Monday, September 24, 2007

Cisco IOS URL Filtering

What is Cisco IOS URL Filtering?
The Cisco IOS URL Filtering solution monitors and regulates all web activities by blocking specific websites or restricting access to certain websites. It is simple to deploy and fully integrated with Cisco IOS.

FACTS
Supports up to 256 static URLs that can be configured in the router's NVRAM.
Supports complete or partial domain names:
Complete domain name : www.yahoo.com
Partial domain name: .yahoo.com

Cisco IOS URL Filtering without External Filtering Servers
Step One: URLFilter Rule
Gateway(config)#ip inspect name UserInspect http urlfilter
Gateway(config)#ip urlfilter allow-mode on
Gateway(config)#ip urlfilter exclusive-domain deny www.whitehouse.com
// Cisco IOS Software will not make a lookup request to any external filtering server for HTTP traffic that is destined to one of the domains in the exclusive list specified.

Step Two: Apply URLfilter to interface
Gateway(config)#interface fastEthernet 0/1.10
Gateway(config-subif)#ip inspect UserInspect in
Gateway(config-subif)#exit

Step Three: Disable Java applet scanner and Save
Gateway(config)#ip inspect name UserInspect http java-list 2
Gateway(config)#access-list 2 permit any
Gateway(config)#access-list 2 remark UsedByUserInspect Rule
Gateway(config)#end
Gateway#wr
// Write to NVRAM, otherwise URL filtering may not work.
// Enabling HTTP inspection, with or without any option, triggers a Java applet scanner, which is very CPU-intensive. The only way to stop the Java applet scanner is to specify the "java-list" option and then configure a standard ACL that permits any traffic.


Two Methods for Standalone Cisco IOS URL Filtering
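Method One: White Lists
Permit certain websites and deny the rest
Gateway(config)#ip urlfilter allow-mode off
Gateway(config)#ip urlfilter exclusive-domain permit www.cisco.com
// Allow mode must be off here: without external servers, allow-mode on lets requests for every other site pass, so nothing would be denied.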

Method Two: Black Lists
Deny Certain Websites and permit the rest
Gateway(config)#ip urlfilter allow-mode on
Gateway(config)#ip urlfilter exclusive-domain deny www.whitehouse.com

// If allow-mode is on and the external servers are down (or there are no external servers), the HTTP requests will be allowed to pass. If allow-mode is off and the external servers are down (or there are no external servers), the HTTP requests will be forbidden.
// Allow mode is off by default.

Tips
After configuring the URL filter exclusive-domain entries, you may need to reload the router, otherwise the URL filter may not work properly.
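
A way to check a saved configuration against the steps and the allow-mode note above, as an added example that is not part of the original post or of Cisco's software. It assumes the configuration lines have the same form as the commands typed on this page; the function name and both sample configurations are constructed for illustration.

```python
import re

MAX_STATIC_URLS = 256  # static URL limit stated on this page

def audit_urlfilter(config_text):
    """Findings for a standalone (no external filtering server) URL filter."""
    # Assumption: lines appear in the form the commands are typed on this page.
    lines = [l.strip() for l in config_text.splitlines() if l.strip()]
    allow_on = "ip urlfilter allow-mode on" in lines  # allow mode is off by default
    permits, denies, rules, applied = [], [], {}, set()
    for l in lines:
        m = re.match(r"ip urlfilter exclusive-domain (permit|deny) (\S+)$", l)
        if m:
            (permits if m.group(1) == "permit" else denies).append(m.group(2))
        m = re.match(r"ip inspect name (\S+) http\b(.*)$", l)
        if m:  # collect the options seen for each inspection rule
            rules.setdefault(m.group(1), set()).update(
                k for k in ("urlfilter", "java-list") if k in m.group(2))
        m = re.match(r"ip inspect (\S+) (in|out)$", l)
        if m:  # inspection rule bound to an interface
            applied.add(m.group(1))
    findings = []
    if permits and allow_on:
        findings.append("fail-open: allow-mode on, sites outside the permit list pass")
    if denies and not allow_on:
        findings.append("fail-closed: allow-mode off, all HTTP requests are forbidden")
    if len(permits) + len(denies) > MAX_STATIC_URLS:
        findings.append("more than 256 exclusive-domain entries")
    for name, opts in sorted(rules.items()):
        if "urlfilter" in opts and name not in applied:
            findings.append(f"{name}: urlfilter rule not applied to an interface")
        if "urlfilter" in opts and "java-list" not in opts:
            findings.append(f"{name}: no java-list, Java applet scanner stays on")
    return findings

# Constructed sample configurations (not taken from a real device).
WEAK = """
ip inspect name UserInspect http urlfilter
ip urlfilter allow-mode on
ip urlfilter exclusive-domain permit www.cisco.com
"""
GOOD = """
ip inspect name UserInspect http urlfilter
ip inspect name UserInspect http java-list 2
ip urlfilter exclusive-domain permit www.cisco.com
interface FastEthernet0/1.10
 ip inspect UserInspect in
"""
if __name__ == "__main__":
    print(audit_urlfilter(WEAK), audit_urlfilter(GOOD))
```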

