to know how I can use it for URL filtering with IOS commands.
 
Filtering for what? Millions of URLs--if you want to manage web access, go with SurfControl. There are others, too, but this one works well.
 
What I want is filtering a small number of URLs (about 10 URLs) & I want to do it with the switch.
 
I only know of one way of achieving this within a Cat 6500:

Obtain a Firewall Services Module (FWSM). This can cooperate with popular URL filtering software from Websense and a couple of others. Cisco basically requires you have a backend filtering server that the FWSM can communicate with to determine whether a URL should be allowed or blocked. As far as I'm aware the FWSM itself cannot and does not interrogate its own database to determine if a URL should be permitted or blocked.

I think the following URL will outline how to do this:



Alternatively, you could of course simply run an nslookup in a DOS window against all the URLs you want to block, obtain all their IP addresses (there may be several for each URL) and simply block them using an access control list (ACL). Whilst this is cheap and simple, it is a very static configuration and web server IP addresses change all the time (unlike the URLs themselves); therefore you could find yourself having to update this ACL on a regular basis. All you need to do to achieve this is as follows:

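! Deny HTTP, HTTPS and FTP to each resolved address of the blocked site
access-list 100 deny tcp any host x.x.x.x eq www
access-list 100 deny tcp any host x.x.x.x eq 443
access-list 100 deny tcp any host x.x.x.x eq ftp
! Permit everything else; without this line the implicit deny at the end of the ACL blocks all traffic
access-list 100 permit ip any any

interface gi0/0
 ip access-group 100 out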

where x.x.x.x is one of the resolved IP addresses of the URL in question and gi0/0 is your internet-facing router interface. The www, 443 and ftp keywords block HTTP, HTTPS and FTP respectively (deploy appropriately for what you want to achieve).

That's about it. Hope this is useful.
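
Added example, not part of the original post: a Python sketch of the resolve-then-block procedure above, which rebuilds the whole ACL each time the addresses are refreshed. The names build_acl, resolve_ipv4 and SAMPLE_DNS, the sample hostnames and addresses, and the leading "no access-list" line (so stale entries do not pile up behind the final permit) are assumptions of this example.

```python
import ipaddress
import socket

PORTS = ("www", "443", "ftp")  # same keywords as the post's ACL: HTTP, HTTPS, FTP


def resolve_ipv4(hostname):
    """Return every IPv4 address the local resolver gives for hostname."""
    infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    return [info[4][0] for info in infos]


def build_acl(hostnames, acl_number=100, interface="gi0/0", resolver=resolve_ipv4):
    """Return IOS config lines that deny PORTS to every address of each hostname."""
    # New entries in a numbered ACL are appended after the final permit and would
    # never match, so the list is removed and rebuilt on every refresh.
    lines, seen = [f"no access-list {acl_number}"], set()
    for name in hostnames:
        try:
            addresses = resolver(name)
        except OSError:  # lookup failed
            addresses = []
        if not addresses:
            lines.append(f"! {name}: no address resolved, nothing blocked")
            continue
        lines.append(f"! {name}")
        # IPv4Address() also rejects anything that is not a plain dotted quad,
        # so resolver output cannot smuggle extra text into the config.
        for addr in sorted(set(addresses), key=ipaddress.IPv4Address):
            if addr in seen:  # shared address already denied for an earlier name
                lines.append(f"! {addr} already listed")
                continue
            seen.add(addr)
            for port in PORTS:
                lines.append(f"access-list {acl_number} deny tcp any host {addr} eq {port}")
    # Every IOS ACL ends with an implicit "deny ip any any"; permit the rest explicitly.
    lines.append(f"access-list {acl_number} permit ip any any")
    lines += [f"interface {interface}", f" ip access-group {acl_number} out"]
    return lines


# Constructed sample data (documentation address ranges) so the example runs offline.
SAMPLE_DNS = {
    "blocked.example": ["192.0.2.10", "192.0.2.2"],
    "mirror.example": ["192.0.2.10", "198.51.100.7"],
    "gone.example": [],
}

if __name__ == "__main__":
    print("\n".join(build_acl(SAMPLE_DNS, resolver=SAMPLE_DNS.__getitem__)))
```

Because the deny entries match destination addresses, every other site served from the same address is blocked as well.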
 
There is a command, match protocol http url, in Cisco. What is this for?
 
If I recall correctly, that command is used on Content Engines (CE) to control what components of a particular URL are allowed to be cached (JPGs, GIFs etc.)
 
Interesting. Would this be similar to blocking at port level, such as Kazaa?

Thanks
F2b
 
Hi, I tested the above and it blocked all traffic!
For the WAN (ADSL) I have an atm0/0/0 with a .1 subinterface.
I am trying to block LimeWire, Kazaa etc.

 