This topic is to discuss the following lesson:
https://networklessons.com/quality-of-service/block-website-with-nbar-on-cisco-router/
You can block HTTP sites with that, but you cannot block HTTPS sites with these.
Hi Sameer,
I just updated the article to show you why we can’t block HTTPS with NBAR.
Rene
This is awesome! Thanks
What is the limit? I tried adding a lot of websites and it only shows me 7 of them when I do a show run.
Hi Sandra,
I’m not sure, but there might be a limit on the number of URLs. If you have many websites to block, like Facebook or YouTube, you might want to look up their IP address ranges and block those instead.
Rene
Unfortunately, can’t block HTTPS (YouTube, mail.ru, etc.).
Instead, create an access-list and deny all IP for approx. 30 addresses for YouTube.
Is there another way to block YouTube, for example?
Hi Vitaly,
HTTPS won’t work since NBAR can’t look into the packets. I don’t think YouTube publishes a list of all IP addresses that they use; maybe you can look up their AS number, find the IP addresses and block those:
https://www.ultratools.com/tools/asnInfo
If you enter “Youtube” you can see that they use AS36561 and AS43515. You can look up those IP addresses and block those.
Perhaps a better method would be to fix this using DNS. Use your DNS server so it resolves youtube.com to a custom webpage, and configure your firewall so users can’t use another DNS server.
Rene
Hi Rene,
In order for NBAR to work, it should have been enabled previously on the router, right?
Cisco1841(config)#int vlan 1
Cisco1841(config-if)#ip nbar protocol-discovery
Thank you!
Hello Adrian
Yes, that is correct.
I hope this has been helpful!
Laz
Hi! Do I need to use the following commands to enable NBAR?
match protocol
----> under class-map
ip nbar protocol-discovery
----> under interface?
Can you confirm?
thanks!
Hello Andrea
Yes, that is correct. The ip nbar protocol-discovery command must be implemented on the interface in question. You can find out more info about this at the following Cisco documentation:
Once that is done, the class map must be created using the protocol keyword in the match statement.
I hope this has been helpful!
Laz
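The complete configuration those two steps describe, as an added example (it is not from the lesson or from any post in this thread), assuming the user-facing interface is Vlan1 and the hostnames are placeholders for the sites to block:

```cisco
! Added example, not from the lesson or the thread. Assumes the LAN-facing
! interface is Vlan1; example.com / example.net are placeholder hostnames.
!
! 1. Enable NBAR protocol discovery on the interface that receives user traffic.
interface Vlan1
 ip nbar protocol-discovery
!
! 2. Class map: match the HTTP Host header against the sites to block.
!    match-any means a packet matches if any one line matches.
class-map match-any BLOCKED-SITES
 match protocol http host "*example.com*"
 match protocol http host "*example.net*"
!
! 3. Policy map: drop everything in that class, leave the rest untouched.
policy-map BLOCK-WEBSITES
 class BLOCKED-SITES
  drop
 class class-default
!
! 4. Apply inbound on the user-facing interface so requests are dropped
!    before they are routed out.
interface Vlan1
 service-policy input BLOCK-WEBSITES
!
! Verification: the BLOCKED-SITES counters increase when a user requests
! a listed site over plain HTTP.
!   show policy-map interface Vlan1
!
! Caveat from the thread: the Host header is only visible in plaintext HTTP.
! An HTTPS request to the same site is encrypted and will not hit this class.
```

If the number of host lines turns out to be limited, as asked above, the same class map can be checked with show class-map to see which entries were accepted.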