NBAR question

When I do show IP NBAR port-map I get the following:

MG-7206#show ip nbar port-map
port-map active-directory         udp 389
port-map active-directory         tcp 443 445 139 389 135
port-map activesync               tcp 80
port-map adobe-connect            tcp 443 80
port-map aol-messenger            tcp 80 1080 443 5190
port-map aol-messenger-audio      udp 3478

How come we are using port 80 multiple times for different applications? Isn't this going to cause some traffic misclassification?

Comments

  • No, it works because NBAR does "deep" packet inspection rather than just using the port.  A lot of applications tunnel using port 80 as port 80 is commonly allowed through a firewall, so firewalls and routers have developed better tech so they can examine the packet and see what protocol it is rather than relying on port number alone.

    The port number just gives NBAR a starting point for this traffic.

    Nick

  • How come we are using port 80 multiple times for different applications? Isn't this going to cause some traffic misclassification?


    Hi,

    NBAR has DPI (Deep Packet Inspection) capability that allows the policy to check a packet not only on a protocol number basis; rather, it can check the pattern, MIME type, URL etc. located within the packet. It has content filtering capability which is currently being used by Cisco Security Appliances as well. Please take a look at the following example:

    I-WAN#sh class-map
     Class Map match-all YOUTUBE (id 2)
       Match protocol http host "*youtube*"

     Class Map match-all TORRENT (id 1)
       Match protocol bittorrent

     Class Map match-any class-default (id 0)
       Match any

    Here I have different classes which have been configured to filter different applications. As bittorrent doesn't work on a specific port number, we can use a Cisco PDLM (Protocol Description Language Module) which gets into the depth of the p2p application and takes the necessary action. Anything that doesn't match the above classes will be matched by class-default, thereby allowing the rest of the traffic to go outside the network.


    Hope this helps!
  • Thank you very much.
    HB

  • Thanks for the examples Kathmandu.

    It works great on the 15 train IOS, I'm trying to block P2P on the 12 train IOS but it doesn't do port 80 like the 15 IOS.

  • Thanks for the examples Kathmandu.

    It works great on the 15 train IOS, I'm trying to block P2P on the 12 train IOS but it doesn't do port 80 like the 15 IOS.

    You don't need to define port in order to block p2p traffic. Just download the latest PDLM from Cisco & put it into the flash. Then locate the PDLM using "ip nbar pdlm flash:bittorrent.pdlm " command, it will work fine. :)

    Good luck!
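The two answers above (the class-map example and the PDLM loading step) are pieces of one procedure. Pulling them together, here is the full configuration as an added example, not text from the thread or from Cisco documentation: load the PDLM, widen the port-map, define the classes, drop the matched classes in a policy-map, and apply it to an interface. The policy-map name BLOCK-P2P, the interface GigabitEthernet0/0 and the extra port 8080 are assumptions for illustration; the class names and match statements are the ones shown in the answer above.

```cisco
! Added example (not from the thread): blocking BitTorrent and YouTube with NBAR.
! Assumed names: policy-map BLOCK-P2P, interface GigabitEthernet0/0 as the LAN side.
!
! 1. Load a PDLM so NBAR can recognise the application regardless of port.
!    Assumes the file has already been copied to flash:.
ip nbar pdlm flash:bittorrent.pdlm
!
! 2. (Optional) tell NBAR about an extra port an application uses. This only
!    widens the set of flows NBAR inspects for that protocol; it does not
!    classify by port alone, which is why one port can appear under many apps.
ip nbar port-map http tcp 80 8080
!
! 3. Classes: match on what is inside the packet, not on the port number.
class-map match-all YOUTUBE
 match protocol http host "*youtube*"
class-map match-all TORRENT
 match protocol bittorrent
!
! 4. Policy: drop both classes, leave everything else untouched (class-default).
policy-map BLOCK-P2P
 class TORRENT
  drop
 class YOUTUBE
  drop
 class class-default
!
! 5. Apply inbound on the LAN-facing interface and enable protocol discovery
!    so per-protocol counters are available for verification.
interface GigabitEthernet0/0
 ip nbar protocol-discovery
 service-policy input BLOCK-P2P
!
! Verification (exec mode):
!   show ip nbar pdlm
!   show ip nbar port-map http
!   show ip nbar protocol-discovery interface GigabitEthernet0/0 top-n 5
!   show policy-map interface GigabitEthernet0/0 input
```

Two caveats worth checking before relying on this: `match protocol http host` inspects the Host header of cleartext HTTP, so the same site reached over HTTPS will not land in the YOUTUBE class; and `show policy-map interface ... input` is the place to confirm that the TORRENT class is actually accumulating matched packets, since a PDLM that failed to load leaves the class silently empty.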
