11-15-2018 08:50 AM - edited 02-21-2020 08:28 AM
Hello,
I'm curious to know if there is a way to block applications that have been classified by NBAR2 using zone-based firewalls on the ISR platform.
Here's what I was thinking:
class-map match-any CM
 match protocol bittorrent
 match protocol bitcoin
!
class-map type inspect ACL
 match access-group name ACL
!
policy-map type inspect PM
 class type inspect CM
  drop
 class type inspect ACL
  inspect
 class class-default
  drop log
!
Basically we would still have our ACL to permit/deny certain L3/L4 traffic but I wanted to add another class map that was matching at the application level above.
The above code doesn't work because the CM class-map isn't of type "inspect". However when I create an inspect class-map I don't get all the NBAR2 applications.
Is what I'm thinking of possible?
Tyler
11-15-2018 09:01 AM
Can you post the show version output?
11-15-2018 09:09 AM
Example:
ISR(config)#ip cef <-- this is already enabled in your case.
Create a class map which will group all the BitTorrent protocols.
ISR(config)#class-map match-any CM
ISR(config-cmap)# match protocol bittorrent
ISR(config-cmap)# match protocol bitcoin
Create a policy map to define what you want to do with the traffic.
ISR(config)#policy-map CM-DROP
ISR(config-pmap)#class CM
ISR(config-pmap-c)#drop
Apply the policy to the user-facing (incoming) interface.
ISR(config)#interface gigabitEthernet 0/0
ISR(config-if)#service-policy input CM-DROP
Now you can verify the correct operation of the NBAR feature using the command below:
ISR#show policy-map interface gigabitEthernet 0/0
Let me know if that works.
11-15-2018 10:10 AM
For some reason I don't get the drop option.
ISR(config)#policy-map PM_TEST
ISR(config-pmap)#class CM
ISR(config-pmap-c)#?
Policy-map class configuration commands:
  aaa-accounting   AAA Accounting
  account          Account statistic
  admit            Admit the request for
  bandwidth        Bandwidth
  compression      Activate Compression
  exit             Exit from class action configuration mode
  fair-queue       Enable Flow-based Fair Queuing in this Class
  forward          forward action
  netflow-sampler  NetFlow action
  no               Negate or set default values of a command
  police           Police
  priority         Strict Scheduling Priority for this Class
  queue-limit      Queue Max Threshold for Tail Drop
  random-detect    Enable Random Early Detection as drop policy
  service-policy   Configure QoS Service Policy
  set              Set QoS values
  shape            Traffic Shaping
#
This is on an ISR 4321 running 16.06.04. I have the ipbase, appxk9 and securityk9 licenses installed.
Tyler
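Putting the two halves of the thread together, as an added example that is not part of this thread and not a Cisco document: the NBAR2 match stays in an ordinary QoS class-map and policy-map, where the drop is expressed with police and drop-only actions (police is in the option list above; that this platform accepts police with all three actions set to drop is an assumption to verify on the box), while the L3/L4 ACL stays in the zone-based firewall. Interface names, zone names, the ACL entries, the addresses and the 8000 bps rate are placeholders chosen for the example.

```text
! --- Application-level block: NBAR2 classification in a QoS policy ---
! ASSUMPTION: police with conform/exceed/violate all set to drop is accepted
! on this IOS-XE release; the rate is irrelevant because every action drops.
class-map match-any CM_NBAR_BLOCK
 match protocol bittorrent
 match protocol bitcoin
!
policy-map PM_NBAR_BLOCK
 class CM_NBAR_BLOCK
  police 8000 conform-action drop exceed-action drop violate-action drop
 class class-default
!
! --- L3/L4 policy stays in the zone-based firewall ---
! Placeholder ACL: permit web and DNS from the inside network only.
ip access-list extended ACL
 permit tcp 10.0.0.0 0.255.255.255 any eq 80
 permit tcp 10.0.0.0 0.255.255.255 any eq 443
 permit udp 10.0.0.0 0.255.255.255 any eq 53
!
class-map type inspect match-all CM_ACL
 match access-group name ACL
!
policy-map type inspect PM_IN_OUT
 class type inspect CM_ACL
  inspect
 class class-default
  drop log
!
zone security INSIDE
zone security OUTSIDE
!
zone-pair security IN_TO_OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM_IN_OUT
!
! LAN side: zone membership for the firewall plus the NBAR2 drop policy on
! ingress, so the application block runs before the zone-pair inspection.
interface GigabitEthernet0/0/0
 description LAN (placeholder name)
 zone-member security INSIDE
 service-policy input PM_NBAR_BLOCK
!
interface GigabitEthernet0/0/1
 description WAN (placeholder name)
 zone-member security OUTSIDE
!
! Verification:
!   show policy-map interface GigabitEthernet0/0/0 input
!     -> per-class packet counters under CM_NBAR_BLOCK confirm classification
!   show policy-map type inspect zone-pair IN_TO_OUT
!     -> inspect and drop counters for the ACL-based firewall classes
```

Two caveats a practitioner should keep in mind. NBAR2 needs to see the first few packets of a flow before it can name the application, so the very first packets of a new BitTorrent session can be forwarded before the police action starts dropping; the class counters in show policy-map interface will make that visible. The QoS service-policy is also direction-specific, so if the traffic you care about can be initiated from the WAN side, apply an equivalent input policy on the outside interface as well.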
11-16-2018 08:55 AM
ISR#show version
Cisco IOS XE Software, Version 16.06.04
Cisco IOS Software [Everest], ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 16.6.4, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2018 by Cisco Systems, Inc.
Compiled Sun 08-Jul-18 04:33 by mcpre
Cisco IOS-XE software, Copyright (c) 2005-2018 by cisco Systems, Inc.
All rights reserved. Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0. The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY. You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0. For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.
ROM: IOS-XE ROMMON
ISR uptime is 7 hours, 21 minutes
Uptime for this control processor is 7 hours, 24 minutes
System returned to ROM by PowerOn at 14:21:03 MST Fri Nov 9 2018
System restarted at 02:32:22 MST Fri Nov 16 2018
System image file is "bootflash:isr4300-universalk9.16.06.04.SPA.bin"
Last reload reason: PowerOn
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
Suite License Information for Module:'esg'
--------------------------------------------------------------------------------
Suite                 Suite Current         Type           Suite Next reboot
--------------------------------------------------------------------------------
FoundationSuiteK9     None                  None           None
 securityk9
 appxk9
AdvUCSuiteK9          None                  None           None
 uck9
 cme-srst
 cube

Technology Package License Information:
-----------------------------------------------------------------
Technology    Technology-package           Technology-package
              Current       Type           Next reboot
------------------------------------------------------------------
appxk9        appxk9        Permanent      appxk9
uck9          None          None           None
securityk9    securityk9    Permanent      securityk9
ipbase        ipbasek9      Permanent      ipbasek9
cisco ISR4321/K9 (1RU) processor with 1795999K/6147K bytes of memory.
Processor board ID FDO2123A2KH
2 Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
4194304K bytes of physical memory.
3125247K bytes of flash memory at bootflash:.
0K bytes of WebUI ODM Files at webui:.
Configuration register is 0x2102