Today, while I was trying to keep my students awake during a CCNA1 presentation, I noticed that two of them were looking at 9Gag and ignoring me. Not that I was saying anything deep and meaningful, but it was a little frustrating. So, as soon as I finished my presentation, I opened a console to the local router (a Cisco 2821) and began filtering 9gag.
Obviously you cannot do that with ACLs when you want to filter a website that is served from multiple addresses, like 9gag. Even if you use a hostname instead of an IP address in the ACL, that hostname is resolved only once, using the DNS servers defined in your configuration, and that's it.
So I used a policy map instead, and five minutes later those two were the frustrated ones. This is how I did it:
!
class-map match-any URLFILTER
 match protocol http host *9gag.com
!
policy-map DROPURL
 class URLFILTER
  drop
!
!
interface FastEthernet 0/1
 description Internal
 service-policy input DROPURL
!
And that was it. Next time, Facebook, prepare your URL, I wanna filter you.
Or, using CBAC (Context-Based Access Control):
!
ip inspect name WEBFILTER http urlfilter
ip urlfilter allow-mode on
ip urlfilter exclusive-domain deny .9gag.com
!
!
interface FastEthernet 0/1
 description Internal
 ip inspect WEBFILTER in
!
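As an added illustration, not part of the original post, here is a small Python model of the three behaviours discussed above: an ACL that only knows the one address a hostname resolved to, the NBAR "match protocol http host" wildcard, and the CBAC exclusive-domain rule. The requests and addresses are constructed, and the leading-dot rule (match the domain itself and any subdomain) is an assumption of this model, not something the post states.

```python
import fnmatch

# Constructed sample traffic: (destination IP, raw HTTP request).
# The addresses are made up; the point is that one site answers from
# several of them, while an ACL built from a hostname saw only one.
SAMPLE_REQUESTS = [
    ("192.0.2.10", b"GET / HTTP/1.1\r\nHost: 9gag.com\r\n\r\n"),
    ("192.0.2.77", b"GET /hot HTTP/1.1\r\nHost: www.9gag.com\r\n\r\n"),
    ("198.51.100.5", b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n"),
    ("192.0.2.10", b"GET / HTTP/1.1\r\nHost: 9gag.com.example.org\r\n\r\n"),
]

# What the ACL ended up with: the hostname resolved once, to one address.
ACL_BLOCKED_IPS = frozenset({"192.0.2.10"})


def http_host(raw):
    """Return the Host header of a raw HTTP/1.x request (lowercase, no port)."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace").split(":")[0].lower()
    return None


def nbar_host_match(pattern, host):
    """Model of 'match protocol http host *9gag.com': a shell-style wildcard
    over the whole Host value, so '*9gag.com' also matches 'www.9gag.com'."""
    return fnmatch.fnmatchcase(host, pattern.lower())


def cbac_domain_match(domain, host):
    """Model of 'ip urlfilter exclusive-domain deny .9gag.com'. Assumption:
    a leading dot covers the domain and every subdomain; otherwise exact."""
    d = domain.lower()
    if d.startswith("."):
        return host == d[1:] or host.endswith(d)
    return host == d


def decide(dst_ip, raw):
    """Return (acl_verdict, nbar_verdict, cbac_verdict) for one request."""
    host = http_host(raw) or ""
    acl = "drop" if dst_ip in ACL_BLOCKED_IPS else "pass"
    nbar = "drop" if nbar_host_match("*9gag.com", host) else "pass"
    cbac = "drop" if cbac_domain_match(".9gag.com", host) else "pass"
    return acl, nbar, cbac


if __name__ == "__main__":
    for ip, req in SAMPLE_REQUESTS:
        print(ip, http_host(req), decide(ip, req))
```

The second request shows the ACL gap from the post (the site answers from an address the ACL never saw), and the fourth shows that both IOS rules key on the Host header rather than the destination address.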
Oh, and if you're wondering how to do URL filtering on Linux, the answer is "it's complicated". You need either a proxy (Squid, Privoxy) or, if you are shameless, you can do it with DNS hijacking.
Published on CCIELAB.
Meh, now rewrite that to use only CCNA-level knowledge! I guess it's simpler in Linux then? :D Now, on Linux, I saw Ubuntu comes with dnsmasq installed as a DNS caching server, so you can hijack that easily: addn-hosts=/etc/hosts.dnsmasq and have 127.0.0.1 9gag.com or whatever.
What a jerk you can be :D
You won't let the poor students have a nice CCNA class :D
Tsk, tsk.
Hi, when does the next CCNA1 series start? Once again I wasn't paying attention and missed the beginning :(
Haha… they deserved it :D
I think a redirect to netacad would have frustrated them even more :))