Configuring Cisco Network-Based Application Recognition (NBAR)

Hi everyone, today I am going to do a lab configuration for Cisco Network-Based Application Recognition (NBAR). NBAR recognizes the protocols and applications running on your network, and based on that classification you decide what to do with the traffic. NBAR is configured through the Modular Quality of Service (QoS) Command-Line Interface (MQC), which lets you match/classify traffic (class-map), attach an action to that class (policy-map), and finally apply the policy to an interface (service-policy). For more detail about NBAR, see Cisco's official website, in particular the frequently asked questions for NBAR2 (Next Generation NBAR) and the official configuration guide.

[Topology diagram: nbar-2]

Above is the topology for this lab. Let us start with a very simple scenario, just to show how NBAR works and what the basic configuration looks like. After that, you can build a scenario that meets your own needs.

Goals:
1. Block YouTube and Netflix from VLAN 60
2. Block Facebook and Twitter from VLAN 50
3. Block BitTorrent from both VLAN 60 and VLAN 50

For testing I am going to use Windows 10, so we can install third-party applications such as a YouTube client from the Windows Store. We will see whether NBAR blocks those applications; if not, we will use NBAR classification auto-learn to find out how to classify them.


Configurations

######################## core-sw ######################
! Create the Layer 2 VLANs
vlan 50 
 name DATA_Flr1_Acctg
vlan 60
 name DATA_Flr2_HR
vlan 80
 name DATA_Flr4_Sales
! Then assign each access port to its VLAN
int e1/1
 switchport mode access
 switchport access vlan 50
!
int e1/2
 switchport mode access
 switchport access vlan 60
!
int e1/3
 switchport mode access
 switchport access vlan 80
!
int e0/0
 description -> NBAR_rtr1
 ! Convert the L2 switch port to a routed port
 no switchport
 ip add 192.168.200.1 255.255.255.0
!
! Create Switch Virtual Interface (SVI) for VLANs. This
! will be our default gateway for specific VLAN
int vlan 50
 ip add 192.168.50.1 255.255.255.0
!
int vlan 60
 ip add 192.168.60.1 255.255.255.0
!
int vlan 80
 ip add 192.168.80.1 255.255.255.0
!
! Routing configuration: advertise the VLAN networks
! to NBAR_rtr1
router eigrp 1
 no auto-summary
 network 192.168.50.1 0.0.0.0
 network 192.168.60.1 0.0.0.0
 network 192.168.80.1 0.0.0.0
 network 192.168.200.1 0.0.0.0
 exit
! DHCP server for the VLANs, for automatic IP address
! assignment to the PCs in each VLAN.
ip dhcp excluded-address 192.168.50.1 192.168.50.9
ip dhcp excluded-address 192.168.60.1 192.168.60.9
ip dhcp excluded-address 192.168.80.1 192.168.80.9
!
ip dhcp pool DATA_Flr1_Acctg
 network 192.168.50.0 /24
 default-router 192.168.50.1
 dns-server 8.8.8.8
!
ip dhcp pool DATA_Flr2_HR
 network 192.168.60.0 /24
 default-router 192.168.60.1
 dns-server 8.8.8.8
!
ip dhcp pool DATA_Flr4_Sales
 network 192.168.80.0 /24
 default-router 192.168.80.1
 dns-server 8.8.8.8
 exit
!
######################## NBAR_rtr1 ######################
int e0/0
 description -> core-sw
 ip add 192.168.200.2 255.255.255.0
 ip nat inside
!
int e1/0
 description -> ISP
 ip address 192.168.91.3 255.255.255.0
 ip nbar protocol-discovery
 ip nat outside
!
router eigrp 1
 network 192.168.200.2 0.0.0.0
 redistribute static
!
ip nat inside source list access_nat interface Ethernet1/0 overload
!
ip route 0.0.0.0 0.0.0.0 192.168.91.2
!
! Access-lists used in the NBAR class-maps (standard ACLs,
! so they match on the source address of the VLAN hosts)
ip access-list standard access_acctg
 permit 192.168.50.0 0.0.0.255
!
ip access-list standard access_hr
 permit 192.168.60.0 0.0.0.255
!
ip access-list standard access_sales
 permit 192.168.80.0 0.0.0.255
!
ip access-list standard access_acctg_hr
 permit 192.168.50.0 0.0.0.255
 permit 192.168.60.0 0.0.0.255
! Access-list used for NAT
ip access-list standard access_nat
 permit 192.168.50.0 0.0.0.255
 permit 192.168.60.0 0.0.0.255
 permit 192.168.80.0 0.0.0.255
!
! Create NBAR2 custom attributes.
! First create an application-group, here named custom_video_stream
ip nbar attribute application-group custom custom_video_stream
! Then create an attribute profile (attribute-map), here named you-net,
! and map the application-group created in the previous step to it
ip nbar attribute-map you-net
 attribute application-group custom custom_video_stream
 exit
! Finally, assign the protocols/applications of your choice to the
! attribute profile you created
ip nbar attribute-set youtube you-net
ip nbar attribute-set netflix you-net
!
ip nbar attribute application-group custom custom_social_network
ip nbar attribute-map face-twit
 attribute application-group custom custom_social_network
 exit
ip nbar attribute-set facebook face-twit
ip nbar attribute-set twitter face-twit
!
! MQC configuration for NBAR
! First create the class-maps and classify the traffic with "match".
! In a match-all class-map every match statement must be true for
! the class to match.
!
! Goal 1: video streaming from VLAN 60 (HR)
class-map match-all c-hr-youtube-netflix
 match protocol attribute application-group custom_video_stream
 ! This refers to the access-list named access_hr created above
 match access-group name access_hr
!
! Goal 2: social networking from VLAN 50 (Acctg)
class-map match-all c-acctg-facebook-twitter
 match protocol attribute application-group custom_social_network
 match access-group name access_acctg
!
! Goal 3: BitTorrent from VLAN 50 and VLAN 60.
! bittorrent-group is a built-in application-group in NBAR2.
class-map match-all c-acctg-hr-torrent
 match protocol attribute application-group bittorrent-group
 match access-group name access_acctg_hr
!
! Nested class-map (match-any) that includes the three class-maps
! defined above
class-map match-any drop-traffic
 match class-map c-acctg-hr-torrent
 match class-map c-hr-youtube-netflix
 match class-map c-acctg-facebook-twitter
!
! Next, create a policy-map, reference the class-map, and set the
! action to enforce. Here we drop BitTorrent, YouTube, Netflix,
! Facebook and Twitter. Anything that matches none of the classes
! falls into class-default, which has no action, so it is forwarded.
policy-map p-internet
 class drop-traffic
  drop
!
! Lastly, apply the policy-map to the interface with "service-policy".
! It is applied inbound on the LAN-facing interface, so it classifies
! the VLAN hosts' traffic before NAT rewrites the source addresses,
! which is why the access-lists above use the private VLAN ranges.
int e0/0
 service-policy input p-internet
!
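Before applying a policy like the one above, it is worth checking that the class-map logic drops exactly what the three goals require and nothing else. The Python below is an added example written for this page (not part of the original post and not a Cisco tool): it models how MQC evaluates match-all and match-any class-maps, using the lab's ACLs, custom application-groups and class-map names. The flows are constructed test data, and the membership of the built-in bittorrent-group is an assumption to confirm with `show ip nbar attribute application-group bittorrent-group` on the router.

```python
"""Offline model of the lab's MQC classification (example code for this
page, not a Cisco tool). Evaluates which (source, application) pairs the
p-internet policy drops."""
import ipaddress

# Standard ACLs from NBAR_rtr1 (permit entries; everything else is denied).
ACLS = {
    "access_acctg": ["192.168.50.0/24"],
    "access_hr": ["192.168.60.0/24"],
    "access_acctg_hr": ["192.168.50.0/24", "192.168.60.0/24"],
}

# Application-group membership: the two custom groups built with
# "ip nbar attribute-set", plus the built-in bittorrent-group
# (its members are an assumption; check the router's protocol pack).
APP_GROUPS = {
    "custom_video_stream": {"youtube", "netflix", "hyperyoutube"},
    "custom_social_network": {"facebook", "twitter"},
    "bittorrent-group": {"bittorrent", "bittorrent-networking"},
}

# class-map definitions: name -> (mode, list of (match kind, argument)).
CLASS_MAPS = {
    "c-hr-youtube-netflix": ("match-all", [
        ("app-group", "custom_video_stream"), ("acl", "access_hr")]),
    "c-acctg-facebook-twitter": ("match-all", [
        ("app-group", "custom_social_network"), ("acl", "access_acctg")]),
    "c-acctg-hr-torrent": ("match-all", [
        ("app-group", "bittorrent-group"), ("acl", "access_acctg_hr")]),
    "drop-traffic": ("match-any", [
        ("class-map", "c-acctg-hr-torrent"),
        ("class-map", "c-hr-youtube-netflix"),
        ("class-map", "c-acctg-facebook-twitter")]),
}


def acl_permits(acl_name, src_ip):
    """Standard ACL: permit if the source address falls in any permit entry."""
    src = ipaddress.ip_address(src_ip)
    return any(src in ipaddress.ip_network(net) for net in ACLS[acl_name])


def class_matches(name, flow):
    """match-all needs every term to be true; match-any needs at least one."""
    mode, terms = CLASS_MAPS[name]
    results = []
    for kind, arg in terms:
        if kind == "acl":
            results.append(acl_permits(arg, flow["src"]))
        elif kind == "app-group":
            results.append(flow["app"] in APP_GROUPS[arg])
        else:  # nested "match class-map"
            results.append(class_matches(arg, flow))
    return all(results) if mode == "match-all" else any(results)


def policy_action(flow):
    """p-internet: class drop-traffic drops; anything else reaches
    class-default, which has no action and therefore forwards."""
    return "drop" if class_matches("drop-traffic", flow) else "forward"


# Constructed flows: source host and the application NBAR reported for it.
FLOWS = [
    {"src": "192.168.60.25", "app": "youtube"},       # HR, goal 1
    {"src": "192.168.60.25", "app": "hyperyoutube"},  # HR, custom app
    {"src": "192.168.60.25", "app": "facebook"},      # HR, outside goal 2
    {"src": "192.168.50.25", "app": "twitter"},       # Acctg, goal 2
    {"src": "192.168.50.25", "app": "netflix"},       # Acctg, outside goal 1
    {"src": "192.168.50.25", "app": "bittorrent"},    # Acctg, goal 3
    {"src": "192.168.80.25", "app": "bittorrent"},    # Sales, outside all goals
    {"src": "192.168.60.25", "app": "unknown"},       # HR, NBAR could not classify
]


def evaluate(flows=FLOWS):
    """Return {(src, app): action} for every flow."""
    return {(f["src"], f["app"]): policy_action(f) for f in flows}


if __name__ == "__main__":
    for (src, app), action in evaluate().items():
        print(f"{src:15} {app:14} -> {action}")
```

Two things the output makes obvious: Sales (VLAN 80) can still run BitTorrent because no goal covers it, and an application NBAR cannot name ("unknown") is always forwarded. On the real router that second case also covers the first packets of every flow, since NBAR needs to see some of a flow before it can classify it. The policy is default-allow; it is an application control, not a security boundary.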

During testing I installed a third-party YouTube app, Hyper for YouTube, from the Windows Store, and NBAR did not recognize it as the YouTube application even though it uses YouTube services. I used NBAR classification auto-learn to find out what application type it is and which server it talks to, and learned that NBAR sees it as a generic SSL application with a TLS Server Name Indication (SNI) of hyperyoutube.azure-mobile.net

With that, you can create a custom application named hyperyoutube and assign it to the you-net attribute profile created in the earlier steps. The string given to unique-name is matched against the SNI that auto-learn reported, so it has to correspond to that name; if it does not, the traffic stays classified as generic ssl and falls through to class-default. Keep in mind that this classification keys on the plaintext SNI in the TLS ClientHello: traffic that carries no SNI, or reaches the service over a path NBAR does not classify (a VPN, for example), is not matched and is forwarded.

! Enable auto-learn so NBAR records the top destination hosts it sees
ip nbar classification auto-learn top-hosts
!
! Then use the show command below to display what auto-learn
! has collected (the top 10 hosts)
show ip nbar classification auto-learn top-hosts 10
!
! The command below creates a custom application named hyperyoutube,
! classified on the SSL/TLS Server Name Indication
ip nbar custom hyperyoutube ssl unique-name "hyperforyoutube.azure-mobile"
! The command below adds the hyperyoutube application to the
! you-net attribute profile, so the existing class-map for
! custom_video_stream picks it up without any further change
ip nbar attribute-set hyperyoutube you-net
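The custom application above is recognized from the Server Name Indication in the TLS ClientHello, so it helps to see exactly what a classifier has to parse to get that name. The Python below is an added example (not part of the original post and not Cisco's code): it builds a minimal ClientHello, extracts the SNI, and applies a unique-name pattern to it the way the custom application would. The ClientHello bytes are constructed here, not captured from Hyper for YouTube; the hostname is the one the post reports from auto-learn, and treating the unique-name argument as a regular expression is an assumption about the IOS command.

```python
"""Extract the TLS SNI from a ClientHello and apply an NBAR-style
unique-name pattern to it (example code for this page, not Cisco's)."""
import re
import struct

SNI_EXTENSION_TYPE = 0x0000   # server_name extension (RFC 6066)
SNI_HOST_NAME = 0             # name_type host_name


def build_client_hello(server_name=None):
    """Build a minimal TLS 1.2 ClientHello record (constructed test input,
    not captured traffic). server_name=None omits the SNI extension."""
    body = b"\x03\x03" + bytes(32)                 # client_version + random
    body += b"\x00"                                # empty session_id
    body += struct.pack("!H", 2) + b"\x13\x01"     # one cipher suite
    body += b"\x01\x00"                            # null compression only
    extensions = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = struct.pack("!BH", SNI_HOST_NAME, len(name)) + name
        sni_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", SNI_EXTENSION_TYPE, len(sni_list)) + sni_list
    # an unrelated extension (extended_master_secret) so the parser must walk the list
    extensions += struct.pack("!HH", 0x0017, 0)
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name carried in the SNI extension of a ClientHello
    record, or None if it is not a ClientHello, is truncated, or has no SNI."""
    try:
        if record[0] != 0x16:                                  # not a handshake record
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:                                      # not a ClientHello
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        pos = 2 + 32                                           # skip version + random
        pos += 1 + body[pos]                                   # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                                   # compression_methods
        if pos + 2 > len(body):
            return None                                        # no extensions block
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type != SNI_EXTENSION_TYPE:
                continue
            list_end = 2 + struct.unpack("!H", data[0:2])[0]
            lpos = 2
            while lpos + 3 <= list_end:
                name_type, name_len = struct.unpack("!BH", data[lpos:lpos + 3])
                name = data[lpos + 3:lpos + 3 + name_len]
                lpos += 3 + name_len
                if name_type == SNI_HOST_NAME:
                    return name.decode("ascii", "replace")
    except (IndexError, struct.error):
        return None                                            # truncated or malformed
    return None


def nbar_custom_ssl_match(unique_name, record):
    """Mimic 'ip nbar custom <app> ssl unique-name <pattern>': the pattern is
    treated as a regular expression searched in the SNI (an assumption)."""
    sni = extract_sni(record)
    return sni is not None and re.search(unique_name, sni) is not None


if __name__ == "__main__":
    hello = build_client_hello("hyperyoutube.azure-mobile.net")
    print("SNI:", extract_sni(hello))
    for pattern in (r"hyperyoutube\.azure-mobile", "hyperforyoutube.azure-mobile"):
        print(f"{pattern!r} matches: {nbar_custom_ssl_match(pattern, hello)}")
    print("no SNI:", extract_sni(build_client_hello(None)))
```

Running it with the two strings that appear in this post shows the check a practitioner should do before trusting the custom application: a unique-name pattern that does not match the SNI auto-learn reported never classifies anything, and a ClientHello that carries no SNI yields None, so that traffic is never matched by the class-map and is forwarded by class-default.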

Verification commands (with the lab's names as examples):

show policy-map interface Ethernet0/0
show class-map
show policy-map
show ip nbar protocol-discovery
show ip nbar attribute-map you-net
show ip nbar attribute application-group custom_video_stream

With this, you can build a scenario specific to your needs. If you need to ask something, don't hesitate to leave a comment or email me; I am happy to answer any questions related to the topic.

Thanks for stopping by.
