Showing results for 
Search instead for 
Did you mean: 

Blocking Youtube


I'm trying to block this site ( for the LAN users. I found an option in the class-map configuration that seems to allow me to do this but it's not working. the configuration is below:

class-map Youtube-Class

match protocol youtube

policy-map NoYoutube-Policy

class Youtube-class


interface g0/0.10

!-- Ommited--

service-policy output NoYoutube-Policy

service-policy input NoYoutube-Policy

I guess it should be necessary to set the policy only in one way but since that wasn't working I tried both.

Am I missing something? or the "match protocol youtube" command is intended for other purposes.

By the way, I'm using a router as specified:

    • Model CISCO2921/K9.
    • No additional license installed.
    • System image: c2900-universalk9-mz.SPA.151-4.M2.bin



JIC: there are some Uppercase/Lowercase mistakes in the previous post, but it is correctly configured in the router.


Just use an ACL and that will make it easier.


Hi Ricardo,

It is better to apply the policies to the interface that your users are using as their default gateway.

With this policies you are using NBAR.

In order to be sure that the NBAR works fine just configure the ip nbar protocol-discovery under the interface.

This will enable nbar discovery on your router.

If you use the next command "show ip nbar protocol-discovery stats bit-rate top-n 10" it will show you the top 10

bandwidth-eating applications . (just attention with nbar command since may increase the CPU/Memory needs of the router)

In this way you can see if the youtube appears in the list and then to block/restrict traffic with appropriate QoS policy.

If this does not work, I do not think that the ACL could work since ACL also uses NBAR to match youtube traffic.

Hope that helps!



I meant an IP address ACL.

OP can let us know later his luck with other methods.


Thanks to all for te replies.

        1. I think using an IP address ACL is not possible because as far as I know, youtube shares the same IP address range with google and may be even gmail, which must remain allowed.
        2. I am applying the policy-map to the default gateway interface.
          • I saw in other post that NBAR doesn't work when applied to subinterfaces, I tried that in a 2911 and it displayed an error to confirm it, with the 2921 however, there was no error message, even so I used the workaround suggested that was using the NBAR policy as a child inside a Parent policy.
          • I used the "show policy-map interface g0/0.10" command and there was some matches for the Youtube-Class class-map at the input.
          • Besides I noticed that sometimes, youtube was blocked (while other sites remain open) but sometimes it was still accessible without any changes.
        3. Any way, I'll try as Basileios says, see how it works.
        4. Paolo, you pointed out that you meant an IP address ACL... just for curiosity, is there another kind of ACL besides IP and MAC (those are all I know).
        5. And finally... could somebody explain to me how the "mathc protocol youtube" command works?
          • As far as I know, youtube doesn't use any particular protocol other than HTTP.
          • Is there a difference between using "match protocol youtube" and a combination of "match protocol http" with a filter on the URL *
          • I ask this because that second one is what I was using before, until I noticed that accesing youtube was still possible just by changing the "http" protocol to "https" in the browser window. And the same thing happens when using the "match protocol youtube" command, sometimes it blocks "http://" but it never blocks "".

Would this be easier with an ASA firewall? may be I'm just trying to setup a feature in the wrong device. Would it be possible to filter specific DNS queries? (just for some users while others still have access)

Thanks for all your help.


Does NBAR actually block the site? I would expect it only to block the video content apps. There is probably a much easier way to simply block the domain name. But then I suppose the NBAR would also pick up on other sites with embedded YouTube vids which might not match the domain filter.

Sent from Cisco Technical Support iPhone App



Using an ASA to block is not going to solve the problem. An ASA is unable to inspect encrypted traffic.

One alternative is to use a site like whois to find out all the IP addresses used by Youtube. Then write an ACL to block all these IP addresses. This will also block HTTPS traffic. However this can be a big task if Youtube keep registering new addresses for their site.

The simplest solution would be to install a proxy server. Direct all Internet traffic through this server. Then create a rule on this server to block Youtube.