NBAR configuration example
Network requirements
As shown in Figure 178, configure NBAR on the router to recognize the packets sent by the host and destined for application BaoFeng.
The router drops the packets recognized by NBAR.
Figure 173: Network diagram
Configuration procedure
Assign IP addresses to each interface, as shown in Figure 178.
Create security zones and add the interfaces to the security zones:
# Create a security zone named trust and add GigabitEthernet 1/0/1 to the security zone.
<Router> system-view
[Router] security-zone name trust
[Router-security-zone-Trust] import interface gigabitethernet 1/0/1
[Router-security-zone-Trust] quit
# Create a security zone named untrust and add GigabitEthernet 1/0/2 to the security zone.
[Router] security-zone name untrust
[Router-security-zone-Untrust] import interface gigabitethernet 1/0/2
[Router-security-zone-Untrust] quit
Create an IPv4 address object group named ipsfilter. Configure an IPv4 address object with the subnet address of 192.168.1.0/24 for the group.
[Router] object-group ip address ipsfilter
[Router-obj-grp-ip-ipsfilter] network subnet 192.168.1.0 24
[Router-obj-grp-ip-ipsfilter] quit
Create a DPI application profile named sec and enter its view.
[Router] app-profile sec
Create an object policy and rule:
# Create an IPv4 object policy named ipsfilter and enter its view.
[Router] object-policy ip ipsfilter
# Configure a rule to apply DPI application profile sec to packets that match source IPv4 address object group ipsfilter.
[Router-object-policy-ip-ipsfilter] rule inspect sec source-ip ipsfilter destination-ip any
[Router-object-policy-ip-ipsfilter] quit
Apply the object policy to a zone pair:
# Create a zone pair from security zone trust to security zone untrust. Apply IPv4 object policy ipsfilter to the zone pair.
[Router] zone-pair security source trust destination untrust
[Router-zone-pair-security-Trust-Untrust] object-policy apply ip ipsfilter
[Router-zone-pair-security-Trust-Untrust] quit
# Activate the DPI service policies.
[Router] inspect activate
Configure QoS:
# Create a traffic class named classifier_1, and match application BaoFeng to the class.
[Router] traffic classifier classifier_1
[Router-classifier-classifier_1] if-match application BaoFeng
[Router-classifier-classifier_1] quit
# Create a traffic behavior named bdeny, and configure the action as deny.
[Router] traffic behavior bdeny
[Router-behavior-bdeny] filter deny
[Router-behavior-bdeny] quit
# Create QoS policy 1, associate classifier_1 with traffic behavior bdeny to create a class-behavior association in the QoS policy.
[Router] qos policy 1
[Router-qospolicy-1] classifier classifier_1 behavior bdeny
[Router-qospolicy-1] quit
# Apply the QoS policy to the inbound direction of GigabitEthernet 1/0/1.
[Router] interface gigabitethernet 1/0/1
[Router-GigabitEthernet1/0/1] qos apply policy 1 inbound
[Router-GigabitEthernet1/0/1] quit
Verifying the configuration
# Verify that the host fails to visit the BaoFeng application. (Details not shown.)
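The drop only works when every link in the chain above is present: the classifier matches the application, the behavior denies, the QoS policy binds the two, the policy is applied inbound on the host-facing interface, the object policy hands matching flows to the DPI profile, the zone pair applies that object policy, and inspect activate has been issued. The following Python script is an added example, not part of the configuration guide or the router software; it audits a saved configuration for all of those links. It assumes a Comware-style display format in which block headers start at column 0 and member commands are indented by one space, and SAMPLE_CONFIG is a constructed configuration built from the commands above (it is not captured from a device; the interface name is written in the spaceless display form, and the audit compares names case-insensitively so trust and Trust match).

```python
import re

# Constructed sample (not captured from a device): the configuration the
# procedure above would leave behind, in the display style assumed here,
# where block headers sit at column 0 and member commands are indented.
SAMPLE_CONFIG = """\
security-zone name Trust
 import interface GigabitEthernet1/0/1
security-zone name Untrust
 import interface GigabitEthernet1/0/2
object-group ip address ipsfilter
 network subnet 192.168.1.0 24
app-profile sec
object-policy ip ipsfilter
 rule inspect sec source-ip ipsfilter destination-ip any
zone-pair security source Trust destination Untrust
 object-policy apply ip ipsfilter
inspect activate
traffic classifier classifier_1
 if-match application BaoFeng
traffic behavior bdeny
 filter deny
qos policy 1
 classifier classifier_1 behavior bdeny
interface GigabitEthernet1/0/1
 qos apply policy 1 inbound
"""


def parse_blocks(config_text):
    """Split configuration text into (header, member_lines) pairs.
    A line at column 0 opens a new block; indented lines belong to the most
    recent block. Blank lines and '#' separator lines are ignored."""
    blocks = []
    for raw in config_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            if blocks:
                blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def find_block(blocks, header):
    """Member lines of the block whose header equals `header` (or starts with
    it plus a space), compared case-insensitively. None if absent."""
    want = header.lower()
    for hdr, members in blocks:
        h = hdr.lower()
        if h == want or h.startswith(want + " "):
            return members
    return None


def has_line(members, pattern):
    """True if any member line matches the regex (case-insensitive)."""
    return any(re.search(pattern, m, re.IGNORECASE) for m in members)


def audit_nbar_drop_chain(config_text, app="BaoFeng", classifier="classifier_1",
                          behavior="bdeny", policy="1",
                          interface="GigabitEthernet1/0/1",
                          src_zone="trust", dst_zone="untrust",
                          obj_policy="ipsfilter", profile="sec"):
    """Return a list of findings; empty means every link of the chain is
    present. The default names are the ones used in the procedure above."""
    blocks = parse_blocks(config_text)
    findings = []

    # 1. The traffic class must match the application by name.
    members = find_block(blocks, f"traffic classifier {classifier}")
    if members is None:
        findings.append(f"traffic classifier {classifier} is missing")
    elif not has_line(members, rf"^if-match application {re.escape(app)}$"):
        findings.append(f"classifier {classifier} does not match application {app}")

    # 2. The behavior must actually drop, not merely mark or rate-limit.
    members = find_block(blocks, f"traffic behavior {behavior}")
    if members is None:
        findings.append(f"traffic behavior {behavior} is missing")
    elif not has_line(members, r"^filter deny$"):
        findings.append(f"behavior {behavior} does not deny traffic")

    # 3. The QoS policy must bind that class to that behavior.
    members = find_block(blocks, f"qos policy {policy}")
    if members is None:
        findings.append(f"qos policy {policy} is missing")
    elif not has_line(members, rf"^classifier {re.escape(classifier)} behavior {re.escape(behavior)}$"):
        findings.append(f"qos policy {policy} does not bind {classifier} to {behavior}")

    # 4. The policy must be applied inbound on the host-facing interface.
    members = find_block(blocks, f"interface {interface}")
    if members is None or not has_line(members, rf"^qos apply policy {re.escape(policy)} inbound$"):
        findings.append(f"qos policy {policy} is not applied inbound on {interface}")

    # 5. The object policy must hand matching flows to the DPI profile.
    members = find_block(blocks, f"object-policy ip {obj_policy}")
    if members is None or not has_line(members, rf"^rule (\d+ )?inspect {re.escape(profile)}\b"):
        findings.append(f"object-policy {obj_policy} has no rule that inspects with profile {profile}")

    # 6. The zone pair must apply the object policy.
    members = find_block(blocks, f"zone-pair security source {src_zone} destination {dst_zone}")
    if members is None or not has_line(members, rf"^object-policy apply ip {re.escape(obj_policy)}$"):
        findings.append(f"zone pair {src_zone}->{dst_zone} does not apply object-policy {obj_policy}")

    # 7. Without 'inspect activate' the DPI policy settings are not in effect.
    if find_block(blocks, "inspect activate") is None:
        findings.append("inspect activate is missing; DPI policy settings are not in effect")

    return findings


if __name__ == "__main__":
    for finding in audit_nbar_drop_chain(SAMPLE_CONFIG) or ["drop chain complete"]:
        print(finding)
```

Run it against the output of display current-configuration saved to a file (replace SAMPLE_CONFIG with the file contents); an empty result means the chain is complete, and each finding names the exact step of the procedure that needs to be redone. The checks are anchored regexes on whole command lines, so a behavior that only marks or rate-limits, or a policy applied outbound instead of inbound, is reported rather than accepted.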