youtube blocking

Answered Question
Aug 4th, 2008

i m trying to block the youtube on my network. I have confiugred the following things on my internet router.


class-map match-any youtube

match protocol http url "*youtube*"

!

!

policy-map p2p

class youtube

drop


interface GigabitEthernet0/1

ip nbar protocol-discovery

service-policy input p2p.


But still users are able to open youtube.


I m gettin hitcount on policy but unable to drop the youtube traffic.


Class-map: youtube (match-any)

1736 packets, 1044139 bytes

5 minute offered rate 0 bps, drop rate 0 bps

Match: protocol http url "*youtube*"

1736 packets, 1044139 bytes

5 minute rate 0 bps

drop

Correct Answer by Pari Thiagasundaram about 8 years 6 months ago

Its been a while for me to have run into this. Let me take a stab at it.


Can you try the following instead of wildcard mask that you have used:


match protocol http host *youtube.com



! This would match anything in youtube.com like http://www.youtube.com or http://video.youtube.com





Correct Answer by Marwan ALshawi about 8 years 6 months ago

again look at this

When specifying a URL for classification, include only the portion of the URL that follows the www.hostname.domain in the match statement. For example, for the URL www.cisco.com/latest/whatsnew.html, include only /latest/whatsnew.html


so "cisco" as "youtube" in ur case

compair and try upon the rules and file

and should work


please, if helpful Rate

good luck

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4.6 (6 ratings)
Loading.
Marwan ALshawi Mon, 08/04/2008 - 19:46

When specifying a URL for classification, include only the portion of the URL that follows the www.hostname.domain in the match statement. For example, for the URL www.cisco.com/latest/whatsnew.html, include only /latest/whatsnew.html


Within NBAR, the match protocol http c-header-field command is used to specify that NBAR identify request messages (the "c" in the c-header-field portion of the command is for client). The match protocol http s-header-field command is used to specify response messages (the "s" in the s-header-field portion of the command is for server).


Examples


In the following example, any request message that contains "[email protected]" in the User-Agent, Referer, or From fields will be classified by NBAR. Typically, a term with a format similar to "[email protected]" would be found in the From header field of the HTTP request message.


match protocol http c-header-field "[email protected]"

In the following example, any request message that contains "http://www.cisco.com/routers" in the User-Agent, Referer, or From fields will be classified by NBAR. Typically, a term with a format similar to "http://www.cisco.com/routers" would be found in the Referer header field of the HTTP request message.


match protocol http c-header-field "http://www.cisco.com/routers"



and the source is as follow


http://www.cisco.com/en/US/docs/ios/12_4t/qos/configuration/guide/qsnbar1.html#wp1055866


please, Rate if helpful

and good luck

wasiimcisco Mon, 08/04/2008 - 20:27

thanks for the excellent explaination, but my question is that, why i m not able to block the desired keyword.


Nbar is enable on interface. particular keywrod exist in the the url. but still it is not working. what i m missing.

Correct Answer
Marwan ALshawi Mon, 08/04/2008 - 20:32

again look at this

When specifying a URL for classification, include only the portion of the URL that follows the www.hostname.domain in the match statement. For example, for the URL www.cisco.com/latest/whatsnew.html, include only /latest/whatsnew.html


so "cisco" as "youtube" in ur case

compair and try upon the rules and file

and should work


please, if helpful Rate

good luck

ror.sanjeev Tue, 09/02/2008 - 06:57

Hi..I have done same thing as:


class-map match-all test

match protocol http url "youtube"

!

!

policy-map test

class test

set ip dscp default


enable ip nbar protocol-discovery on Fa5/1/1


following are access-list applied on fa5/1/1

40 deny ip any any dscp default (105222matches)

50 permit ip any any log (868 matches)


But it blocks all the site not even youtube.I am unable to open any site like yahoo,google,rediff etc.


Please tell me..

Actions

This Discussion