Cisco IOS Content Filtering Modes
Subscription-based Cisco IOS content filtering operates in one of three modes: local filtering mode, URL database filtering mode, and allow mode.


Local Filtering Mode

In this mode, the Cisco IOS content filtering service first tries to match the requested URL with the local lists of trusted domains (white list), untrusted domains (black list), and blocked keywords. If a match is not found, the Cisco IOS content filtering service forwards the lookup request to the URL filtering server as specified in the policy. If the Cisco IOS content filtering service cannot establish communication with the URL filtering server, the system enters allow mode.

The system is in local filtering mode when a URL filtering policy for a URL filtering server has not been specified and when the system cannot establish a connection with the URL filtering server.

URL Database Filtering Mode

In this mode, the Cisco IOS content filtering service has connectivity with the URL filtering server; it can send URL lookup requests to and receive URL lookup responses from the URL filtering server.

In the case of a TRPS, the Cisco IOS content filtering service sends a URL category lookup request to the TRPS and the TRPS responds with the URL category and the URL reputation. Based on the policy set for the URL category and reputation, the HTTP request is allowed, denied, or logged. If a policy has not been configured for the URL category or reputation, the default is to permit the HTTP response.

In the case of SmartFilter and Websense servers, the Cisco IOS content filtering service sends a URL lookup request to the URL database server and the server responds with either a permit or deny message. URL filtering policies for SmartFilter and Websense servers specify a server-based action.

Allow Mode

When the Cisco IOS content filtering service is unable to communicate with the URL filtering server, the system enters allow mode. The default setting for allow mode is off, and all HTTP requests that pass through local filtering mode are blocked. When allow mode is on, all HTTP requests that passed through local filtering mode are allowed.

When both local filtering and URL database filtering modes fail, the system goes into allow mode. If the allow mode action is set to on, all URL requests are allowed. Otherwise, all HTTP requests are blocked.

The default is ip urlfilter allow-mode off. Once URL filtering is enabled, all URLs are blocked.
1. Create a whitelist
ip inspect name web http java-list 5 urlfilter
Enable HTTP inspection and filter URLs

ip urlfilter exclusive-domain permit .sohu.com
ip urlfilter exclusive-domain permit .cisco.com

Add the permit entries

interface FastEthernet0/1
Apply on the inside (LAN) interface

ip inspect web in


2. Create a blacklist
ip inspect name web http java-list 5 urlfilter
Enable HTTP inspection and filter URLs

ip urlfilter allow-mode on
The default is off; change it to on so that web pages are allowed through by default

ip urlfilter exclusive-domain deny .sohu.com
ip urlfilter exclusive-domain deny .cisco.com  
Add the deny entries

interface FastEthernet0/1
Apply on the inside (LAN) interface

ip inspect web in
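
The decision flow described under the three modes, applied to the whitelist and blacklist configurations above, as an added Python model (not Cisco code and not part of the original notes). The function names, the example.org test host, the leading-dot suffix matching and the permit-before-deny order are assumptions made for illustration.

```python
from urllib.parse import urlsplit

def host_of(url):
    """Extract the lower-cased host name from a URL, with or without a scheme."""
    return (urlsplit(url if "//" in url else "//" + url).hostname or "").lower()

def matches(host, entry):
    # Assumption: a leading-dot entry such as ".sohu.com" matches any host
    # ending in that suffix; any other entry must equal the host exactly.
    entry = entry.lower()
    return host.endswith(entry) if entry.startswith(".") else host == entry

def decide(url, permit=(), deny=(), allow_mode=False, server=None):
    """Return (action, reason) for one HTTP request.

    server is a callable host -> bool (True = permit). None means no filtering
    server is configured; raising ConnectionError models an unreachable server.
    """
    host = host_of(url)
    # Local filtering mode: the exclusive-domain lists are consulted first.
    # Checking permit before deny is an assumption; the lists here never overlap.
    if any(matches(host, e) for e in permit):
        return "allow", "local permit list"
    if any(matches(host, e) for e in deny):
        return "block", "local deny list"
    # URL database filtering mode: no local match, so ask the server.
    if server is not None:
        try:
            return ("allow" if server(host) else "block"), "filtering server"
        except ConnectionError:
            pass  # server unreachable: fall through to allow mode
    # Allow mode: fail open when on, fail closed when off (the default).
    return ("allow", "allow-mode on") if allow_mode else ("block", "allow-mode off")

# The two configurations from the notes above; no filtering server is defined.
DOMAINS = [".sohu.com", ".cisco.com"]
WHITELIST = dict(permit=DOMAINS, allow_mode=False)  # ip urlfilter allow-mode off
BLACKLIST = dict(deny=DOMAINS, allow_mode=True)     # ip urlfilter allow-mode on

def unreachable(host):
    """Constructed stand-in for a filtering server that does not answer."""
    raise ConnectionError("filtering server did not answer")

if __name__ == "__main__":
    for name, cfg in (("whitelist", WHITELIST), ("blacklist", BLACKLIST)):
        for url in ("http://www.sohu.com/", "http://www.example.org/"):
            print(name, url, decide(url, **cfg))
```

With allow-mode on, an unreachable filtering server means every domain not on the local deny list is allowed, so the blacklist configuration fails open.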