How does NBAR actually classify traffic flows?
I still love Cisco. My one true love. It hurts with you :)
Anyway, let's start with Layer 7 traffic filtering on a Cisco router. The NBAR protocol classification feature has long supported enhanced HTTP URL matching. However, the Cisco documentation site has never provided a detailed description of the pattern language used for URL matching, nor has it explained how the engine matches client/server data streams. In this post I will give an overview of how NBAR works with URL filtering.
When you apply a policy-map that contains a class with a “match protocol” statement, the system starts the NBAR classification engine on the interface. Any packet, be it ingress or egress, passes through the NBAR inspection engine provided that it passes the basic filters, such as matching the port number assigned to the protocol. You can change the port map using the global command ip nbar port-map [protocol].
When the engine sees a TCP SYN packet for a matching session, it starts its internal state machine and tries to parse the packet flow. Every new packet in the flow (in either direction) is inspected. Note that NBAR does not classify a flow instantly: it may take some packet exchange before the engine determines that the flow matches the specified criteria. As soon as there is enough information about the flow to classify it, the engine “tags” the bi-directional flow with the corresponding class value and reports this decision to the policy-map. Note that this classification applies in both directions – that is, to packets belonging to the flow whether they are heading ingress or egress.
Consider the example below. In this scenario, Fa0/0 is the outside interface, facing the internet. User’s traffic flows out of this interface.
class-map match-all TEST
 match protocol http url "*.(t?xt|ocx|ex[ea])"
!
policy-map TEST
 class TEST
  drop
!
interface FastEthernet0/0
 ip address 1.1.1.1 255.255.255.30
 service-policy input TEST
However, as soon as a user opens a URL matching the class-map specification, the engine classifies the flow as matching the class “TEST”. After this, all returning packets (server to client) for this flow are dropped by the policy map.
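To see which request paths the class-map pattern above actually catches, here is an added example (not from the original post or from Cisco) that translates the NBAR URL wildcard language into a Python regex and runs it over a few constructed paths. It assumes the documented wildcard rules (`*` any run of characters, `?` exactly one character, `|`, `( )` and `[ ]` as alternation, grouping and character range), that the pattern must cover the whole URL path, and that matching is case-sensitive; the last two are assumptions, not something the post states.

```python
import re

# NBAR URL wildcard language, as this post and Cisco's "match protocol http url"
# documentation describe it:
#   *  any run of characters        ?  exactly one character
#   |  alternation   ( ) grouping   [ ] character range
# Assumptions (not stated on the page): the pattern must cover the whole
# URL path (fullmatch), and matching is case-sensitive.

PATTERN = "*.(t?xt|ocx|ex[ea])"   # the class-map TEST pattern from the post


def nbar_url_to_regex(pattern: str) -> re.Pattern:
    """Compile an NBAR URL wildcard pattern into an equivalent Python regex."""
    out = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "*":
            out.append(".*")
        elif ch == "?":
            out.append(".")
        elif ch == "[":
            # copy a bracket range verbatim up to its closing ']'
            end = pattern.index("]", i)
            out.append(pattern[i:end + 1])
            i = end
        elif ch in "()|":
            out.append(ch)
        else:
            out.append(re.escape(ch))   # '.' and other metacharacters are literals
        i += 1
    return re.compile("".join(out))


def matches(pattern: str, url_path: str) -> bool:
    """True if the URL path would be classified by the given NBAR pattern."""
    return nbar_url_to_regex(pattern).fullmatch(url_path) is not None


def classify(pattern: str, url_paths: list) -> dict:
    """Map each path to whether the class-map would match (and the policy drop) it."""
    return {p: matches(pattern, p) for p in url_paths}


SAMPLE_PATHS = [                    # constructed sample request paths
    "/downloads/setup.exe",
    "/tools/helper.ocx",
    "/notes/readme.text",
    "/notes/readme.txt",            # '?' needs one character: 'txt' is too short
    "/images/logo.gif",
]

if __name__ == "__main__":
    for path, hit in classify(PATTERN, SAMPLE_PATHS).items():
        print(f"{'DROP' if hit else 'pass'}  {path}")
```

Note that under the single-character reading of `?`, `readme.text` matches but `readme.txt` does not; check the pattern against real request paths before relying on it.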