Hi Brian,
Can we use NBAR on the gateway router to prevent internal users from watching video streams from any video web site (like Youtube.com)?
Ahmed
Hi Ahmed,
Yes, NBAR can be used to apply application based filters such as blocking youtube.com traffic. To accomplish this we can categorize traffic based on the HTTP hostname. Next we will create a policy-map that matches the youtube.com class and drops the traffic. Lastly the policy is applied outbound to the Internet. Syntax-wise this would read:
R1#
class-map match-all YOUTUBE
 match protocol http host "*youtube.com*"
!
policy-map DROP_YOUTUBE
 class YOUTUBE
  drop
!
interface FastEthernet0/0
 description TO INTERNET
 service-policy output DROP_YOUTUBE
NBAR for HTTP can also be used to match based on URL string or IANA MIME type. For more information see:
Network-Based Application Recognition and Distributed Network-Based Application Recognition

Hi,
I’ve tried this configuration but if I ping the website and cut&paste the address into the browser I can surf youtube well (tested on a C871 with c870-advipservicesk9-mz.124-15.T5.bin).
So it’s a good solution for not-so-clever users only I suppose.
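The behaviour discussed in the answer and in the comment above can be modelled offline. This is an added example, not code from the original post or from Cisco: it assumes the class-map's host string behaves like a case-insensitive glob applied to the HTTP Host header, and it flags requests whose Host value is an IP literal so they can be reviewed or covered by a separate address-based rule. The sample requests and the function names are constructed for illustration.

```python
import fnmatch
import ipaddress

PATTERN = "*youtube.com*"  # host string from the class-map in the answer

# Constructed sample requests (not captured traffic); 203.0.113.10 is a documentation address.
SAMPLE_REQUESTS = [
    b"GET /watch?v=abc HTTP/1.1\r\nHost: www.youtube.com\r\nAccept: */*\r\n\r\n",
    b"GET /watch?v=abc HTTP/1.1\r\nHost: 203.0.113.10\r\nAccept: */*\r\n\r\n",
    b"GET / HTTP/1.1\r\nHost: example.org:8080\r\n\r\n",
    b"GET / HTTP/1.0\r\n\r\n",
]

def host_header(raw):
    """Return the Host header value of a raw HTTP request, or None if absent."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            return value.strip()
    return None

def is_ip_literal(host):
    """True when the Host value is an IPv4/IPv6 address, optionally with a port."""
    candidate = host
    if host.startswith("["):                     # e.g. [2001:db8::1]:80
        candidate = host[1:].split("]", 1)[0]
    elif host.count(":") == 1:                   # e.g. 203.0.113.10:80
        candidate = host.rsplit(":", 1)[0]
    try:
        ipaddress.ip_address(candidate)
        return True
    except ValueError:
        return False

def classify(raw, pattern=PATTERN):
    """Model of the policy: drop on a host match, flag IP-literal hosts for review."""
    host = host_header(raw)
    if host is None:
        return "no-host"
    if fnmatch.fnmatch(host.lower(), pattern.lower()):
        return "drop"
    if is_ip_literal(host):
        return "review-ip-literal"
    return "permit"

if __name__ == "__main__":
    for request in SAMPLE_REQUESTS:
        print(host_header(request), "->", classify(request))
```
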
Brian,
Although I don’t see any real world use for this, could you match an NBAR http HOST/URL inbound on an interface in your example? So could the service policy be
service policy INOUT drop_yourself.
Thanks