I am asked to implement security in a campus network, i.e. in this network we want to block some websites. We don't want to use any 3rd-party software or proxy server to block these.
How do I block a website on a Cisco 2600 series router using commands? What access list do we need to use to block it?
Assume we want to restrict www.orkut.com
Kindly explain the command to block the above website.
Here we are using a Cisco 2600 series router and a 2900 series switch. On the router we are using BGP because of multiple ISPs.
Please give the solution for this.
Here's a guide (a well-written one, imho).
Basically you need to set up an access list and deny any traffic that is destined for www.orkut.com.
If you have a DNS server properly configured on the router, Cisco IOS will resolve orkut.com into an IP address on the fly.
IOS resolves the DNS name when you create the ACL and stores the IP address in the running and startup config. The router would have to send a DNS request for every single packet being processed by the ACL in order to do "on the fly" DNS resolution.
The article you posted mentions that behavior, and that is why they suggest using nslookup to see all of the IPs in use at any given time for a domain name. The downside to doing this is that IP addresses change sometimes, so the ACLs can become out of date.
I have followed the instructions as you have given; I configured it on my Cisco 2600 router, but it blocks all the other websites as well, and the internet did not work. So I would request that you please suggest the right way with the command details.
Please see the commands below which I had given to my router:
# ip name-server 126.96.36.199 188.8.131.52 (we have given our ISP's DNS)
#access-list 101 deny tcp any host www.orkut.com eq www
#access-list 101 permit tcp any any eq www
#interface fastethernet 0/1 (my primary link interface)
#ip access-group 101 out (we had tried both OUT and IN)
Did we make any mistake? Please reply soon.
Change your ACL to the below:
access-list 101 deny tcp any host www.orkut.com eq www
access-list 101 permit ip any any
Your previous ACL denies all UDP traffic and allows only TCP port 80. You need DNS, and DNS requires TCP and UDP port 53 as well.
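To show why the first ACL broke the internet and the second one does not, here is an added example (not from this thread or from Cisco) that evaluates both ACLs with IOS first-match semantics and the implicit deny at the end. The orkut address and the traffic samples are constructed placeholders; the DNS server address is the one from the post above.

```python
"""Toy first-match evaluator for the two extended ACLs discussed in this thread."""
from dataclasses import dataclass
from typing import Optional

# Constructed placeholder (TEST-NET-3): IOS resolves the hostname once, when the
# ACL line is entered, and stores this address in the configuration.
ORKUT_IP = "203.0.113.10"


@dataclass(frozen=True)
class Entry:
    action: str              # "permit" or "deny"
    proto: str               # "ip" matches every protocol; else "tcp", "udp", "icmp"
    dst_host: Optional[str]  # None means "any"
    dst_port: Optional[int]  # None means any port (or "eq <port>" when set)


def matches(entry: Entry, proto: str, dst_ip: str, dst_port: Optional[int]) -> bool:
    if entry.proto != "ip" and entry.proto != proto:
        return False
    if entry.dst_host is not None and entry.dst_host != dst_ip:
        return False
    if entry.dst_port is not None and entry.dst_port != dst_port:
        return False
    return True


def evaluate(acl, proto: str, dst_ip: str, dst_port: Optional[int] = None) -> str:
    """First matching entry wins; a packet matching nothing hits the implicit deny."""
    for entry in acl:
        if matches(entry, proto, dst_ip, dst_port):
            return entry.action
    return "deny"  # implicit "deny ip any any" at the end of every IOS ACL


# The original poster's ACL: only TCP/80 is permitted; DNS, ICMP, etc. fall through.
ACL_ORIGINAL = [Entry("deny", "tcp", ORKUT_IP, 80), Entry("permit", "tcp", None, 80)]
# The corrected ACL from the final reply: everything except HTTP to orkut is permitted.
ACL_FIXED = [Entry("deny", "tcp", ORKUT_IP, 80), Entry("permit", "ip", None, None)]

# Constructed sample traffic: a DNS query, HTTP to orkut, HTTP elsewhere, a ping.
FLOWS = {
    "dns_udp53": ("udp", "126.96.36.199", 53),
    "http_orkut": ("tcp", ORKUT_IP, 80),
    "http_other": ("tcp", "198.51.100.7", 80),
    "icmp_echo": ("icmp", "198.51.100.7", None),
}


def results(acl) -> dict:
    """Map each sample flow name to the ACL verdict for it."""
    return {name: evaluate(acl, *flow) for name, flow in FLOWS.items()}
```

Under ACL_ORIGINAL the DNS query is denied, so nothing resolves and every site appears blocked; under ACL_FIXED only the HTTP flow to the stored orkut address is denied.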