
Where do I start, for blocking sites by URL? QoS/PBR/?

Status
Not open for further replies.

GeneralDzur
Technical User
Jan 10, 2005
I've been looking at blocking website requests by URL, instead of IP address in an ACL, because some of the sites on my blacklist constantly change IP addresses, and some IP addresses host multiple sites.

Where do I need to start, for blocking a site by its URL? I was reading on Cisco.com about using 'network-based application recognition' in conjunction with Policy-based Routing. If anyone could point me in the right direction, I can take it from there and do the research and reading myself.

- stephan
 
NBAR with a policy-map is probably what you're looking for if you want to do it on the routers rather than on a firewall/proxy.

E.g.

! Classify HTTP requests whose URL (the part after the host name) contains root.exe
class-map match-all ROOT_EXPLOIT
 match protocol http url "*root.exe*"
!
! Drop everything that falls into that class
policy-map ROOT_EXPLOIT_IN
 class ROOT_EXPLOIT
  drop
!
! Apply inbound on the interface the requests arrive on
interface f0/0
 service-policy input ROOT_EXPLOIT_IN
!

As of IOS 12.2(13)T, the "drop" command is a new option in the policy-map. As the command implies, any matching traffic is simply dropped. Prior to this option, traffic could be unconditionally dropped using the "police" keyword with both the "conform" and "exceed" actions set to "drop".
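As an added example (not from any of the posts above), here are the two forms the reply describes side by side: the pre-12.2(13)T policer with both actions set to drop, and the later stand-alone "drop" action. The class matches on the HTTP Host header rather than on the URL path, which is what you want when the goal is to block a site whose address keeps changing. The site names, interface name and policer numbers are illustrative assumptions.

```cisco
! Added example, not configuration from the original thread.
! Site names, interface name and policer values are assumptions.
!
! NBAR classification requires CEF switching to be enabled.
ip cef
!
! Match on the HTTP Host header so the block follows the site name,
! not whatever IP address it resolves to today. "match protocol http url"
! only looks at the path portion after the host name, so it would not
! match a bare request for the site's front page.
class-map match-any BLOCKED_SITES
 match protocol http host "*badsite.example*"
 match protocol http host "*another.example*"
!
! Pre-12.2(13)T form: a policer whose conform and exceed actions both
! drop, so every matching packet is discarded regardless of rate.
! 8000 bps is the smallest rate the police command accepts.
policy-map BLOCK_LEGACY
 class BLOCKED_SITES
  police 8000 1000 1000 conform-action drop exceed-action drop
!
! 12.2(13)T and later: "drop" as a stand-alone class action.
policy-map BLOCK_DROP
 class BLOCKED_SITES
  drop
!
! Attach inbound on the interface facing the clients, so the request is
! dropped before it is routed out. Only one service-policy can be
! attached per interface per direction, so pick one of the two.
interface FastEthernet0/0
 service-policy input BLOCK_DROP
```

Two caveats worth knowing before relying on this: NBAR only classifies cleartext HTTP on the ports it knows about (TCP 80 by default; `ip nbar port-map http tcp 80 8080` adds others), so HTTPS or an odd port slips past the class, and the Host header is whatever the client sent, which a determined user can change. Check that the class is actually matching with `show policy-map interface FastEthernet0/0`, which reports matched packets per class.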
 
So drop is now a stand-alone option? I can use it without the "conform" and "exceed" of Policing?

Can this be done on a 2600 platform? I thought NBAR was only for high-end routers, e.g. 7xxx.

- stephan
 
Yes, as of 12.2(13)T you can just use "drop" with the policing commands.

You can use it on the 2600 platform, but of course the performance is... em, you know...
 
"You can use it on the 2600 platform, but of course the performance is... em, you know..."

Lol, OK, thanks for your help. I don't think I'll risk it right now, especially on our production router.

- stephan
 
"Yes, as of 12.2(13)T you can just use "drop" with the policing commands."

Sorry for the typo, it should be "without the policing commands".
 