02-18-2022 04:23 AM
Hi Guys
I'm a bit confused whether to use an ACL or NBAR for classification and marking, please clarify.
thanks
02-18-2022 04:53 AM
Hello @Ibrahim Jamil ,
>> I'm a bit confused whether to use an ACL or NBAR for classification and marking, please clarify.
Actually, you can use both, in different class-maps that are then invoked in a policy-map applied inbound on the edge router.
To be noted:
Use an extended ACL for all traffic with well-known ports, like TCP 25 (SMTP) or TCP 443 (HTTPS), on the server side.
Use NBAR with match protocol for all dynamic cases.
Use NBAR, for example, for fine tuning the web experience of employees, such as blocking access to social networks like Facebook during office hours or allowing it during lunch time.
On ISR routers you can use a regular expression to match a URI and to allow or disallow some types of traffic.
In modular QoS you can use NBAR to limit the usage of social networks for employees working on site, but most of the traffic comes from the Internet, so a complete solution would require a "mirror" configuration on the ISP router.
Hope to help
Giuseppe
02-18-2022 10:39 AM - edited 02-18-2022 10:39 AM
As @Giuseppe Larosa already describes, you can use either or both; it depends on what you're trying to match on.
BTW, NBAR is sometimes just a "pretty face" on an ACL; sometimes it does much deeper packet inspection. For example, an ACL ACE might match HTTP just by looking for TCP port 80, whereas NBAR might actually look at the packet's payload to see if it appears to have HTTP embedded within it.
Possible issues with NBAR: it might be slower or more resource intensive (because/when doing deep packet inspection) and/or might require an additional license (i.e. $$$).
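A worked Cisco IOS MQC configuration, added here as an example and not part of either reply, that puts the two answers together: an extended ACL feeds one class-map for the well-known server ports, NBAR `match protocol` classes cover the dynamic and payload-identified cases (RTP, HTTP on any port, an HTTP host pattern combined with a time-range ACL for the "allowed at lunch" case), and a single inbound policy-map marks or drops each class on the edge interface. All object names (KNOWN-PORTS, LUNCH-WINDOW, CM-*, PM-MARK-IN, GigabitEthernet0/0), the DSCP values, the lunch window and the "*facebook*" host pattern are assumptions chosen for illustration, not values from the thread; exact NBAR keyword syntax varies by IOS release and should be checked against the running image.

```cisco
! --- Time window in which social-network browsing is allowed (assumed) ---
time-range LUNCH
 periodic weekdays 12:00 to 13:00
!
! --- ACL-based classification for well-known server ports (first reply) ---
ip access-list extended KNOWN-PORTS
 permit tcp any any eq 25
 permit tcp any any eq 443
!
! ACL that only matches while the LUNCH time-range is active
ip access-list extended LUNCH-WINDOW
 permit ip any any time-range LUNCH
!
class-map match-any CM-KNOWN-PORTS
 match access-group name KNOWN-PORTS
!
! --- NBAR-based classification for dynamic / payload-identified traffic ---
! match protocol inspects the payload, so HTTP is matched even on a
! non-standard port (the second reply's point); a port-80 ACE would miss it.
class-map match-any CM-VOICE-RTP
 match protocol rtp
!
class-map match-any CM-WEB-NBAR
 match protocol http
!
! Social-network HTTP outside the lunch window: NBAR host match AND the
! time-range ACL is NOT active (match-all requires both conditions).
class-map match-all CM-SOCIAL-OFFHOURS
 match protocol http host "*facebook*"
 match not access-group name LUNCH-WINDOW
!
! --- One inbound policy-map on the edge interface; classes are evaluated
! top-down, so the more specific social-network class precedes CM-WEB-NBAR ---
policy-map PM-MARK-IN
 class CM-SOCIAL-OFFHOURS
  drop
 class CM-KNOWN-PORTS
  set dscp af21
 class CM-VOICE-RTP
  set dscp ef
 class CM-WEB-NBAR
  set dscp af11
 class class-default
  set dscp default
!
interface GigabitEthernet0/0
 description LAN-facing edge interface (assumed)
 service-policy input PM-MARK-IN
```

After applying it, `show policy-map interface GigabitEthernet0/0 input` shows per-class packet and byte counters, which is the quickest way to confirm that traffic lands in the class you expect (for instance, that HTTP on a non-standard port is hitting CM-WEB-NBAR rather than class-default). As the second reply notes, confirm first that your platform and license support the NBAR protocols you reference, and keep the ACL classes for anything a 5-tuple can identify so that payload inspection is only spent where it is needed.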
02-19-2022 03:59 AM
thanks Guys