Comments on: Tutorial: How to use Cisco MQC & NBAR to filter websites like Youtube

By: Jack

Jack — Wed, 20 Jan 2010 18:50:08 +0000

nice read…is it possible to send me an example to block everything(streaming videos) but allowed youtube and some other video streaming website.

can this be done on nbar/qos.

ciao,
jr

By: class-map – match protocol http url command

class-map – match protocol http url command — Sat, 15 Aug 2009 04:13:18 +0000

[...] I have read this link from Arden, thanks Arden: http://ardenpackeer.com/qos-voip/tutorial-how-to-use-cisco-mqc-nbar-to-filter-websites-like-youtube/ [...]

By: Mesut Cap

Mesut Cap — Thu, 23 Jul 2009 11:16:38 +0000

Great tutorial very useful, thank you.

By: elaheh

elaheh — Tue, 14 Jul 2009 08:50:26 +0000

great tutorial.This was so benefit for me.

thank you

By: Rajitha

Rajitha — Thu, 02 Jul 2009 07:05:11 +0000

Great one. very useful. I implemented this to cater one of my customer requirement.By the way do you have any idea of blocking P2P application & instant messaging. there are options to do this by using SDM. but i don’t like that as it highly rely on IOS capabilities.

By: Arden Packeer, CCIE #20716

Arden Packeer, CCIE #20716 — Thu, 21 May 2009 10:35:57 +0000

@Broeisi: Nbar Protocol-Discovery is not required for classification

By: Broeisi

Broeisi — Sun, 17 May 2009 09:48:06 +0000

Arden,

To use nbar for classification don’t you have to turn on nbar protocol-discovery??

Cheers,

Broeisi

By: Salah

Salah — Thu, 19 Mar 2009 21:15:03 +0000

this is from the best topics I have ever read, easy well prepared.

thanks Arden

keep it up

Salah

By: Dale

Dale — Tue, 24 Feb 2009 06:12:58 +0000

In the last example, the ‘match protocol http mime’ statements, if matched, won’t be actioned with a ‘drop’.

I tested this extensively in my lab — same basic topology as yours — and found that some (not all) actions associated with a class using ‘match protocol http mime’ only worked when the policy-map was applied in the *server -> client* direction.

Using your example topology, if the policy-map was applied as an input policy on R2-s1/0, it would successfully classify the traffic but the ‘drop’ action wouldn’t take effect.

If applied as an input policy on R2-s1/1, it would work as expected.

If applied as an output policy on R2-s1/0, it would work as expected.

If applied as an output policy on R2-s1/1, it would classify the traffic but the ‘drop’ action wouldn’t take effect.

My tests were conducted using 2811s and IOS 12.4(23).

I’m interested in your thoughts on this — did you actually verify that, for example, R2 drops the HTTP response from R2 when the content type is “application/x-shockwave-flash” ?

I recreated your exact topology, then added ‘match protocol http mime “image/jpeg”‘ to the ‘INTERNET-SCUM’ class-map. I was able to copy “picture.jpg” from R3 to R1 successfully.

Cheers!

By: Roger

Roger — Mon, 09 Feb 2009 21:09:27 +0000

Hi Arden,

matching on url needs to be applied in outbound direction isn’t it? I mean in this way you can prevent the client from accessing that page.
If you want to prevent him downloading the page you need to match based on mime types, isn’t it?

regards

Roger