Many routers, even with a basic IOS, offer a rather convenient and transparent Cisco technology: Network-Based Application Recognition (NBAR). With it, the router can recognize various protocols and applications and, when necessary, use that knowledge to implement Quality of Service (QoS).
So how can a router pick out individual protocols from the traffic?
1. By analyzing the TCP/UDP header and classifying by well-known port numbers. This is the simplest method and is available in every IOS.
2. By analyzing the header of a layer 7 protocol. For example, by parsing the HTTP header and extracting from it the type of data being transferred (the HTTP protocol itself, Citrix and some other web-enabled applications), the URL, or attachments.
3. By analyzing the control protocol of complex (multichannel) applications and accounting for the dynamic sessions negotiated over the control channel.
4. By analyzing RTP headers.
5. By analyzing the headers of protocols other than TCP/UDP.
The third and fourth methods require protocol inspection (ip inspect) to be enabled, which was discussed a little earlier.
Inspection requires IOS with a firewall feature set.
There are two ways to enable NBAR:
1. Simply turn on discovery of all known protocols.
Ro(config)# int f0/0
Ro(config-if)# ip nbar protocol-discovery
Once discovery is enabled on the interface, statistics on the known protocols are collected and can be viewed with the command
Ro# show ip nbar protocol-discovery
2. Use the MQC architecture (Modular QoS CLI).
Create a traffic class that specifies the required protocol.
Ro(config)# class-map [CLASSNAME]
Ro(config-cmap)# match protocol [protocol]
For example:
Ro(config)# class-map PD
Ro(config-cmap)# match protocol citrix ica-tag 2
Create a policy and specify an action for the class.
Ro(config)# policy-map [POLICY]
Ro(config-pmap)# class [CLASSNAME]
Ro(config-pmap-c)# {action}
For example:
Ro(config)# policy-map POL
Ro(config-pmap)# class PD
Ro(config-pmap-c)# {shape | police | priority | service-policy}
It remains to attach the policy to an interface to activate it.
Ro(config)# int f0/0
Ro(config-if)# service-policy {input | output} [POLICY]
For example, let's attach the policy to the input of the interface.
Ro(config)# int f0/0
Ro(config-if)# service-policy input POL
Specifying a match protocol keyword in a traffic class is what enables NBAR.
The class hit statistics can be viewed with
Ro# sh policy-map interface f0/0
It only remains to recall that any traffic analysis is performed by the CPU and is quite expensive. The linked article (on cisco.com) presents a performance test with and without NBAR, using both the basic and the advanced analysis technologies.
The results of NBAR traffic processing can be collected via SNMP and analyzed. From the point of view of perimeter protection, the closest attention should be paid to a sharp increase in the volume of traffic for some protocol. This may indicate the presence of worms in the network, as well as other problems such as botnets, spam proxies, etc.
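As an added example (not code from the original article), the check described above applied to per-protocol byte counters gathered from protocol-discovery, for instance polled over SNMP: the counter snapshots below are constructed, the dict format is an assumption of this script rather than any device output format, and the wrap handling assumes 32-bit counters.

```python
from statistics import mean

COUNTER32_MAX = 2 ** 32  # Counter32 objects wrap at 2^32

# Constructed history: one dict per polling interval, protocol -> bytes seen
# in that interval. The last interval contains an smtp surge and a protocol
# (bittorrent) that had never been seen before.
HISTORY = [
    {"http": 520_000, "smtp": 12_000, "dns": 30_000, "bittorrent": 0},
    {"http": 480_000, "smtp": 15_000, "dns": 28_000, "bittorrent": 0},
    {"http": 510_000, "smtp": 11_000, "dns": 31_000, "bittorrent": 0},
    {"http": 495_000, "smtp": 14_000, "dns": 29_000, "bittorrent": 0},
    {"http": 505_000, "smtp": 380_000, "dns": 30_500, "bittorrent": 90_000},
]


def interval_bytes(prev, curr):
    """Bytes seen between two cumulative counter snapshots, tolerating a
    single 32-bit counter wrap between polls."""
    out = {}
    for proto, now in curr.items():
        before = prev.get(proto, 0)
        out[proto] = now - before if now >= before else now + COUNTER32_MAX - before
    return out


def find_spikes(intervals, factor=5.0, min_bytes=50_000):
    """Compare the latest interval with the mean of the earlier ones.
    A protocol is flagged when its volume is at least min_bytes and either
    exceeds factor times its baseline or had no baseline at all (a protocol
    that was silent and suddenly appears). Returns proto -> (baseline, now)."""
    *past, latest = intervals
    spikes = {}
    for proto, now in latest.items():
        if now < min_bytes:
            continue  # too little traffic to be worth an alert
        baseline = mean(p.get(proto, 0) for p in past) if past else 0
        if baseline == 0 or now > factor * baseline:
            spikes[proto] = (baseline, now)
    return spikes


if __name__ == "__main__":
    for proto, (base, now) in find_spikes(HISTORY).items():
        print(f"{proto}: baseline {base:.0f} bytes/interval, now {now} bytes/interval")
```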
(Continued follows)