Network Based Application Recognition (NBAR) is a Cisco IOS feature that can recognise applications. Traditionally routers look at traffic at layer 3, but with NBAR routers can see traffic at layers 4, 5, 6 and 7.

From what I gather online it looks like NBAR was released around 2005, in IOS 12.0.

I won't go too deep into how it recognises them, other than to say the router uses a sort of list, known as a Packet Description Language Module (PDLM), which is updated regularly by Cisco.

Now I hear you ask... how can I use and benefit from NBAR?

NETFLOW... you can use the command "ip nbar protocol-discovery" on an interface that you want to monitor NetFlow traffic on. With this enabled the router will report the flow information by application traffic type, i.e. telnet, SQL, HTTP etc. There is other configuration for NetFlow which is outside this conversation... perhaps that will be my next blog.

QOS... this is my favourite use for NBAR. With this you can write QoS policies based on traffic type, so for example if you want to give certain types of traffic a higher priority you would create a normal class-map just like this.

#class-map test
#match protocol xxxxxx

Then apply that to your policy map with whatever QoS settings you require.

#policy-map test
#class test
#priority percent 15

SECURITY... this is probably the most impressive use for NBAR. Although I have yet to implement it anywhere, it may suit your needs. What you can do is again create a class-map and policy-map which match your protocols; so for example, say we want to block all telnet traffic.

#class-map nbar-block
#match protocol telnet
!
#policy-map nbar-block-telnet
#class nbar-block
#set ip dscp 2

Next you apply the policy to your WAN interface

#int gig 0/0
#service-policy input nbar-block-telnet

This marks the matching traffic as it enters the router. Next you create an ACL to deny the marked traffic.

#access-list 101 deny ip any any dscp 2
#access-list 101 permit ip any any

Finally we apply this outbound on the LAN interface. Imagine your router is now a firewall (inbound and outbound): the traffic came in on the WAN side and leaves on the LAN side, so technically this is outbound from the router's point of view.

#int gig 0/1
#ip access-group 101 out
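Here is the telnet-blocking build-out from above pulled together as one complete config, with the show commands I would use to check it is actually matching. This is an added example, not config from the original post; the interface names, the ACL number and the DSCP value are assumptions for a lab.

```cisco
! Added example (not from the original post): NBAR classify -> mark -> ACL drop,
! end to end. Interface names, ACL 101 and DSCP 2 are lab assumptions.
!
! 1. Classify with NBAR. "match protocol" in an attached service policy turns
!    NBAR classification on for that interface; protocol-discovery is added
!    below only so the per-protocol counters are there for verification.
class-map match-any NBAR-BLOCK
 match protocol telnet
!
! 2. Mark the matched traffic. Pick a DSCP value nothing upstream legitimately
!    sets: anything that arrives already marked DSCP 2 will also be dropped
!    by the ACL, since the ACL cannot tell who set the mark.
policy-map NBAR-BLOCK-TELNET
 class NBAR-BLOCK
  set ip dscp 2
!
! 3. Deny the marked traffic. Named-ACL syntax with a number in the extended
!    range is equivalent to "access-list 101 ..." numbered lines.
ip access-list extended 101
 deny ip any any dscp 2
 permit ip any any
!
! 4. Attach: mark inbound on the WAN side, filter outbound on the LAN side.
interface GigabitEthernet0/0
 description WAN
 ip nbar protocol-discovery
 service-policy input NBAR-BLOCK-TELNET
!
interface GigabitEthernet0/1
 description LAN
 ip access-group 101 out
!
! 5. Verify from privileged EXEC (not config mode): class-map hit counters,
!    NBAR per-protocol counters, ACL match counts and the loaded PDLM version.
! show policy-map interface GigabitEthernet0/0
! show ip nbar protocol-discovery interface GigabitEthernet0/0
! show access-lists 101
! show ip nbar version
```

If the class-map counter climbs but the ACL deny line shows no matches, check that the ACL is applied on the interface the traffic actually leaves by, not the one it entered on.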

Set up some configs with NBAR in your lab and see how you could use it.

stay safe

RH
