Block Youtube.com

Hi,

I'm trying to block youtube.com using NBAR. I can see on the show policy-map interface that it matches the class-map but the router won't drop the packet. Here's my config.

class-map match-any Class_NBAR
 match protocol bittorrent
 match protocol gnutella
 match protocol kazaa2
 match protocol gopher
 match protocol napster
 match protocol rtp video
 match protocol http url "*.youtube.com*"

policy-map Policy_NBAR
 class Class_NBAR
  drop

interface FastEthernet0/1
 ip nbar protocol-discovery
 service-policy output Policy_NBAR

Is this a correct configuration? Thanks.

Regards,

John

16 REPLIES

Re: Block Youtube.com

You need to enable Cisco Express Forwarding (CEF) in order to use Network-Based Application Recognition (NBAR).

Could you check if it is enabled?

Re: Block Youtube.com

Thanks for the reply. Yes, it is enabled.

Re: Block Youtube.com

It might be easier to do this with an ACL if YouTube only uses their registered IPs. You can go to www.arin.net and find all of YouTube's ranges and block those.

NBAR has been hit and miss for me for certain applications. I also found that just using the drop command wasn't always successful either. Try using the police statement instead and set all the actions to drop; that might work for you.

Daniel

Re: Block Youtube.com

Ok. I'll try the police command. Give me a minute. Thanks.

Re: Block Youtube.com

I forgot to post this: I am also using the rate-limit command on the interface.

rate-limit input 1048000 131072 131072 conform-action transmit exceed-action drop
rate-limit output 1048000 131072 131072 conform-action transmit exceed-action drop

Re: Block Youtube.com

You can move your interface rate limiting to the MQC policy.

policy-map Policy_NBAR
 class Class_NBAR
  police 8000 conform-ac drop exceed-act drop violate-act drop
 class class-default
  police 1048000 131072 131072 conform-action transmit exceed-action drop violate-action drop

policy-map Policy_Inbound
 class class-default
  police 1048000 131072 131072 conform-action transmit exceed-action drop violate-action drop

int fa 0/1
 service-policy input Policy_Inbound
 service-policy output Policy_NBAR

Daniel

Re: Block Youtube.com

OK let me try that one too. Just a minute.

Re: Block Youtube.com

I can see the conformed packets increment and the action to drop, but the website can still pass through. I already tried setting a DSCP value of 1 a while ago and dropping all output packets using an access-list matching a value of 1 in DSCP. I'm losing hope right now. By the way, it's a 2600 router.

Re: Block Youtube.com

Can you change:

class-map match-any Class_NBAR

to:

class-map match-all Class_NBAR

and check again?

Re: Block Youtube.com

The match-all will require matching all match statements which will not work unless you remove all the other match commands.

I ran into this same problem for gnutella and bittorrent. I got with Cisco and pretty much got nowhere with it. Your best bet for now may be to just block their ranges or get more clever with what you want to match to try to block it.

Daniel

Re: Block Youtube.com

My bad. I couldn't find a "delete" option once I posted it.

Where is fa0/1 connected to?

Re: Block Youtube.com

Fa0/1 is connected to the inside network and Fa0/0 is the one facing the internet.

Re: Block Youtube.com

Shouldn't that be applied on the outbound interface?

Re: Block Youtube.com

I applied it on Fa0/1 as service-policy output. I already tried to apply it in all directions but still the same. I can still access youtube.com.

Re: Block Youtube.com

I tried to monitor the policy-map and there are very minimal packets. Do you guys have any other idea on how to do this except for using an ACL blocking the IP address of www.youtube.com?

Re: Block Youtube.com

Hi,

Can you try to block this range and then try?

208.65.152.0 - 208.65.155.255

Regards,
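
Added example, not part of any post in this thread: a Python helper that converts an address range written the way the last reply gives it into Cisco IOS extended ACL entries (CIDR aggregation plus wildcard masks), for the ACL approach suggested earlier. The ACL number 101, the closing permit line and the function names are assumptions made for illustration.

```python
import ipaddress


def parse_range(text):
    """Split 'a.b.c.d - e.f.g.h' into two IPv4Address objects."""
    first, sep, last = text.partition("-")
    if not sep:
        raise ValueError("expected 'first - last', got %r" % text)
    return (ipaddress.IPv4Address(first.strip()),
            ipaddress.IPv4Address(last.strip()))


def range_to_networks(text):
    """Collapse an inclusive range into the fewest CIDR blocks.

    summarize_address_range raises ValueError if first > last.
    """
    first, last = parse_range(text)
    return list(ipaddress.summarize_address_range(first, last))


def acl_lines(range_text, acl_number=101):
    """Build 'deny' entries for the range, then an explicit permit.

    acl_number=101 is an assumed extended ACL number; the final permit
    is there because an IOS ACL ends with an implicit deny.
    """
    lines = []
    for net in range_to_networks(range_text):
        if net.prefixlen == 32:
            dest = "host %s" % net.network_address
        else:
            # IOS ACLs take a wildcard (inverse) mask, not a netmask.
            dest = "%s %s" % (net.network_address, net.hostmask)
        lines.append("access-list %d deny ip any %s" % (acl_number, dest))
    lines.append("access-list %d permit ip any any" % acl_number)
    return lines


if __name__ == "__main__":
    # Range as posted in the reply above.
    for line in acl_lines("208.65.152.0 - 208.65.155.255"):
        print(line)
```

A range that does not fall on a CIDR boundary produces several deny lines, one per aggregated block.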
