Cisco IOS startup configuration

Technical Library | Support

Go to the table of contents

Go to the previous page

Go to the next page

Integrating Web Security with Cisco > Cisco IOS startup configuration

Cisco IOS startup configuration

Deployment and Installation Center | Web Security Solutions | Version 7.8.x

Web Filter and Web Security, v7.8.x

Before Websense software can filter Internet requests, the Cisco IOS router must be configured to use Filtering Service as a URL filter.

1.

Access the router's software from a console, or from a remote terminal using telnet.

2.

Enter your password.

3.

Enter enable and the enable password to put the router into enabled mode.

4.

Enter configure terminal to activate configure mode.

5.

Enter the following command to identify the Filtering Service machine that will filter HTTP requests:

ip urlfilter server vendor websense <ip-address>
[port <port-number>] [timeout <seconds>]
[retransmit <number>]


Variable	Description
<ip-address>	The IP address of the machine running Websense Filtering Service.
<port-number>	The Filtering Service port (also referred to as the integration communication port), default 15868.
<seconds>	The amount of time the Cisco IOS router waits for a response from Filtering Service. The default timeout is 5 seconds.
<number>	How many times the Cisco IOS router retransmits an HTTP request when there is no response from Filtering Service. The default is 2.

An example of this command is:

ip urlfilter server vendor websense 12.203.9.116 timeout 8 retransmit 6

To define an additional Filtering Service instance as a backup, repeat the command using the IP address of the second Filtering Service machine.

The configuration settings you create in the following steps are always applied to the primary server.

Only one Filtering Service instance (the primary server) is used at a time. If the primary server becomes unavailable, the system goes to the list of configured Filtering Service instances and attempts to activate the first one. If the first server is not available, the system attempts to activate the next one. This continues until an available server is found or the end of the list of configured servers is reached. If all servers are down, the router goes into allow mode.

6.

Enable the logging of system messages to Filtering Service by entering the following command:

ip urlfilter urlf-server-log

This setting is disabled by default. When logging is enabled, the Cisco IOS router sends a log request immediately after the URL lookup request.

7.

Tell the Cisco IOS router how to filter URL requests by entering the following commands, in sequence:

ip inspect name <inspection–name> http urlfilter

interface <type> <slot/port>

ip inspect <inspection-name> {in|out}

Examples of these commands are:

ip inspect name fw_url http urlfilter

interface FastEthernet 0/0

ip inspect fw_url in

For this sequence to function properly, you must create an inspection rule called fw_url and apply that rule to the inbound interface of the router.

See Cisco documentation for information about creating and applying inspection rules.

To improve performance, Cisco suggests disabling the Java applet scanner. Java applet scanning increases CPU processing load. To disable the Java applet scanner, use the following commands, in sequence:

access-list <num> permit any

ip inspect name <inspection–name> http java-list <num> urlfilter

See Cisco documentation for more information about these commands.

8.

To save your changes:

a.

Enter the exit command twice to leave the configure mode.

b.

Enter write memory.

These commands store the configuration settings in the Cisco IOS router's startup configuration so they are not lost if the router is shut down or loses power.

9.

Use the following commands to view various aspects of your installations:


Command	Action
show ip inspect name <inspection-name>	Displays a specific inspection rule.
show ip inspect all	Displays all available inspection information.
show ip urlfilter config	Displays all URL filtering information.
<command-name> ?	Displays help on individual commands. For example, ip inspect ? displays the complete syntax for the inspect command, and explains each argument.

10.

To discontinue filtering or to change a Filtering Service, enter the following command to remove a server configured in Step 5.

no ip urlfilter server vendor websense <ip-address>

Go to the table of contents

Go to the previous page

Go to the next page

Integrating Web Security with Cisco > Cisco IOS startup configuration

Copyright 2016 Forcepoint LLC. All rights reserved.