In 2005, in an article about Cisco IOS 12.3, I wrote that Cisco's Network-Based Application Recognition (NBAR) was one of the best features of the IOS. Two years later, it still is. Let's look at what NBAR can do for you and find out how to configure it.
What is NBAR?
Cisco's NBAR is truly an amazing feature. Most routers just look at traffic at Layer 3; with NBAR, routers can also look at Layers 4 through 7. This means that a router can recognize applications. And once it can recognize the applications, it can then take some action to ensure that the application gets higher priority, drop packets from that application, or take some other action.
NBAR has been around since IOS 12.0, but it recognized only a small number of applications. With IOS 12.3 improvements, NBAR was able to recognize more applications because of the availability of the Packet Description Language Module (PDLM) feature.
The IOS uses PDLMs to know which application is what when it looks through the traffic flow. Cisco regularly releases new PDLMs for new applications, and you can find the list on the PDLM Web page (valid CCO login required).
How can you use NBAR?
While originally designed to recognize applications in order to provide quality of service, NBAR has a long list of uses. In my opinion, many of these uses revolve around controlling traffic for security purposes or just removing unwanted traffic from a network link. When it comes to identifying traffic, the most popular use is to identify fields in a HTTP packet, such as the URL, content type, or user agent.
For example, a classic example of using NBAR for security purposes was when NBAR recognized the fast-moving Code Red Worm that first circulated the Internet in 2001. While traditional firewalls weren't able to look inside the HTTP stream of data and block the Code Red traffic, NBAR was ideal for the situation. (For more information, check out "Using Network-Based Application Recognition and ACLs for Blocking the 'Code Red' Worm.")
In general, you can use NBAR to identify any application layer traffic for which it has a "definition." For an exact list of all supported protocols, see the Cisco IOS Documentation that lists the Cisco NBAR supported protocols.
Some words of caution: There are some things that NBAR cannot do. You can't use it on a tunnel or encrypted interface, and you can't use it to work with asymmetric traffic flows, understand URLs or other traffic in HTTPS traffic, work with non-CEF traffic, or identify fragmented traffic.
How do you configure Cisco IOS NBAR?
Keep in mind that in its simplest form NBAR is a traffic identification and marking system. What you do with the marked packets is up to you. For example, you could choose to drop them or choose to give them a higher quality of service.
Configuring and using NBAR to identify and block traffic is actually very easy. Let's walk through the steps.
Make sure that CEF is on using the following command:
Router(config)# ip cef
Create a class-map, identifying the traffic you want to block. Here's an example that would stop any HTTP or MIME e-mail that contains the Readme.exe program:
Router(config)#class-map match-any bad-traffic Router(config-cmap)# match protocol http url "*readme.exe*" Router(config-cmap)# match protocol http mime "*readme.exe*"
I want to stress here that HTTP is just one of the many applications that NBAR can identify. For list of NBAR applications recognized with IOS version 12.3, use the following commands:
Router(config)#class-map match-all nbar Router(config-cmap)#match pro ?
Create a policy to mark the traffic. Here's an example:
Router(config)# policy-map mark-bad-traffic Router(config-pmap)# class bad-traffic Router(config-pmap)# set ip dscp 1
Apply the policy to the interface that faces the Internet or the source of the traffic that you want to block. This marks the traffic when it enters the router. Here's an example:
Router(config)# interface serial 0/0 Router(config-if)#service-policy input mark-bad-traffic
Create an access control list (ACL) that denies the marked traffic. Here's an example:
Router(config)# access-list 190 deny ip any any dscp 1 Router(config)# access-list 190 permit ip any any
Deny the marked traffic as it's about to exit your router by applying the ACL to an interface. Here's an example:
Router(config)# interface GigabitEthernet 0/0 Router(config-if)# ip access-group 190 outWhen you've finished applying the configuration, you can check to see if the router marked and dropped any traffic that met this criteria. To do this, use the show access-lists command.
NBAR is a very powerful application-layer firewall that you may already have installed on your Cisco router. While traditional firewalls can only recognize traffic based on IOS Layers 3 or 4, Cisco's NBAR can go all the way to Layer 7.
Want to learn more about router and switch management? Automatically sign up for our free Cisco Routers and Switches newsletter, delivered each Friday!