Cisco IOS has a rich set of features for restricting access to certain websites, such as ACLs and QoS, which use Layer 1, 2, 3 or 4 parameters to block or restrict traffic. NBAR is a powerful Cisco tool that enables the IOS to do application-level filtering.
This is especially useful where a customer's corporate site is connected to the internet via a Cisco router and we want to block access to certain websites. Blocking websites becomes imperative in order to restrict employees from browsing social websites and so increase productive working time. In normal practice this would be done with an ACL on the router that blocks the IP addresses of those particular websites. With NBAR, however, we can match the exact website address, which is a lot more user friendly.
Let us look at the configuration example:
We will first create a class-map and then use match protocol to invoke NBAR.
In this example we will specifically block access to facebook.com, and '*' will be used to match all sub-domains of Facebook and restrict access to them as well.
Next we create a policy-map that uses the class-map created above and takes the action on the addresses matched by that class-map.
The policy-map has an action of drop for all the HTTP traffic destined for facebook.com from the site connected to the internet.
Lastly we apply this policy-map on the ISP-facing interface of the router.
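The three steps above as one complete configuration, written here as an added example rather than the post's own listing; the class-map name, policy-map name and interface are assumptions:

```cisco
! Added example configuration (not from the original post); the names
! BLOCK-FACEBOOK, BLOCK-WEB and the interface FastEthernet0/1 are assumed.
!
! 1. Class-map: NBAR inspects the HTTP Host header; the wildcards match
!    facebook.com and every sub-domain (www.facebook.com, m.facebook.com, ...).
class-map match-any BLOCK-FACEBOOK
 match protocol http host "*facebook.com*"
!
! 2. Policy-map: drop whatever the class matches; all other traffic is
!    untouched because class-default has no action configured.
policy-map BLOCK-WEB
 class BLOCK-FACEBOOK
  drop
!
! 3. Apply the policy outbound on the ISP-facing interface so the client's
!    HTTP request is inspected before it leaves the site.
interface FastEthernet0/1
 description ISP uplink
 service-policy output BLOCK-WEB
```

NBAR matches the host pattern against the cleartext HTTP Host header, so HTTPS connections to the same site are not caught by this class; `show policy-map interface` reports the matched packet counters once the policy is applied.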
R1#show policy-map interface fastEthernet 0/1