Network Based Application Recognition (NBAR)


Scenario:

As the owner of a small company you notice some of your employees are slacking off at the job and spending their time at Facebook, Twitter and some other sites. You want to configure your network so these sites are blocked. While you are at it you also want to block some of the worms that are on the Internet.

Goal:

  • All IP addresses have been preconfigured for you.
  • OSPF has been preconfigured for full connectivity.
  • Configure router Sluggish so all traffic from Twitter is dropped on the FastEthernet 1/0 interface.
  • Configure router Sluggish so it can detect the NIMDA worm and drop the traffic on the FastEthernet 1/0 interface.
  • Configure router Sluggish so it marks YouTube traffic down to DSCP 0 on the FastEthernet 1/0 interface.

IOS:

c3640-jk9s-mz.124-16.bin

Topology:

NBAR

Video Solution:

Configuration Files

You need to register to download the GNS3 topology file. (Registration is free!)

Once you are logged in you will find the configuration files right here.


Written by René Molenaar - CCIE #41726

About the Author: Rene Molenaar

René - CCIE #41726 is the creator of GNS3Vault.com where he shares CCNA, CCNP and CCIE R&S labs. He also blogs about networking on http://networklessons.com

9 Comments

  1. Create class maps that match on protocol http url, set the appropriate policy maps to drop or set the dscp value and then nest the policy maps.

  2. idea, just enabling the ip nbar protocol discovery on the interface and create class-map ospf and apply drop on this class under the policy map, you will find the ospf in loading state not full state 🙂

    1. "idea, just enabling the ip nbar protocol discovery on the interface and create class-map ospf and apply drop on this class under the policy map, you will find the ospf in loading state not full state"

      That’ll work but that’s a "very" quick and dirty method of getting the job done 😛 Better to keep the OSPF adjacency up and running and filter using another method 😉

  3. Hi ReneMolenaar,

    Does this work for me:
    class-map match-all YOUTUBE
     match protocol http mime "*youtube*"
    class-map match-all TWITTER
     match protocol http mime "twitter"

    Thank you

  4. http://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-software-releases-122-mainline/4615-nimda.html

    After looking at a Cisco page for blocking NIMDA, I configured this:

    Sluggish#sho run | s class-map
    class-map match-any YOUTUBE
     match protocol http url "*youtube*"
    class-map match-any NIMDA
     match protocol http url "*readme.eml*"
     match protocol http url "*.ida*"
     match protocol http url "*cmd.exe*"
     match protocol http url "*root.exe*"
    class-map match-any TWITTER
     match protocol http url "*twitter*"
    Sluggish#
    Sluggish#sho run | s policy-map
    policy-map INBOUND
     class YOUTUBE
      set precedence 1
     class TWITTER
      drop
     class NIMDA
      drop
    Sluggish#
    Sluggish#sho run int fa1/0
    Building configuration...

    Current configuration : 127 bytes
    !
    interface FastEthernet1/0
     ip address 192.168.23.2 255.255.255.0
     duplex auto
     speed auto
     service-policy input INBOUND
    end

    Sluggish#sho policy-map int fa1/0
     FastEthernet1/0

      Service-policy input: INBOUND

        Class-map: YOUTUBE (match-any)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: protocol http url "*youtube*"
            0 packets, 0 bytes
            5 minute rate 0 bps
          QoS Set
            precedence 1
              Packets marked 0

        Class-map: TWITTER (match-any)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: protocol http url "*twitter*"
            0 packets, 0 bytes
            5 minute rate 0 bps
          drop

        Class-map: NIMDA (match-any)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: protocol http url "*readme.eml*"
            0 packets, 0 bytes
            5 minute rate 0 bps
          Match: protocol http url "*.ida*"
            0 packets, 0 bytes
            5 minute rate 0 bps
          Match: protocol http url "*cmd.exe*"
            0 packets, 0 bytes
            5 minute rate 0 bps
          Match: protocol http url "*root.exe*"
            0 packets, 0 bytes
            5 minute rate 0 bps
          drop

        Class-map: class-default (match-any)
          8 packets, 752 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: any
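
Added example (not part of the lab, the comments, or Cisco's own code): a small Python model of the class maps posted in the comment above, run over constructed HTTP requests to show which class each request would land in. It assumes `url` patterns are compared against the request path and `host` patterns against the Host header, with `*` as a case-sensitive glob (modelled with `fnmatchcase`); the `HOST_BASED` policy is a hypothetical variant using `match protocol http host`.

```python
from fnmatch import fnmatchcase

# Class maps as posted in the comment above: (class, action, [(field, pattern)]).
# Policy-map classes are checked top to bottom; the first match wins.
POSTED = [
    ("YOUTUBE", "set precedence 1", [("url", "*youtube*")]),
    ("TWITTER", "drop", [("url", "*twitter*")]),
    ("NIMDA", "drop", [("url", "*readme.eml*"), ("url", "*.ida*"),
                       ("url", "*cmd.exe*"), ("url", "*root.exe*")]),
]
# Hypothetical variant: site classes keyed on the Host header instead.
HOST_BASED = [
    ("YOUTUBE", "set precedence 1", [("host", "*youtube*")]),
    ("TWITTER", "drop", [("host", "*twitter*")]),
    POSTED[2],
]

def parse_request(raw):
    """Split a raw HTTP request into the two fields the model matches on."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    parts = head[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None  # not an HTTP request line
    host = ""
    for line in head[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip()
    return {"url": parts[1], "host": host}

def classify(raw, policy):
    """Return (class, action) for the first class with any matching pattern."""
    fields = parse_request(raw)
    if fields is not None:
        for name, action, matches in policy:
            if any(fnmatchcase(fields[f], pat) for f, pat in matches):
                return name, action
    return "class-default", "forward"

# Constructed sample requests (not captured traffic).
SAMPLES = {
    "twitter_home": "GET / HTTP/1.1\r\nHost: twitter.com\r\n\r\n",
    "nimda_probe": "GET /scripts/root.exe?/c+dir HTTP/1.0\r\nHost: www\r\n\r\n",
    "benign_ida": "GET /docs/trip.idaho.html HTTP/1.1\r\nHost: example.com\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, classify(raw, POSTED), classify(raw, HOST_BASED))
```

Under these assumptions the site home page request only hits the TWITTER class when the pattern is applied to the Host header, and the `*.ida*` signature also catches a harmless path containing `.idaho`.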

Comments are closed.