
Block Video streaming

jeevan.koganti
Level 1

Can anyone tell me how to block video streaming on the LAN using Cisco routers? What are all the ports required exactly so that video streaming does not work on any website? It should block everything, like YouTube streaming, Facebook videos, Skype video calls, Yahoo video calls, etc.

Please let me know, it's urgent.

4 Replies

Sandeep Choudhary
VIP Alumni

Hi Jeevan,

Maybe it helps.

Using ACLs is actually the hard way, but you can use them if you want. For example, open up your command prompt and type nslookup www.myspace.com. A list with several IP addresses will come up; you need to block traffic to and from them using an ACL. To make things worse, do nslookup myspace.com and a different list will come up; those also need to be blocked. The same applies to Facebook, for example.

So my suggestion is to use Quality of Service. You need to identify what your main office applications are, together with their port numbers, and put those in a class with, let's say, 90% of the BW, and the web traffic (ports 80 and 8080) in a separate class with minimal BW. That way you have minimized the web problem forever without worrying, because if users stop using MySpace they will use Facebook, and if they stop using Facebook they can use online streaming, etc. However, this requires some design considerations.

Example for using the ACL:

R1(config)#ip access-list extended BLOCK

R1(config-ext-nacl)#deny ip host 216.178.38.131 any

R1(config-ext-nacl)#deny ip any host 216.178.38.131

R1(config-ext-nacl)#deny ip host 216.178.39.14 any

R1(config-ext-nacl)#deny ip any host 216.178.39.14

(Insert all the IP addresses here.)

R1(config-ext-nacl)#permit ip any any

(Don't forget this.)

R1(config-if)#ip access-group BLOCK in

(Apply this ACL to your LAN interface.)

R1(config-if)#ip access-group BLOCK out

You need a router to apply this access list.

Check this link too: http://www.ciscoblog.com/archives/2006/11/throttling_band.html

Regards

Please rate if it helps.

Hi Sandeep,

We have limited infrastructure with Cisco 871 routers and 2950 switches.

I need to block complete video streaming for all the sites.

I cannot go for QoS as there is no budget. The only way is to find and block the ports on the router using an ACL.

Let me know if this is possible or any other source.

Regards,

Jeevan.

nicolas herrera
Level 1

I'm going to answer to myself because I'm going to forget how to do it.

1. Use nslookup with a site, like "www.site.com", and the mobile version, "m.site.com".

2. Create a standard ACL and deny those IP addresses; as the last sentence I use "100000 permit ANY".

3. Apply this ACL to an interface and you are ready.

There's an issue with your, and @Sandeep Choudhary's, ACL approach, as it would block all traffic from an IP. The OP's question was to block just video streaming.

Blocking just video streams might be accomplished if they can be recognized as such, but that can be hit or miss, even using something like NBAR.  Additionally, so much today is encrypted, it might not be possible to even actually identify an active video stream.

Another approach is to put in place bandwidth caps so something like video, especially HD video, cannot consume all your Internet bandwidth. I.e., don't totally block video streaming, but (mostly) ensure it's not disruptive to concurrent non-video traffic.

At one company I worked at, we wanted to provide priority treatment for VoIP traffic, but the question was how to ensure someone didn't abuse the VoIP ToS markings. Classically, you need to verify the sender or the traffic attributes to ensure the traffic is really VoIP, but we found it easier to limit an edge port to 150 Kbps for such traffic. If a user wanted to send FTP using DSCP EF, they could, but they were capped at 150 Kbps (which, as an aggregate, would also apply, concurrently, to any real VoIP traffic from their port too).

The OP later notes they don't have a budget for QoS, which is unclear, as QoS features were likely in the IOS being used on an 871, even back in 2012. I.e., CBWFQ and/or policers were probably supported.

How such an approach might be implemented could vary.
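One way the bandwidth-cap idea from the replies above could look in IOS MQC, as an added example that is not part of the thread: EF-marked traffic entering from the LAN is policed to the 150 Kbps figure quoted above, and web return traffic on the ports named earlier (80 and 8080) is policed where it arrives from the Internet. The class, policy and ACL names, the interface names and the 2 Mbps web rate are assumptions; confirm that your IOS image supports policing on the interfaces you pick.

```cisco
! Added example. All names, both interfaces and the web rate are
! placeholders chosen for illustration, not values from the thread.
!
! Web return traffic: downloads arrive FROM ports 80/8080 on the
! Internet side, so the ACL matches on the source port.
ip access-list extended WEB-RETURN
 permit tcp any eq 80 any
 permit tcp any eq 8080 any
!
class-map match-all EF-MARKED
 match ip dscp ef
class-map match-all WEB-RETURN
 match access-group name WEB-RETURN
!
! LAN side: anything marked DSCP EF, real VoIP or not, shares one
! 150 Kbps allowance. Marking other traffic EF gains nothing.
policy-map LAN-IN
 class EF-MARKED
  police 150000 conform-action transmit exceed-action drop
!
! WAN side: cap downloaded web traffic (video included) so it cannot
! fill the link. Traffic in no class falls into class-default, untouched.
policy-map WAN-IN
 class WEB-RETURN
  police 2000000 conform-action transmit exceed-action drop
!
interface Vlan1
 description LAN side (placeholder interface name)
 service-policy input LAN-IN
!
interface FastEthernet4
 description WAN side (placeholder interface name)
 service-policy input WAN-IN
```

`show policy-map interface` lists conformed and exceeded counters per class, which shows whether either cap is actually being hit. Applied to a shared LAN interface, the 150 Kbps limit is an aggregate for everything behind it, not a per-user limit.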
