Monday, October 31, 2011

notes: NBAR


Cisco offers multiple approaches to identify packets to mark. For example, packets can be classified and marked if they match a particular access list or if they come into a router on a particular interface. However, one of the most powerful Cisco IOS tools for performing packet classification is Network-Based Application Recognition (NBAR), which can look beyond Layer 4 information, all the way up to the application layer, where NBAR can recognize such packet attributes as character strings in a URL.

- NBAR is a classification engine that identifies traffic and protocols at the application level.
- NBAR looks into the TCP/UDP payload itself and classifies packets based on content within the payload, such as a transaction
identifier, message type, or other similar data.
- NBAR natively supports many predefined applications and protocols, which can be listed with "match protocol ?" in class-map configuration mode.
- A PDLM (Packet Description Language Module) is a file that extends the set of protocols NBAR can recognize.
- New PDLMs can be downloaded from Cisco.com and loaded from flash memory.
- NBAR protocol discovery can be used to track and provide statistics on which protocols transit an interface.
- "ip nbar port-map" changes the port/s NBAR associates with a well-known protocol, so that traffic on a non-standard port (for example HTTP on a proxy port) is still classified as that protocol.

 

- "match protocol http" explained:
> Using NBAR to match HTTP traffic provides 3 match criteria:
> Host - The hostname portion of the URL, between 'http://' and the first slash '/' (taken from the HTTP Host header)
> URL - The URL portion after the first slash '/'
> MIME type - The media type of the content returned by the server (the Content-Type)
> These only work on cleartext HTTP arriving on a port NBAR maps to http; HTTPS payload is encrypted and cannot be inspected this way.
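Added example of the three HTTP match criteria in use (not from the original notes): each class matches on host, URL or MIME type and is then marked with a DSCP value by a policy applied inbound. The hostnames, URL patterns and interface name are illustrative assumptions.

```cisco
! Added example, not part of the original notes. Host/URL/MIME strings and
! the interface name are assumptions; '*' is the NBAR wildcard.
!
! Match software downloads from one hostname or by file extension
class-map match-any HTTP-DOWNLOADS
 match protocol http host *.updates.example.com*
 match protocol http url *.exe
 match protocol http url *.msi
!
! Match streaming video by the Content-Type the server returns
class-map match-all HTTP-VIDEO
 match protocol http mime video/*
!
! Mark each class; everything else keeps default DSCP
policy-map MARK-HTTP
 class HTTP-DOWNLOADS
  set ip dscp af11
 class HTTP-VIDEO
  set ip dscp af31
 class class-default
  set ip dscp default
!
! Apply on the interface where the client requests enter the router
interface FastEthernet0/0
 service-policy input MARK-HTTP
```

Use "show policy-map interface FastEthernet0/0" to confirm packets are landing in the expected class; a class that never increments usually means the traffic is on a port NBAR does not map to http, or is HTTPS.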

-----------
COMMANDS
-----------

- Shows the default NBAR port mappings for applications

sh ip nbar port-map

- Shows the version of the loaded PDLMs

sh ip nbar version

- Shows traffic classes and statistics NBAR discovered

sh ip nbar protocol-discovery

- Matches NBAR applications in a class-map

class-map {name}
match protocol {protocol}

- Loads an additional PDLM from the given location (e.g. flash)

ip nbar pdlm {location, e.g. flash://name.pdlm}

- Maps port/s to a protocol NBAR already knows (built-in or custom); the list given replaces the default port list for that protocol

ip nbar port-map {protocol-name} {tcp|udp} {port|range}

- Enables NBAR protocol discovery

interface s0/0
ip nbar protocol-discovery
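Added example tying the commands above together (not from the original notes): protocol discovery is enabled on the LAN interface to see what is actually transiting it, HTTP on a proxy port is remapped so NBAR still recognises it, and a policy drops peer-to-peer traffic NBAR identifies. The interface names, port numbers and protocol choices are assumptions.

```cisco
! Added example, not part of the original notes. Interface names, the 8080
! proxy port and the chosen P2P protocol names are assumptions.
!
! Re-map HTTP so both the standard port and the proxy port are classified as
! http. Port 80 must be listed too, because this list replaces the default.
ip nbar port-map http tcp 80 8080
!
! Classify P2P traffic NBAR identifies by payload, regardless of port
class-map match-any P2P
 match protocol bittorrent
 match protocol gnutella
 match protocol edonkey
!
! Drop it; the remaining traffic passes untouched
policy-map BLOCK-P2P
 class P2P
  drop
!
interface FastEthernet0/0
 description LAN
 ip nbar protocol-discovery
 service-policy input BLOCK-P2P
```

Verify with "show ip nbar port-map http" (should list tcp 80 and 8080), "show ip nbar protocol-discovery interface FastEthernet0/0" for per-protocol counters, and "show policy-map interface FastEthernet0/0" for the drop count. Protocol discovery and payload matching both cost CPU, so check "show processes cpu" after enabling them on a busy interface.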
