How to block HTTPS sites using a Cisco router

edwarelsayegh
Level 1

I need to block some sites like Facebook and YouTube,

but they use HTTPS.

So how can I block them using a policy-map to match those sites?

I can match HTTP traffic only, but not HTTPS traffic.

Any solution?

Thanks

17 Replies

mattjones03
Level 1

Hi,

Using a policy map to achieve this may not be the best approach.

The ACL will require you to add all the subnets for the site/service you are trying to deny.

Have you considered deploying a proxy solution such as Squid? Really easy to deploy, and free to install if you have available hardware. Once installed you can deny based on the domain name.

Hello,

here is an example of how to block Facebook:

class-map match-all FACEBOOK
match protocol http host "www.facebook.com"
match protocol secure-http

Hello.

I implemented the code below:

class-map match-all restricted-sites
 match protocol http host "www.facebook.com"
 match protocol secure-http

policy-map PM-V&V-out
 class restricted-sites
  drop

interface Dialer 0
 service-policy output PM-V&V-out

 

but users are still able to open www.facebook.com.

Could you clarify?

What happens if you apply the service policy to the underlying physical interface, that is, the interface configured with 'dial-pool-number 1' ?

I implemented the following code on another C891F router connected to the provider by a cable modem in bridge mode.

class-map match-all restricted-sites
 match protocol http host "www.facebook.com"
 match protocol secure-http

policy-map PM-V&V-out
 class restricted-sites
  drop

interface GigabitEthernet 8
 service-policy output PM-V&V-out

Same results. Users connected via that router are still able to browse www.facebook.com.

Hello,

what is the output of:

show ip nbar protocol-discovery

It returned no output:

++++++++++

gate(config-pmap-c)#do show ip nbar protocol-discovery
gate(config-pmap-c)#

++++++++++

but config applied like this:

++++++++++

gate(config-pmap-c)#do sh runn class-map restricted-sites
Building configuration...

Current configuration : 120 bytes
!
class-map match-all restricted-sites
match protocol http host "www.facebook.com"
match protocol secure-http
!
end

gate(config-pmap-c)#do sh runn policy-map PM-V&V-out | s restricted-sites
class restricted-sites
drop

gate(config-pmap-c)#do sh runn int gi 8 | i PM-
service-policy output PM-V&V-out
gate(config-pmap-c)#

++++++++++

Hello,

check if you can manually enable NBAR on your GigabitEthernet8 interface:

interface GigabitEthernet8
 ip nbar protocol-discovery

 

Which IOS version are you running ?

Yep, you are right.

++++++++++++

gate(config-pmap-c)#do sh runn int gi8 | i nbar
gate(config-pmap-c)#
gate(config-pmap-c)#interface GigabitEthernet8
gate(config-if)#ip nbar protocol-discovery
gate(config-if)#do show ip nbar protocol-discovery

GigabitEthernet8

Last clearing of "show ip nbar protocol-discovery" counters 00:00:16

                            Input                    Output
                            -----                    ------
   Protocol                 Packet Count             Packet Count
                            Byte Count               Byte Count
                            5min Bit Rate (bps)      5min Bit Rate (bps)
                            5min Max Bit Rate (bps)  5min Max Bit Rate (bps)
   ------------------------ ------------------------ ------------------------
   ipv6inip                 380                      149
                            193144                   31974

++++++++++++

IOS:

++++++++++++

gate(config-if)#do sh ver | i IOS
Cisco IOS Software, C800 Software (C800-UNIVERSALK9-M), Version 15.4(3)M9, RELEASE SOFTWARE (fc1)
gate(config-if)#

++++++++++++

Even after this, clients going to the Internet via that router are able to reach www.facebook.com. They get an 'unsupported browser' alert, but they hit the site:

++++++++++++

# Update Your Browser | Facebook
REFRESH(0 sec): https://www.facebook.com/unsupportedbrowser?_fb_noscript=1
#Facebook alternate alternate

Update Your Browser

You're using a web browser that isn't supported by Facebook.
To get a better experience, go to one of these sites and get the latest version of your preferred browser:
Google Chrome
Mozilla Firefox
Get Facebook on Your Phone
Stay connected anytime, anywhere.

Hello,

if you don't apply the service policy, do your clients still get the same 'unsupported browser' page ?

yes.

I think they are getting the 'unsupported browser' alert because they are using the lynx browser, but I think it doesn't matter, because the policy is applied and as soon as somebody from the internal net is trying to reach www.facebook.com the router's NBAR has to catch this request and drop it. Right? So as a result clients will get something like "timeout", but they are getting the real page content.

 

Hello,

Facebook uses a lot of redirects. Change your class map slightly and see if it works:

class-map match-all restricted-sites
 match protocol http host "*.facebook.com"
 match protocol secure-http

or

class-map match-any restricted-sites
 match protocol http host "*.facebook.com"
 match protocol secure-http

 

Users can reach www.facebook.com using both configurations.

I applied the policy to the private interface (vlan10) in the outbound direction:

using this config:

gate(config-cmap)#policy-map PM-V&V-out
gate(config-pmap)#no class restricted-sites
gate(config-pmap)#policy-map restricted-sites4vlan10
gate(config-pmap)# class restricted-sites
gate(config-pmap-c)#  drop
gate(config-pmap-c)#int vlan 10
gate(config-if)#service-policy inp restricted-sites4vlan10
gate(config-if)#ip nbar protocol-discovery
gate(config-if)#

As a result:

Vlan10

Last clearing of "show ip nbar protocol-discovery" counters 00:02:50

                            Input                    Output
                            -----                    ------
   Protocol                 Packet Count             Packet Count
                            Byte Count               Byte Count
                            5min Bit Rate (bps)      5min Bit Rate (bps)
                            5min Max Bit Rate (bps)  5min Max Bit Rate (bps)
   ------------------------ ------------------------ ------------------------
   youtube                  576                      709
                            69922                    40391771
                            4000                     876000
                            4000                     876000
   ssl                      153                      249
                            16138                    7776438
                            1000                     188000

Users are still able to hit facebook.com :(

Hello Andriy,

the Cisco website lists the config below, but I don't think that will work either because of the HTTPS redirection.

class-map match-all facebook
 match protocol http host "*facebook.com"

A better option is probably to block the entire IP range used by Facebook, which is listed at the link below. Which country are you in ?

https://ipinfo.io/AS32934
