
NBAR question
When I do show IP NBAR port-map I get the following:
MG-7206#show ip nbar port-map
port-map active-directory udp 389
port-map active-directory tcp 443 445 139 389 135
port-map activesync tcp 80
port-map adobe-connect tcp 443 80
port-map aol-messenger tcp 80 1080 443 5190
port-map aol-messenger-audio udp 3478
How come we are using port 80 multiple times for different applications? Isn't this going to cause some traffic misclassification?
Comments
No, it works because NBAR does "deep" packet inspection rather than just using the port. A lot of applications tunnel using port 80, as port 80 is commonly allowed through a firewall, so firewalls and routers have developed better tech so they can examine the packet and see what protocol it is rather than relying on the port number alone.
The port number just gives NBAR a starting point for this traffic.
Nick
Hi,
NBAR has DPI (Deep Packet Inspection) capability that allows the policy to check a packet not only on a protocol-number basis; it can also check the pattern, MIME type, URL, etc. located within the packet. It has content-filtering capability which is currently being used by Cisco Security Appliances as well. Please take a look at the following example:
I-WAN#sh class-map
Class Map match-all YOUTUBE (id 2)
Match protocol http host "*youtube*"
Class Map match-all TORRENT (id 1)
Match protocol bittorrent
Class Map match-any class-default (id 0)
Match any
Thank you very much.
HB
Thanks for the examples Kathmandu.
It works great on the 15 train IOS; I'm trying to block P2P on the 12 train IOS but it doesn't do port 80 like the 15 IOS.
You don't need to define a port in order to block P2P traffic. Just download the latest PDLM from Cisco and put it into the flash. Then locate the PDLM using the "ip nbar pdlm flash:bittorrent.pdlm" command, and it will work fine.
Good luck!
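Putting the class-maps from HB's reply and the PDLM step from the last reply together, here is the complete policy a practitioner would actually apply and check. This is an added example, not configuration posted by anyone in the thread; the interface name GigabitEthernet0/1, the policy-map name BLOCK-P2P and the 512 kbps rate are assumptions chosen for the illustration, and the PDLM file name is the one given in the reply above.

```cisco
! Added example (not from the thread). Interface name, policy name and
! rate values are assumptions made for this illustration.
!
! 0. NBAR needs CEF switching; make sure it is on before anything else.
ip cef
!
! 1. On a 12.x train image, load the protocol definition first so that
!    "match protocol bittorrent" is accepted (file name as in the reply above).
ip nbar pdlm flash:bittorrent.pdlm
!
! 2. Classification. The port-map entry is only where NBAR starts looking;
!    it then inspects the payload, which is how HTTP on port 80 is told
!    apart from other applications that also use port 80.
class-map match-all TORRENT
 match protocol bittorrent
class-map match-all YOUTUBE
 match protocol http host "*youtube*"
!
! 3. Actions: drop P2P outright, rate-limit YouTube (512000 bps assumed).
!    No queueing action on class-default, because this policy is applied
!    inbound and queueing actions are only valid on output.
policy-map BLOCK-P2P
 class TORRENT
  drop
 class YOUTUBE
  police 512000 conform-action transmit exceed-action drop
!
! 4. Apply inbound on the user-facing interface (assumed name) and enable
!    protocol discovery there so the classification can be observed.
interface GigabitEthernet0/1
 ip nbar protocol-discovery
 service-policy input BLOCK-P2P
!
! 5. Verification commands (run from privileged EXEC, shown here as comments):
! show ip nbar version
!   -> confirms the PDLM loaded and which protocol versions are active
! show ip nbar protocol-discovery interface GigabitEthernet0/1 top-n 10
!   -> shows what NBAR is actually seeing on the link, independent of the policy
! show policy-map interface GigabitEthernet0/1
!   -> per-class packet counters; a growing TORRENT/YOUTUBE count proves the match
```

Two things to check before trusting the counters: "show ip nbar version" must list the bittorrent PDLM, otherwise the TORRENT class silently matches nothing on an older image; and the YOUTUBE class-map only inspects the Host header of cleartext HTTP, so the same site reached over HTTPS is not caught by the host pattern on the classic NBAR of the 12.x train discussed here. The port 443 entries in the port-map tell NBAR which ports to start inspecting, they do not let it read a hostname out of TLS.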