h1

Using NBAR to match web traffic

February 15, 2009

Although NBAR is an extremely powerful tool that CISCO IOS has to offer, many guys still dont know how use the match statements correctly.
You can use NBAR to block almost any part website or the content there of. It is most useful to block those bandwidth hungry websites that contains pictures, videos, music or even flash.

The match protocol HTTP function is what you will need to use.
Firstly to match just the HOSTNAME of the website:

match protocol http host *facebook.com*
! This would match any hostname containing the string
! 'facebook.com' like http://www.facebook.com
! or http://login.facebook.com
!
match protocol http host *google*
! This would match any hostname containing the word google
! like http://mail.google.com or http://www.google.co.za
! or http://images.google.com
!
match protocol http host google*
! This would match http://google.co.za but
! not http://mail.google.com
!

Secondly to  match certain URL strings:

match protocol http url *.jpeg|*.jpg|*.gif
! This would match any strings containing .jpeg or .jpg
! or .gif extention in the url
!
match protocol http url *.swf
! This would match any .swf in the URL
!
match protocol http url *video*
! This would match http://www.cnn.com/video/index.php
! or http://www.cnn.com/news/video.html
!
match protocol http url video*
! This would match http://www.cnn.com/video/index.php
! but not http://www.cnn.com/news/video.html because
! the string after your first "/" should start with video
!

Next, the one that eludes most, matching MIME-TYPES.
A full list of mime-types can be found here:
http://www.sfsu.edu/training/mimetype.htm
The thing to keep in mind here is your must match the type/suffix exactly not by means of REGEX

match protocol http mime image/jpeg
! This would match jpeg,jpg,jpe,jfif,pjpeg, and pjp types
!
match protocol http mime image/jpg
! This would not match anything as it does match a
! proper mime type.
!
match protocol http mime image*
! This would match all image mime types
!
match protocol http mime application/x-shockwave-flash
! This would not only match swf flash movies,
! but all of flash.
!

To apply this all to a router you would need MQC
class-map match-any BW-HUNGRY
! each of the match statements
!
policy-map DROP
class BW-HUNGRY
drop
!
int s1/0
service-policy input DROP

Advertisements

3 comments

  1. Good stuff thanks dude!!!!!!!!!!!


  2. Thanks $author! You share some great web traffic tactics, thanks for sharing all this and making it clear enough for any one to be able to understand! I’ve subscribed to your rss feed to keep up to date, looking forward to your new posts!


  3. Hi,

    Thanks for sharing this. I have a doubt.

    Is the BC calculation same for policing & shaping.



Please leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s