Introduction:
Network Based Application Recognition (NBAR) is a Cisco IOS technology that performs deep packet inspection on network traffic to identify the applications involved. In effect, NBAR is a very powerful application-layer firewall that you may already have installed on your Cisco router. Most routers only look at traffic at Layer 3; with NBAR, routers can also look at Layers 4 through 7. NBAR inspects the whole packet, including the header and part of the payload, to classify an application, and it works together with QoS (Quality of Service) so the network can provide differentiated services to each application.
NBAR uses Packet Description Language Modules (PDLMs), which contain the rules by which NBAR recognizes an application during packet inspection. NBAR analyzes the packets and compares them to the set of rules in the PDLM. If the rules in the PDLM are met, NBAR recognizes and classifies the application. PDLM files can be downloaded from Cisco. For more on downloading and installing PDLMs, refer to Packet Description Language Module.
Configuration Example:
Here are some example configurations on Cisco devices.
Example 1:
Router(config)#class-map match-any http_filter
Router(config-cmap)#match protocol http url "*.ida*"
Router(config-cmap)#match protocol http url "*cmd.exe*"
Router(config-cmap)#match protocol http url "*root.exe*"
Router(config-cmap)#match protocol http url "*readme.eml*"
Once the router is configured with the class map above, the NBAR engine performs deep packet analysis on traffic passing through the router interface. Traffic that matches the class can then be filtered by the administrator with an access list, or policy-based routing can be applied to it so that infected hosts can be monitored.
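The class map in Example 1 only classifies the worm traffic; the page leaves the filtering step to the reader. The following is an added example, not part of the original page or of any Cisco document, showing one common way to complete it: mark the matched traffic with a DSCP value in a policy map, then deny that DSCP value with an extended access list on the egress interface. The interface names, the policy-map name mark_http_filter, the ACL number 105 and the DSCP value 1 are assumptions chosen for illustration.

```cisco
! Added example: classify worm URLs with NBAR, mark them, then block them with an ACL.
! Interface names, policy-map name, ACL number and DSCP value are assumed for illustration.

! 1. Class map from Example 1: match HTTP requests whose URL carries a worm signature
class-map match-any http_filter
 match protocol http url "*.ida*"
 match protocol http url "*cmd.exe*"
 match protocol http url "*root.exe*"
 match protocol http url "*readme.eml*"

! 2. Policy map: mark matched packets with DSCP 1 (an otherwise unused value) instead of
!    dropping them here, so that the ACL below can handle them and log hits
policy-map mark_http_filter
 class http_filter
  set ip dscp 1

! 3. Apply the marking policy inbound on the interface facing the source of the traffic
interface FastEthernet0/0
 service-policy input mark_http_filter

! 4. Extended ACL: deny anything that NBAR marked with DSCP 1, permit everything else.
!    The "log" keyword records denied packets so infected hosts can be identified.
access-list 105 deny ip any any dscp 1 log
access-list 105 permit ip any any

! 5. Apply the ACL outbound on the interface facing the protected servers
interface FastEthernet0/1
 ip access-group 105 out

! 6. Verification (exec mode): confirm classification counters increase and the ACL
!    shows matches on the deny entry
! show class-map http_filter
! show policy-map interface FastEthernet0/0
! show access-lists 105
```

Marking and then filtering with an ACL, rather than dropping inside the policy map, keeps the NBAR classification and the enforcement decision separate: the same DSCP mark can also be matched by a policy-based routing route-map (for example to redirect suspect hosts to a monitoring segment), which is the second option the text mentions. Note that match protocol http url only inspects URLs in plaintext HTTP; TLS-encrypted requests are not classified this way.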
Example 2:
This example shows how P2P traffic can be blocked with the help of NBAR.
class-map match-any OUTBOUND_TRAFFIC
 match protocol fasttrack
 match protocol gnutella
 match protocol kazaa2
 match protocol edonkey
 match protocol napster
 match protocol bittorrent
policy-map OUTBOUND
 class OUTBOUND_TRAFFIC
  drop
interface FastEthernet0/0
 ip address 1.1.1.1 255.255.255.252
 duplex auto
 speed auto
 service-policy output OUTBOUND
All P2P packets matching the class map are dropped as soon as they reach the outbound interface of the router.
Some verification commands:
To check a class map, use "sh class-map <class-map name>"
To check policy status, use "sh policy-map <policy-map name>"
To list the various NBAR show options:
R2#sh ip nbar ?
  filter                   Show current NBAR's filter criteria
  link-age                 Show protocol link age
  pdlm                     Show currently installed PDLMs (PDL modules)
  port-map                 Show StILE Protocol Port Map
  protocol-discovery       Show traffic classes and statistics
  resources                Show memory configuration for tracking Stateful sessions
  unclassified-port-stats  Show NBAR's port statistics for unclassified packets
  version                  Show currently installed PDL Module Version Info
Base Initial configuration:
Related Information:
Network Based Application Recognition Performance Analysis
Network-Based Application Recognition