Cisco offers multiple approaches to identify packets to mark. For example, packets can be classified and marked if they match a particular access list or if they come into a router on a particular interface. However, one of the most powerful Cisco IOS tools for performing packet classification is Network-Based Application Recognition (NBAR), which can look beyond Layer 4 information, all the way up to the application layer, where NBAR can recognize such packet attributes as character strings in a URL.
- NBAR is a classification engine that can identify traffic/protocols at an application level.
- NBAR looks into the TCP/UDP payload itself and classifies packets based on content within the payload, such as a transaction identifier, message type, or other similar data.
- NBAR natively supports many predefined application/protocols, which can be seen with "match protocol ?"
- A PDLM (Packet Description Language Module) is a file that extends the set of protocols NBAR can recognize without an IOS upgrade.
- New PDLMs can be downloaded from Cisco.com and can be loaded from flash memory.
- NBAR protocol discovery can be used to track and provide per-protocol statistics on the traffic that transits an interface.
- Custom port mappings let NBAR associate a protocol with additional or non-standard ports (for example a web server on tcp/8080) with "ip nbar port-map".
- "match protocol http" explained:
> Using NBAR to match HTTP traffic provides 3 additional match criteria (all of them need cleartext HTTP, since NBAR must read the payload):
> Domain Hostname ("match protocol http host") - The host portion of the URL, between 'http://' and the first slash '/'
> URL-entry ("match protocol http url") - The URL portion after the first slash '/'
> Mime type ("match protocol http mime") - The media content type of the response, e.g. image/jpeg
-----------
COMMANDS
-----------
- Shows the version of the loaded PDLMs
sh ip nbar version
- Shows the current protocol-to-port mappings
sh ip nbar port-map
- Shows traffic classes and statistics NBAR discovered
sh ip nbar protocol-discovery
- Matches NBAR applications in a class-map
class-map {name}
 match protocol {protocol}
- Loads a PDLM (for example from flash memory)
ip nbar pdlm {location:filename}
- Maps port/s (including non-standard ones) to an NBAR protocol; the list replaces the default ports, so include the well-known port too
ip nbar port-map {protocol} {tcp|udp} {port/s}
- Enables NBAR protocol discovery
interface s0/0
 ip nbar protocol-discovery
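The following is an added, worked IOS configuration (not from the original post) that ties the commands above together: protocol discovery on the WAN interface, a port-map so that a web server on tcp/8080 is still classified as http, class-maps using the three HTTP match criteria (host, url, mime), and a policy-map that marks each class with a DSCP value. Interface names, the hostname "intranet.example.com" and the DSCP values are assumptions chosen for the example.

```cisco
! Added example - assumed interfaces, hostnames and DSCP values
!
! 1. Track which protocols transit the WAN link (read back with
!    "show ip nbar protocol-discovery interface Serial0/0")
interface Serial0/0
 ip nbar protocol-discovery
!
! 2. Classify tcp/8080 as http as well. The list replaces the default,
!    so the well-known port 80 must be repeated here.
ip nbar port-map http tcp 80 8080
!
! 3. Classify cleartext HTTP on the three NBAR sub-criteria.
!    Wildcards: * matches any string, ? a single character.
class-map match-all INTRANET-WEB
 match protocol http host "*intranet.example.com*"
!
class-map match-all WEB-IMAGES
 match protocol http mime "image/*"
!
class-map match-all BULK-DOWNLOADS
 match protocol http url "*.iso*"
!
! 4. Mark each class so that downstream devices can queue on DSCP
!    instead of re-classifying. Everything else is reset to default,
!    so hosts cannot pre-mark their own traffic into a preferred class.
policy-map MARK-WEB
 class INTRANET-WEB
  set dscp af21
 class WEB-IMAGES
  set dscp af11
 class BULK-DOWNLOADS
  set dscp cs1
 class class-default
  set dscp default
!
! 5. Apply on ingress from the LAN, where the cleartext payload is seen.
interface FastEthernet0/0
 service-policy input MARK-WEB
!
! Verification
! show ip nbar port-map http
! show ip nbar protocol-discovery interface Serial0/0
! show policy-map interface FastEthernet0/0
```

Two caveats a practitioner should keep in mind: the host and url criteria are matched on client-supplied header fields, so they are a traffic-engineering classifier, not an access-control boundary; and none of the three criteria fire on HTTPS, because NBAR cannot read the encrypted payload. The "show policy-map interface" counters are the quickest way to confirm that packets are actually landing in the intended classes rather than falling through to class-default.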