Block website with NBAR on Cisco Router

When you create access-lists or QoS (Quality of Service) policies you normally use layer 1, 2, 3 and 4 information to match on certain criteria. NBAR (Network Based Application Recognition) adds application layer intelligence to our Cisco IOS router, which means we can match and filter based on certain applications.

Let’s say you want to block a certain website like Normally you would look up the IP addresses that youtube uses and block those using an access-list, or perhaps police / shape them in your QoS policies. Using NBAR we can match on the website addresses instead of IP addresses. This makes life a lot easier. Let’s look at an example where we use NBAR to block a website (youtube for example):

R1(config)#class-map match-any BLOCKED
R1(config-cmap)#match protocol http host "**"

First I will create a class-map called “BLOCKED” and I will use match protocol to use NBAR. As you can see I match on the hostname “”. The * means “any character”. Effectively this will block all sub-domains of, for example “” will also be blocked. Now we need to create a policy-map:

R1(config)#policy-map DROP
R1(config-pmap)#class BLOCKED
R1(config-pmap-c)#drop

The policy-map above references our class-map BLOCKED, and traffic that matches it is dropped. Last but not least we need to apply the policy-map to the interface:

R1(config)#interface fastEthernet 0/1  
R1(config-if)#service-policy output DROP

I will apply the policy-map to the interface that is connected to the Internet. Now whenever someone tries to reach their traffic will be dropped. You can verify this on your router using the following command:

R1#show policy-map interface fastEthernet 0/1

  Service-policy output: DROP

    Class-map: BLOCKED (match-any)
      1 packets, 500 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol http host "**"
        1 packets, 500 bytes
        5 minute rate 0 bps

    Class-map: class-default (match-any)
      6101 packets, 340841 bytes
      5 minute offered rate 10000 bps, drop rate 0 bps
      Match: any 

Above you see that we have a match for our class-map BLOCKED. Apparently someone tried to reach The class-map class-default matches all other traffic and it is permitted.
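When you roll a policy like this out to more than one router, it helps to check the counters automatically rather than by eye. The script below is an added example (not from the original lesson) that parses the `show policy-map interface` output format shown above and returns the per-class counters; the hostname pattern in the constructed sample is a placeholder, since the real one is not reproduced on this page.

```python
import re

# Constructed sample modelled on the article's "show policy-map interface" output.
# The host pattern "*example*" is a placeholder, not the lesson's actual hostname.
SAMPLE_OUTPUT = """\
  Service-policy output: DROP

    Class-map: BLOCKED (match-any)
      1 packets, 500 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol http host "*example*"
        1 packets, 500 bytes
        5 minute rate 0 bps

    Class-map: class-default (match-any)
      6101 packets, 340841 bytes
      5 minute offered rate 10000 bps, drop rate 0 bps
      Match: any
"""

CLASS_RE = re.compile(r"^\s*Class-map:\s+(\S+)\s+\((match-any|match-all)\)")
COUNT_RE = re.compile(r"^\s*(\d+) packets, (\d+) bytes")
RATE_RE = re.compile(r"offered rate (\d+) bps, drop rate (\d+) bps")
MATCH_RE = re.compile(r"^\s*Match:\s+(.*\S)")


def parse_policy_map(text):
    """Return {class_name: counters} for every class-map in the output.
    The first "N packets, M bytes" line after a Class-map header is the class
    total; the later one belongs to the individual Match statement and is skipped."""
    classes, current = {}, None
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            current = {"mode": m.group(2), "packets": None, "bytes": None,
                       "offered_bps": 0, "drop_bps": 0, "matches": []}
            classes[m.group(1)] = current
            continue
        if current is None:
            continue
        m = COUNT_RE.match(line)
        if m and current["packets"] is None:
            current["packets"], current["bytes"] = int(m.group(1)), int(m.group(2))
        elif (m := RATE_RE.search(line)):
            current["offered_bps"], current["drop_bps"] = int(m.group(1)), int(m.group(2))
        elif (m := MATCH_RE.match(line)):
            current["matches"].append(m.group(1))
    return classes


def blocked_hits(text, class_name="BLOCKED"):
    """Packets that hit the blocking class; zero after a test request suggests
    the policy is not applied, or applied in the wrong direction."""
    return parse_policy_map(text).get(class_name, {}).get("packets", 0)
```

Feed it the output of the same command collected over SSH or from a log archive to spot routers where the BLOCKED class never fires.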


Copyright protected by Digiprove © 2013 Rene Molenaar


7 Responses to “Block website with NBAR on Cisco Router”

  1. Sameer April 2, 2013 at 06:00 #

    you can block HTTP sites with that, but you cannot block HTTPS sites with this

    • Rene Molenaar April 2, 2013 at 08:29 #

      Hi Sameer,

      I just updated the article to show you why we can’t block HTTPS with NBAR.


  2. raza April 25, 2013 at 15:22 #

    This is awesome! Thanks

  3. sandra December 10, 2013 at 21:00 #

    What is the limit? I tried adding a lot of websites and it only shows me 7 of them when I do a show run.

    • Rene Molenaar December 17, 2013 at 21:54 #

      Hi Sandra,

      I’m not sure, but there might be a limit on the number of URLs. If you have many websites to block, like facebook or youtube, you might want to look up their IP address ranges and block those instead.


  4. Vitaliy September 11, 2014 at 05:36 #

    Unfortunately, can’t block https (youtube,, etc)
    Instead create an access-list and deny all IP for approx. 30 addresses for youtube.
    Is there another way to block youtube, for example?

    • Rene Molenaar September 11, 2014 at 10:15 #

      Hi Vitaly,

      HTTPS won’t work since NBAR can’t look into the packets. I don’t think Youtube publishes a list of all IP addresses that they use; maybe you can look up their AS number, find the IP addresses and block those:

      If you enter “Youtube” you can see that they use AS36561 and AS43515. You can look up those IP addresses and block those.

      Perhaps a better method would be to fix this using DNS. Use your DNS server so resolves to a custom webpage and configure your firewall so users can’t use another DNS server.

