NBAR (Network Based Application Recognition) Фильтрация по url (запрещаем одноклассники, вконтакте)

Рассмотрим всё это на примере, заблокируем доступ YouTube, Одноклассники и Вконтакте.

NBAR (Network Based Application Recognition) is a cool Cisco tool to identify and classify content flowing through a router. You can identify applications as mission critical, business-related, non-critical or unwanted. Once these mission critical applications are classified they can be guaranteed a minimum amount of bandwidth, policy routed, and marked for preferential treatment. Non-critical applications including Internet gaming applications and MP3 file sharing applications can also be classified using NBAR and marked for best effort service, policed, or blocked as required. 

Блокировать будем на нашем внутреннем интерфейсе Vlan1, и для начала включим на этом интерфейсе NBAR.

interface Vlan 1
ip nbar protocol-discovery

Создадим policy-map и class-map. В class-map определим контент для блокировки.

class-map match-any cm-blocked-content
	match protocol http host "*youtube*"
	match protocol http host "*vkontakte*"
	match protocol http host "*odnoklassniki*"
policy-map pm-blocked-content
	class cm-blocked-content

You can also police or shape the identified content so it cannot “consume” all the available bandwidth. The final steps is to apply the policy-map to the internal interface in the input direction.

RTR#configure terminal
RTR(config)#int Vlan 1
RTR(config-if)#service-policy input pm-blocked-content

To verify the operation of NBAR you need to try to browse to the YouTube website or download a file with the .exe extension. Check the operation with the show policy-map interface vlan 1 command, like shown below.

RTR#sh policy-map interface vlan 1 input
 Service-policy input: pm-blocked-content
  Class-map: cm-blocked-content (match-any)
   228 packets, 121574 bytes
   5 minute offered rate 0 bps, drop rate 0 bps
   Match: protocol http url "*youtube*"
    9 packets, 7090 bytes
    5 minute rate 0 bps
   Match: protocol http host "*vkontakte*"
    24 packets, 12813 bytes
    5 minute rate 0 bps
   Match: protocol http host "*odnoklassniki*"
    0 packets, 0 bytes
    5 minute rate 0 bps	
  Class-map: class-default (match-any)
   111703 packets, 12021043 bytes
   5 minute offered rate 33000 bps, drop rate 0 bps
   Match: any

From now on your users aren’t able to browse to YouTube or download .exe files over HTTP. With NBAR you can also block a specific content type, like streaming media. I use WireShark to retrieve the content-type I would like to block. By following the TCP stream from a WireShark session you can find the exact content-type or other useful information. 

Use the match protocol http mime command to classify a content-type. In MIME type matching, NBAR classifies the packet that contains the MIME type and all subsequent packets, which are sent to the source of the HTTP request. This means that the corresponding policy-map should be applied inbound (input) on the external interface or outbound (output) on the internal interface. For MIME type matching, the MIME type can contain any user-specified text string. A list of the Internet Assigned Numbers Authority (IANA)-supported MIME types can be found here.