Friday, January 15, 2010

NBAR (Network-based application recognition)

So I HAVE been studying every night this week, and have found myself putting off my blogging in order to play COD:MW2 :)  So I am going to try and write a couple of these out tonight.  First, NBAR!
 Cisco Link: NBAR!!!

NBAR gives your router the equivalent of an application-layer packet inspector: it looks past the IP and TCP/UDP headers and recognizes which application generated the traffic. It was originally conceived to let you apply quality of service more granularly to the applications that traverse the network. You can call out things such as http, gnutella, bittorrent, etc., and your router can recognize that traffic and classify it (and act on it) however you see fit. Here is a good example of an NBAR config:

lunde-edge(config)#class-map match-all MATCH_HTTP
lunde-edge(config-cmap)#match protocol http ? \\this is NBAR
  c-header-field  Client general Header Field
  host            Server Host Name
  mime            Match MIME Type
  s-header-field  Server general Header Field
  url             Match URL String \\you can match a url!

lunde-edge(config-cmap)#match protocol http
lunde-edge(config-cmap)#exit
lunde-edge(config)#policy-map MATCH_HTTP \\create your policy-map
lunde-edge(config-pmap)#class MATCH_HTTP \\bind your class to the policy
lunde-edge(config-pmap-c)#drop \\your **action**
lunde-edge(config-pmap-c)#exit
lunde-edge(config-pmap)#exit
lunde-edge(config)#int vlan1
lunde-edge(config-if)#service-policy input MATCH_HTTP \\apply your policy (input or output)

lunde-edge#show class-map \\display your class-map
 Class Map match-all MATCH_HTTP (id 2)
   Match protocol http

 Class Map match-any class-default (id 0)
   Match any

lunde-edge#show policy-map \\display your policy-map
  Policy Map MATCH_HTTP
    Class MATCH_HTTP
      drop


Different IOS images ship with different sets of recognized protocols, but Cisco releases PDLMs (Packet Description Language Modules) that you can load onto the router to add protocols or update application signatures. This is a pretty cool feature that, as you can see, can also double as a security measure, stopping unwanted traffic at the application level. I did not show it here (I simply dropped HTTP packets), but you can apply different IP precedence or DSCP markings to traffic that matches an NBAR match statement. Two caveats: NBAR needs CEF switching enabled (ip cef) before it will classify anything, and the http host/url/mime matches only see cleartext HTTP, so they cannot look inside HTTPS. Treat an NBAR drop as a complement to your access lists and firewall, not a replacement for them.
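As an added example (not from the original post), here is a fuller policy that combines the three things described above: dropping the peer-to-peer protocols named earlier, matching on a URL string, and marking web traffic with DSCP instead of dropping it. The class and policy names (P2P_APPS, WEB_EXE, WEB_BROWSING, EDGE_POLICY) and the choice of DSCP values are my own assumptions; the commands themselves are standard IOS MQC/NBAR syntax.

```cisco
! Added example, not from the original post. Class/policy names and DSCP
! values are assumptions; the commands are standard IOS MQC/NBAR syntax.
!
! NBAR will not classify anything unless CEF is on.
ip cef
!
! match-any: a packet belongs to this class if it is EITHER protocol.
class-map match-any P2P_APPS
 match protocol bittorrent
 match protocol gnutella
!
! match-all: must be HTTP AND the URL must match the wildcard string.
! Only cleartext HTTP is inspected; URLs inside HTTPS are invisible to NBAR.
class-map match-all WEB_EXE
 match protocol http url "*.exe"
!
class-map match-all WEB_BROWSING
 match protocol http
!
! Classes are evaluated top to bottom, so the more specific WEB_EXE
! class must come before the generic WEB_BROWSING class.
policy-map EDGE_POLICY
 class P2P_APPS
  drop
 class WEB_EXE
  drop
 class WEB_BROWSING
  set ip dscp af21
 class class-default
  set ip dscp default
!
interface Vlan1
 ip nbar protocol-discovery
 service-policy input EDGE_POLICY
!
! Verification from exec mode:
!   show policy-map interface Vlan1                  (per-class packet and drop counters)
!   show ip nbar protocol-discovery interface Vlan1  (what NBAR has recognized on the interface)
!   show ip nbar version                             (protocols and PDLMs loaded in this image)
```

The ip nbar protocol-discovery line is optional: it only turns on the per-protocol counters, which are handy for seeing what is actually on the wire before you decide what to drop or mark. Because the drop happens only once NBAR has recognized the flow, keep an access list or firewall in front of anything you truly must block.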

1 comment:

  1. great blog. Keep it up. COD/MW2 is hard to stop unless the lag gets u.
