PrepAway - Latest Free Exam Questions & Answers

What is the cause of this problem?

Refer to the exhibit. You have noticed that several users in the network are consuming a great
deal of bandwidth for the peer-to-peer application Kazaa2. You would like to limit this traffic, and at
the same time provide a guaranteed 100 kb/s bandwidth for one of your servers. After applying the
configuration in the exhibit, you notice no change in the bandwidth utilization on the serial link; it is
still heavily oversubscribing the interface. What is the cause of this problem?


A. CEF needs to be enabled for NBAR.

B. In class Kazaa2, you should configure a policer instead of a drop command.

C. The server class should have a priority of 100.

D. The bandwidth parameter on serial 0/0 is wrong.

E. Kazaa2 is not a valid protocol.

Explanation:
You need to enable Cisco Express Forwarding (CEF) in order to use NBAR.
How do you configure Cisco IOS NBAR?
Keep in mind that in its simplest form NBAR is a traffic identification and marking system. What
you do with the marked packets is up to you. For example, you could choose to drop them or
choose to give them a higher quality of service.
Configuring and using NBAR to identify and block traffic is actually very easy. Let’s walk through
the steps.
Step 1
Make sure that CEF is on using the following command:
Router(config)# ip cef
Step 2
Create a class-map, identifying the traffic you want to block. Here’s an example that would stop
any HTTP or MIME e-mail that contains the Readme.exe program:

Router(config)# class-map match-any bad-traffic
Router(config-cmap)# match protocol http url "*readme.exe*"
Router(config-cmap)# match protocol http mime "*readme.exe*"
I want to stress here that HTTP is just one of the many applications that NBAR can identify. For a
list of the applications NBAR recognizes in IOS version 12.3, use the following commands:
Router(config)# class-map match-all nbar
Router(config-cmap)# match protocol ?
Step 3
Create a policy to mark the traffic. Here’s an example:
Router(config)# policy-map mark-bad-traffic
Router(config-pmap)# class bad-traffic
Router(config-pmap)# set ip dscp 1
Step 4
Apply the policy to the interface that faces the Internet or the source of the traffic that you want to
block. This marks the traffic when it enters the router. Here’s an example:
Router(config)# interface serial 0/0
Router(config-if)# service-policy input mark-bad-traffic
Step 5
Create an access control list (ACL) that denies the marked traffic. Here’s an example:
Router(config)# access-list 190 deny ip any any dscp 1
Router(config)# access-list 190 permit ip any any
Step 6
Deny the marked traffic as it’s about to exit your router by applying the ACL to an interface. Here’s
an example:
Router(config)# interface GigabitEthernet 0/0
Router(config-if)# ip access-group 190 out
When you’ve finished applying the configuration, you can check whether the router marked and
dropped any traffic that met these criteria. To do this, use the show access-lists command.
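
The failure in the question (an NBAR-based policy applied while CEF is off) can be caught before deployment by auditing a saved running-config. The Python below is an added example, not part of the original explanation or any Cisco tooling; the names audit_nbar and SAMPLE are hypothetical, and it assumes the config uses the usual show running-config layout (sub-commands indented by a space) and that CEF counts as enabled only when an "ip cef" line is present.

```python
import re

# Constructed sample: the page's steps 2-4 applied, with step 1 (ip cef) left out.
SAMPLE = """\
class-map match-any bad-traffic
 match protocol http url "*readme.exe*"
policy-map mark-bad-traffic
 class bad-traffic
  set ip dscp 1
interface Serial0/0
 service-policy input mark-bad-traffic
"""

def audit_nbar(config):
    """Return findings for NBAR-based policies in an IOS running-config (hypothetical helper)."""
    cef_on = False
    nbar_classes = set()   # class-maps that contain "match protocol"
    policy_classes = {}    # policy-map name -> class names it references
    attachments = []       # (interface, policy-map) pairs from service-policy
    section = name = None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):   # an unindented line opens a new section
            section = name = None
            if re.fullmatch(r"ip cef( distributed)?", line):
                cef_on = True
            elif m := re.match(r"class-map (?:match-(?:any|all) )?(\S+)", line):
                section, name = "cmap", m.group(1)
            elif m := re.match(r"policy-map (\S+)", line):
                section, name = "pmap", m.group(1)
                policy_classes[name] = set()
            elif m := re.match(r"interface (\S+)", line):
                section, name = "if", m.group(1)
        elif section == "cmap" and line.startswith("match protocol "):
            nbar_classes.add(name)
        elif section == "pmap" and (m := re.match(r"class (\S+)", line)):
            policy_classes[name].add(m.group(1))
        elif section == "if" and (m := re.match(r"service-policy (?:input|output) (\S+)", line)):
            attachments.append((name, m.group(1)))
    nbar_policies = {p for p, cs in policy_classes.items() if cs & nbar_classes}
    findings = [f"{intf}: policy {pol} uses NBAR but 'ip cef' is not configured"
                for intf, pol in attachments if pol in nbar_policies and not cef_on]
    findings += [f"policy {pol} uses NBAR but is not attached to any interface"
                 for pol in sorted(nbar_policies - {p for _, p in attachments})]
    return findings

if __name__ == "__main__":
    print(audit_nbar(SAMPLE))               # CEF missing: one finding
    print(audit_nbar("ip cef\n" + SAMPLE))  # CEF enabled: no findings
```

The second finding type covers a skipped Step 4: a policy that matches on NBAR protocols but is never attached with service-policy marks nothing, so the ACL in Step 5 never sees DSCP 1.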
Summary
NBAR is a very powerful application-layer firewall that you may already have installed
on your Cisco router.
While traditional firewalls can only recognize traffic based on OSI Layers 3 or 4, Cisco’s NBAR can
go all the way to Layer 7.

http://www.cisco.com/en/US/products/hw/routers/ps359/products_tech_note09186a00800fc176.shtml
http://www.techrepublic.com/blog/networking/what-can-ciscos-network-based-applicationrecognition-nbar-dofor-you/399
http://www.cisco.com/en/US/products/ps6616/products_ios_protocol_group_home.html

