Configuration Example, Firewalling, Routing
NBAR and smart filtering
NBAR (Network Based Application Recognition) is a cool Cisco tool to identify and classify content flowing through a router. You can identify applications as mission critical, business-related, non-critical or unwanted. Once these mission critical applications are classified they can be guaranteed a minimum amount of bandwidth, policy routed, and marked for preferential treatment. Non-critical applications including Internet gaming applications and MP3 file sharing applications can also be classified using NBAR and marked for best effort service, policed, or blocked as required.
In the following example you will see how to block access to YouTube and block the extension .exe. I will block the content when it tries to “enter” the router on the internal interface Vlan1. To start with you need to enable NBAR on the interface.
RTR#configure terminal
RTR(config)#interface Vlan 1
RTR(config-if)#ip nbar protocol-discovery
Create a class-map to identify the content which needs to be blocked.
RTR#configure terminal
RTR(config)#class-map match-any cm-blocked-content
RTR(config-cmap)#match protocol http url "*.exe"
RTR(config-cmap)#match protocol http host "*youtube*"
The following step involves creating a policy-map to block the traffic matching the previous class-map.
RTR#configure terminal
RTR(config)#policy-map pm-blocked-content
RTR(config-pmap)#class cm-blocked-content
RTR(config-pmap-c)#drop
You can also police or shape the identified content so it cannot “consume” all the available bandwidth. The final step is to apply the policy-map to the internal interface in the input direction.
RTR#configure terminal
RTR(config)#int Vlan 1
RTR(config-if)#service-policy input pm-blocked-content
To verify the operation of NBAR, try to browse to the YouTube website or download a file with the .exe extension. Then check the counters with the show policy-map interface vlan 1 command, as shown below.
RTR#sh policy-map interface vlan 1 input
Vlan1
Service-policy input: pm-blocked-content
Class-map: cm-blocked-content (match-any)
228 packets, 121574 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: protocol http url "*.exe"
9 packets, 7090 bytes
5 minute rate 0 bps
Match: protocol http host "*youtube*"
24 packets, 12813 bytes
5 minute rate 0 bps
drop
Class-map: class-default (match-any)
111703 packets, 12021043 bytes
5 minute offered rate 33000 bps, drop rate 0 bps
Match: any
RTR#
From now on your users aren’t able to browse to YouTube or download .exe files over HTTP. With NBAR you can also block a specific content type, like streaming media. I use Wireshark to retrieve the content-type I would like to block. By following the TCP stream from a Wireshark session you can find the exact content-type or other useful information.
Use the match protocol http mime command to classify a content-type. In MIME type matching, NBAR classifies the packet that contains the MIME type and all subsequent packets, which are sent to the source of the HTTP request. This means that the corresponding policy-map should be applied inbound (input) on the external interface or outbound (output) on the internal interface. For MIME type matching, the MIME type can contain any user-specified text string. A list of the Internet Assigned Numbers Authority (IANA)-supported MIME types can be found here.
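The MIME matching described above, written out as a configuration. This is an added example, not part of the original post: the names cm-streaming-media and pm-limit-streaming and the content-type video/x-flv are assumed sample values, and the policy is applied outbound on the internal interface Vlan1 as the paragraph requires.

```cisco
! Added example: classify a content-type and act on the response direction.
! Assumed names: cm-streaming-media, pm-limit-streaming.
! video/x-flv is a sample value; use the content-type seen in your own capture.
class-map match-any cm-streaming-media
 match protocol http mime "video/x-flv"
!
policy-map pm-limit-streaming
 class cm-streaming-media
  ! Use "drop" here to block the content outright; "police" rate-limits it
  ! instead, so it cannot consume all the available bandwidth.
  police 256000 conform-action transmit exceed-action drop
!
! MIME matching classifies the packet carrying the Content-Type header and
! the packets that follow it towards the client, so on the internal
! interface the policy is attached in the output direction. It sits next to
! the input policy pm-blocked-content configured earlier.
interface Vlan1
 ip nbar protocol-discovery
 service-policy output pm-limit-streaming
!
! Verify from exec mode after requesting matching content:
!   show policy-map interface vlan 1 output
```

As with the host and url matches, this only classifies HTTP that the router can read in clear text.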
René Jorissen
What if I typed https:\\www.yahoo.com :))
and I can’t match the secure HTTP because the Hotmail and Yahoo mails will not open, so…..
!
!
!
class-map match-all facebook
match protocol http url "*facebook*"
class-map match-any cm-blocked-content
match protocol http host "*youtube*"
!
policy-map nofacebook
class facebook
drop
policy-map pm-blocked-content
class cm-blocked-content
drop
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0
no ip address
spanning-tree portfast
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
spanning-tree portfast
!
interface FastEthernet4
description TVBACO FIBRA 20M
ip address 192.168.100.77 255.255.255.0
ip access-group autosec_firewall_acl in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect autosec_inspect out
ip virtual-reassembly in
ip verify unicast source reachable-via rx allow-default 100
duplex auto
speed auto
!
interface Vlan1
description LAN FAB1
ip address 192.168.0.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
service-policy input pm-blocked-content
!
did not work,
Cisco IOS Software, C880 Software (C880DATA-UNIVERSALK9-M), Version 15.2(4)M4, RELEASE SOFTWARE (fc2)