URL Filtering

The internet has been a unified place to access almost any information needed. But, some internet contents are not appropriate to be seen at work, it's just at the wrong time and at the wrong place. Gambling and adult sites are examples of this. But there are some sites that fall into "gray area". Sports leagues, auction, and social networking sites can reduce employees productivity. The first step of URL Filtering is to make a policy of which sites are allowed and which are denied. The policy must also put a decision to the "gray area" site.

How URL Filtering works?

URL Filtering works by making a list of restricted sites. After it is created, all HTTP request will be checked against the list. If the URL is in the list, the request is blocked and typically the employee will be given a warning screen that he/she is trying to access a restricted site. Maintaining the list can be done manually by the network administrator (this way is called black/white list), but the job can be given to a third party server. The company may subscript for the service and the list of restricted sites is maintain in a database on a third-party filtering server.

The advantages of the black/white list are:

  • It provides a basic solution if a few specific URLs need to be exempted.

  • It allows the company to directly manage the URLs it considers to be out of policy.

  • Existing network equipment can be leveraged.

While the advantages of using the third-parti filtering server are:

  • It provides a comprehensive, scalable solution.

  • Companies that specialize in appropriate web content manage the URL lists and provide updates.

  • Existing network equipment can be leveraged.

  • It covers millions of URLs (for the high-end services).

With Cisco, you can use subscription-based Cisco IOS content filtering. This feature is first integrated in IOS 12.2(15)T and offered through third-party companies, Websense, SmartFilter (N2H2), and also Trend Micro (since IOS 12.4(15)XZ and 12.4(20)T). To configure Cisco URL Filtering, first you have to register at one of those companies.The summary steps of configuring URL Filtering with Trend Micro are:

  • Configure Class Maps for Local URL Filtering

  • Configure Class Maps for Trend Micro URL Filtering

  • Configure Parameter Maps for Trend Micro URL Filtering

  • Configure URL Filtering Policies

  • Attach a URL Filtering Policy

You can see Cisco documentation to get examples.


The Control Plane (Basic)

The network is said to have two planes: a control plane and a data plane. The data plane simply refers to the information that is being transported. Beside the main function of a network to route and forward data, there's another critical function that should be provided by the network for the network administrators. The network should provide a way for network administrators to provision and maintain the network devices themselves. The functions include monitoring network throughput and performance, updating the network topology, establishing new connections, and enforcing security and service policies. These functions is performed by the control plane in a network device. The control plane is responsible to provide a clean way to the network administrator to access the device, give command, and providing response. When a network goes wrong, the control plane is critical. If somehow the control plane is compromised, the network device could be "locked up". In this state, no network changes are possible, no monitoring is available, and there is no visibility into the operational state.

Control Plane Protection

Control Plane Protection (sometimes called Control Plane Policing or CoPP) should be taken to ensure bandwidth availability for the network administrator. The actions taken involves:

  • Preserving CPU “bandwidth” as a high priority for control plane services

  • Safeguards on the data plane to prevent CPU overruns

  • Separate CPU processors for the data plane and control plane

Denial of service (DoS) and distributed denial of service (DDoS) attacks typically try to overwhelm a device with traffic to the point of instability. Control Plane Policing (CoPP) uses QoS traffic policies to restrict the amount of traffic destined for network devices. The CoPP treats the Control Plane as an independent entity, it has its own ingress and egress port, therefore a set of rules can be attached to the ingress and/or egress of the port. The rules applied to a packet after it has been determined to have the Control Plane as its destination and when a packet goes out from the Control Plane.

An example command of attaching a QoS to the control Plane is:

Router(config)# control-plane

Router(config)#service-policy {input | output} policy-map-name

The first line will enter the control plane configuration mode, while the second line will attach the QoS to the ingress or egress of the control plane port.


MultiProtocol Label Switching (MPLS) is Originally developed by Cisco in the form of tag switching, MPLS was adopted as an Internet standard by the Internet Engineering Task Force (IETF). Service providers are the primary implementers of the technology. With MPLS networks, service providers can offer services similar to traditional WAN technologies at lower costs and provide additional IP-based services previously not available.

MPLS provides an encapsulation scheme that serves as an alternative to traditional routing. When a packet comes into the service provider edge, a router assigns a tag to the packet based on the destination IP network. The tag is a type of shorthand for a traditional IP-based route. After the tag is applied, the router forwards the packet into the MPLS core. The core routers read the label, apply the appropriate services, and forward the packet based on the label. As soon as the packet reaches the destination edge of the service provider network, the MPLS label is removed, and the IP packet is forwarded onto the IP network. One of the MPLS services that service providers offer is virtual private networks. Using MPLS labels, service providers can deliver IP-based services to many customers without the complexity of traditional Frame Relay or ATM circuit management. Customers can use private or public IP addressing without concern about overlapping other customer addressing. another opportunity of MPLS is because MPLS provides any-to-any connectivity. MPLS is divided into two layers or planes, each having a specific function in the network. The layers are the Control plane and the Data plane. The Data plane handles forwarding operations. The Control plane is responsible for the exchange of routing information (including labels) between adjacent devices.

Equipment and Stuff

Three primary equipment in MPLS are:

  1. CPE: This is equipment on the customer site. All traffic leaving the local site is routed through this point. This is often called customer equipment (CE).

  2. PE: Located at the ingress point of the SP network, this is the equipment that assigns (and removes) labels. The PE can either be routers or high-end switches. This is also referred to as the Edge Label Switch Router (ELSR).

  3. P: Located in the core of the SP network, provider (P) routers forward packets based on their labels. This is also called a Label Switch Router (LSR).

MPLS Labels

MPLS uses a label to decide where and how to send packets through the network. The label is applied at the ingress to the SP network and is removed at the network egress point. The only router responsible for adding the label is the network router that needs to process the entire packet header. The information contained in the header, along with the preconfigured instructions, is used to generate the label. Labels can be based on IP destinations (this is what traditional routing uses) and other parameters, such as IP sources, QoS, VPN membership, or specific routes for traffic engineering purposes. MPLS is also designed to support forwarding mechanisms from other protocols. Label information is distributed throughout the network using the Label Distribution Protocol (LDP). The

label assigned essentially keeps that packet separated from all other customers’ packets/cells. Because there is no place where one customer can view another customer’s packet/cells, there is no danger of having someone outside the SP network snoop for packets. Obviously this would not stop someone bent on illegally accessing a company’s information, but it does remove the possibility of someone claiming that he “accidentally” received the information.

MPLS router forward packets by using the label, but the router must know the relationship between a label and path through the network. This relationship is established and communicate throughout the network using Forwarding Equivalence Classes (FEC). A FEC is a specific path through the network of LSRs and is equal to the destination network, stored in an IP routing table. The LSRs simply look at the label and forward the packet based on the contents of the FEC. This is much simpler, faster, and more flexible than traditional IP routing.