
Blocking Youtube

Unanswered Question
Apr 2nd, 2012

Hi,


I'm trying to block this site (youtube.com) for the LAN users. I found an option in the class-map configuration that seems to allow me to do this, but it's not working. The configuration is below:


class-map Youtube-Class
 match protocol youtube

policy-map NoYoutube-Policy
 class Youtube-class
  drop

interface g0/0.10
 !-- Omitted --
 service-policy output NoYoutube-Policy
 service-policy input NoYoutube-Policy


I guess it should be necessary to set the policy only in one way but since that wasn't working I tried both.

Am I missing something? Or is the "match protocol youtube" command intended for other purposes?


By the way, I'm using a router as specified:

    • Model CISCO2921/K9.
    • No additional license installed.
    • System image: c2900-universalk9-mz.SPA.151-4.M2.bin


Thanks

Overall Rating: 3 (2 ratings)
Ricardo Munioz ... Mon, 04/02/2012 - 08:40

JIC: there are some Uppercase/Lowercase mistakes in the previous post, but it is correctly configured in the router.

paolo bevilacqua Mon, 04/02/2012 - 14:00

Just use an ACL and that will make it easier.

Vasileios Boulo... Mon, 04/02/2012 - 14:21

Hi Ricardo,


It is better to apply the policies to the interface that your users are using as their default gateway.

With these policies you are using NBAR.

In order to be sure that the NBAR works fine just configure the ip nbar protocol-discovery under the interface.

This will enable nbar discovery on your router.

If you use the next command "show ip nbar protocol-discovery stats bit-rate top-n 10" it will show you the top 10 bandwidth-eating applications. (Just be careful with the nbar command, since it may increase the CPU/memory needs of the router.)


In this way you can see if youtube appears in the list and then block/restrict traffic with an appropriate QoS policy.


If this does not work, I do not think that the ACL could work since ACL also uses NBAR to match youtube traffic.


Hope that helps!

Vasilis

paolo bevilacqua Mon, 04/02/2012 - 14:28

I meant an IP address ACL.


OP can let us know later his luck with other methods.

Ricardo Munioz ... Mon, 04/02/2012 - 23:08

Thanks to all for the replies.

        1. I think using an IP address ACL is not possible because, as far as I know, youtube shares the same IP address range with google and maybe even gmail, which must remain allowed.
        2. I am applying the policy-map to the default gateway interface.
          • I saw in another post that NBAR doesn't work when applied to subinterfaces. I tried that on a 2911 and it displayed an error to confirm it; with the 2921, however, there was no error message. Even so, I used the suggested workaround, which was using the NBAR policy as a child inside a parent policy.
          • I used the "show policy-map interface g0/0.10" command and there were some matches for the Youtube-Class class-map at the input.
          • Besides, I noticed that sometimes youtube was blocked (while other sites remained open) but sometimes it was still accessible without any changes.
        3. Anyway, I'll try as Basileios says and see how it works.
        4. Paolo, you pointed out that you meant an IP address ACL... just out of curiosity, is there another kind of ACL besides IP and MAC (those are all I know)?
        5. And finally... could somebody explain to me how the "match protocol youtube" command works?
          • As far as I know, youtube doesn't use any particular protocol other than HTTP.
          • Is there a difference between using "match protocol youtube" and a combination of "match protocol http" with a filter on the URL *.youtube.com?
          • I ask this because that second one is what I was using before, until I noticed that accessing youtube was still possible just by changing the "http" protocol to "https" in the browser window. And the same thing happens when using the "match protocol youtube" command: sometimes it blocks "http://www.youtube.com/..." but it never blocks "https://www.youtube.com/".

Would this be easier with an ASA firewall? Maybe I'm just trying to set up a feature in the wrong device. Would it be possible to filter specific DNS queries (just for some users while others still have access)?


Thanks for all your help.

jamiegrive Mon, 04/02/2012 - 23:18

Does NBAR actually block the site? I would expect it only to block the video content apps. There is probably a much easier way to simply block the domain name. But then I suppose the NBAR would also pick up on other sites with embedded YouTube vids which might not match the domain filter.


Sent from Cisco Technical Support iPhone App

sean_evershed Tue, 04/03/2012 - 00:32

Hi,

Using an ASA to block https://www.youtube.com is not going to solve the problem. An ASA is unable to inspect encrypted traffic.


One alternative is to use a site like whois to find out all the IP addresses used by Youtube. Then write an ACL to block all these IP addresses. This will also block HTTPS traffic. However this can be a big task if Youtube keep registering new addresses for their site.


The simplest solution would be to install a proxy server. Direct all Internet traffic through this server. Then create a rule on this server to block Youtube.


Cheers

Sean
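The IP-address ACL approach suggested above, together with the concern raised earlier in the thread that some ranges are shared with services that must stay reachable, can be scripted. This is an added example, not code from any poster: the ACL name `BLOCK-VIDEO` is hypothetical and the prefixes are constructed RFC 5737 documentation ranges standing in for whatever a whois lookup returns.

```python
import ipaddress

def build_block_acl(block, keep, name="BLOCK-VIDEO"):
    """Return (acl_lines, skipped) for an IOS extended ACL.

    block: CIDR strings to deny; keep: CIDR strings that must stay reachable.
    A prefix that overlaps any 'keep' range is skipped and reported for
    manual review instead of being denied.
    """
    keep_nets = [ipaddress.ip_network(k) for k in keep]
    # Merge adjacent or overlapping prefixes so the ACL stays short.
    merged = ipaddress.collapse_addresses(ipaddress.ip_network(b) for b in block)
    lines, skipped = [f"ip access-list extended {name}"], []
    for net in merged:
        clash = [str(k) for k in keep_nets if net.overlaps(k)]
        if clash:
            skipped.append((str(net), clash))
            continue
        # IOS ACLs take a wildcard (inverse) mask, which is the hostmask.
        lines.append(f" deny ip any {net.network_address} {net.hostmask}")
    # Everything not explicitly denied stays allowed.
    lines.append(" permit ip any any")
    return lines, skipped

# Constructed sample data (documentation ranges, not real provider prefixes).
BLOCK = ["192.0.2.0/25", "192.0.2.128/25", "198.51.100.0/24", "203.0.113.0/24"]
KEEP = ["203.0.113.64/26"]  # stands in for a shared service that must remain allowed

if __name__ == "__main__":
    acl, skipped = build_block_acl(BLOCK, KEEP)
    print("\n".join(acl))
    for net, clash in skipped:
        print(f"! skipped {net}: overlaps allowed {', '.join(clash)}")
```

Because the match is on destination address rather than payload, the resulting entries apply to HTTP and HTTPS alike; the skipped list shows where a prefix cannot be denied without also cutting off an allowed service.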
