IOS + NBAR (for P2P applications)

ROBERTO TACCON · ‎06-12-2008

Hi,

need to inspect and drop on Cisco router P2P traffic (the cisco IOS IPS is not available as solution) and the nbar (network based application recognition) feature may can help me.

On the documentation I found 'only' the following link for download the nbar pdlm files:

http://www.cisco.com/pcgi-bin/tablebuild.pl/pdlm

where there's present only 1 pdlm file "directconnect.pdlm" and the readme.

As indicated on the readme document on page 1:

"

Note: For customers using any Cisco IOS versions running kazaa version 6 including the Cisco IOS 12.2SB

(Exodus) release, do not download the kazaa2.pdlm module. Doing so will cause classification

issues.

"

*** THE QUESTIONS:

1) As on the router I've the last IOS T release 12.4(5)T and the version display on the router is the following:

need to download the previous directconnect.pdlm file ?

2) WHERE I CAN FIND ALL THE PDLM FILES ? (also available for the Catalyst 6500 PISA supervisor) ?

3) Need to configure the following for inspect with nbar kazaa on HTTP port:

"

This PDLM uses a new software infrastructure which is provided in the Cisco IOS software releases.

You can check that this infrastructure is supported on your platform. At any class-map configuration

prompt, enter match protocol ?. If kazaa displays as a protocol to match, then it is supported.

Kazaa can use port 80 to get around the Firewall. You can control it be adding the following to the

class-map command:

match protocol http url \.hash=*

"

JORGE RODRIGUEZ · ‎06-12-2008

Roberto,

Please check this link which provides a wide variety of pdlm files

http://www.cisco.com/cgi-bin/tablebuild.pl/pdlm

You may need to check supported plaforms for NBAR implemenation and requirements in software advisory at http://www.cisco.com/public/sw-center/index.shtml

Complete NBAR document discribing configuration examples etc..

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t8/dtnbarad.htm#wp1077161

3) Need to configure the following for inspect with nbar kazaa on HTTP port:

There is a Kazaa pdf file on the link I provided above, there should be plain explanation on usage.

-

example script usage for blocking youtube, the link above on NBAR will give you several more examples and explanation.

class-map match-all YOUTUBE

match protocol http host "*youtube.com*"

!

policy-map DROP_YOUTUBE

class YOUTUBE

drop

!

interface FastEthernet0/0

description TO INTERNET

service-policy output DROP_YOUTUBE

Rgds

-Jorge

Jorge Rodriguez

ROBERTO TACCON · ‎06-12-2008

Thanks for the link but all the .pdlm files are not updated (the last one is 19-JUN-2007)

If I use the latest IOS version the nbar definitions are already on it ?

For example on the last 12.4T....

ISR2801-Atri#sh ip nbar version

NBAR software version: 6

1 base Mv: 2

2 ftp Mv: 2

3 http Mv: 9

4 static Mv: 6

5 tftp Mv: 1

6 exchange Mv: 1

7 vdolive Mv: 1

8 sqlnet Mv: 1

9 rcmd Mv: 1

10 netshow Mv: 1

11 sunrpc Mv: 2

12 streamwork Mv: 1

13 citrix Mv: 10

14 fasttrack Mv: 2

15 gnutella Mv: 4

16 kazaa2 Mv: 7

17 custom-protocols Mv: 1

18 rtsp Mv: 4

19 rtp Mv: 5

20 mgcp Mv: 2

21 skinny Mv: 1

22 h323 Mv: 1

23 sip Mv: 1

24 rtcp Mv: 2

25 edonkey Mv: 5

26 winmx Mv: 3

27 bittorrent Mv: 4

28 directconnect Mv: 2

29 skype Mv: 1

Regards.

JORGE RODRIGUEZ · ‎06-12-2008

It should based on your IOS feature set , however to be %100 sure, go to software advisory http://www.cisco.com/public/sw-center/index.shtml

and pick Compare the features in different software releases, and based on your current feature set whether is IP base, or adviced IP services and the target set you have in mind it should provide you with NBAR information.

Rgds

-Jorge

Jorge Rodriguez