When you create access-lists or QoS (Quality of Service) policies you normally use layers 1,2,3 and 4 information to match certain criteria. NBAR (Network Based Application Recognition) adds application layer intelligence to our Cisco IOS router, which means we can match and filter based on certain applications.
Let’s say you want to block a certain website like Youtube.com. Normally you would look up the IP addresses that youtube uses and block those using an access-list or perhaps police / shape them in your QoS policies. Using NBAR we can match the website addresses instead of IP addresses. This makes life a lot easier. Let’s look at an example where we use NBAR to block a website (youtube, for example):
R1(config)#class-map match-any BLOCKED
R1(config-cmap)#match protocol http host "*youtube.com*"
R1(config-cmap)#exit
First, I will create a class-map called “BLOCKED” and I will use match protocol to use NBAR. As you can see I match the hostname “youtube.com”. The * means “any character”. Effectively this will block all sub-domains of youtube.com, for example, “subdomain.youtube.com” will also be blocked. Now we need to create a policy-map:
R1(config)#policy-map DROP
R1(config-pmap)#class BLOCKED
R1(config-pmap-c)#drop
R1(config-pmap-c)#exit
The policy-map above matches our class-map BLOCKED and when this matches the traffic will be dropped. Last but not least, we need to apply the policy-map to the interface:
R1(config)#interface fastEthernet 0/1
R1(config-if)#service-policy output DROP
I will apply the policy-map to the interface that is connected to the Internet. Now whenever someone tries to reach youtube.com, their traffic will be dropped. You can verify this on your router using the following command:
R1#show policy-map interface fastEthernet 0/1
FastEthernet0/1
Service-policy output: DROP
Class-map: BLOCKED (match-any)
1 packets, 500 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: protocol http host "*youtube.com*"
1 packets, 500 bytes
5 minute rate 0 bps
drop
Class-map: class-default (match-any)
6101 packets, 340841 bytes
5 minute offered rate 10000 bps, drop rate 0 bps
Match: any
Above, you see that we have a match for our class-map BLOCKED. Apparently, someone tried to reach youtube.com. The class-map class-default matches all other traffic, and it is permitted.
you can block http site with that, but you cannot block HTTPs sites with these
Hi Sameer,
I just updated the article to show you why we can’t block HTTPS with NBAR.
Rene
This is awesome! Thanks
What is the limit? I tried adding a lot of websites and it only shows me 7 of them when i do a show run.
Hi Sandra,
I’m not sure but there might be a limit on the number of URLs. If you have many websites to block like facebook or youtube you might want to lookup their IP address ranges and block those instead.
Rene