I. What is NBAR?
 
NBAR stands for Network-Based Application Recognition. It can classify applications that use dynamically assigned TCP/UDP port numbers, HTTP traffic, and so on. CEF must be enabled before NBAR can be used.
 
II. Limitations of NBAR
 
First, NBAR cannot be used on the following logical interfaces:
1. Fast EtherChannel.
2. Interfaces that use tunneling or encryption.
3. SVIs.
4. Dialer interfaces.
5. Multilink PPP (MLP).
 
Second, NBAR does not support the following:
1. More than 24 concurrent URL, HOST, or MIME match types.
2. URL matches longer than 400 bytes.
3. Non-IP traffic.
4. Multicast or other non-CEF switching modes.
5. Fragmented packets.
6. IP traffic originating from or destined to the router running NBAR.
 
III. Basic NBAR configuration steps
 
1. Enable CEF: Router(config)#ip cef

2. Classify the traffic by defining a class map: Router(config)#class-map [match-all|match-any] {map-name}

3. Define the protocol NBAR should match: Router(config-cmap)#match protocol {protocol}

4. Create the policy map: Router(config)#policy-map {policy-name}

5. Reference the class map: Router(config-pmap)#class {class-map}

6. Set the action for the class: Router(config-pmap-c)#{action}

7. Apply the policy to an interface: Router(config-if)#service-policy {input|output} {policy-map}
 
IV. Implementing NBAR on a Cisco router
 
1. Network topology:
 
[Figure: network topology for the QoS/NBAR lab (image not available); the addressing is shown in the R1 and R2 configurations below]
 
2. Basic configuration of R1 and R2:
 
R1:
 
Router(config)#hostname R1
R1(config)#interface S0/0
R1(config-if)#ip address 10.10.10.1 255.255.255.252
R1(config-if)#clock rate 64000
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#ip route 192.168.10.0 255.255.255.0 10.10.10.2
R1(config)#exit
R1#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
 
R2:
 
Router(config)#hostname R2
R2(config)#interface S0/0
R2(config-if)#ip address 10.10.10.2 255.255.255.252
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#interface E0/0
R2(config-if)#ip address 192.168.10.1 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#exit
R2#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
 
3. Test connectivity:
 
R1:
 
R1#ping 10.10.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
 
R1#ping 10.10.10.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
 
R1#ping 192.168.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
 
R2:
 
R2#ping 10.10.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R2#ping 10.10.10.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
 
R2#ping 192.168.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
 
4. Configure NBAR on R1:
 
R1(config)#ip cef
R1(config)#class-map match-any Flow
R1(config-cmap)#match protocol icmp
R1(config-cmap)#exit
R1(config)#policy-map nbar
R1(config-pmap)#class Flow
R1(config-pmap-c)#drop
R1(config-pmap-c)#exit
R1(config-pmap)#exit
R1(config)#interface S0/0
R1(config-if)#service-policy input nbar
 
5. Verify the configuration:
 
R1#show class-map
 Class Map match-any class-default (id 0)
   Match any
 Class Map match-all Flow (id 1)
   Match protocol icmp
 
R1#show policy-map
  Policy Map nbar
    Class Flow
      drop
 
R2#ping 10.10.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)  ---R2 can no longer ping R1, because the input policy on R1's S0/0 drops the ICMP packets
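As an added example (not from the original post), the Python helper below emits the section III command sequence for a list of classes and refuses specs that break the section II limits on URL/HOST/MIME matches. The class and constant names, and the policed ".exe" HTTP class used in the test, are constructed assumptions.

```python
from dataclasses import dataclass, field

# Limits on NBAR HTTP matching quoted in section II (hypothetical constant names).
MAX_HTTP_MATCHES = 24      # concurrent URL/HOST/MIME match types
MAX_URL_BYTES = 400        # longest URL match NBAR accepts

@dataclass
class NbarClass:
    name: str
    protocols: list                                    # e.g. ["icmp"]
    http_matches: list = field(default_factory=list)   # (kind, pattern), kind in url/host/mime
    action: str = "drop"                               # policy-map class action
    match_any: bool = True                             # match-any vs match-all

def validate(classes):
    """Raise ValueError if the spec violates the NBAR limits listed in section II."""
    total = sum(len(c.http_matches) for c in classes)
    if total > MAX_HTTP_MATCHES:
        raise ValueError(f"{total} URL/HOST/MIME matches exceed the limit of {MAX_HTTP_MATCHES}")
    for c in classes:
        for kind, pattern in c.http_matches:
            if kind not in ("url", "host", "mime"):
                raise ValueError(f"unsupported HTTP match type {kind!r} in class {c.name}")
            if kind == "url" and len(pattern.encode()) > MAX_URL_BYTES:
                raise ValueError(f"URL match in class {c.name} is longer than {MAX_URL_BYTES} bytes")

def build_nbar_policy(classes, policy_name, interface, direction="input"):
    """Return the IOS lines for steps 1-7 of section III, in order."""
    if direction not in ("input", "output"):
        raise ValueError("direction must be 'input' or 'output'")
    validate(classes)
    lines = ["ip cef"]                                  # step 1: CEF is a prerequisite
    for c in classes:                                   # steps 2-3: class maps
        lines.append(f"class-map {'match-any' if c.match_any else 'match-all'} {c.name}")
        for proto in c.protocols:
            lines.append(f" match protocol {proto}")
        for kind, pattern in c.http_matches:
            lines.append(f' match protocol http {kind} "{pattern}"')
    lines.append(f"policy-map {policy_name}")           # step 4
    for c in classes:                                   # steps 5-6: class + action
        lines.append(f" class {c.name}")
        lines.append(f"  {c.action}")
    lines.append(f"interface {interface}")              # step 7: bind to interface
    lines.append(f" service-policy {direction} {policy_name}")
    return lines
```

Feeding it the post's single ICMP class reproduces the R1 configuration from step 4 of section IV line for line.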