Today, while I was trying to keep my students awake during a CCNA1 presentation, I noticed that two of them were looking at 9Gag and ignoring me. Not that I was saying something so deep and meaningful, but it was a little bit frustrating for me. So, as soon as I finished my presentation, I opened a console to the local router (a Cisco 2821) and began to filter 9gag.
Obviously you cannot do that with ACLs when you want to filter a website that runs on multiple addresses, like 9gag. Even if you use a hostname instead of an IP address, that hostname is resolved once, using the DNS servers defined in your configuration, and the single address it resolved to is what the ACL keeps matching on.
So I used a policy map, and five minutes later those two were the frustrated ones. This is how I did it:
!
class-map match-any URLFILTER
 match protocol http host *9gag.com
!
policy-map DROPURL
 class URLFILTER
  drop
!
!
interface FastEthernet 0/1
 desc Internal
 service-policy input DROPURL
!
And that was it. Next time, Facebook, prepare your URL, I wanna filter you.
Or, using CBAC (Context-Based Access Control) URL filtering:
!
ip inspect name WEBFILTER http urlfilter
ip urlfilter allow-mode on
ip urlfilter exclusive-domain deny .9gag.com
!
!
interface FastEthernet 0/1
 desc Internal
 ip inspect WEBFILTER in
!
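Both router methods above classify on the Host header of cleartext HTTP requests, but they match it differently: the NBAR line uses a shell-style wildcard over the whole header value, while the CBAC exclusive-domain entry with a leading dot is a domain/subdomain match. The following Python script is an added illustration, not code from the original post or from Cisco IOS; it reproduces those two matching rules on a few constructed HTTP requests so the difference (for example, that `*9gag.com` also catches a look-alike such as `not9gag.com` while `.9gag.com` does not) can be seen directly. The domain-suffix semantics of the CBAC entry are my reading of the IOS behaviour and are labelled as assumed in the code.

```python
"""Host-header classification in the style of the two router configs above.

Added illustration, not code from the original post or from Cisco IOS.
It reproduces the matching semantics of:
  match protocol http host *9gag.com             (NBAR wildcard over the Host value)
  ip urlfilter exclusive-domain deny .9gag.com   (CBAC domain/subdomain deny entry)
on constructed cleartext HTTP/1.1 requests.
"""
import fnmatch
from typing import Dict, Optional


def extract_host(request: bytes) -> Optional[str]:
    """Return the Host header of a plaintext HTTP request, lower-cased and
    without any :port suffix, or None if the request carries no Host header.
    Only the first header block is inspected, which is also all a per-flow
    classifier such as NBAR gets to see."""
    head, _, _ = request.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:          # [0] is the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace").lower()
            if host.startswith("["):               # IPv6 literal, keep the brackets
                host = host[: host.index("]") + 1] if "]" in host else host
            else:
                host = host.split(":", 1)[0]       # drop an explicit port
            return host
    return None


def nbar_host_match(host: Optional[str], pattern: str) -> bool:
    """'match protocol http host <pattern>': a shell-style wildcard applied to
    the whole Host value. Note that '*9gag.com' also matches 'not9gag.com'."""
    return host is not None and fnmatch.fnmatchcase(host, pattern.lower())


def urlfilter_domain_match(host: Optional[str], entry: str) -> bool:
    """'ip urlfilter exclusive-domain deny <entry>'. Assumed semantics: an entry
    with a leading dot matches that domain and every subdomain of it, an entry
    without the dot matches exactly that host."""
    if host is None:
        return False
    entry = entry.lower()
    if entry.startswith("."):
        return host == entry[1:] or host.endswith(entry)
    return host == entry


def classify(request: bytes,
             nbar_pattern: str = "*9gag.com",
             urlfilter_entry: str = ".9gag.com") -> Dict[str, object]:
    """Run one request through both filters and report what each would do."""
    host = extract_host(request)
    return {
        "host": host,
        "nbar_drop": nbar_host_match(host, nbar_pattern),
        "urlfilter_deny": urlfilter_domain_match(host, urlfilter_entry),
    }


# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = {
    "9gag":          b"GET /gag/123 HTTP/1.1\r\nHost: 9gag.com\r\nUser-Agent: x\r\n\r\n",
    "www_9gag_port": b"GET / HTTP/1.1\r\nhost: WWW.9gag.com:80\r\n\r\n",
    "lookalike":     b"GET / HTTP/1.1\r\nHost: not9gag.com\r\n\r\n",
    "unrelated":     b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "no_host":       b"GET / HTTP/1.0\r\n\r\n",
}

if __name__ == "__main__":
    for label, req in SAMPLE_REQUESTS.items():
        result = classify(req)
        print(f"{label:14} host={str(result['host']):16} "
              f"NBAR drop={result['nbar_drop']!s:5} "
              f"urlfilter deny={result['urlfilter_deny']!s:5}")
```

The `lookalike` row is the one worth reading: the wildcard policy map drops it, the exclusive-domain entry lets it through. Whether that is a feature or a false positive depends on what you are trying to block, so check a wildcard against a few neighbouring hostnames before putting it on a production interface.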
Oh, and if you're wondering how to do URL filtering on Linux, the answer is "it's complicated". You need either a proxy (Squid, Privoxy) or, if you are shameless, you can do it with DNS hijacking.
Published on CCIELAB.