Zone-Based Firewall - Block Applications with NBAR2

tripley
Level 1

Hello,


I'm curious to know if there is a way to block applications that have been classified by NBAR2 using zone-based firewalls on the ISR platform.


Here's what I was thinking:


class-map match-any CM
 match protocol bittorrent
 match protocol bitcoin
!
class-map type inspect ACL
 match access-group name ACL
!
policy-map type inspect PM
 class type inspect CM
  drop
 class type inspect ACL
  inspect
 class class-default
  drop log
!

Basically we would still have our ACL to permit/deny certain L3/L4 traffic but I wanted to add another class map that was matching at the application level above.


The above code doesn't work because the CM class-map isn't of type "inspect".  However when I create an inspect class-map I don't get all the NBAR2 applications.


Is what I'm thinking of possible?


Tyler

4 Replies

balaji.bandi
Hall of Fame

Can you post the show version output?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Example :


ISR(config)#ip cef <-- this is already enabled in your case.


Create a Class map which will group all the bittorrent protocols.


ISR(config)#class-map match-any CM
ISR(config-cmap)# match protocol bittorrent
ISR(config-cmap)# match protocol bitcoin


Create a Policy map to define what you want to do with the traffic.

ISR(config)#policy-map CM-DROP
ISR(config-pmap)# class CM
ISR(config-pmap-c)# drop


Apply the policy to the user-facing (Incoming) interface.

ISR(config)#interface gigabitEthernet 0/0
ISR(config-if)#service-policy input CM-DROP


Now you can verify the correct operation of the NBAR feature using the below command :

ISR#show policy-map interface gigabitEthernet 0/0


Let me know if that works.

BB


For some reason I don't get the drop option.


ISR(config)#policy-map PM_TEST
ISR(config-pmap)#class CM
ISR(config-pmap-c)#?
Policy-map class configuration commands:
  aaa-accounting   AAA Accounting
  account          Account statistic
  admit            Admit the request for
  bandwidth        Bandwidth
  compression      Activate Compression
  exit             Exit from class action configuration mode
  fair-queue       Enable Flow-based Fair Queuing in this Class
  forward          forward action
  netflow-sampler  NetFlow action
  no               Negate or set default values of a command
  police           Police
  priority         Strict Scheduling Priority for this Class
  queue-limit      Queue Max Threshold for Tail Drop
  random-detect    Enable Random Early Detection as drop policy
  service-policy   Configure QoS Service Policy
  set              Set QoS values
  shape            Traffic Shaping
#

This is on an ISR 4321 running 16.06.04.  I have the ipbase, appxk9 and securityk9 licenses installed.


Tyler

ISR#show version
Cisco IOS XE Software, Version 16.06.04
Cisco IOS Software [Everest], ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 16.6.4, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2018 by Cisco Systems, Inc.
Compiled Sun 08-Jul-18 04:33 by mcpre


Cisco IOS-XE software, Copyright (c) 2005-2018 by cisco Systems, Inc.
All rights reserved.  Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0.  The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY.  You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0.  For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.


ROM: IOS-XE ROMMON

ISR uptime is 7 hours, 21 minutes
Uptime for this control processor is 7 hours, 24 minutes
System returned to ROM by PowerOn at 14:21:03 MST Fri Nov 9 2018
System restarted at 02:32:22 MST Fri Nov 16 2018
System image file is "bootflash:isr4300-universalk9.16.06.04.SPA.bin"
Last reload reason: PowerOn



This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.



Suite License Information for Module:'esg'

--------------------------------------------------------------------------------
Suite                 Suite Current         Type           Suite Next reboot
--------------------------------------------------------------------------------
FoundationSuiteK9     None                  None           None
securityk9
appxk9

AdvUCSuiteK9          None                  None           None
uck9
cme-srst
cube


Technology Package License Information:

-----------------------------------------------------------------
Technology    Technology-package           Technology-package
              Current       Type           Next reboot
------------------------------------------------------------------
appxk9           appxk9           Permanent        appxk9
uck9             None             None             None
securityk9       securityk9       Permanent        securityk9
ipbase           ipbasek9         Permanent        ipbasek9

cisco ISR4321/K9 (1RU) processor with 1795999K/6147K bytes of memory.
Processor board ID FDO2123A2KH
2 Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
4194304K bytes of physical memory.
3125247K bytes of flash memory at bootflash:.
0K bytes of WebUI ODM Files at webui:.

Configuration register is 0x2102
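Putting the thread's two findings together, as an added example that is not from either poster: the NBAR2 class-map is an ordinary MQC (QoS) class-map, not a "type inspect" one, so it is attached to the interface with service-policy, while the zone-based firewall keeps its own type inspect policy on the zone-pair and continues to enforce the L3/L4 ACL. Because the class action list Tyler posted has no plain drop, the example discards the matched class with police ... conform-action drop exceed-action drop, a standard MQC way to drop a class on IOS XE. The interface names GigabitEthernet0/0/0 and 0/0/1, the zone names INSIDE/OUTSIDE and the ACL name ACL are assumptions for illustration.

```cisco
! --- Application blocking via NBAR2 (plain MQC, not type inspect) ---
! match protocol uses NBAR2 classification; this class-map is a QoS class.
class-map match-any CM
 match protocol bittorrent
 match protocol bitcoin
!
! No plain "drop" action on this platform, so police everything in the class
! to drop: both conforming and exceeding packets are discarded.
policy-map CM-DROP
 class CM
  police 8000 conform-action drop exceed-action drop
!
! Apply on the user-facing (inside) interface, inbound.
! Interface name is an assumption; an ISR4321 exposes Gi0/0/0 and Gi0/0/1.
interface GigabitEthernet0/0/0
 service-policy input CM-DROP
!
! --- Zone-based firewall keeps its L3/L4 ACL enforcement as before ---
class-map type inspect match-all ACL
 match access-group name ACL
!
policy-map type inspect PM
 class type inspect ACL
  inspect
 class class-default
  drop log
!
! Zone names are assumptions for illustration.
zone security INSIDE
zone security OUTSIDE
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM
!
interface GigabitEthernet0/0/0
 zone-member security INSIDE
interface GigabitEthernet0/0/1
 zone-member security OUTSIDE
```

To verify, generate some matching traffic and check that the CM class counters and the policer drop counters increment with show policy-map interface GigabitEthernet0/0/0 input; the firewall side is checked as usual with show policy-map type inspect zone-pair IN-OUT. The two policies are independent: CM-DROP is an interface QoS policy that discards the NBAR2-classified flows, and PM is the zone-pair inspect policy that still permits or denies the rest by ACL.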
