I'm trying to block this site (youtube.com) for the LAN users. I found an option in the class-map configuration that seems to allow me to do this, but it's not working. The configuration is below:
match protocol youtube
service-policy output NoYoutube-Policy
service-policy input NoYoutube-Policy
I guess it should be necessary to set the policy only in one way but since that wasn't working I tried both.
Am I missing something? Or is the "match protocol youtube" command intended for other purposes?
By the way, I'm using a router as specified:
It is better to apply the policies to the interface that your users are using as their default gateway.
With these policies you are using NBAR.
To be sure that NBAR works fine, just configure ip nbar protocol-discovery under the interface.
This will enable NBAR discovery on your router.
If you use the next command, "show ip nbar protocol-discovery stats bit-rate top-n 10", it will show you the top 10 bandwidth-eating applications. (Just be careful with the NBAR command, since it may increase the CPU/memory needs of the router.)
In this way you can see if YouTube appears in the list and then block/restrict the traffic with an appropriate QoS policy.
If this does not work, I do not think that the ACL could work since ACL also uses NBAR to match youtube traffic.
Hope that helps!
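The steps from the reply above, put together as an added example that is not part of the original posts. The interface name GigabitEthernet0/1 (standing in for the LAN interface that is the users' default gateway) and the class-map name YOUTUBE-CLASS are assumptions; NoYoutube-Policy and the two NBAR commands are taken from the thread.

```cisco
! Added example, not configuration from the thread.
! Assumed: GigabitEthernet0/1 is the LAN interface used as the default gateway.
! Assumed: YOUTUBE-CLASS is a hypothetical class-map name.
configure terminal
!
! Step 1: enable NBAR protocol discovery on the LAN interface so the router
! reports which protocols it actually recognises in the users' traffic.
interface GigabitEthernet0/1
 ip nbar protocol-discovery
!
! Step 2: classify the traffic with the match statement from the question.
class-map match-any YOUTUBE-CLASS
 match protocol youtube
!
! Step 3: drop everything that falls into that class.
policy-map NoYoutube-Policy
 class YOUTUBE-CLASS
  drop
!
! Step 4: attach the policy once, inbound on the LAN interface, so traffic
! coming from the users is classified as it enters the router.
interface GigabitEthernet0/1
 service-policy input NoYoutube-Policy
end
!
! Verification: check whether youtube appears among the discovered protocols.
! If it never appears here, the class above has nothing to match.
show ip nbar protocol-discovery stats bit-rate top-n 10
!
! Verification: per-class packet counters for the attached policy. Counters
! that stay at zero for YOUTUBE-CLASS mean NBAR is not classifying the traffic.
show policy-map interface GigabitEthernet0/1
```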
Thanks to all for the replies.
Would this be easier with an ASA firewall? Maybe I'm just trying to set up a feature on the wrong device. Would it be possible to filter specific DNS queries? (Just for some users, while others still have access.)
Thanks for all your help.
Does NBAR actually block the site? I would expect it only to block the video content apps. There is probably a much easier way to simply block the domain name. But then I suppose the NBAR would also pick up on other sites with embedded YouTube vids which might not match the domain filter.
Using an ASA to block https://www.youtube.com is not going to solve the problem. An ASA is unable to inspect encrypted traffic.
One alternative is to use a site like whois to find out all the IP addresses used by Youtube. Then write an ACL to block all these IP addresses. This will also block HTTPS traffic. However, this can be a big task if Youtube keeps registering new addresses for their site.
The simplest solution would be to install a proxy server. Direct all Internet traffic through this server. Then create a rule on this server to block Youtube.