Filtering youtube with class-map statement

tomocisco
Level 1

Hi everybody,

Please can someone help me with this?

I wanted to block users in my company network from visiting social networking sites like facebook, youtube etc. I used the configuration below:

(config)# class-map match-any SOCIAL-NET
(config-cmap)# match protocol http host www.facebook.com
(config-cmap)# match protocol http host www.youtube.com
(config-cmap)# match protocol http host www.hi5.com
(config-cmap)# match protocol http host www.twitter.com
(config-cmap)# match protocol http host twitter.com
(config-cmap)# exit
(config)# policy-map DROP-SOCIAL-NET
(config-pmap)# class SOCIAL-NET
(config-pmap-c)# drop
(config-pmap-c)# exit
(config-pmap)# exit
(config)# int f0/0
(config-if)# service-policy output DROP-SOCIAL-NET

When I applied this, it was successful in blocking these sites.

But I discovered that it appeared to be blocking www.yahoomail.com, thereby making it difficult for users to check their emails on yahoo mail. What could be the reason for this and how can it be solved?

I also tried blocking skype by adding:

(config-cmap)# match protocol skype

But it doesn't appear to be effective with skype.

Can someone throw light on this for me?

Thanks in anticipation

Tom

1 Accepted Solution


5 Replies

cadet alain
VIP Alumni

Hi,

Are you sure it is this policy-map which is blocking yahoo? How can you ascertain this?

If this is the case, one workaround would be doing a class-map for yahoo without any action in the policy-map, and match that class first and see if it doesn't affect the other class.

Regards.

Alain.

Don't forget to rate helpful posts.

Hi,

I feel this policy-map may be blocking yahoo because if I remove one of the lines using this statement:

(config-cmap)# no match protocol http host www.youtube.com

Yahoo mail will be fine. But once I put it back, the problem will start.

Please can you show me how to do a class-map for yahoo without any action in the policy-map and how to apply it? Write the config statement for me to implement and see the effect.

Thanks for your response.

Tom

Hi,

Could you try modifying your match statements from host www.youtube.com to host "*.youtube.com*"?

Do the same for all statements and let us know.

Regards.

Alain.

Don't forget to rate helpful posts.

Hi,

Actually, I have tried that but it didn't solve the problem. Instead I noticed that when I used host "twitter.com", users can still access www.twitter.com (i.e. if they type www.twitter.com in their browser, they will access it, but if they type twitter.com, it will be dropped). I don't know why it's so.

Please what's the difference between match protocol http host www.youtube.com and match protocol http url www.youtube.com?

Do you think it will make any difference if I use url instead of host statement?

Right now, I removed the match protocol http host www.youtube.com so that our users can access their yahoo mail, but this also means accessing youtube, which we are trying to avoid.

Does policy-map slow down the network like access-list? I include below the sho run of my router:

Router#sho run
Building configuration...

Current configuration : 3506 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 15000
enable secret 5 $1$I8vA$J5s8ilJ.24F5mUmJEBPu3.
!
no aaa new-model
clock timezone utc+1 1
dot11 syslog
ip source-route
!
!
!
!
ip cef
ip name-server 41.x.x.x
ip name-server 41.y.y.y
ip name-server 77.x.x.x
ip name-server 77.x.x.x
ip name-server 192.t.t.t
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-3923821603
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3923821603
 revocation-check none
 rsakeypair TP-self-signed-3923821603
!
!
crypto pki certificate chain TP-self-signed-3923821603
 certificate self-signed 01


  quit
!
!
username admin privilege 15 secret 5 $1$kvqa$wjl8NWH7GrC/fstborhbA.
archive
 log config
  hidekeys
!
!
!
class-map match-any SOCIAL-NET
 match protocol http host "www.facebook.com"
 match protocol http host "www.youtube.com"
 match protocol http host "www.hi5.com"
 match protocol http host "www.twitter.com"
 match protocol http host "twitter.com"
!
!
policy-map DROP-SOCIAL-NET
 class SOCIAL-NET
   drop
!
!
!
!
interface FastEthernet0/0
 ip address 192.t.t.t 255.255.255.0
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 41.x.x.x 255.255.255.0
 ip nbar protocol-discovery
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 service-policy output DROP-SOCIAL-NET
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 41.x.d.x
!
ip http server
ip http secure-server
ip flow-top-talkers
 top 20
 sort-by bytes
 cache-timeout 900000
!
ip nat pool internet 41.x.x.x 41.x.x.x netmask 255.255.255.0
ip nat inside source list 10 pool internet overload
!
access-list 10 permit 192.x.0.0 0.0.0.255
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 password 7 045802150C2E
 login
 transport input telnet ssh
line vty 5 807
 password 7 01100F175804
 login
 transport input telnet ssh
!
scheduler allocate 20000 1000
end

Router#

Thank you.

Tom

Hi,

Please what's the difference between match protocol http host www.youtube.com and match protocol http url www.youtube.com?

Do you think it will make any difference if I use url instead of host statement?

Yes, there is a difference between the 2, but it is host "*.youtube.com*", note the asterisks! But you could use the url command with www.youtube.com and it should work.

I don't think with such a policy-map you will slow down performance of your router, but as you're using NBAR then yes, it will consume memory and CPU, but you have to test if your router supports this without impairing its primary use, which is forwarding packets.

Alain.

Don't forget to rate helpful posts.
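The host-matching behaviour this thread circles around, as an added Python model that is neither Cisco's matcher nor either poster's configuration; it assumes a host pattern must cover the whole Host value with `*` and `?` as wildcards (consistent with the observation above that host "twitter.com" dropped twitter.com but not www.twitter.com), and all sample host names are constructed:

```python
import re

# Added model of NBAR-style "match protocol http host" patterns; it is not
# Cisco's code. Assumption (consistent with the thread: host "twitter.com"
# dropped twitter.com but not www.twitter.com): a pattern must cover the
# whole Host value, '*' matches any run of characters and '?' exactly one.


def host_pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Compile one host pattern into a regex used with fullmatch()."""
    parts = []
    for ch in pattern.strip('"'):        # IOS shows the patterns quoted
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE)


def class_matches(patterns, host: str) -> bool:
    """match-any semantics: the class hits if any pattern covers the host."""
    return any(host_pattern_to_regex(p).fullmatch(host) for p in patterns)


# The thread's exact class-map, Alain's "*.site.com*" form, and a broader
# "*site.com*" form that also covers the bare apex name.
EXACT_SOCIAL_NET = ["www.facebook.com", "www.youtube.com", "twitter.com"]
WILDCARD_SOCIAL_NET = ["*.facebook.com*", "*.youtube.com*", "*.twitter.com*"]
BROAD_SOCIAL_NET = ["*facebook.com*", "*youtube.com*", "*twitter.com*"]

# Constructed sample Host header values, not captured traffic.
SAMPLE_HOSTS = [
    "www.youtube.com",
    "www.twitter.com",   # slipped past the exact class-map in the thread
    "twitter.com",
    "m.youtube.com",
    "youtube.com",       # bare apex: "*.youtube.com*" does not cover it
    "notyoutube.com",    # unrelated name that "*youtube.com*" over-matches
    "mail.yahoo.com",    # must never be dropped
]


def dropped_hosts(patterns, hosts=SAMPLE_HOSTS):
    """Return the hosts a drop policy built on `patterns` would block."""
    return [h for h in hosts if class_matches(patterns, h)]
```

The exact form drops only names typed verbatim, the "*.site.com*" form misses the bare apex, and the broader form reaches unrelated names, so verify the pattern set against the hit counters in show policy-map interface before relying on it.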