The router must support NBAR.
There are two ways to block, namely:
1. Using the HTTP host match
Create the class map:
R1(config)#class-map match-any BLOCKED
R1(config-cmap)#match protocol http host "*youtube.com"
R1(config-cmap)#exit
Create the policy map:
R1(config)#policy-map DROP
R1(config-pmap)#class BLOCKED
R1(config-pmap-c)#drop
R1(config-pmap-c)#exit
Apply it to the interface on which traffic is to be blocked (protocol discovery is an interface-level command, so it is entered in interface configuration mode):
R1(config)#interface fastEthernet 0/1
R1(config-if)#ip nbar protocol-discovery
R1(config-if)#service-policy output DROP
Check the configuration (the class counters show whether traffic is being matched and dropped):
R1#show policy-map interface fastEthernet 0/1
FastEthernet0/1
Service-policy output: DROP
Class-map: BLOCKED (match-any)
1 packets, 500 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: protocol http host "*youtube.com*"
1 packets, 500 bytes
5 minute rate 0 bps
drop
Class-map: class-default (match-any)
6101 packets, 340841 bytes
5 minute offered rate 10000 bps, drop rate 0 bps
Match: any
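The "show policy-map interface" listing above is the operator's evidence that the policy is doing something: the BLOCKED class must carry the "drop" action and its packet counter must be rising. The following Python script is an added example, not part of the original post; it parses the listing (reproduced here as constructed sample input, indented the way IOS prints it) into per-class counters and reports whether the named class both drops and has actually matched traffic. A class that drops but never counts a packet usually means the match criterion cannot see the traffic, for example because the site is reached over HTTPS, where the HTTP Host header that "match protocol http host" inspects is encrypted.

```python
import re

# Constructed sample input: the "show policy-map interface" output quoted in the
# post above, re-indented the way IOS prints it.
SAMPLE_OUTPUT = """\
FastEthernet0/1

  Service-policy output: DROP

    Class-map: BLOCKED (match-any)
      1 packets, 500 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol http host "*youtube.com*"
        1 packets, 500 bytes
        5 minute rate 0 bps
      drop

    Class-map: class-default (match-any)
      6101 packets, 340841 bytes
      5 minute offered rate 10000 bps, drop rate 0 bps
      Match: any
"""

CLASS_RE = re.compile(r"^\s*Class-map:\s+(\S+)\s+\((match-any|match-all)\)")
COUNTER_RE = re.compile(r"^\s*(\d+) packets, (\d+) bytes")
MATCH_RE = re.compile(r"^\s*Match:\s+(.+?)\s*$")


def parse_policy_map(text):
    """Parse one 'show policy-map interface' listing.

    Returns a list of dicts, one per class-map, holding the class-level
    packet/byte counters, its match criteria and whether 'drop' is its action.
    The first counter line after a Class-map header is the class total; later
    counter lines belong to individual Match statements and are skipped.
    """
    classes = []
    current = None
    for line in text.splitlines():
        header = CLASS_RE.match(line)
        if header:
            current = {"name": header.group(1), "mode": header.group(2),
                       "packets": None, "bytes": None, "matches": [], "drop": False}
            classes.append(current)
            continue
        if current is None:
            continue  # interface / service-policy lines before the first class
        counter = COUNTER_RE.match(line)
        if counter and current["packets"] is None:
            current["packets"] = int(counter.group(1))
            current["bytes"] = int(counter.group(2))
            continue
        crit = MATCH_RE.match(line)
        if crit:
            current["matches"].append(crit.group(1))
            continue
        if line.strip() == "drop":
            current["drop"] = True
    return classes


def check_blocking(classes, class_name):
    """Operator check: is the class present, does it drop, has it matched anything?"""
    for c in classes:
        if c["name"] == class_name:
            return {"found": True, "drop_action": c["drop"],
                    "packets_matched": c["packets"] or 0}
    return {"found": False, "drop_action": False, "packets_matched": 0}


if __name__ == "__main__":
    parsed = parse_policy_map(SAMPLE_OUTPUT)
    for c in parsed:
        action = "drop" if c["drop"] else "forward"
        print(f'{c["name"]} ({c["mode"]}): {c["packets"]} packets, action {action}')
    print(check_blocking(parsed, "BLOCKED"))
```

In practice the listing is captured from the router (for example with an SSH session or a network automation library) and fed to parse_policy_map; the script itself is offline and only processes the constructed sample.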
2. Using Cisco's built-in protocol signature
The difference is in the class definition:
R1(config)#class-map match-any BLOCKED
R1(config-cmap)#match protocol youtube
R1(config-cmap)#exit
Other examples:
Example to match based on host and URL
This example will match the page "cisco.com/go/nbar", as well as www.cisco.com/go/nbar and other variants. Because of "match-all", both the host and the URL line must match.
! class name HOST-AND-URL chosen here; the original example leaves it out
class-map match-all HOST-AND-URL
match protocol http host "*cisco.com"
match protocol http url "/go/nbar"
Example to match based on host or URL
This example is similar to the previous one except that it matches on either the host name or the URL. Note the "match-any" statement:
! class name HOST-OR-URL chosen here; the original example leaves it out
class-map match-any HOST-OR-URL
match protocol http host "www.cisco.com"
match protocol http url "*.exe"
Example to block Facebook traffic
This example will block HTTP traffic to the social network site Facebook.
class-map match-all facebook
match protocol http host "*facebook.com"
!
policy-map nofacebook
class facebook
drop
!
interface FastEthernet4
service-policy output nofacebook
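The host-and-URL, host-or-URL and Facebook class-maps above differ only in how their match lines combine: "match-all" requires every line to hit, "match-any" requires at least one. The Python script below is an added example, not part of the original post or of Cisco's documentation; it simulates that combination for constructed sample requests so the difference can be seen side by side. It assumes, for the purpose of the illustration, that an NBAR host or URL string is compared case-insensitively against the whole host name or URL path with "*" standing for any run of characters and "?" for one character; the class names HOST-AND-URL and HOST-OR-URL are chosen here because the original examples leave them out. It is a teaching model of the matching rule, not a reimplementation of NBAR.

```python
from fnmatch import fnmatchcase

# Simulation assumption (not NBAR's own code): a host/url string is matched
# against the whole field, case-insensitively, with '*' = any run of characters
# and '?' = one character. fnmatchcase provides exactly those wildcards.


def wildcard_match(pattern, value):
    return fnmatchcase(value.lower(), pattern.lower())


def class_map_matches(mode, criteria, request):
    """Evaluate one class-map against a request dict with 'host' and 'url' keys.

    criteria is a list of (field, pattern) pairs, one per
    'match protocol http <field> "<pattern>"' line in the class-map.
    match-all requires every line to hit; match-any requires at least one.
    """
    results = [wildcard_match(pattern, request[field]) for field, pattern in criteria]
    if mode == "match-all":
        return all(results)
    if mode == "match-any":
        return any(results)
    raise ValueError(f"unknown class-map mode: {mode}")


# The class-maps from the post, in (name, mode, criteria) form. HOST-AND-URL and
# HOST-OR-URL are placeholder names; the original examples give none.
CLASS_MAPS = [
    ("BLOCKED", "match-any", [("host", "*youtube.com")]),
    ("HOST-AND-URL", "match-all", [("host", "*cisco.com"), ("url", "/go/nbar")]),
    ("HOST-OR-URL", "match-any", [("host", "www.cisco.com"), ("url", "*.exe")]),
    ("facebook", "match-all", [("host", "*facebook.com")]),
]


def classify(request):
    """Return the names of every class-map the request would fall into."""
    return [name for name, mode, crit in CLASS_MAPS
            if class_map_matches(mode, crit, request)]


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = [("www.cisco.com", "/go/nbar"),
               ("www.cisco.com", "/index.html"),
               ("download.example.net", "/setup.exe"),
               ("www.youtube.com", "/watch"),
               ("m.facebook.com", "/")]
    for host, url in samples:
        print(f"{host}{url:<14} -> {classify({'host': host, 'url': url})}")
```

The second sample request shows the practical difference: www.cisco.com/index.html falls into HOST-OR-URL (the host line hits) but not into HOST-AND-URL (the URL line does not). Whichever form is used, these host and URL matches only see plain HTTP; the same sites reached over HTTPS will not be classified by them.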