05-09-2007 03:01 PM - edited 03-03-2019 04:54 PM
Hi,
I'm trying to block youtube.com using NBAR. I can see on the show policy-map interface that it matches the class-map but the router won't drop the packet. Here's my config.
class-map match-any Class_NBAR
 match protocol bittorrent
 match protocol gnutella
 match protocol kazaa2
 match protocol gopher
 match protocol napster
 match protocol rtp video
 match protocol http url "*.youtube.com*"
policy-map Policy_NBAR
 class Class_NBAR
  drop
interface FastEthernet0/1
 ip nbar protocol-discovery
 service-policy output Policy_NBAR
Is this a correct configuration? Thanks.
Regards,
John
05-09-2007 03:10 PM
You need to enable Cisco Express Forwarding (CEF) in order to use Network-Based Application Recognition (NBAR).
Could you check if it is enabled ?
05-09-2007 03:12 PM
Thanks for the reply. Yes it is enabled.
05-09-2007 03:17 PM
It might be easier to do this with an ACL if YouTube only uses their registered IPs. You can go to www.arin.net and find all YouTube's ranges and block those.
NBAR has been hit-and-miss for me for certain applications. I also found that just using the drop command wasn't always successful either. Try using the police statement instead and set all the actions to drop; that might work for you.
Daniel
05-09-2007 03:23 PM
Ok. I'll try the police command. Give me a minute. Thanks.
05-09-2007 03:26 PM
I forgot to post this: I am also using the rate-limit command on the interface.
rate-limit input 1048000 131072 131072 conform-action transmit exceed-action drop
rate-limit output 1048000 131072 131072 conform-action transmit exceed-action drop
05-09-2007 03:33 PM
You can move your interface rate limiting to the MQC policy.
policy-map Policy_NBAR
 class Class_NBAR
  ! class name must match the class-map exactly (names are case-sensitive)
  police 8000 conform-action drop exceed-action drop violate-action drop
 class class-default
  police 1048000 131072 131072 conform-action transmit exceed-action drop violate-action drop
policy-map Policy_Inbound
 class class-default
  police 1048000 131072 131072 conform-action transmit exceed-action drop violate-action drop
interface FastEthernet0/1
 service-policy input Policy_Inbound
 service-policy output Policy_NBAR
Daniel
05-09-2007 03:36 PM
OK let me try that one too. Just a minute.
05-09-2007 03:48 PM
I can see the conformed packets increment and the action to drop, but still the website can pass through. I already tried setting a DSCP value of 1 a while ago and dropping all output packets using an access-list matching a value of 1 in DSCP. I'm losing hope right now. By the way, it's a 2600 router.
05-09-2007 03:54 PM
Can you change:
class-map match-any Class_NBAR
to:
class-map match-all Class_NBAR
and check again?
05-09-2007 03:58 PM
The match-all will require matching all match statements, which will not work unless you remove all the other match commands.
I ran into this same problem for gnutella and BitTorrent. I got with Cisco and pretty much got nowhere with it. Your best bet for now may be to just block their ranges or get more clever with what you want to match to try to block it.
Daniel
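To make the match-any versus match-all point concrete, here is an added Python model (not from the thread, not Cisco code) that evaluates the thread's Class_NBAR class-map against a few constructed flows. It assumes NBAR assigns exactly one protocol per flow and that the URL pattern is a glob where `*` matches any run of characters and `?` one character; the flows, the `Flow`/`Match`/`ClassMap` names and the `dropped` helper are all constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import List


@dataclass
class Flow:
    """One classified conversation. Assumption: NBAR gives a flow exactly one protocol."""
    protocol: str          # e.g. "http", "bittorrent", "rtp"
    url: str = ""          # HTTP request URL (only seen in the client-to-server request)
    rtp_type: str = ""     # "audio" or "video" for RTP flows


@dataclass
class Match:
    """One 'match protocol ...' line of a class-map."""
    protocol: str
    arg: str = ""          # URL glob for http, stream type for rtp, empty otherwise


def glob_to_regex(pattern: str) -> "re.Pattern[str]":
    # Assumption: '*' = any run of characters, '?' = one character, rest literal.
    parts = [".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern]
    return re.compile("^" + "".join(parts) + "$")


def statement_matches(m: Match, flow: Flow) -> bool:
    """Does a single match statement apply to this flow?"""
    if m.protocol != flow.protocol:
        return False
    if m.protocol == "http" and m.arg:
        return glob_to_regex(m.arg).match(flow.url) is not None
    if m.protocol == "rtp" and m.arg:
        return flow.rtp_type == m.arg
    return True


@dataclass
class ClassMap:
    name: str
    mode: str              # "match-any" or "match-all"
    matches: List[Match]

    def classify(self, flow: Flow) -> bool:
        results = [statement_matches(m, flow) for m in self.matches]
        # match-any: a flow enters the class if any line matches; match-all: every line must match.
        return any(results) if self.mode == "match-any" else all(results)


def class_nbar(mode: str) -> ClassMap:
    """The Class_NBAR class-map from the thread, built in either mode."""
    return ClassMap("Class_NBAR", mode, [
        Match("bittorrent"), Match("gnutella"), Match("kazaa2"), Match("gopher"),
        Match("napster"), Match("rtp", "video"), Match("http", "*.youtube.com*"),
    ])


# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    Flow("http", url="http://www.youtube.com/watch?v=abc"),
    Flow("http", url="http://www.example.com/index.html"),
    Flow("bittorrent"),
    Flow("rtp", rtp_type="audio"),
    Flow("rtp", rtp_type="video"),
]


def dropped(mode: str, flows=SAMPLE_FLOWS) -> List[bool]:
    """Which sample flows fall into Class_NBAR (and so hit its drop action) in the given mode."""
    cm = class_nbar(mode)
    return [cm.classify(f) for f in flows]


if __name__ == "__main__":
    for mode in ("match-any", "match-all"):
        print(mode, dropped(mode))
```

With seven protocol lines and one protocol per flow, `match-all` can never be satisfied, so the class catches nothing; `match-any` catches the YouTube request, the BitTorrent flow and the RTP video flow. Trimming the class-map to the single `http url` line makes `match-all` behave like `match-any` for that one statement, which is the "unless you remove all the other match commands" case above.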
05-09-2007 04:11 PM
My bad. I couldn't find a "delete" option once I posted it.
Where is fa0/1 connected to?
05-09-2007 04:37 PM
Fa0/1 is connected to inside network and Fa0/0 is the one facing the internet.
05-09-2007 04:52 PM
Shouldn't that be applied on the outbound interface?
05-09-2007 05:19 PM
I applied it on Fa0/1 as service-policy output. I already tried to apply it in all directions but still the same. I can still access youtube.com.