NBAR configuration example

Network requirements

As shown in Figure 178, configure NBAR on the router to recognize the packets sent by the host and destined for application BaoFeng.

The router drops the packets recognized by NBAR.

Figure 173: Network diagram

Configuration procedure

  1. Assign IP addresses to each interface, as shown in Figure 178.

  2. Create security zones and add the interfaces to the security zones:

    # Create a security zone named trust and add GigabitEthernet 1/0/1 to the security zone.

    <Router> system-view
    [Router] security-zone name trust
    [Router-security-zone-Trust] import interface gigabitethernet 1/0/1
    [Router-security-zone-Trust] quit
    

    # Create a security zone named untrust and add GigabitEthernet 1/0/2 to the security zone.

    [Router] security-zone name untrust
    [Router-security-zone-Untrust] import interface gigabitethernet 1/0/2
    [Router-security-zone-Untrust] quit
    
  3. Create an IPv4 address object group named ipsfilter. Configure an IPv4 address object with the subnet address of 192.168.1.0/24 for the group.

    [Router] object-group ip address ipsfilter
    [Router-obj-grp-ip-ipsfilter] network subnet 192.168.1.0 24
    [Router-obj-grp-ip-ipsfilter] quit
    
  4. Create a DPI application profile named sec and enter its view.

    [Router] app-profile sec
    
  5. Create an object policy and rule:

    # Create an IPv4 object policy named ipsfilter and enter its view.

    [Router] object-policy ip ipsfilter
    

    # Configure a rule to apply DPI application profile sec to packets that match source IPv4 address object group ipsfilter.

    [Router-object-policy-ip-ipsfilter] rule inspect sec source-ip ipsfilter destination-ip any
    [Router-object-policy-ip-ipsfilter] quit
    
  6. Apply the object policy to a zone pair:

    # Create a zone pair from security zone trust to security zone untrust. Apply IPv4 object policy ipsfilter to the zone pair.

    [Router] zone-pair security source trust destination untrust
    [Router-zone-pair-security-Trust-Untrust] object-policy apply ip ipsfilter
    [Router-zone-pair-security-Trust-Untrust] quit
    

    # Activate the DPI service policies.

    [Router] inspect activate
    
  7. Configure QoS:

    # Create a traffic class named classifier_1, and match application BaoFeng to the class.

    [Router] traffic classifier classifier_1
    [Router-classifier-classifier_1] if-match application BaoFeng
    [Router-classifier-classifier_1] quit
    

    # Create a traffic behavior named bdeny, and configure the action as deny.

    [Router] traffic behavior bdeny
    [Router-behavior-bdeny] filter deny
    [Router-behavior-bdeny] quit
    

    # Create QoS policy 1 and associate classifier_1 with traffic behavior bdeny to form a class-behavior association in the policy.

    [Router] qos policy 1
    [Router-qospolicy-1] classifier classifier_1 behavior bdeny
    [Router-qospolicy-1] quit
    

    # Apply the QoS policy to the inbound direction of GigabitEthernet 1/0/1.

    [Router] interface gigabitethernet 1/0/1
    [Router-GigabitEthernet1/0/1] qos apply policy 1 inbound
    [Router-GigabitEthernet1/0/1] quit
    

Verifying the configuration

# Verify that the host can no longer access the BaoFeng application. (Details not shown.)
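Beyond checking from the host, a practitioner usually wants an offline check that the configuration in the procedure above actually chains together: the interface in zone trust carries an inbound QoS policy whose classifier matches the application and whose behavior is filter deny. The script below is an added example, not part of the original page or any vendor tooling. It parses a constructed configuration whose layout only approximates a Comware-style running configuration (the `#`-delimited stanzas and the `operator and` suffix on the classifier line are assumptions), and reports whether the application is dropped on every interface of a given zone.

```python
"""Offline audit of an NBAR application-blocking configuration.

Added example (not from the original page or the router vendor): parses a
saved configuration and checks that, for a given security zone and
application, every interface in the zone has an inbound QoS policy whose
classifier matches the application and whose behavior is 'filter deny'.
SAMPLE_CONFIG is constructed for this example; its layout is an assumption
that only approximates 'display current-configuration' output.
"""
import re
from collections import defaultdict

SAMPLE_CONFIG = """\
#
security-zone name Trust
 import interface GigabitEthernet1/0/1
#
security-zone name Untrust
 import interface GigabitEthernet1/0/2
#
traffic classifier classifier_1 operator and
 if-match application BaoFeng
#
traffic behavior bdeny
 filter deny
#
qos policy 1
 classifier classifier_1 behavior bdeny
#
interface GigabitEthernet1/0/1
 qos apply policy 1 inbound
#
"""


def _norm(name):
    # Zone and interface names are compared case-insensitively, ignoring the
    # space the CLI accepts between type and number ("gigabitethernet 1/0/1").
    return name.replace(" ", "").lower()


def _stanzas(text):
    """Yield (header, body_lines) for each block delimited by '#' lines."""
    block = []
    for line in text.splitlines():
        if line.strip() == "#":
            if block:
                yield block[0].strip(), [b.strip() for b in block[1:]]
            block = []
        elif line.strip():
            block.append(line)
    if block:
        yield block[0].strip(), [b.strip() for b in block[1:]]


def parse_config(text):
    """Extract the zone, classifier, behavior, policy and interface bindings."""
    cfg = {
        "zones": defaultdict(set),        # zone -> {interfaces}
        "classifiers": defaultdict(set),  # classifier -> {applications}
        "deny_behaviors": set(),          # behaviors containing 'filter deny'
        "policies": defaultdict(list),    # policy -> [(classifier, behavior)]
        "interfaces": defaultdict(list),  # interface -> [(policy, direction)]
    }
    for header, body in _stanzas(text):
        words = header.split()
        if words[:2] == ["security-zone", "name"]:
            for line in body:
                m = re.match(r"import interface (\S+)", line)
                if m:
                    cfg["zones"][_norm(words[2])].add(_norm(m.group(1)))
        elif words[:2] == ["traffic", "classifier"]:
            for line in body:
                m = re.match(r"if-match application (\S+)", line)
                if m:
                    cfg["classifiers"][words[2]].add(m.group(1).lower())
        elif words[:2] == ["traffic", "behavior"]:
            if any(line == "filter deny" for line in body):
                cfg["deny_behaviors"].add(words[2])
        elif words[:2] == ["qos", "policy"]:
            for line in body:
                m = re.match(r"classifier (\S+) behavior (\S+)", line)
                if m:
                    cfg["policies"][words[2]].append(m.groups())
        elif words[0] == "interface":
            for line in body:
                m = re.match(r"qos apply policy (\S+) (inbound|outbound)", line)
                if m:
                    cfg["interfaces"][_norm(words[1])].append(m.groups())
    return cfg


def app_is_blocked(cfg, application, zone):
    """True only if every interface in `zone` drops `application` inbound."""
    app = application.lower()
    ifaces = cfg["zones"].get(_norm(zone), set())
    if not ifaces:
        return False  # unknown or empty zone: nothing is being enforced
    for iface in ifaces:
        dropped = False
        for policy, direction in cfg["interfaces"].get(iface, []):
            if direction != "inbound":
                continue  # the procedure blocks host traffic on ingress
            for classifier, behavior in cfg["policies"].get(policy, []):
                if app in cfg["classifiers"].get(classifier, set()) \
                        and behavior in cfg["deny_behaviors"]:
                    dropped = True
        if not dropped:
            return False
    return True


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print("BaoFeng blocked from trust:", app_is_blocked(cfg, "BaoFeng", "trust"))
```

The check deliberately fails closed: a zone with no interfaces, an interface without an inbound policy, or a behavior whose action is anything other than filter deny all count as "not blocked", which is the condition an auditor wants flagged after a change to the classifier, behavior or interface binding.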