I. What is NBAR?
NBAR stands for Network-Based Application Recognition. It can classify traffic from applications that use dynamically assigned TCP/UDP port numbers, as well as HTTP traffic and other protocols. CEF must be enabled before NBAR can be used.
II. Limitations of NBAR
First, NBAR cannot be used on the following logical interfaces:
1. Fast EtherChannel.
2. Interfaces that use tunneling or encryption.
3. SVIs.
4. Dialer interfaces.
5. Multilink PPP (MLP).
Second, NBAR does not support the following:
1. More than 24 concurrent URL, HOST, or MIME match types.
2. URL matches longer than 400 bytes.
3. Non-IP traffic.
4. Multicast or any other non-CEF switching mode.
5. Fragmented packets.
6. IP traffic originating from or destined to the router running NBAR.
III. Basic NBAR configuration steps
1. Enable CEF:
Router(config)#ip cef
2. Classify the traffic by defining a class map:
Router(config)#class-map [match-all|match-any] {map-name}
3. Define the protocol NBAR should match:
Router(config-cmap)#match protocol {protocol}
4. Create the policy map:
Router(config)#policy-map {policy-name}
5. Reference the class map inside the policy map:
Router(config-pmap)#class {class-map}
6. Set the action for that class:
Router(config-pmap-c)#{action}
7. Apply the policy to an interface:
Router(config-if)#service-policy {input|output} {policy-map}
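As an added example (not from the original post), the small Python linter below checks a running-config text against the prerequisite and limits from sections II and III: CEF enabled, no NBAR policy on an unsupported interface type, and the 24-match / 400-byte limits for HTTP URL, HOST and MIME matches. The sample config is constructed; the interface-name prefixes used to recognise unsupported types are an assumption, and encrypted (crypto map) interfaces are not detected by name.

```python
import re

# Interface-name prefixes assumed for the unsupported types in section II
# (EtherChannel, tunnel, SVI, dialer, multilink). Crypto-map interfaces are not caught.
UNSUPPORTED_IF = ("Port-channel", "Tunnel", "Vlan", "Dialer", "Multilink")
MAX_URL_MATCHES = 24   # concurrent URL/HOST/MIME match types per class map
MAX_URL_BYTES = 400    # longest URL string NBAR will match

def lint_nbar_config(config):
    """Return a list of findings for a running-config text; an empty list means clean."""
    findings = []
    lines = config.splitlines()
    if "ip cef" not in [l.strip() for l in lines]:
        findings.append("CEF not enabled: 'ip cef' is required before NBAR")
    cmap = iface = None          # which top-level section we are inside
    url_matches = {}             # class-map name -> number of url/host/mime matches
    for line in lines:
        if line and not line[0].isspace():        # a new top-level section starts
            cmap = iface = None
            m = re.match(r"class-map (?:match-all|match-any) (\S+)", line)
            if m:
                cmap = m.group(1)
                url_matches[cmap] = 0
            m = re.match(r"interface (\S+)", line)
            if m:
                iface = m.group(1)
            continue
        m = re.match(r"\s*match protocol http (url|host|mime) (\S+)", line)
        if cmap and m:
            url_matches[cmap] += 1
            if len(m.group(2)) > MAX_URL_BYTES:
                findings.append(f"class-map {cmap}: {m.group(1)} string exceeds {MAX_URL_BYTES} bytes")
        if iface and re.match(r"\s*service-policy (input|output) ", line) \
                and iface.startswith(UNSUPPORTED_IF):
            findings.append(f"interface {iface}: NBAR policy on an unsupported interface type")
    for name, n in url_matches.items():
        if n > MAX_URL_MATCHES:
            findings.append(f"class-map {name}: {n} URL/HOST/MIME matches, limit is {MAX_URL_MATCHES}")
    return findings

# Constructed sample: CEF is missing and the policy is also applied to a tunnel interface.
SAMPLE_CONFIG = """\
hostname R1
class-map match-any Flow
 match protocol icmp
policy-map nbar
 class Flow
  drop
interface Serial0/0
 service-policy input nbar
interface Tunnel0
 service-policy input nbar
"""

if __name__ == "__main__":
    for finding in lint_nbar_config(SAMPLE_CONFIG):
        print(finding)
```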
IV. Implementing NBAR on a Cisco router
1. Network topology (diagram not reproduced here; addresses are those used in the configuration below): R1 S0/0 (10.10.10.1/30) is connected to R2 S0/0 (10.10.10.2/30), and R2 E0/0 is 192.168.10.1/24.
2. Basic configuration of R1 and R2:
R1:
Router(config)#hostname R1
R1(config)#interface S0/0
R1(config-if)#ip address 10.10.10.1 255.255.255.252
R1(config-if)#clock rate 64000
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#ip route 192.168.10.0 255.255.255.0 10.10.10.2
R1(config)#exit
R1#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
R2:
Router(config)#hostname R2
R2(config)#interface S0/0
R2(config-if)#ip address 10.10.10.2 255.255.255.252
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#interface E0/0
R2(config-if)#ip address 192.168.10.1 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#exit
R2#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
3. Test connectivity:
R1:
R1#ping 10.10.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R1#ping 10.10.10.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R1#ping 192.168.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R2:
R2#ping 10.10.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R2#ping 10.10.10.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R2#ping 192.168.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
4. Configure NBAR on R1:
R1(config)#ip cef
R1(config)#class-map match-any Flow
R1(config-cmap)#match protocol icmp
R1(config-cmap)#exit
R1(config)#policy-map nbar
R1(config-pmap)#class Flow
R1(config-pmap-c)#drop
R1(config-pmap-c)#exit
R1(config-pmap)#exit
R1(config)#interface S0/0
R1(config-if)#service-policy input nbar
5. Verify the configuration:
R1#show class-map
Class Map match-any class-default (id 0)
Match any
Class Map match-all Flow (id 1)
Match protocol icmp
R1#show policy-map
Policy Map nbar
Class Flow
drop
R2#ping 10.10.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R2 can no longer ping R1, because R1's S0/0 interface now drops the ICMP packets.
This article is from the "Uione" blog; reproduction is not permitted.