May 08

Hi Brian,

Can we use NBAR on the gateway router to prevent internal users from watching video streams from any video web site (like Youtube.com)?

Ahmed

Hi Ahmed,

Yes, NBAR can be used to apply application-based filters such as blocking youtube.com traffic. To accomplish this we first create a class-map that categorizes traffic based on the HTTP hostname. Next we create a policy-map that matches the YOUTUBE class and drops the traffic. Lastly the policy is applied outbound on the Internet-facing interface. Syntax-wise this would read:

R1#
class-map match-all YOUTUBE
 match protocol http host "*youtube.com*"
!
policy-map DROP_YOUTUBE
 class YOUTUBE
  drop
!
interface FastEthernet0/0
 description TO INTERNET
 service-policy output DROP_YOUTUBE

NBAR for HTTP can also be used to match based on URL string or IANA MIME type. For more information see:

Network-Based Application Recognition and Distributed Network-Based Application Recognition

About Brian McGahan, CCIE #8593, CCDE #2013::13:

Brian McGahan was one of the youngest engineers in the world to obtain the CCIE, having achieved his first CCIE in Routing & Switching at the age of 20 in 2002. Brian has been teaching and developing CCIE training courses for over 10 years, and has assisted thousands of engineers in obtaining their CCIE certification. When not teaching or developing new products Brian consults with large ISPs and enterprise customers in the midwest region of the United States.


12 Responses to “Using NBAR for Application Filtering”

  1. Gian Paolo says:

    Hi,
    I’ve tried this configuration but if I ping the website and cut&paste the address into the browser I can surf youtube well (tested on a C871 with c870-advipservicesk9-mz.124-15.T5.bin).

    So it’s a good solution for not-so-clever users only, I suppose.

  2. Dwayne says:

    Brian,
    Although I don’t see any real-world use for this, could you match an NBAR HTTP HOST/URL inbound on an interface in your example? So could the service policy be
    service policy INOUT drop_yourself.
    Thanks

  3. Osama says:

    I have used your code:
    class-map match-all YOUTUBE
     match protocol http host "*youtube.com*"
    !
    policy-map DROP_YOUTUBE
     class YOUTUBE
      drop
    !
    interface FastEthernet0/0
     description TO INTERNET
     service-policy output DROP_YOUTUBE

    but it is not working!?
    Is that because I’m using an upstream proxy at the ISP on port 8080?

    If yes, then how do I cover this issue?

  4. Dayo says:

    You can make the class map more elaborate by not using just NBAR. You could:

    1. First use the "class-map match-any UTUBE" statement, which, as the name implies, matches any of the statements under the class map.
    2. Create an access-list that gives you more options in classifying the packets, such as
    access-list 176 permit tcp any host X.X.X.X eq 8080
    access-list 176 permit tcp any host X.X.X.X eq www

    3. Set up more match statements to ensure that all instances of traffic for youtube will be properly managed depending on your policy, e.g.
    class-map match-any UTUBE
     match protocol http host "youtube.com"
     match access-group 176

    This is just one way; there may be others, even with just using NBAR.

    Thanks

  5. Whenever you change port numbers like that NBAR may not know what to look for. Fortunately, there’s a solution for you! :)

    ip nbar port-map (protocol name) [tcp|udp] (port#)

    So you would add 8080 to the list for the protocol named “http” and you’ll start seeing matches.

    Look at “show ip nbar port-map” if you are interested in what the default listing of ports happens to be!

    HTH,

    Scott
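
    Brian's class-map keys on the HTTP Host header, and, as Scott notes, NBAR only runs its HTTP parser on the ports listed in its port-map; the results Gian Paolo and Osama reported follow from those two facts. The Python below is an added example, not code from the post or from Cisco. It is a simplified model of that classification decision (assumed: a glob-style "*youtube.com*" match on the Host header, TCP 80 as the only default HTTP port, and constructed sample flows rather than real captures) that shows which flows the DROP_YOUTUBE policy catches before and after the port-map is extended with 8080.

```python
import fnmatch

# Assumption: NBAR treats TCP 80 as HTTP by default; "ip nbar port-map http tcp 80 8080"
# would extend this set. This is a constructed model, not Cisco's implementation.
DEFAULT_HTTP_PORTS = frozenset({80})


def parse_http_request(payload: bytes):
    """Return (method, target, headers) for a plaintext HTTP/1.x request, or None."""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return None
    head = text.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers


def host_matches(host_header: str, pattern: str) -> bool:
    """Glob match of the Host header (port suffix stripped) against an NBAR-style pattern.
    Note that a pattern with '*' on both ends matches any host that merely contains the
    substring, e.g. "youtube.company.example" also matches "*youtube.com*"."""
    hostname = host_header.rsplit(":", 1)[0].strip().lower()  # "youtube.com:8080" -> "youtube.com"
    return fnmatch.fnmatchcase(hostname, pattern.lower())


def classify(flow: dict, http_ports=DEFAULT_HTTP_PORTS, pattern: str = "*youtube.com*") -> str:
    """Model of the DROP_YOUTUBE policy: 'drop' if NBAR would classify the flow as HTTP
    with a matching Host header, otherwise 'permit'."""
    # Step 1: NBAR only runs the HTTP parser on ports it believes carry HTTP.
    if flow["proto"] != "tcp" or flow["dst_port"] not in http_ports:
        return "permit"
    # Step 2: the payload must parse as a plaintext HTTP request (TLS never will).
    request = parse_http_request(flow["payload"])
    if request is None:
        return "permit"
    # Step 3: the class-map matches on the Host header only, not on the destination IP.
    host = request[2].get("host", "")
    return "drop" if host_matches(host, pattern) else "permit"


# Constructed sample flows (not captures from the original post).
SAMPLE_FLOWS = [
    {"name": "direct by hostname", "proto": "tcp", "dst_port": 80,
     "payload": b"GET /watch?v=abc HTTP/1.1\r\nHost: www.youtube.com\r\n\r\n"},
    {"name": "via ISP proxy on 8080", "proto": "tcp", "dst_port": 8080,
     "payload": b"GET http://www.youtube.com/ HTTP/1.1\r\nHost: www.youtube.com\r\n\r\n"},
    {"name": "by IP literal", "proto": "tcp", "dst_port": 80,
     "payload": b"GET / HTTP/1.1\r\nHost: 203.0.113.10\r\n\r\n"},  # documentation address
    {"name": "unrelated site", "proto": "tcp", "dst_port": 80,
     "payload": b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"},
    {"name": "https on 443", "proto": "tcp", "dst_port": 443,
     "payload": b"\x16\x03\x01\x00\x2a\x01\x00\x00\x26\x03\x03"},  # TLS record prefix, no Host visible
]


def evaluate(http_ports=DEFAULT_HTTP_PORTS) -> dict:
    """Map each sample flow name to the policy verdict for a given port-map."""
    return {f["name"]: classify(f, http_ports) for f in SAMPLE_FLOWS}


if __name__ == "__main__":
    for label, ports in (("default port-map", DEFAULT_HTTP_PORTS),
                         ("port-map with 8080", DEFAULT_HTTP_PORTS | {8080})):
        print(label)
        for name, verdict in evaluate(ports).items():
            print(f"  {name:24s} {verdict}")
```

    With the default port-map only the first flow is dropped; adding 8080 (Scott's "ip nbar port-map" fix) brings the proxied request into scope, while the request addressed by IP literal and the TLS session on 443 stay permitted with any port-map because no matching Host header is ever visible to the classifier. That is the coverage gap a practitioner should check before treating this policy as anything more than a convenience control.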

  6. John says:

    How can you block a single SSL website like “https://VTUNNEL.COM” by the hostname or URL filter?

  7. windex8er says:

    I’m not sure you really want to start dedicating functions like NBAR to end-user control. For one, NBAR is expensive (i.e. not efficient) and wasn’t really designed for said use. Plus, when it does work you effectively black-hole the end user with no real reason. If you need to proxy users then buy a real proxy. Being, originally, an infrastructure guy gone more security-focused over the past 5 years, it really bothers me that these sorts of hacks work their way into the enterprise. In this case NBAR is not a security feature — it’s easily beatable on many levels, which goes to show that it was never intended to really act in the capacity of a security solution.

  8. Home Network says:

    Well in my opinion Nbar is good for small companies with low budget that just want to enforce a “mild” not-complicated user control without spending additional money. I agree that users with some basic “tech” skills will bypass NBAR easily. It all depends on your environment.

  9. [...] Here is a good example: Using NBAR for application filtering [...]

  10. Manu says:

    Dear all,

    I tried the same and it’s working fine for me on a 2811 router.

    Suppose I need to surf only youtube.com and want to block all the other sites; what should the configuration be?

    Regards,

    Manu B.

  11. pitt2k says:

    @Manu:
    match NOT protocol http host "*youtube.com*"
    ???

  12. [...] Here is a good example: Using NBAR for application filtering [...]
