03-12-2018 01:07 PM - edited 03-08-2019 02:13 PM
Hello, Hope someone can point me in the right direction here please.
I currently have a situation where I have a simple class-map and policy-map that uses NBAR IP protocol discovery (ipv4) along with a service-policy out on the WAN interface. Below is the config. The issue is that the protocol is filtered on the main LAN interface but not on the subinterface.
Loaded Protocol Pack(s): Name: Advanced Protocol Pack Version: 12.0 Publisher: Cisco Systems Inc. NBAR Engine Version: 20 State: Active
I cannot seem to figure this out. The end goal was to filter on one interface and not the other. I was going to move the service policy to the LAN subnet interface (172.16.x.x network); however, on doing so I discovered it didn't work anyhow.
class-map match-any P2P
 match protocol gnutella
 match protocol kazaa2
 match protocol edonkey
 match protocol fasttrack
 match protocol winmx
 match protocol encrypted-emule
 match protocol yahoo-mail
 match protocol youtube
!
policy-map BOCK-P2P
 class P2P
  drop
Here are the interfaces:
interface GigabitEthernet0/0/0
 description FIBER WAN TO 3850 SWITCH
 ip address dhcp
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 ip nbar protocol-discovery
 ip nat outside
 ip inspect CBAC-FIREWALL out
 ip virtual-reassembly in
 media-type sfp
 no cdp enable
 service-policy output BOCK-P2P
!
interface GigabitEthernet0/1
 description MAIN_LAN
 ip address 10.10.111.254 255.255.255.0
 ip access-group 125 in
 ip nat inside
 ip virtual-reassembly in
 duplex full
 speed 1000
!
interface GigabitEthernet0/1.1
 description VLAN 2 WIFI
 encapsulation dot1Q 2
 ip address 172.16.100.254 255.255.255.0
 ip access-group 110 in
 ip nat inside
 ip virtual-reassembly in
I am not sure if NBAR works on subinterfaces.
Any help would be greatly appreciated.
Joseph
03-16-2018 11:44 AM - edited 03-17-2018 09:59 AM
Ok, tried it and it failed until I added this line:
match protocol secure-http
It still makes it to the page but will not play the videos.
Added this:
MGR2911#sh class-map YOUTUBE
Class Map match-any YOUTUBE (id 3)
Match protocol http host "*youtube.com*"
Match protocol secure-http
Match protocol youtube
Match protocol http host "*googlevideo.com*"
Works great!
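What the accepted class-map actually catches is easier to see in a small simulation. The Python below is an added example, not part of this thread or a Cisco tool: it parses the show class-map output above, applies the match-any rule (a flow matches the class as soon as any one criterion matches; match-all would require every criterion) and reports which flows would hit the drop action. The flow records, their NBAR protocol labels and the host names are constructed for the example, and the host wildcard is approximated with fnmatch rather than NBAR's own matcher. One thing the simulation makes visible: because the class is match-any, the bare match protocol secure-http line matches every flow NBAR labels as HTTPS, so the drop applies to all HTTPS on that interface, not only YouTube.

```python
import fnmatch

# Constructed input: the accepted class-map, as "show class-map YOUTUBE"
# printed it in the thread.
YOUTUBE_CLASS = """\
Class Map match-any YOUTUBE (id 3)
Match protocol http host "*youtube.com*"
Match protocol secure-http
Match protocol youtube
Match protocol http host "*googlevideo.com*"
"""

# Constructed flows. "protocol" is the label NBAR would have assigned;
# the engine's own classification is assumed here, not reproduced.
FLOWS = [
    {"name": "youtube-web", "protocol": "http", "host": "www.youtube.com"},
    {"name": "video-cdn", "protocol": "http", "host": "r3---sn-abc.googlevideo.com"},
    {"name": "youtube-app", "protocol": "youtube"},
    {"name": "bank-tls", "protocol": "secure-http", "host": "online.example-bank.com"},
    {"name": "plain-web", "protocol": "http", "host": "www.example.com"},
]


def parse_class_map(text):
    """Return (mode, criteria) from show class-map text.

    mode is "match-any" or "match-all"; each criterion is a
    (protocol, host_glob_or_None) tuple.
    """
    lines = text.strip().splitlines()
    mode = lines[0].split()[2]          # "Class Map match-any NAME (id N)"
    criteria = []
    for line in lines[1:]:
        parts = line.split()             # Match protocol <proto> [host "<glob>"]
        proto = parts[2]
        host = None
        if len(parts) > 4 and parts[3] == "host":
            host = parts[4].strip('"')
        criteria.append((proto, host))
    return mode, criteria


def criterion_matches(criterion, flow):
    """One Match line against one flow: protocol must agree, and if the
    line carries a host glob the flow's host must fit it."""
    proto, host = criterion
    if flow["protocol"] != proto:
        return False
    if host is None:
        return True
    return fnmatch.fnmatchcase(flow.get("host", ""), host)


def classify(class_text, flow):
    """Return (matched, hit_criteria) for the class-map semantics:
    match-any needs one hit, match-all needs every criterion to hit."""
    mode, criteria = parse_class_map(class_text)
    hits = [c for c in criteria if criterion_matches(c, flow)]
    if mode == "match-any":
        return bool(hits), hits
    return len(hits) == len(criteria), hits


def dropped_flows(class_text, flows=FLOWS):
    """Names of the flows that would land in the class (and so be dropped)."""
    return [f["name"] for f in flows if classify(class_text, f)[0]]


if __name__ == "__main__":
    print("as accepted:", dropped_flows(YOUTUBE_CLASS))
    narrow = YOUTUBE_CLASS.replace("Match protocol secure-http\n", "")
    print("without secure-http:", dropped_flows(narrow))
```

Running it shows bank-tls dropped along with the YouTube flows; removing the secure-http line leaves only the flows that carry a YouTube host or the youtube protocol label. Whether the YouTube app's traffic is then still caught depends on what label NBAR gives it, which is exactly what the testing in this thread was about.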
03-12-2018 06:55 PM
03-12-2018 07:06 PM - edited 03-12-2018 07:07 PM
Hi, thanks for the reply,
Sorry for the missing version and equipment, I know better than that...
2911 (C2900-UNIVERSALK9-M), Version 15.5(3)M5
Yes, I did apply NBAR. Please see the posted configs: ip nbar protocol-discovery ipv4 is applied, and the service policy is on the WAN output interface GigabitEthernet0/0/0.
I mentioned in the post that it does not filter the matched protocols on the subinterface. For example, anything that is on that interface seems to bypass the applied service-policy, which in this case is g0/1.1.
The G0/1 subnet gets filtered.
Thank you
03-13-2018 05:05 AM
Hi
I don't have any 2900 right now, but I tested on another ISR and it works as expected.
Here is my config:
interface GigabitEthernet0/1.20
encapsulation dot1Q 20
ip address 10.239.20.1 255.255.255.0
service-policy output TEST
!
policy-map TEST
class NBAR
drop
!
class-map match-any NBAR
match protocol icmp
!
Here is the output of show policy-map int g0/1.20:
R1#sh policy-map interface gi0/1.20
GigabitEthernet0/1.20
Service-policy output: TEST
Class-map: NBAR (match-any)
2 packets, 236 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: protocol icmp
2 packets, 236 bytes
5 minute rate 0 bps
drop
Class-map: class-default (match-any)
0 packets, 0 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: any
You can see that the traffic is classified into the right class-map.
Can you share your full config please?
When you apply your policy-map, can you share the output of show policy-map interf g0/1.1?
Also, try with a simple class-map like mine (drop icmp) to validate that the policy is doing its job correctly.
Thanks
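A quick way to make the check Francesco asks for repeatable is to script it: parse the show policy-map interface counters and flag any drop class whose packet counter has not moved, which is exactly the symptom being chased on the subinterface. The Python below is an added example, not code from this thread or from Cisco. Its sample text is the gi0/1.20 output posted above, reused here as constructed input, and the line layout it assumes (a Class-map header, the class-level counter line, Match lines, then the action) follows that output; run it against the live output of the router under test.

```python
import re

# Constructed sample: the counters posted for gi0/1.20 above. In practice,
# feed in the live text of "show policy-map interface <intf>".
SAMPLE_OUTPUT = """\
GigabitEthernet0/1.20
Service-policy output: TEST
Class-map: NBAR (match-any)
2 packets, 236 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: protocol icmp
2 packets, 236 bytes
5 minute rate 0 bps
drop
Class-map: class-default (match-any)
0 packets, 0 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: any
"""

POLICY_RE = re.compile(r"^\s*Service-policy\s+(input|output):\s+(\S+)")
CLASS_RE = re.compile(r"^\s*Class-map:\s+(\S+)\s+\((match-any|match-all)\)")
COUNT_RE = re.compile(r"^\s*(\d+)\s+packets,\s+(\d+)\s+bytes")
MATCH_RE = re.compile(r"^\s*Match:\s+(.*)$")


def parse_policy_counters(text):
    """Parse show policy-map interface output.

    Returns {"policy": (direction, name), "classes": {name: info}} where
    info holds the class-level packet/byte counters, the Match lines and
    whether the class action is drop.
    """
    policy = None
    classes = {}
    current = None
    for line in text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            policy = (m.group(1), m.group(2))
            continue
        m = CLASS_RE.match(line)
        if m:
            current = {"mode": m.group(2), "packets": None, "bytes": None,
                       "matches": [], "drop": False}
            classes[m.group(1)] = current
            continue
        if current is None:
            continue
        m = COUNT_RE.match(line)
        if m and current["packets"] is None:
            # The first counter line after the Class-map header is the class
            # total; later ones belong to individual Match statements.
            current["packets"] = int(m.group(1))
            current["bytes"] = int(m.group(2))
            continue
        m = MATCH_RE.match(line)
        if m:
            current["matches"].append(m.group(1).strip())
            continue
        if line.strip() == "drop":
            current["drop"] = True
    return {"policy": policy, "classes": classes}


def idle_drop_classes(parsed):
    """Drop classes whose counters are still zero: traffic you expected to
    be dropped is not being classified into them on this interface."""
    return sorted(name for name, info in parsed["classes"].items()
                  if info["drop"] and not info["packets"])


if __name__ == "__main__":
    result = parse_policy_counters(SAMPLE_OUTPUT)
    for name, info in result["classes"].items():
        print(f"{name}: {info['packets']} packets, drop={info['drop']}, "
              f"matches={info['matches']}")
    print("idle drop classes:", idle_drop_classes(result))
```

Generate traffic that should match (a ping, for the icmp test class), capture the output twice, and compare: on an interface where the policy is working, the drop class's packet count rises between the two captures; an empty idle_drop_classes result on one interface and a non-empty one on another is the difference this thread is about.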
03-13-2018 06:05 AM - edited 03-13-2018 06:15 AM
Hello Francesco
Here is the complete config for this section:
class-map match-any P2P
 match protocol gnutella
 match protocol kazaa2
 match protocol edonkey
 match protocol fasttrack
 match protocol winmx
 match protocol encrypted-emule
 match protocol yahoo-mail
 match protocol youtube
!
policy-map BOCK-P2P
 class P2P
  drop
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 ip address dhcp
 ip access-group 100 in
 ip nbar protocol-discovery ipv4
 ip nat outside
 ip inspect CBAC-FIREWALL out
 ip virtual-reassembly in
 shutdown
 duplex auto
 speed auto
 no cdp enable
!
interface GigabitEthernet0/1
 description MAIN_LAN
 ip address 10.10.111.254 255.255.255.0
 ip access-group 125 in
 ip nat inside
 ip virtual-reassembly in
 duplex full
 speed 1000
!
interface GigabitEthernet0/1.1
 description VLAN 2 WIFI
 encapsulation dot1Q 2
 ip address 172.16.100.254 255.255.255.0
 ip access-group 110 in
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/1.7
 description RUCKUS VLANPOOL7
 encapsulation dot1Q 7
 ip address 192.168.7.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/1.8
 description RUCKUS VLANPOOL8
 encapsulation dot1Q 8
 ip address 192.168.8.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/1.9
 description RUCKUS VLANPOOL9
 encapsulation dot1Q 9
 ip address 192.168.9.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/2
 description ETHERNET WAN INTERFACE
 ip address dhcp
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 ip nbar protocol-discovery
 ip nat outside
 ip inspect CBAC-FIREWALL out
 ip virtual-reassembly in
 shutdown
 duplex auto
 speed auto
 no cdp enable
 service-policy output BOCK-P2P
!
interface GigabitEthernet0/0/0
 description FIBER WAN TO 3850 SWITCH
 ip address dhcp
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 ip nbar protocol-discovery ipv4
 ip nat outside
 ip inspect CBAC-FIREWALL out
 ip virtual-reassembly in
 media-type sfp
 no cdp enable
 service-policy output BOCK-P2P
As you can see, I didn't place the service policy on the subinterface directly. The result is that it should filter all LAN interfaces, and it doesn't; it filters just the non-subs. So I decided to put youtube in there to test if it blocks access to youtube.
1. If I am on subnet 10.10.111.0/24, it operates perfectly.
2. If I am on subnet 172.16.100.0/24, it does not filter and I CAN surf to youtube.
3. interface GigabitEthernet0/2 is shutdown.
I will create another class map and apply it as you suggested and see what happens. In the meantime, please let me know if you see any other issue with my config.
Thank you
Joseph
03-13-2018 08:36 AM
03-13-2018 04:41 PM
Hi Francesco
I tried removing the service policy from the WAN and placing it just on the subinterface, and all my mobile devices can access youtube and facebook. I have Samsung devices.
When I put the policy on the Main LAN interface, it stops the mobile devices and the PCs.
I was searching a bit today and saw a few posts that say NBAR doesn't work on VLANs and subinterfaces.
https://learningnetwork.cisco.com/thread/57835 (read a ways down)
Also ran into this today when experimenting:
MGR2911(config)#int g0/1
MGR2911(config-if)#ip nbar protocol-discovery ipv4
MGR2911(config-if)#ip nbar protocol-discovery ipv6
MGR2911(config-if)#service-policy output BOCK-P2P
Attaching service policy to main and sub-interface or tunnel and sub-interface in the same direction concurrently is not allowed
See the error note on the last line.
ICMP will most likely work, but in production it doesn't.
I am not sure if NBAR does work on subs. I cannot find a definitive answer.
Thank you
Joseph
03-14-2018 05:53 PM
03-14-2018 06:17 PM
Hello Francesco,
Thank you very much. I do have an update. I was doing more troubleshooting by moving the service policy between different interfaces to see the results. I am using the ability to access youtube on mobile devices, PCs and laptops as the test. Below are my findings.
Under this subinterface these are the results:
interface GigabitEthernet0/1.1
 description VLAN 2 WIFI
 encapsulation dot1Q 2
 ip address 172.16.100.254 255.255.255.0
 ip access-group 110 in
 ip nbar protocol-discovery
 ip nat inside
 ip virtual-reassembly in
 service-policy output BOCK-P2P
1. Will block PC and mobile device browsers only. Will not block the YouTube app.
2. You need to block these domains. I added them to an OpenDNS account that I own and nothing at all came through: youtube.com, googlevideo.com, ytimg.l.google.com, youtube.l.google.com, ytimg.com, youtu.be, l.google.com, s.ytimg.com
3. There is no option to match protocol for these. However, you would think that match protocol youtube would do the trick. Not so....
4. Adding the following has no effect on the app:
match protocol http url "youtube.l.google.com"
match protocol http url "googlevideo.com"
match protocol http url "ytimg.l.google.com"
match protocol http url "ytimg.com"
match protocol http url "s.ytimg.com"
match protocol http url "youtu.be"
match protocol http url "l.google.com"
So I would say that this does NOT work well on subinterfaces.
Under the main interface this is what I find:
interface GigabitEthernet0/1
 description MAIN_LAN
 ip address 10.10.111.254 255.255.255.0
 ip access-group 125 in
 ip nbar protocol-discovery ipv4
 ip nat inside
 ip virtual-reassembly in
 duplex full
 speed 1000
 service-policy output BOCK-P2P
1. It will block both PC and app, with the app visible on the tablet, but it will not play videos. The videos just spin and time out.
2. I still believe that these need to be blocked too for complete blockage. However, there is no way that I know of without DNS content filtering: youtube.com, googlevideo.com, ytimg.l.google.com, youtube.l.google.com, ytimg.com, youtu.be, l.google.com, s.ytimg.com
So yes and no, it works on subinterfaces for this model. However, it would be awesome if you could find something in the documents that says something about this model, the 2911.
Thank you
Joseph
03-15-2018 06:01 PM
03-16-2018 11:00 AM
Hello Francesco
Thanks for the update. I will try that and create the same policy map as you. I have a question though. Did you try the youtube app on a mobile device?