Introduction

This document introduces URL ACL (Enhanced) feature and provides general guidelines for its deployment. The purpose of this document is to:

  • Provide an overview of URL ACL (Enhanced) feature

  • Highlight supported Key Features

  • Provide details on deploying and managing URL ACL (Enhanced) on WLC

Pre–requisite

Customers must have AireOS 8.0 or higher release on a Wireless LAN Controller in order to upgrade to the 8.4 code.

Components Used

The information in this documentwas created from devices in a specificlab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

Refer to Cisco Technical Tips Conventions for more information on document conventions.

Feature Introduction

The URL Filtering feature helps optimize network bandwidth utilization by restricting access to websites. It uses DNS snooping to snoop the DNS response sent from the DNS server to wireless clients. It is an ACL based implementation to restrict URLs for all protocol including HTTP and HTTPS.

Implementation

URL Filtering ACL is defined as set of URLs, which are associated with Allow/Deny action for all URLs. This is defined under an ACL type, either a white or black list. A mix of white and black list rules is not supported. An external server's ip address is configured which is used to redirect blocked page to client if the access URL is blocked as per configuration.

Work Flow

WLC snoops the DNS response for the client and if the URL is allowed as per the configuration (ACL rule), DNS response will be sent to the client. If the URL is not allowed as per the configuration (ACL rule), the resolved IP will be overwritten with an external server's IP (which we would have configured) and returned to the client. This external server will redirect blocked page to the clients. Counters for the allowed and denied DNS responses are viewable for an ACL as they are getting hit.

Configuration Steps

  1. Configure an ACL as either Allowed List or Blocked List to allow or deny access to domains
  2. Configure External Server IP address

  3. Tie the created URL ACL to either

  • Interface

  • WLAN

  • Local Policy (highest priority)

Browsing is now restricted to specified domains for all protocols.

Platform Support

  1. Feature support is available on 5520 and 8540. It is not supported on 5508, 8510, vWLC, 2504 and ME.

  2. Supported in Local mode and Flex central switching only.

Considerations

    • Wildcard support (e.g. *.domain.com)

      1. 10 Wildcards

      2. 5 subdomains per wildcard

  2. URL Filtering includes

    1. Support of 100 URLs

    2. No Sub-URL support (e.g. www.domain.com and www.domain.com/resources)

  3. Maximum length of 32 chars to be supported for URLs

  4. There is no AVC dependency for this feature. It is completely based on DNS snooping

  5. Radius server returning URL filtering ACL name is not supported

  6. Reverse DNS is not supported. Client access with direct IP (without doing DNS) is not allowed

  7. IPv6 is not supported

Configuring URL Filtering

URL filtering determines which URLs to permit or deny using ACLs and rules that are assigned to WLANs, Interfaces or individual client sessions by way of Local Policies. The following steps demonstrate how to create URL based ACLs and rules for two common scenarios:

  • Scenario 1–An ACL with List Type Blocked List which has rules defined to deny access to specific URLs.
  • Scenario 2–An ACL with List Type Allowed List and rules are defined to only permit access to specific URLs.

Access Control Lists

Accessing Control Lists using GUI

To acess the control list using GUI, perform the following steps:

Procedure

Step 1

From the WLC main menu select SECURITY Access > Control Lists > URL ACLs. Click New.



Step 2

Enter the URL ACL Name then click Apply . In this example a ACL named BLOCK-SITES has been defined.



Step 3

Select List Type as Blacklist from the dropdown and click Apply.



Step 4

Configure External Server IP and hit Apply. In this example, we have defined 10.10.10.10 which will redirect blocked page to the client.



Step 5

Click New to define additional ACLs.



Step 6

Enter the URL ACL Name then click Apply. In this example a second ACL named PERMIT-SITES has been defined.



Accessing Control Lists using CLI

Procedure

Step 1

Create the URL ACLs named BLOCK-SITES and PERMIT-SITES. 

(Cisco Controller)> config acl url-acl create BLOCK-SITES
(Cisco Controller)> config acl url-acl create PERMIT-SITES
Step 2

Configure BLOCK-SITES as List Type Blacklist and PERMIT-SITES as List Type Whitelist 

(Cisco Controller)> config acl url-acl list-type BLOCK-SITES blacklist
(Cisco Controller)> config acl url-acl list-type PERMIT-SITES whitelist
Step 3

Configure the external server IP, which is used to redirect the pages. 

(Cisco Controller)> config acl url-acl external-server-ip 10.10.10.10
Step 4

Verify ACL creation. Note the Applied status fields for both ACLs will display as No until rules are added and the ACLs are applied. 

(Cisco Controller) > show acl url-acl summary
   ACL Counter Status               Enabled
   External Server IP              10.10.10.10
   ----------------------------------------
   URL ACL Name       Applied       List Type
   ---------------    -------       --------------
   BLOCK-SITES          No        BlackList
   PERMIT-SITES         No        WhiteList

Rules–Blocked-List Example

The following configuration steps demonstrate how to use rules to deny access to specific URLs (blocked-listing). In this example an ordered list of URLs is defined with a deny action to block access to specific requested URLs. As the ACL itself has an implied deny, a wildcard permit rule is added as the last rule to provide access to all other requested URLs.

Blocked-Listing using GUI Procedure

Procedure

Step 1

From the WLC main menu select SECURITY > Access Control Lists > URL ACLs. Click on the URL ACL Name to add rules.



Step 2

Click Add New Rule.



Step 3

Enter a Rule Index then define a URL to match and Action. In this example the URL www.cisco.com has been defined as the first rule with the action set to Deny. Click Apply. Add additional blocked-list rules as required.



Step 4

Verify your rules are correct then click Apply All. The Status field will change from Not Applied to Applied.



Note 

The configuration steps for adding rules 2 -3 are not shown in this example, however the procedure for adding the rules is identical to what is demonstrated in step 3.

Blocked-Listing using CLI Procedure

Procedure

Step 1

Create rules for the ACL named BLOCK-SITES. 

(Cisco Controller)> config acl url-acl rule add BLOCK-SITES 1
(Cisco Controller)> config acl url-acl rule url BLOCK-SITES 1 www.cisco.com
(Cisco Controller)> config acl url-acl rule action BLOCK-SITES 1 deny
(Cisco Controller)> config acl url-acl rule add BLOCK-SITES 2
(Cisco Controller)> config acl url-acl rule url BLOCK-SITES 2 www.nba.com
(Cisco Controller)> config acl url-acl rule action BLOCK-SITES 2 deny
(Cisco Controller)> config acl url-acl rule add BLOCK-SITES 3
(Cisco Controller)> config acl url-acl rule url BLOCK-SITES 3 www.disney.com
(Cisco Controller)> config acl url-acl rule action BLOCK-SITES 3 deny
Step 2

Apply the ACL. 

(Cisco Controller)> config acl url-acl apply BLOCK-SITES
Step 3

Verify the ACL rules. 

(Cisco Controller)> show acl url-acl detailed BLOCK-SITES
RuleIndex   Action                  URL                    Hit Count
--------- ----------- ---------------------------------- -------------
     1        Deny     www.cisco.com                            0 
     2        Deny     www.nba.com                              0 
     3        Deny     www.disney.com                           0
Step 4

Verify the ACL has been applied. Note the Applied status field for the BLOCK- SITES ACL will change from No to Yes. 

(Cisco Controller)> show acl url-acl summary
ACL Counter Status               Enabled
External Server IP              10.10.10.10
----------------------------------------
URL ACL Name       Applied       List Type
---------------    -------       --------------
BLOCK-SITES          Yes       BlackList
PERMIT-SITES         No        WhiteList

Rules–Allowed-Listing Example

The following configuration steps demonstrate how to use rules to only permit access to specific URLs. In this example an ordered list of URLs is defined with a permit action to allow access to specific requested URLs. As the ACL has an implied deny, access to all other requested URLs will be blocked.

Allowed-Listing using GUI Procedure

Procedure

Step 1

From the WLC main menu select SECURITY > Access Control Lists > URL ACLs. Click on the URL ACL Name to add rules.



Step 2

Click Add New Rule.



Step 3

Enter a Rule Index then define a URL to match. In this example the URL www.cisco.com has been defined as the first rule with the action Permit. Click Apply. Add additional Permit rules as required.



Step 4

Verify your rules are correct then click Apply All. The Status field will change from Not Applied to Applied.



Allowed-Listing using CLI Procedure

Procedure

Step 1

Create rules for the ACL named PERMIT-SITES. 

(Cisco Controller)> config acl url-acl rule add PERMIT-SITES 1
(Cisco Controller)> config acl url-acl rule url PERMIT-SITES 1 www.cisco.com
(Cisco Controller)> config acl url-acl rule action PERMIT-SITES 1 permit
Step 2

Apply the ACL. 

(Cisco Controller)> config acl url-acl apply PERMIT-SITES
Step 3

Verify the ACL rules. 

(Cisco Controller)> show acl url-acl detailed PERMIT-SITES
RuleIndex   Action                  URL                    Hit Count
--------- ----------- ---------------------------------- -------------
     1      Permit     www.cisco.com                            0
Step 4

Verify the ACL has been applied. Note the Applied status field for the PERMIT-SITES ACL will change from No to Yes. 

(Cisco Controller)> show acl url-acl summary
ACL Counter Status               Enabled
External Server IP              10.10.10.10
----------------------------------------
URL ACL Name       Applied       List Type
---------------    -------       --------------
BLOCK-SITES          Yes       BlackList
PERMIT-SITES         Yes        WhiteList

Enabling Hit Counters

Hit counters can be optionally enabled to monitor the number of rule hits for each URL ACL. Hit counters are useful for troubleshooting ACLs as the counters are incremented by one as each rule is matched. The following step demonstrates how to globally enable ACL hit counters on a WLC.

Enabling Hit Counters using GUI Procedure

Procedure

Step 1

From the WLC main menu select SECURITY > Access Control Lists. Select Enable Counters then click Apply .



Step 2

From the WLC main menu select SECURITY > Access Control Lists > URL ACLs. Click on the desired URL ACL Name to view the Hit Count for each matched URL.



Enabling Hit Counters using CLI Procedure

Procedure

Step 1

Globally enable ACL Hit Counters. 

(Cisco Controller)> config acl counter start
Step 2

View the Hit Counters for a specific ACL. In this example the Hit Count for the ACL named BLOCK-SITES is displayed. 

(Cisco Controller)> show acl url-acl detailed BLOCK-SITES
RuleIndex   Action                  URL                    Hit Count
--------- ----------- ---------------------------------- -------------
     1        Deny     www.cisco.com                            41 
     2        Deny     www.nba.com                              24 
     3        Deny     www.disney.com                           7

Applying Access Control Lists

URL ACLs can be assigned dynamically to clients using Local Policies or directly to WLANs or Interfaces:

  • Local Policy–The URL ACL is applied to all clients assigned the Local Policy. URL ACLs assigned using Local Policies have the highest priority and will override URL ACLs assigned to the WLAN or Interface.
  • WLANs–The URL ACL is applied to all clients associated to the WLAN (unless a URL ACL is assigned to a client using a Local Policy). URL ACLs assigned to a WLAN will override a URL ACL assigned to an Interface.
  • Interfaces–The URL ACL is applied to all traffic forwarded specific interface.

The following steps demonstrate how to assign URL ACLs on a WLC to WLANs, Interfaces and Local Policies:

Assigning WLANs using GUI Procedure

Procedure

From the WLC main menu select WLANs > WLANs. Select a WLAN ID to modify. Access the Advanced Tab then assign the desired URL ACL. Click Apply.



Assigning WLANs using CLI Procedure

Procedure

Step 1

Disable the target WLAN. In this example WLAN id 1 is disabled. Note the WLC will not allow you to assign the ACL if the target WLAN is enabled. 

(Cisco Controller)> config wlan disable 1
Step 2

Assign the URL ACL to the WLAN. In this example the ACL named BLOCK-SITES is assigned to WLAN 1. 

(Cisco Controller)> config wlan url-acl 1 BLOCK-SITES
Step 3

Re–enable the disabled WLAN 

(Cisco Controller)> config wlan enable 1
Step 4

Verify the ACL assignment. Note if no ACL has been assigned to the WLAN, the WLAN URL ACL field will show unconfigured. 

(Cisco Controller) > show wlan 1
WLAN Identifier.................................. 1
Profile Name..................................... pod2
Network Name (SSID).............................. pod2
Status........................................... Enabled
MAC Filtering.................................... Disabled
!
! Output Suppressed
!
WLAN Layer2 ACL.................................. unconfigured
WLAN URL ACL..................................... BLOCK-SITES
mDNS Status...................................... Enabled
!
Note 

You can remove the ACL from a WLAN by issuing the config wlan url-acl <wlan-id> none command.

Assigning Interfaces using GUI Procedure

Procedure

From the WLC main menu select CONTROLLER > Interfaces. Select an Interface Name to modify, then under Access Control List assign the desired URL ACL. Click Apply.



Assigning Interfaces using CLI Procedure

Procedure

Step 1

Disable the WLANs using the target Interface. In this example WLAN id 3 is mapping client's management. Note the WLC will not allow you to assign the ACL to an Interface if there are any active WLANs using the interface 

(Cisco Controller) > config wlan disable 3
Step 2

Assign the URL ACL to the interface. 

(Cisco Controller) > config interface url-acl management BLOCK-SITES
Step 3

Re-enable the disabled WLAN. 

(Cisco Controller) > config wlan enable 3
Step 4

Verify the ACL assignment. Note if no ACL has been assigned to the Interface, the WLAN URL ACL field will show unconfigured. 

(Cisco Controller) > show interface detailed management
Interface Name................................... management
MAC Address...................................... 4c:00:82:71:4f:af
IP Address....................................... 10.10.20.2
IP Netmask....................................... 255.255.255.0
IP Gateway....................................... 10.10.20.1
!
! Output Suppressed
!
IPv4 ACL......................................... Unconfigured
URL ACL.......................................... BLOCK-SITES
!
Note 

You can remove the ACL from a Interface by issuing the config interface url-acl <interface-name> none command.

Assigning Local Policies using GUI Procedure

Procedure

From the WLC main menu select SECURITY > Local Policies. Select a Policy Name to modify, then under Action assign the desired URL ACL. Click Apply.



Note 

For additional information please reference the Wireless Device Profiling and Policy Classification Engine on WLC technical reference.

Assigning Local Policies using CLI Procedure

Procedure

Step 1

Assign the ACL to the target Local Policy. In this example the ACL named BLOCK-SITES is assigned to a Local Policy named STUDENTS. 

(Cisco Controller) > config policy STUDENTS action url-acl enable BLOCK-SITES
Step 2

Verify the ACL assignment 

(Cisco Controller) > config interface url-acl management BLOCK-SITES
Step 3

Re–enable the disabled WLAN. 

(Cisco Controller) > config wlan enable 3
Step 4

Verify the ACL assignment. Note if no ACL has been assigned to the Local Policy, the UR ACL field will show <none> . 

(Cisco Controller) > show POLICY STUDENTS
Policy Index..................................... 1
Match Role....................................... STUDENTS 
Match Eap Type................................... <none> 
IPv4 ACL......................................... <none> 
URL ACL.......................................... BLOCK-SITES 
FlexConnect Client ACL........................... <none> 
QOS.............................................. BRONZE
!
! Output Suppressed
!
Note 

You can remove the ACL from a Local Policy by issuing the config policy <policy-name> action url-acl disable command.

Migration of URL ACL Configuration

  • Upgrading from 8.3 to 8.4

    1. 8.3 config contained blocked-list ACLs comprising of all deny rules. In 8.4 config, ACL type will show up as Whitelist (which is the default) and deny rules wiped out. User would be required to manually configure new ACL list type as Blacklist and add deny rules to it .

    2. 8.3 config contained allowed-list ACLs comprising of all permit rules. In 8.4, this config remains unchanged. The ACL type shows up as allowed-list with the permit rules in it. There is no user activity required in this case.

    3. 8.3 config contained a mix of allowed-list (permit) and blocked-list (deny) rules. In 8.4 config, ACL type will show up as Whitelist (default) and deny rules wiped out while permit rules will remain.

  • Downgrading from 8.4 to 8.3

    1. No change in URL ACL rules.

    2. Only HTTP protocol support in 8.3.

    3. NBAR engine based URL Filtering and DNS snooping is not used.