Cisco Support Community
New Member

Filtering Application Layer 7 Traffic with 6509

I would like to know what would be required to filter application layer traffic on a 6509 Switch. What I would like to be able to do is filter layer 7 traffic such as audio streams or other content that go over port 80. Is there a way to do this with any module such as a Content Switching Module or a Network Analysis Module? Or could this be possible to do just in the 6509 IOS? We have a Sup1A with PFC1 and MSFC1. What do you think?

4 REPLIES
VIP Purple

Re: Filtering Application Layer 7 Traffic with 6509

Hello,

You could use NBAR (Network Based Application Recognition), which is an IOS feature and which is supported on the 6509 with SUP1A/MSFC1.

Basically what you do is you define a traffic policy for the traffic you want to filter and you apply rules to that traffic. Let's say you want to filter all ICA/CITRIX traffic and apply a specific precedence to that protocol, effectively prioritizing that traffic over other traffic; this is what you would do:

6509(config)# class-map ICA
6509(config-cmap)# match protocol ica
!
6509(config)# policy-map CITRIX
6509(config-pmap)# class ICA
6509(config-pmap-c)# set ip precedence 5
!
6509(config)# interface fastethernet 0/1
6509(config-if)# service-policy output CITRIX

Check out this link for detailed information on how NBAR works:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t8/dtnbarad.htm#1020763

HTH,

Georg
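
The reply above marks traffic rather than dropping it. As an added example (not part of the original post), this is how the same NBAR class-map/policy-map structure could drop HTTP audio content, which is what the question asked about. The class, policy and interface names are hypothetical, and it assumes a platform and IOS release that support NBAR and the MQC drop action.

```ios
! Added example, not from the thread. Names below are hypothetical.
! NBAR requires CEF switching to be enabled.
ip cef
!
! Classify HTTP responses whose Content-Type is an audio MIME type.
class-map match-any HTTP-AUDIO
 match protocol http mime "audio/*"
!
! Drop packets in that class; all other traffic falls into
! class-default and is forwarded unchanged.
policy-map FILTER-WEB-AUDIO
 class HTTP-AUDIO
  drop
!
! The MIME type appears in the server's response, so the policy is
! applied inbound on the interface facing the Internet (assumed here
! to be FastEthernet0/1).
interface FastEthernet0/1
 service-policy input FILTER-WEB-AUDIO
```

The match depends on the Content-Type the server declares, so a stream served under a generic type is not classified as audio by this rule.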

New Member

Re: Filtering Application Layer 7 Traffic with 6509

Unfortunately I just found out that unless you have a FlexWAN module, NBAR is only supported with an MSFC2 minimum, so unfortunately I cannot run NBAR. It is even listed in that link provided.

New Member

Re: Filtering Application Layer 7 Traffic with 6509

An easier way to filter port 80 traffic is to use a product such as Websense. It integrates with almost every major firewall out there.

New Member

Re: Filtering Application Layer 7 Traffic with 6509

We are using Websense. The only issue with that is that in order to do filtering other than HTTP traffic on port 80, you have to span all your Internet traffic to the Websense server, which I prefer not to have to do.
