https://community.cisco.com/t5/network-security/filtering-issues-using-nbar/m-p/1117877#M893964 <HTML><HEAD></HEAD><BODY><P>Shameless bump <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P></BODY></HTML> Sat, 08 Nov 2008 16:20:20 GMT snetherland 2008-11-08T16:20:20Z https://community.cisco.com/t5/network-security/filtering-issues-using-nbar/m-p/1117872#M893955 <P>We are using NBAR to match on and subsequently filter certain urls and p2p traffic at a few customer sites. I understand that this is a substandard way to police user traffic in light of other content filtering options and if this proves unreliable then I will definitely look at those other options.</P><P></P><P>We're matching urls with a very basic class map:</P><P></P><P>Class Map match-any url_list </P><P> Match protocol http host "*youtube*"</P><P> Match protocol http host "*myspace*"</P><P> Match protocol http host "*facebook*"</P><P> Match protocol http host "*video.google*"</P><P></P><P>This is being applied to inbound traffic on the LAN interface(s) and the traffic is being filtered fine. The issue we are running into is that other html traffic is matching and being filtered as well.</P><P></P><P>We are also filtering p2p applications with the following class-map:</P><P></P><P>Class Map match-any p2p_list</P><P> Match protocol bittorrent</P><P> Match protocol directconnect</P><P> Match protocol fasttrack</P><P> Match protocol edonkey</P><P> Match protocol gnutella</P><P> Match protocol winmx</P><P> Match protocol kazaa2</P><P> Match protocol socks</P><P></P><P>This is applied ingress on the LAN interface and ingress on the WAN. On one of our sites the ingress LAN application is filtering out POP3 traffic.</P><P></P><P>I really appreciate everyone's time and help.</P><P></P><P>Routers used: 3745 with 12.4(15)T7 &amp; 871 with 12.4(20)T1</P><P></P><P></P><P></P><P></P> Mon, 11 Mar 2019 14:08:50 GMT https://community.cisco.com/t5/network-security/filtering-issues-using-nbar/m-p/1117872#M893955 snetherland 2019-03-11T14:08:50Z https://community.cisco.com/t5/network-security/filtering-issues-using-nbar/m-p/1117873#M893956 <HTML><HEAD></HEAD><BODY><P>why u dont apply it outbound on the internet link interface ?</P><P>this way this policy will not effct LAN and LAN over WAN traffic </P><P></P></BODY></HTML> Wed, 05 Nov 2008 22:21:56 GMT https://community.cisco.com/t5/network-security/filtering-issues-using-nbar/m-p/1117873#M893956 Marwan ALshawi 2008-11-05T22:21:56Z https://community.cisco.com/t5/network-security/filtering-issues-using-nbar/m-p/1117874#M893958 <HTML><HEAD></HEAD><BODY><P>Marwanshawi, I really do appreciate the advice and will take it under serious consideration. Our issues seem to be solely affecting outbound WAN-bound traffic(i.e. improperly matched url headers and outbound POP3 requests). As I said though, I most certainly will consider making that adjustment.</P><P></P><P>Thanks for your help</P></BODY></HTML> Wed, 05 Nov 2008 22:45:34 GMT https://community.cisco.com/t5/network-security/filtering-issues-using-nbar/m-p/1117874#M893958 snetherland 2008-11-05T22:45:34Z https://community.cisco.com/t5/network-security/filtering-issues-using-nbar/m-p/1117875#M893960 <HTML><HEAD></HEAD><BODY><P>Now that I have a little time, let me provide more detail. On one site we are using an 871 as a LAN router and filtering websites with the above class-map(please see "url_list" class-map above). This class-map is being nested in a policy that is simply dropping the packets. At other sites we are using ToS marking and filtering in-line with the DiffServ model. </P><P></P><P>This particular site(871 matching "url_list" &amp; dropping the packets) it seems that packets are being improperly dropped to legitimate websites, but it's random. For instance, a packet attempting to GET the following URL: <A class="jive-link-custom" href="http://en-us.www.mozilla.com/en-US/firefox/3.0.3/firstrun/" target="_blank">http://en-us.www.mozilla.com/en-US/firefox/3.0.3/firstrun/</A> will sometimes be dropped and other times be forwarded. Also, arin.net is another example of this behavior. Again, the only classifying we are using at this site is the "url_list" class-map above.</P><P></P><P>Thanks so much for everyone's help.</P><P></P><P></P></BODY></HTML> Thu, 06 Nov 2008 18:47:29 GMT https://community.cisco.com/t5/network-security/filtering-issues-using-nbar/m-p/1117875#M893960 snetherland 2008-11-06T18:47:29Z https://community.cisco.com/t5/network-security/filtering-issues-using-nbar/m-p/1117876#M893962 <HTML><HEAD></HEAD><BODY><P>This is still very much an issue at multiple sites. All routers(3745's and 871's) have the latest Boot Rom and IOS images. All are being tested with the basic "url_list" class-map(please see above). Some have been nested in a policy that is marking unwanted traffic and subsequently filtering, and others are being nested in a policy that is simply dropping the packets. At all sites we seem to be experiencing the same issue; using the "url_list" class-map above, some legitimate http traffic(in addition to the unwanted traffic) is being improperly classified and filtered. </P><P></P><P>All help is greatly appreciated. Thanks</P></BODY></HTML> Fri, 07 Nov 2008 14:04:50 GMT https://community.cisco.com/t5/network-security/filtering-issues-using-nbar/m-p/1117876#M893962 snetherland 2008-11-07T14:04:50Z https://community.cisco.com/t5/network-security/filtering-issues-using-nbar/m-p/1117877#M893964 <HTML><HEAD></HEAD><BODY><P>Shameless bump <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P></BODY></HTML> Sat, 08 Nov 2008 16:20:20 GMT https://community.cisco.com/t5/network-security/filtering-issues-using-nbar/m-p/1117877#M893964 snetherland 2008-11-08T16:20:20Z https://community.cisco.com/t5/network-security/filtering-issues-using-nbar/m-p/1117878#M893965 <HTML><HEAD></HEAD><BODY><P>may i know how does the interface check every packet, from my understand from your posts, do you use ingress? have you tried to use "ip nbar protocol-discovery"</P><P></P><P>second, how do you govern the qos? police, burst, bandwidth or drop?</P></BODY></HTML> Fri, 30 Jan 2009 18:38:51 GMT https://community.cisco.com/t5/network-security/filtering-issues-using-nbar/m-p/1117878#M893965 hasmurizal 2009-01-30T18:38:51Z https://community.cisco.com/t5/network-security/filtering-issues-using-nbar/m-p/1117879#M893966 <HTML><HEAD></HEAD><BODY><P>hasmurizal, thank you for taking the time to respond. I have tried packet inspection both ingress on the LAN interfaces as well as egress on the WAN ports. Qos, however, has only ever been configured to use a "drop" policy. </P><P></P><P>Please let me know if I can provide any more details that would be of use to you, and any suggestions that you might have would be most appreciated.</P><P></P><P>Thanks.</P></BODY></HTML> Fri, 30 Jan 2009 19:05:31 GMT https://community.cisco.com/t5/network-security/filtering-issues-using-nbar/m-p/1117879#M893966 snetherland 2009-01-30T19:05:31Z