Using NBAR to match web traffic

Although NBAR is an extremely powerful tool in Cisco IOS, many engineers still do not know how to use its match statements correctly.
You can use NBAR to match almost any part of a website, or the content it serves, which makes it useful for blocking bandwidth-hungry sites that serve pictures, video, music or Flash.

The `match protocol http` statement is what you need. It takes three forms: `host`, `url` and `mime`.
Firstly, to match only the HOSTNAME of the website:

match protocol http host *facebook.com*
! This would match any hostname containing the string
! 'facebook.com', like http://www.facebook.com
! or http://login.facebook.com
!
match protocol http host *google*
! This would match any hostname containing the word google,
! like http://mail.google.com or http://www.google.co.za
! or http://images.google.com
!
match protocol http host google*
! This would match http://google.co.za but
! not http://mail.google.com, because without a leading *
! the pattern is anchored at the start of the hostname
!

Secondly, to match certain URL strings (the part of the request after the hostname):

match protocol http url *.jpeg|*.jpg|*.gif
! This would match any URL containing a .jpeg, .jpg
! or .gif extension; the | separates alternatives
!
match protocol http url *.swf
! This would match any .swf in the URL
!
match protocol http url *video*
! This would match http://www.cnn.com/video/index.php
! or http://www.cnn.com/news/video.html
!
match protocol http url video*
! This would match http://www.cnn.com/video/index.php
! but not http://www.cnn.com/news/video.html, because
! the string after the first "/" must start with video
!

Next, the one that eludes most people: matching MIME types.
A full list of MIME types can be found here:
http://www.sfsu.edu/training/mimetype.htm
The thing to keep in mind is that the match is made against the Content-Type the server sends back, so the type/subtype you write must be one that servers actually use; a made-up name does not match anything, even though wildcards are still allowed.

match protocol http mime image/jpeg
! This would match every response served as image/jpeg,
! whatever the file extension in the URL (jpeg, jpg,
! jpe, jfif, pjpeg, pjp and so on)
!
match protocol http mime image/jpg
! This would not match anything, as image/jpg is not
! a proper MIME type that servers send
!
match protocol http mime image*
! This would match all image MIME types
!
match protocol http mime application/x-shockwave-flash
! This would not only match .swf flash movies,
! but any response served as Flash, whatever its URL
!
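
To sanity-check a pattern before you commit it to a class-map, the following added example (my own code, not Cisco's, and not from the original post) models the three match forms above in Python against the post's own sample hostnames, paths and MIME types. The wildcard semantics it assumes are `*` for any run of characters, `?` for one character, `|` for alternatives, with `[...]` and `(...)` passed through; it further assumes that the `url` match starts after the first `/` (as the post states), that the query string is part of the matched URL, and that host and MIME comparisons are case-insensitive with any `; charset=...` parameter ignored. Verify those assumptions on your own IOS release.

```python
"""Offline model of NBAR 'match protocol http host|url|mime' wildcards.

Added example, not Cisco code. Assumptions (check them on your IOS release):
'*' = any run of characters, '?' = one character, '|' = alternation,
'[...]' and '(...)' pass through; the url match is applied to the request
URI after the first '/' (query included); host and MIME comparisons are
case-insensitive and MIME parameters such as '; charset=utf-8' are ignored.
"""
import re
from urllib.parse import urlsplit


def nbar_to_regex(pattern: str) -> re.Pattern:
    """Translate an NBAR-style wildcard pattern into an anchored regex."""
    out = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "*":
            out.append(".*")
        elif c == "?":
            out.append(".")
        elif c in "|()":
            out.append(c)                 # alternation and grouping pass through
        elif c == "[" and "]" in pattern[i:]:
            j = pattern.index("]", i)
            out.append(pattern[i:j + 1])  # character class passes through
            i = j
        else:
            out.append(re.escape(c))      # everything else is literal, incl. '.'
        i += 1
    return re.compile("^(?:" + "".join(out) + ")$", re.IGNORECASE)


def match_host(pattern: str, url: str) -> bool:
    """'match protocol http host': compared against the hostname only."""
    host = urlsplit(url).hostname or ""
    return nbar_to_regex(pattern).match(host) is not None


def match_url(pattern: str, url: str) -> bool:
    """'match protocol http url': compared against the request URI after the
    first '/', so a pattern without a leading '*' is anchored at the start
    of the path ('video*' matches video/index.php but not news/video.html)."""
    parts = urlsplit(url)
    uri = parts.path.lstrip("/")
    if parts.query:
        uri += "?" + parts.query
    return nbar_to_regex(pattern).match(uri) is not None


def match_mime(pattern: str, content_type: str) -> bool:
    """'match protocol http mime': compared against the response Content-Type
    with parameters stripped; 'image/jpg' is not a type a server sends."""
    mime = content_type.split(";", 1)[0].strip()
    return nbar_to_regex(pattern).match(mime) is not None


MATCHERS = {"host": match_host, "url": match_url, "mime": match_mime}


def class_map_match_any(statements, url, content_type=None) -> bool:
    """A 'class-map match-any' is true as soon as one statement fires."""
    for kind, pattern in statements:
        value = content_type if kind == "mime" else url
        if value is not None and MATCHERS[kind](pattern, value):
            return True
    return False


# Hypothetical class-map built from the post's own match statements.
BW_HUNGRY = [
    ("host", "*facebook.com*"),
    ("url", "*.jpeg|*.jpg|*.gif"),
    ("url", "*.swf"),
    ("mime", "image/jpeg"),
    ("mime", "application/x-shockwave-flash"),
]

# Constructed sample flows: (request URL, response Content-Type).
SAMPLES = [
    ("http://login.facebook.com/", "text/html; charset=utf-8"),
    ("http://www.cnn.com/video/index.php", "text/html"),
    ("http://www.cnn.com/images/logo.gif", "image/gif"),
    ("http://www.cnn.com/download?id=7", "image/jpeg"),   # caught by MIME, not URL
    ("http://www.cnn.com/news/video.html", "text/html"),
]


def classify_samples(statements=BW_HUNGRY, samples=SAMPLES):
    """Return {url: True if the class-map would match the flow}."""
    return {url: class_map_match_any(statements, url, ct) for url, ct in samples}


if __name__ == "__main__":
    for url, hit in classify_samples().items():
        print(("DROP  " if hit else "pass  ") + url)
```

The fourth sample shows why the MIME form matters: the URL carries no image extension at all, so only the `image/jpeg` statement catches it.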

To apply all of this on a router you need MQC: put the match statements into a class-map, drop that class in a policy-map, and attach the policy to an interface. For example, using the match statements from above:

class-map match-any BW-HUNGRY
 match protocol http host *facebook.com*
 match protocol http url *.jpeg|*.jpg|*.gif
 match protocol http url *.swf
 match protocol http mime image/jpeg
 match protocol http mime application/x-shockwave-flash
!
policy-map DROP
 class BW-HUNGRY
  drop
!
interface Serial1/0
 service-policy input DROP

A few things to check before you rely on it. NBAR needs CEF enabled on the router. The host and url strings live in the client's request while the MIME type lives in the server's response, so the direction in which you attach the policy decides which side of the conversation is inspected; confirm with `show policy-map interface Serial1/0` that the class is actually seeing hits. And none of this works for HTTPS: the hostname, URL and Content-Type are all encrypted, so only plain HTTP on port 80 is classified this way.


3 thoughts on “Using NBAR to match web traffic”

  1. Thanks $author! You share some great web traffic tactics, thanks for sharing all this and making it clear enough for any one to be able to understand! I’ve subscribed to your rss feed to keep up to date, looking forward to your new posts!
