NBAR

bizsnatch
Level 1

If I want to use NBAR, do I have to load any additional modules from flash? According to the documentation, NBAR is available with IOS Release 12.0(5)XE2. Are the additional modules that need to be loaded from flash "just" to extend the functionality of NBAR, i.e.

Protocol Discovery

packet description language module (PDLM)

My question is this: If I have IOS Release 12.0(5)XE2, can I immediately start using NBAR, or do I have to load additional modules?

Thanks,

biz

5 Replies

nkhawaja
Cisco Employee

Hi,

Running 12.0(5)XE2 does not guarantee that you have NBAR support. You would need to get the right feature set for it. Check http://www.cisco.com/go/fn

Yes, PDLM will extend the functionality of NBAR.

Thanks

Nadeem

bizsnatch
Level 1

http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121newft/121limit/121e/121e2/nbar2e.htm

According to the documentation above, I need to create a class-map, policy-map, and a service-policy.

I want to look for 3 specific domains. Since IP addresses can use round robin, I want to look specifically at the name.

Class-map:

Router(config)#class-map match-any bad-hosts
Router(config-cmap)#match protocol http host "*badhost1.com*"
Router(config-cmap)#match protocol http host "*badhost2.com*"
Router(config-cmap)#match protocol http host "*badhost3.com*"

Policy-map:

Router(config)#policy-map inbound-bad-hosts
Router(config-pmap)#class bad-hosts
Router(config-pmap-c)#set ip dscp 1

Service-policy:

Router(config)#interface serial 0/1
Router(config-if)#service-policy input inbound-bad-hosts

Router(config)#access-list 101 deny ip any any dscp 1
Router(config)#access-list 101 permit ip any any

Will this block the hosts listed as badhost1.com, badhost2.com, and badhost3.com?

Thanks,

biz

One more thing... if you are going to have multiple NBAR statements, how do you pick the DSCP number? How can you be sure no other traffic will use this number?

Hi,

Yes, it seems like you will be able to block those bad hosts correctly. The DSCP number, I am not sure, but whatever you pick, you would need to use that in your access-list. As far as your question about being sure that other applications/traffic do not use that DSCP is concerned, I don't think there is any way to distinguish it. So other packets could also have the DSCP of 1.

Do I "have" to set the DSCP number? I've seen other examples that don't use the DSCP number...

I've seen examples similar to this... Does the "drop" statement in the policy-map take the place of adding an entry to an ACL to deny a specific DSCP number?

Example

class-map match-any bad-hosts
 match protocol http host "*badhost1.com*"
 match protocol http host "*badhost2.com*"
 match protocol http host "*badhost3.com*"

policy-map block-badhosts
 class bad-hosts
  drop

int s0/1
 service-policy input block-badhosts

Thanks for your help! I plan on putting this into effect on our 7200 edge router Wednesday morning and would like as much input as possible before doing so. I've been reading as much about NBAR as I can find and just want to clear up a few things first...

thanks,

biz
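The two configurations posted in this thread (DSCP marking plus ACL, and the policy-map "drop"), written out as one complete running-config fragment. This is an added example, not configuration from the thread or from Cisco documentation. One piece the marking variant in the thread leaves out is that access-list 101 does nothing until it is applied to an interface with ip access-group; it is applied here outbound on the inside interface, assumed to be FastEthernet0/0 (Serial0/1 is the WAN interface from the thread).

```cisco
! --- Variant A: mark with NBAR on the way in, drop with an ACL on the way out ---
class-map match-any bad-hosts
 match protocol http host "*badhost1.com*"
 match protocol http host "*badhost2.com*"
 match protocol http host "*badhost3.com*"
!
policy-map inbound-bad-hosts
 class bad-hosts
  set ip dscp 1
!
! Marking happens as packets enter the WAN interface (Serial0/1 in the thread).
interface Serial0/1
 service-policy input inbound-bad-hosts
!
! ACL 101 drops any packet carrying DSCP 1 and permits everything else.
! It must be applied outbound on the inside interface (assumed FastEthernet0/0):
! the DSCP value is set by the input policy on Serial0/1, so an inbound ACL on
! that same interface would be evaluated before the mark exists.
access-list 101 deny ip any any dscp 1
access-list 101 permit ip any any
!
interface FastEthernet0/0
 ip access-group 101 out
!
! Caveat (as nkhawaja notes above): a packet that already arrives with DSCP 1
! for any other reason is dropped by ACL 101 as well.
!
! --- Variant B: drop inside the policy-map, no DSCP value and no ACL needed ---
! An interface takes a single input service-policy, so use A or B, not both.
policy-map block-badhosts
 class bad-hosts
  drop
!
interface Serial0/1
 no service-policy input inbound-bad-hosts
 service-policy input block-badhosts
!
! Verification after applying either variant: the bad-hosts class counters
! and (for variant A) the ACL 101 deny counter should increase when a
! request for one of the listed host names is sent through the router.
!   show policy-map interface Serial0/1
!   show access-lists 101
```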