Network-Based Application Recognition (NBAR)

Introduction:

Network-Based Application Recognition (NBAR) is a Cisco IOS technology that performs deep packet inspection on network traffic to identify the applications involved. In effect, NBAR is a powerful application-layer firewall that you may already have installed on your Cisco router. Most routers only look at traffic at Layer 3; with NBAR, a router can also look at Layers 4 through 7, because NBAR inspects the whole packet, including the header and part of the payload, to classify an application. At the same time it works together with QoS (Quality of Service), helping the network provide differentiated service to each application.

NBAR uses Protocol Description Language Modules (PDLMs), which contain the rules by which NBAR recognizes an application during its packet inspection. NBAR analyzes the packets and compares them against the set of rules in the PDLM; if the rules in the PDLM are met, NBAR recognizes and classifies the application. PDLM files can be downloaded. To learn more about downloading and installing PDLMs, please refer to Packet Description Language Module.

Configuration Example:

Here are some example configurations for Cisco devices.

 

Example 1:

Router(config)#class-map match-any http_filter
Router(config-cmap)#match protocol http url "*.ida*"
Router(config-cmap)#match protocol http url "*cmd.exe*"
Router(config-cmap)#match protocol http url "*root.exe*"
Router(config-cmap)#match protocol http url "*readme.eml*"


Once the router is configured with the class map above, the NBAR engine performs deep packet analysis on traffic passing through the router interface. Traffic that matches the class can then be filtered by the administrator with an access list, or steered with policy-based routing so that infected hosts can be monitored.
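The following is an added example, not configuration from the original post: it completes Example 1 by marking the matched HTTP requests in a policy map and then dropping the marked packets with an access list, which is the access-list approach the paragraph above mentions. The interface names, the policy-map name, ACL number 105 and the DSCP value 1 are assumptions chosen for the example.

```cisco
! Added example: complete worm filter built on the Example 1 class map.
! Interface names, policy-map name, ACL number and DSCP value are assumed.
class-map match-any http_filter
 match protocol http url "*.ida*"
 match protocol http url "*cmd.exe*"
 match protocol http url "*root.exe*"
 match protocol http url "*readme.eml*"
!
! NBAR only classifies; the policy map marks each matching packet with
! DSCP 1 (a constructed value, pick one no legitimate traffic on this
! router uses).
policy-map mark_worm
 class http_filter
  set ip dscp 1
!
! Extended ACL: deny anything carrying the mark, permit everything else.
access-list 105 deny ip any any dscp 1
access-list 105 permit ip any any
!
! Classify and mark as traffic enters from the untrusted side.
interface FastEthernet0/0
 service-policy input mark_worm
!
! Drop the marked packets on the way out toward the servers.
interface FastEthernet0/1
 ip access-group 105 out
```

To confirm the filter is working, `show policy-map interface FastEthernet0/0` reports per-class matched packet counts and `show access-lists 105` shows the deny hit count. Note that NBAR can only read the URL in a cleartext HTTP request, and the `*` wildcard matches any run of characters, so a pattern such as `"*.ida*"` also matches any legitimate URL that happens to contain `.ida`; check the matched counters against expected traffic before relying on the drop.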

 

Example 2:

This example shows how P2P traffic can be blocked with the help of NBAR.


class-map match-any OUTBOUND_TRAFFIC
 match protocol fasttrack
 match protocol gnutella
 match protocol kazaa2
 match protocol edonkey
 match protocol napster
 match protocol bittorrent
!
policy-map OUTBOUND
 class OUTBOUND_TRAFFIC
  drop
!
interface FastEthernet0/0
 ip address 1.1.1.1 255.255.255.252
 duplex auto
 speed auto
 service-policy output OUTBOUND


All P2P packets matching the class map are dropped as soon as they reach the outbound interface of the router.

Some verification commands:

To check a class map, use "sh class-map <class-map name>"

To check policy status, use "sh policy-map <policy-map name>"

To see the various NBAR show options:

R2#sh ip nbar ?
  filter                   Show current NBAR's filter criteria
  link-age                 Show protocol link age
  pdlm                     Show currently installed PDLMs (PDL modules)
  port-map                 Show StILE Protocol Port Map
  protocol-discovery       Show traffic classes and statistics
  resources                Show memory configuration for tracking Stateful
                           sessions
  unclassified-port-stats  Show NBAR's port statistics for unclassified packets
  version                  Show currently installed PDL Module Version Info


Base Initial configuration:


Related Information:

Network Based Application Recognition Performance Analysis

Network-Based Application Recognition
