Block Youtube.com

Unanswered Question
May 9th, 2007

Hi,

I'm trying to block youtube.com using NBAR. I can see in the output of show policy-map interface that it matches the class-map, but the router won't drop the packets. Here's my config.

class-map match-any Class_NBAR
 match protocol bittorrent
 match protocol gnutella
 match protocol kazaa2
 match protocol gopher
 match protocol napster
 match protocol rtp video
 match protocol http url "*.youtube.com*"

policy-map Policy_NBAR
 class Class_NBAR
  drop

interface FastEthernet0/1
 ip nbar protocol-discovery
 service-policy output Policy_NBAR

Is this a correct configuration? Thanks.

Regards,

John

Pari Thiagasundaram Wed, 05/09/2007 - 15:10

You need to enable Cisco Express Forwarding (CEF) in order to use Network-Based Application Recognition (NBAR).

Could you check whether it is enabled?

dbellaze Wed, 05/09/2007 - 15:17

It might be easier to do this with an ACL if YouTube only uses their registered IPs. You can go to www.arin.net and find all YouTube's ranges and block those.

NBAR has been hit and miss for me for certain applications. I also found that just using the drop command wasn't always successful either. Try using the police statement instead and set all the actions to drop; that might work for you.

Daniel

John Patrick Lopez Wed, 05/09/2007 - 15:26

I forgot to post this: I am also using the rate-limit command on the interface.

rate-limit input 1048000 131072 131072 conform-action transmit exceed-action drop
rate-limit output 1048000 131072 131072 conform-action transmit exceed-action drop

dbellaze Wed, 05/09/2007 - 15:33

You can move your interface rate limiting to the MQC policy.

policy-map Policy_NBAR
 class Class_NBAR
  police 8000 conform-action drop exceed-action drop violate-action drop
 class class-default
  police 1048000 131072 131072 conform-action transmit exceed-action drop violate-action drop

policy-map Policy_Inbound
 class class-default
  police 1048000 131072 131072 conform-action transmit exceed-action drop violate-action drop

interface FastEthernet0/1
 service-policy input Policy_Inbound
 service-policy output Policy_NBAR

Daniel

John Patrick Lopez Wed, 05/09/2007 - 15:48

I can see the conformed packets increment and the action to drop, but still the website can pass through. I already tried setting a DSCP value of 1 a while ago and dropping all output packets using an access-list matching a DSCP value of 1. I'm losing hope right now. By the way, it's a 2600 router.

dbellaze Wed, 05/09/2007 - 15:58

The match-all will require matching all match statements which will not work unless you remove all the other match commands.

I ran into this same problem for Gnutella and BitTorrent. I got with Cisco and pretty much got nowhere with it. Your best bet for now may be to just block their ranges or get more clever with what you want to match to try to block it.

Daniel

John Patrick Lopez Wed, 05/09/2007 - 17:19

I applied it on Fa0/1 as service-policy output. I already tried to apply it in all directions but still the same. I can still access youtube.com.

John Patrick Lopez Thu, 05/10/2007 - 10:15

I tried to monitor the policy-map and there are very minimal packets. Do you guys have any other idea on how to do this except for using an ACL blocking the IP address of www.youtube.com?

mohammedrafiq Thu, 05/10/2007 - 10:58

Hi,

Can you try to block this range and then try again?

208.65.152.0 - 208.65.155.255

Regards,
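Both dbellaze's suggestion of blocking YouTube's registered ranges and mohammedrafiq's range above come down to writing an extended ACL, and the step people most often get wrong is the IOS wildcard mask (an inverted subnet mask). The following Python script is an added example, not code from the thread or from Cisco: it takes an inclusive address range like the one quoted above, collapses it into CIDR blocks, emits the corresponding `access-list` deny entries with the correct wildcard masks, and lets you check which destination addresses the resulting ACL would actually block. The ACL number 101 and the sample range are constructed for illustration; the range is the one posted in the thread and reflects 2007-era address assignments, so treat it as sample data rather than a current block list.

```python
import ipaddress

# Constructed sample input: the range quoted in the thread (2007 data).
SAMPLE_FIRST = "208.65.152.0"
SAMPLE_LAST = "208.65.155.255"


def range_to_networks(first, last):
    """Collapse an inclusive IPv4 range into the fewest CIDR blocks.

    A range that is not aligned to a single prefix (e.g. 10.0.0.0-10.0.1.127)
    yields several blocks, each of which needs its own ACL entry.
    """
    return list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))


def wildcard_mask(net):
    """IOS ACLs use an inverted mask: 0 bits must match, 1 bits are ignored.

    ipaddress exposes exactly that value as the network's hostmask.
    """
    return str(net.hostmask)


def ios_deny_lines(acl_number, first, last):
    """Build numbered extended ACL entries denying IP traffic to each block."""
    return [
        f"access-list {acl_number} deny ip any "
        f"{net.network_address} {wildcard_mask(net)}"
        for net in range_to_networks(first, last)
    ]


def ios_acl(acl_number, first, last):
    """Complete ACL: the deny entries followed by the permit-everything-else
    entry, without which the ACL's implicit deny would black-hole all traffic."""
    return ios_deny_lines(acl_number, first, last) + [
        f"access-list {acl_number} permit ip any any"
    ]


def is_blocked(dst_ip, first, last):
    """Return True if dst_ip falls inside one of the denied blocks."""
    addr = ipaddress.IPv4Address(dst_ip)
    return any(addr in net for net in range_to_networks(first, last))


if __name__ == "__main__":
    for line in ios_acl(101, SAMPLE_FIRST, SAMPLE_LAST):
        print(line)
    for probe in ("208.65.153.10", "208.65.156.1"):
        print(probe, "blocked" if is_blocked(probe, SAMPLE_FIRST, SAMPLE_LAST) else "allowed")
```

For the sample range the script emits a single entry, `access-list 101 deny ip any 208.65.152.0 0.0.3.255`, because 208.65.152.0-208.65.155.255 is exactly a /22; a range that does not line up with one prefix produces one entry per block. The ACL is then applied with `ip access-group 101 out` on the interface facing the users (the same FastEthernet0/1 direction the thread's service-policy uses). The `is_blocked` check is the part worth keeping around: IP-based blocking of a large web service is only as good as the address list, and re-running it against the addresses the site currently resolves to tells you when the list has gone stale.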
