MR46 and Layer 7 Filtering youtube issue

jbates58
Comes here often


Hello Everyone.

 

I am attempting to get my MR47 to work with the content filtering. I have set up a Layer 7 F/W rule that DENYs all "video and music"; however, I am having an issue getting it to work correctly.

 

On my devices, with the DENY rule in place, I no longer have access to sites like Netflix or Spotify (so behaviour is as expected). BUT I can still access YouTube, both in the YouTube app and through the browser. Something I have discovered, though, is that I CAN NOT access YouTube on these devices if I use INCOGNITO mode. It seems that the firewalling works when the browser is in incognito, but not when it's in normal browsing mode. I have tested this across multiple computers, and multiple devices as well, and the result is the same on them all.

 

I have even created another separate explicit DENY rule for "youtube.com" and that still does not work.

 

Is there something that I have missed? It all seems to be working other than this specific issue. I have attached a picture to show what I'm seeing.

 

Cheers,

 

Jason

jbates58
Comes here often

I will also add a note that looking through the information I can find on the Meraki dashboard, I can't find ANY mention of quantitative YouTube traffic. I have left a stream running for about 1 hour now, to get the data transferred up, so that I can use that to determine the IP, or URL or something, but I get nothing.

 

I used my device to watch Netflix, and then activated the rule mid-stream, and within 5 min it was cut off; same for Spotify. The traffic to those locations shows up, but I cannot get YouTube to show up at all.

PhilipDAth
Kind of a big deal

Try giving your test machine a reboot so it has to fetch the DNS records again.

Yes, this was my first thought, but still not resolved.

 

I have been at this for a couple of days now. The thing I don't understand is how I can access YouTube from Chrome in normal mode, but not in Incognito mode. It appears to be working as it should if I browse in Incognito.

 

Cheers,


Jason

PhilipDAth
Kind of a big deal

>The thing I don't understand is how I can access YouTube from Chrome in normal mode, but not in Incognito mode.

 

My guess is the Meraki block is acting on something your Chrome session has already cached. In Incognito mode the browser has to request it again, and it gets blocked.

This I could understand; however, I am able to start a new different stream every time I go to YouTube. That's not something that would be cached. So my understanding is that it should block it at that level because it will have to make another call out to get the content, and this should then be blocked.

You could also try creating a Layer 3 rule and block all traffic to the YouTube IPs below.

 

  • 199.223.232.0 - 199.223.239.255
  • 207.223.160.0 - 207.223.175.255
  • 208.65.152.0 - 208.65.155.255
  • 208.117.224.0 - 208.117.255.255
  • 209.85.128.0 - 209.85.255.255
  • 216.58.192.0 - 216.58.223.255
  • 216.239.32.0 - 216.239.63.255

 

Longer and messier, but just another way.

jbates58
Comes here often

Thanks for that mate, that idea led me down an investigative path that worked.

 

Although for the cost of the service, I feel that this isn't something that I should need to implement, especially if they have it (YouTube) specifically listed in their list of sites that can be blocked.

 

However, none of those address ranges worked for me. But after some more investigation, I found that I was constantly getting another IP address range back, so I just created an L3 rule to stop it, and so far in my testing, it seems to have worked.

 

The current working L3 rule to block YouTube is as follows:

DENY ALL 142.250.0.0/15 YouTube

 

 

But for future reference, if anyone needs the others listed above, with appropriate CIDR references, they are as follows:

199.223.232.0/21
207.223.160.0/20
208.65.152.0/22
208.117.224.0/19
209.85.128.0/17
216.58.192.0/19
216.239.32.0/19

 

 

Issue resolved / Case Closed

 

Cheers,

 

Jason
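
An added example, not part of any post in this thread: a Python check that the first/last ranges listed earlier convert to the CIDR blocks given above, and that reports which resolved addresses a set of L3 deny rules would miss. The function names and the sample addresses are constructed for illustration.

```python
import ipaddress

# First/last address pairs exactly as listed in the thread.
POSTED_RANGES = [
    ("199.223.232.0", "199.223.239.255"),
    ("207.223.160.0", "207.223.175.255"),
    ("208.65.152.0", "208.65.155.255"),
    ("208.117.224.0", "208.117.255.255"),
    ("209.85.128.0", "209.85.255.255"),
    ("216.58.192.0", "216.58.223.255"),
    ("216.239.32.0", "216.239.63.255"),
]
# The L3 rule the original poster reports as working.
WORKING_RULE = ipaddress.ip_network("142.250.0.0/15")


def ranges_to_cidrs(ranges):
    """Convert first-last ranges to the minimal set of CIDR blocks."""
    nets = []
    for first, last in ranges:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return list(ipaddress.collapse_addresses(nets))


def covering_rule(addr, rules):
    """Return the first rule network that contains addr, or None."""
    ip = ipaddress.ip_address(addr)
    return next((net for net in rules if ip in net), None)


def uncovered(addrs, rules):
    """Addresses that no deny rule matches, i.e. traffic still allowed."""
    return [a for a in addrs if covering_rule(a, rules) is None]


if __name__ == "__main__":
    posted = ranges_to_cidrs(POSTED_RANGES)
    print("CIDR form:", ", ".join(map(str, posted)))
    # Constructed sample of resolved addresses, not captured from the thread.
    sample = ["142.250.70.14", "142.251.40.1", "216.58.200.1"]
    print("missed by posted list:", uncovered(sample, posted))
    print("missed with /15 added:", uncovered(sample, posted + [WORKING_RULE]))
```

Feeding it the addresses a test client actually resolves shows whether an address-based rule set still covers them after the provider's addresses change.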

No problems. Sometimes it just needs another perspective when looking at how to tackle the problem.
