When you create access-lists or QoS (Quality of Service) policies you normally use layer 1,2,3 and 4 information to match on certain criteria. NBAR (Network Based Application Recognition) adds application layer intelligence to our Cisco IOS router which means we can match and filter based on certain applications.
Let’s say you want to block a certain website like Youtube.com. Normally you would lookup the IP addresses that youtube uses and block those using an access-list or perhaps police / shape them in your QoS policies. Using NBAR we can match on the website addresses instead of IP addresses. This makes life a lot easier. Let’s look at an example where we use NBAR to block a website (youtube for example):
R1(config)#class-map match-any BLOCKED R1(config-cmap)#match protocol http host "*youtube.com*" R1(config-cmap)#exit
First I will create a class-map called “BLOCKED” and I will use match protocol to use NBAR. As you can see I match on the hostname “youtube.com”. The * means “any character”. Effectively this will block all sub-domains of youtube.com, for example “subdomain.youtube.com” will also be blocked. Now we need to create a policy-map:
R1(config)#policy-map DROP R1(config-pmap)#class BLOCKED R1(config-pmap-c)#drop R1(config-pmap-c)#exit
The policy-map above matches our class-map BLOCKED and when this matches the traffic will be dropped. Last but not least we need to apply the policy-map to the interface:
R1(config)#interface fastEthernet 0/1 R1(config-if)#service-policy output DROP
I will apply the policy-map to the interface that is connected to the Internet. Now whenever someone tries to reach youtube.com their traffic will be dropped. You can verify this on your router using the following command:
R1#show policy-map interface fastEthernet 0/1 FastEthernet0/1 Service-policy output: DROP Class-map: BLOCKED (match-any) 1 packets, 500 bytes 5 minute offered rate 0 bps, drop rate 0 bps Match: protocol http host "*youtube.com*" 1 packets, 500 bytes 5 minute rate 0 bps drop Class-map: class-default (match-any) 6101 packets, 340841 bytes 5 minute offered rate 10000 bps, drop rate 0 bps Match: any
Above you see that we have a match for our class-map BLOCKED. Apparently someone tried to reach youtube.com. The class-map class-default matches all other traffic and it is permitted.
In case you were wondering…you can only use NBAR to match HTTP traffic, not HTTPS. The reason for this is that NBAR matches on the HTTP “get” command which is encrypted if you use HTTPS. Take a look at the following wireshark capture for HTTP:
Above you see the HTTP GET request for youtube.com in plaintext. This is what NBAR looks at and matches on. Now let me show you the HTTPS capture:
Above you see a wireshark capture of HTTPS traffic between my computer and youtube.com. It’s impossible for NBAR to look into these SSL packets and see what website you are requesting. In this case your only option is to use a proxy server for HTTP server or block the IP addresses using an access-list.
This is how you can block websites using your normal Cisco IOS router. If you have any questions just leave a comment!