NBAR

Jan 17th, 2004

If I want to use NBAR, do I have to load any additional modules from flash? According to the documentation, NBAR is available with IOS Release 12.0(5)XE2. Are the additional modules that need to be loaded from flash "just" to extend the functionality of NBAR, i.e.


Protocol Discovery

packet description language module (PDLM)


My question is this: If I have IOS Release 12.0(5)XE2, can I immediately start using NBAR, or do I have to load additional modules?


Thanks,

biz

nkhawaja (Cisco Employee) Sat, 01/17/2004 - 16:31

Hi,


Running 12.0(5)XE2 does not guarantee that you have NBAR support. You would need to get the right feature set for it. Check http://www.cisco.com/go/fn


Yes, PDLM will extend the functionality of NBAR.


Thanks

Nadeem

bizsnatch Sat, 01/17/2004 - 18:01

http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121newft/121limit/121e/121e2/nbar2e.htm


According to the documentation above, I need to create a class-map, policy-map, and a service-policy.


I want to look for 3 specific domains - since IP addresses can use round robin, I want to look specifically at the name.


Class-map:


Router(config)#class-map match-any bad-hosts

Router(config-cmap)#match protocol http host "*badhost1.com*"

Router(config-cmap)#match protocol http host "*badhost2.com*"

Router(config-cmap)#match protocol http host "*badhost3.com*"


Policy-map:


Router(config)#policy-map inbound-bad-hosts

Router(config-pmap)#class bad-hosts

Router(config-pmap)#set ip dscp 1


Service-policy:

Router(config)#interface serial 0/1

Router(config-if)#service-policy input inbound-bad-hosts

Router(config-if)#exit

Router(config)#access-list 101 deny ip any any dscp 1

Router(config)#access-list 101 permit ip any any


Will this block the hosts listed as badhost1.com, badhost2.com, and badhost3.com?


Thanks,

biz


bizsnatch Sat, 01/17/2004 - 18:13

One more thing... if you are going to have multiple NBAR statements... how do you pick the DSCP number? How can you be sure no other traffic will use this number?

nkhawaja (Cisco Employee) Sun, 01/18/2004 - 19:34

Hi,


Yes, it seems like you will be able to block those bad hosts correctly. The DSCP number, I am not sure, but whatever you pick, you would need to use that in your access-list. As far as your question about being sure that other applications/traffic do not use that DSCP is concerned, I don't think there is any way to distinguish it. So other packets could also have the DSCP of 1.

bizsnatch Sun, 01/18/2004 - 19:59

Do I "have" to set the DSCP number? I've seen other examples that don't use the DSCP number...

I've seen examples that show similar to this... Does the "drop" statement in the policy-map take the place of adding an entry to an ACL to deny a specific DSCP number?


Example


class-map match-any bad-hosts

match protocol http host "*badhost1.com*"

match protocol http host "*badhost2.com*"

match protocol http host "*badhost3.com*"


policy-map block-badhosts

class bad-hosts

drop


int s0/1

service-policy input block-badhosts


Thanks for your help! I plan on putting this into effect on our 7200 edge router Wednesday morning and would like as much input before putting it into effect. I've been reading as much about nbar as I can find and just want to clear up a few things first...


thanks,

biz
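As an added illustration, not Cisco code or the poster's configuration, the following Python models what the two policies in this thread decide: it treats `match protocol http host "*pattern*"` as a shell-style glob over the cleartext HTTP Host header (an assumed simplification of NBAR's matching), then applies either the mark-then-ACL approach from the earlier post (`set ip dscp 1` plus `access-list 101 deny ip any any dscp 1`) or the `drop` action from this one. The sample requests are constructed; the lookalike host and the packet that already arrives with DSCP 1 show the two caveats raised above.

```python
from fnmatch import fnmatchcase
from typing import Optional, Tuple

# Constructed equivalent of the thread's 'class-map match-any bad-hosts'.
BAD_HOST_PATTERNS = ["*badhost1.com*", "*badhost2.com*", "*badhost3.com*"]

# Constructed sample payloads (not captured traffic).
REQ_BAD = b"GET / HTTP/1.1\r\nHost: www.badhost1.com\r\n\r\n"
REQ_OK = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
REQ_LOOKALIKE = b"GET / HTTP/1.1\r\nHost: badhost1.com.example.org\r\n\r\n"
TLS_HELLO = b"\x16\x03\x01\x00\x8b\x01\x00\x00\x87"  # encrypted: no Host visible


def http_host(payload: bytes) -> Optional[str]:
    """Return the Host header of a cleartext HTTP request, else None.
    'match protocol http host' only sees cleartext HTTP; TLS carries no Host."""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return None
    for line in text.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            return value.strip().lower()
    return None


def classify(payload: bytes) -> bool:
    """True when the packet hits the bad-hosts class (match-any semantics).
    Assumes '*' globbing, so '*badhost1.com*' also matches superstrings."""
    host = http_host(payload)
    return host is not None and any(fnmatchcase(host, p.lower()) for p in BAD_HOST_PATTERNS)


def forward_with_mark_and_acl(payload: bytes, dscp: int = 0) -> Tuple[bool, int]:
    """Policy 'inbound-bad-hosts': set ip dscp 1 on matches, then ACL 101
    denies dscp 1. Returns (forwarded, dscp). Any packet that already
    arrives with DSCP 1 is denied too, which is the collision discussed above."""
    if classify(payload):
        dscp = 1
    return dscp != 1, dscp


def forward_with_drop(payload: bytes) -> bool:
    """Policy 'block-badhosts': the class action 'drop' discards matches
    directly, with no marking and no dependence on a DSCP-based ACL."""
    return not classify(payload)
```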
