Block Youtube.com

jpl861
Level 4

Hi,

I'm trying to block youtube.com using NBAR. I can see on the show policy-map interface that it matches the class-map but the router won't drop the packet. Here's my config.

class-map match-any Class_NBAR
 match protocol bittorrent
 match protocol gnutella
 match protocol kazaa2
 match protocol gopher
 match protocol napster
 match protocol rtp video
 match protocol http url "*.youtube.com*"

policy-map Policy_NBAR
 class Class_NBAR
  drop

interface FastEthernet0/1
 ip nbar protocol-discovery
 service-policy output Policy_NBAR

Is this a correct configuration? Thanks.

Regards,

John

16 Replies

You need to enable Cisco Express Forwarding (CEF) in order to use Network-Based Application Recognition (NBAR).

Could you check if it is enabled?

Thanks for the reply. Yes it is enabled.

dbellaze
Level 4

It might be easier to do this with an ACL if YouTube only uses their registered IPs. You can go to www.arin.net and find all YouTube's ranges and block those.

NBAR has been hit-and-miss for me for certain applications. I also found that just using the drop command wasn't always successful either. Try using the police statement instead and set all the actions to drop; that might work for you.

Daniel

Ok. I'll try the police command. Give me a minute. Thanks.

I forgot to post this, I am also using rate-limit command on the interface.

rate-limit input 1048000 131072 131072 conform-action transmit exceed-action drop
rate-limit output 1048000 131072 131072 conform-action transmit exceed-action drop

You can move your interface rate limiting to the MQC policy.

policy-map Policy_NBAR
 class Class_NBAR
  police 8000 conform-action drop exceed-action drop violate-action drop
 class class-default
  police 1048000 131072 131072 conform-action transmit exceed-action drop violate-action drop

policy-map Policy_Inbound
 class class-default
  police 1048000 131072 131072 conform-action transmit exceed-action drop violate-action drop

interface FastEthernet0/1
 service-policy input Policy_Inbound
 service-policy output Policy_NBAR

Daniel

OK let me try that one too. Just a minute.

I can see the conformed packets increment and the action to drop, but still the website can pass through. I already tried setting a DSCP value of 1 a while ago and dropping all output packets using an access-list matching a value of 1 in DSCP. I'm losing hope right now. By the way, it's a 2600 router.

Can you change:

class-map match-any Class_NBAR

to:

class-map match-all Class_NBAR

and check again?

The match-all will require matching all match statements, which will not work unless you remove all the other match commands.

I ran into this same problem for gnutella and BitTorrent. I got with Cisco and pretty much got nowhere with it. Your best bet for now may be to just block their ranges or get more clever with what you want to match to try to block it.

Daniel
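As an added illustration of the match-any versus match-all point above (example code written for this thread, not from the forum or from Cisco), the script below evaluates an IOS class-map against a described flow and also flags a policy-map "class" reference whose name does not exactly match a defined class-map; IOS treats class names as case-sensitive, so "class_NBAR" and "Class_NBAR" are different classes. The config, the flow and the helper functions are constructed for the example.

```python
import re
from fnmatch import fnmatch

# Constructed sample: the poster's class-map and a policy-map whose class
# reference differs in case from the class-map name.
SAMPLE_CONFIG = """\
class-map match-any Class_NBAR
 match protocol bittorrent
 match protocol gnutella
 match protocol http url "*.youtube.com*"
policy-map Policy_NBAR
 class class_NBAR
  police 8000 conform-action drop exceed-action drop violate-action drop
"""

def parse_class_maps(config):
    """Return {name: (mode, [match terms])} for every class-map in config."""
    maps, current = {}, None
    for line in config.splitlines():
        m = re.match(r"class-map (match-any|match-all) (\S+)", line.strip())
        if m:
            current = m.group(2)
            maps[current] = (m.group(1), [])
        elif current and line.strip().startswith("match protocol "):
            maps[current][1].append(line.strip()[len("match protocol "):])
        elif not line.startswith(" "):
            current = None  # left the class-map block
    return maps

def term_matches(term, flow):
    """One 'match protocol ...' term against a flow dict (protocol/subtype/url)."""
    tokens = term.split(None, 2)
    if flow.get("protocol") != tokens[0]:
        return False
    if len(tokens) == 3 and tokens[1] == "url":
        return fnmatch(flow.get("url", ""), tokens[2].strip('"'))
    if len(tokens) == 2:  # e.g. "rtp video": protocol plus subtype
        return flow.get("subtype") == tokens[1]
    return True

def classify(class_map, flow):
    """match-all needs every term to hit; match-any needs just one."""
    mode, terms = class_map
    hits = [term_matches(t, flow) for t in terms]
    return all(hits) if mode == "match-all" else any(hits)

def lint_class_refs(config, class_maps):
    """Policy-map 'class X' lines where X is not a defined class-map."""
    bad = []
    for line in config.splitlines():
        m = re.match(r"class (\S+)$", line.strip())
        if m and m.group(1) != "class-default" and m.group(1) not in class_maps:
            bad.append(m.group(1))
    return bad
```

With the sample flow {"protocol": "http", "url": "www.youtube.com/watch"} the match-any class hits on the URL term alone, while the same terms under match-all can never all be true for a single flow.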

My bad. I couldn't find a "delete" option once I posted it.

Where is fa0/1 connected to?

Fa0/1 is connected to the inside network and Fa0/0 is the one facing the internet.

Shouldn't that be applied on the outbound interface?

I applied it on Fa0/1 as service-policy output. I already tried to apply it in all directions but still the same. I can still access youtube.com.
