I came across this blog post one day while doing some research on QoS. I’ve seen sites like YouTube take down network links so that users could not do real work.
I would really like to use this somewhere. I guess it is a solution searching for a problem at this point. My hat is off to the author.
Tutorial: How to use Cisco MQC & NBAR to filter websites like YouTube
I was asked a great question by one of my clients regarding filtering of websites. He had filtered http://www.youtube.com/ and http://video.google.com.au/ at his proxy server, but with the number of different video sites popping up (Metacafe, JibJab, etc.), his filters just couldn’t keep up, and neither could his bandwidth!
One solution to this problem is Cisco’s Network Based Application Recognition (NBAR). NBAR is a deep packet inspection and classification engine. It was first introduced in experimental versions of IOS 12.1 and can be used with Cisco’s Modular QoS Command-Line Interface (MQC).
In this article we will look at using MQC with NBAR to filter websites. I will demonstrate using the match protocol http command to match a URL, a host, or a MIME type. We will use the following topology for the demonstration:
R3 will act as a web server and R1 as a client. The filtering is applied on R2. You can download the Dynamips .net file for this topology here.
R1 Base Configuration:
R2 Base Configuration:
R3 Base Configuration:
We have set up R3 as a web server. Details on how to set up R3 as a web server using IOS can be found here.
Basic HTTP Filtering using NBAR
Let's set up basic HTTP filtering with MQC on R2.
In the configuration above we have a class map called MATCH-HTTP. The match protocol http command tells NBAR to match the HTTP protocol, so this class matches all HTTP traffic. The MATCH-HTTP class is then used in the HTTP-POLICY policy map, which sets a DSCP marking on all traffic that matches the MATCH-HTTP class (i.e. all HTTP traffic). The policy is applied inbound on R2’s s1/0, so traffic is inspected and marked as it enters that interface.
We can check how many packets have been marked using the show policy-map command.
Let's generate some HTTP traffic and see whether our policy marks any packets.
We used the copy http://10.0.23.3/index.html null: command to generate some HTTP traffic. We can see above that 5 packets were generated and marked as af13. All other traffic falls into the class-default class. Once the packets are marked, we could forward them or drop them.
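The configuration the text describes, written out as an added example rather than the original post's own config. It assumes R2's client-facing interface is Serial1/0 and the server is 10.0.23.3, as in the article, and that CEF is enabled (NBAR requires it). The verification commands are listed as comments.

```cisco
! Added example, not the original post's configuration.
! NBAR needs CEF switching to be enabled on the router.
ip cef
!
! Classify every flow NBAR recognises as HTTP.
class-map match-all MATCH-HTTP
 match protocol http
!
! Mark matching packets DSCP AF13; all other traffic lands in class-default.
policy-map HTTP-POLICY
 class MATCH-HTTP
  set ip dscp af13
!
! Apply the policy inbound on the interface that faces the client (R1).
interface Serial1/0
 service-policy input HTTP-POLICY
!
! Verification from exec mode on R2:
!   clear counters Serial1/0              resets the policy counters before a test
!   show policy-map interface Serial1/0   shows per-class packet counts and the
!                                         number of packets marked af13
!
! Test traffic from R1 (the request used in the article):
!   copy http://10.0.23.3/index.html null:
```

After the copy completes, show policy-map interface Serial1/0 should show the MATCH-HTTP counters increasing while class-default picks up everything that is not HTTP.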
Instead of matching all of the http protocol we can use NBAR to look further into the packet and classify or drop packets based on the host requested.
Match protocol HTTP host
The match protocol http host command is used to match the host portion of a URL (the Host header of the request). It takes a regular expression as an argument. For example:
Let's set up R2 to filter based on a host.
We’ve cleared the counters on R2, so let's generate some traffic on R1 again.
We can see here that it matched 5 packets based on the host. We can use this to match whole sites such as youtube.com or video.google.com.
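A host-based class, added here as an example that is not from the original post. The class and policy names (MATCH-HOST, HOST-POLICY) are my own, and the lab pattern matches the Host header the article's client sends when it requests the server by its address 10.0.23.3; the youtube.com pattern is the production case the text describes.

```cisco
! Added example, not the original post's configuration.
! NBAR host/url strings use NBAR's own wildcard syntax:
!   *  any string      ?  one character      |  alternation      ( )  grouping
! match-any so that either pattern classifies the flow.
class-map match-any MATCH-HOST
 match protocol http host "*10.0.23.3*"
 match protocol http host "*youtube.com*"
!
policy-map HOST-POLICY
 class MATCH-HOST
  set ip dscp af13
!
! Only one input service-policy can be attached; remove any earlier one first.
interface Serial1/0
 no service-policy input HTTP-POLICY
 service-policy input HOST-POLICY
!
! Test: clear counters Serial1/0 on R2, then from R1
!   copy http://10.0.23.3/index.html null:
! show policy-map interface Serial1/0 should now count the packets under MATCH-HOST.
```

A host match only sees the name or address the client put in its request, so a site reached through a different hostname, or by IP address, needs its own pattern.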
Match protocol HTTP url
We can match strings AFTER the host portion of a URL using the match protocol http url command. It also takes a regular expression as an argument. For example:
Let's set up R2 to match based on a URL.
As you can see above, we have used the match protocol http url function of NBAR to match any URL that ends in .jpg. This effectively blocks JPEG images (unless they are served under a different extension).
Let's test it. Before we send any traffic we’ll reset the counters on the interface.
If we request a GIF file we shouldn’t match the class MATCH-HTTP. Let's test that first.
Great Success! Looks pretty good. Now let's try a .jpg extension. We should match this.
Awesome! You can see above that we matched based on a URL.
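The URL-based class as an added example (not the post's own configuration). MATCH-URL and URL-POLICY are my names, and the test files test.gif and test.jpg are assumed to exist on R3's web server; the article does not name the files it requested.

```cisco
! Added example, not the original post's configuration.
! The url string is matched against everything after the host, including any
! query string. "*.jpg" matches a URL that ends in .jpg; "*.jpg*" would also
! catch /photo.jpg?size=large. An extension match is defeated simply by renaming
! the file, which is why the MIME-type match in the next section exists.
class-map match-all MATCH-URL
 match protocol http url "*.jpg"
!
policy-map URL-POLICY
 class MATCH-URL
  set ip dscp af13
!
interface Serial1/0
 no service-policy input HOST-POLICY
 service-policy input URL-POLICY
!
! Test from R1 after clear counters Serial1/0 on R2:
!   copy http://10.0.23.3/test.gif null:    should leave the MATCH-URL counter at 0
!   copy http://10.0.23.3/test.jpg null:    should increment the MATCH-URL counter
```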
Match protocol HTTP mime
We can also use the match protocol http mime command to match Internet MIME types. The MIME type has to be the same MIME type that the web server responds with. For a list of valid MIME types check out: http://www.sfsu.edu/training/mimetype.htm. Let's look at an example:
Let's set up R2 to filter the image/jpeg MIME type:
Once again, we’ll clear the counters so we can verify that this works correctly.
On R1 let's generate some traffic. A GIF file will be requested first. This should not match our policy.
All good! Now let's do the final test: actually request a JPEG image and see whether it matches our policy.
You can see above that the JPEG image was matched. It works!
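The MIME-type class as an added example, not the original post's configuration. MATCH-MIME and MIME-POLICY are my names, and test.gif and test.jpg are assumed to exist on R3 with the correct Content-Type.

```cisco
! Added example, not the original post's configuration.
! The mime string is compared with the Content-Type the server returns, so a
! JPEG served as /cat.png is still caught, but a server that sends a wrong or
! generic Content-Type (e.g. application/octet-stream) is not.
class-map match-all MATCH-MIME
 match protocol http mime "image/jpeg"
!
policy-map MIME-POLICY
 class MATCH-MIME
  set ip dscp af13
!
interface Serial1/0
 no service-policy input URL-POLICY
 service-policy input MIME-POLICY
!
! Test from R1 after clear counters Serial1/0 on R2:
!   copy http://10.0.23.3/test.gif null:    Content-Type image/gif, no match
!   copy http://10.0.23.3/test.jpg null:    Content-Type image/jpeg, matched
```

Because the decision depends on the response, NBAR classifies the flow once it has seen the server's headers; the initial request packets are not matched on their own.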
Putting it all together
So let's put it all together. We can use all three match protocol http commands in a single match-any class map. For example:
This would match any traffic going to youtube.com or video.google.com, any Flash application, common video MIME types, and any .swf (Flash or Flash movie) file. Be aware that NBAR increases your router’s CPU utilization, so I’d suggest evaluating your processor usage before using this in production.
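The combined class with a drop action, as an added example (not the post's own configuration). BLOCK-VIDEO and BLOCK-VIDEO-POLICY are my names, and the list of video MIME types is my choice of common ones; the article lists the categories but not the exact strings.

```cisco
! Added example, not the original post's configuration.
! match-any: a flow is classified as soon as any one statement matches.
class-map match-any BLOCK-VIDEO
 match protocol http host "*youtube.com*"
 match protocol http host "*video.google.com*"
 match protocol http url "*.swf*"
 match protocol http mime "application/x-shockwave-flash"
 match protocol http mime "video/x-flv"
 match protocol http mime "video/mp4"
 match protocol http mime "video/x-msvideo"
!
! Drop instead of mark; everything in class-default is forwarded normally.
policy-map BLOCK-VIDEO-POLICY
 class BLOCK-VIDEO
  drop
!
interface Serial1/0
 service-policy input BLOCK-VIDEO-POLICY
!
! Operations:
!   show policy-map interface Serial1/0   confirms which statement is matching
!   show processes cpu                     watch CPU load once NBAR is inspecting traffic
```

Start with the marking version of the policy and watch the counters before switching the class action to drop, so that a pattern which is broader than intended is noticed while it is still only marking.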
HTH! Now back to labs!