Identifying Layer 7 application traffic

Network administrators around the globe are very concerned about the type of traffic that leaves their network. They want their critical business applications to perform at their best over the WAN. Non-critical applications such as general web browsing and social media degrade the performance of WAN links, so administrators try to keep non-business applications off those links.

Over the last decade, administrators around the globe have used traditional NetFlow and similar flow technologies to identify the type of traffic on their network. Traditional flow-based analysis identifies traffic by the layer 3 and layer 4 header fields that make up the flow key: source and destination IP address, IP protocol, and source and destination port. An application is therefore recognized only when it sits on a well-known port.

What if a user on the network uses cloud services, social media and applications that run on random ports? These applications are identified at layer 7, by the content of the session rather than by the port it uses. Traditional NetFlow analysis can only answer for what it was built for: addresses, protocols and ports.

Let’s look at a scenario that shows why identifying layer 7 applications matters:

An individual thinks, “What happens to my personal data if my PC, mobile or tablet crashes?” That question prompts him or her to look for alternate storage to back up the data, and to research which storage is safe, easy to access and redundant.

Things have improved a lot over the last couple of decades. Few people want to keep their only copy on a flash drive or external hard drive, as these are prone to failure or theft.
With the evolution of cloud-based storage and social media (Google Drive, Dropbox, Picasa, SkyDrive, iCloud, Facebook, etc.), the individual is comfortable knowing his or her data is safe, redundant and easy to access from anywhere, on any device. All one needs to do is sign up for one of these cloud-based services: they give individuals a large amount of free space, plus very cheap upgrade options.

What does the network administrator think?

The network administrator is always thinking about 100% uptime and a high-performance network. Non-business applications such as cloud storage, social media and video streaming consume much of the available bandwidth on the corporate network, which degrades its performance.

Dropping non-business layer 7 applications, random-port applications and social media traffic by identifying each of their IP addresses and placing access lists on the firewall is tedious. Furthermore, the IP addresses and port numbers used by cloud-based applications and storage are dynamic, so a rule written against them on the firewall is outdated within a short span.

What gives the administrator visibility into layer 7 application traffic?

Deep packet inspection is the appropriate method for measuring layer 7 application traffic utilization. Consider a network of Cisco devices running a recent IOS. Cisco IOS supports NBAR (Network Based Application Recognition), which identifies layer 7 applications by deep packet inspection of the payload rather than by port number.

NBAR loads its signatures from PDLMs (Packet Description Language Modules); the signature set has over 1,000 entries covering web traffic, URLs, file-sharing applications and random-port applications. PDLMs on a Cisco device are updated with every IOS upgrade or with an intermediate PDLM update pack (on NBAR2, found in newer IOS and IOS XE releases, downloadable protocol packs play the same role and can be loaded without an IOS upgrade). Refer to the blog on upgrading PDLMs on a Cisco device for the procedure.

A recent IOS with a recent PDLM has many signatures and protocols mapped; refer to Cisco's protocol list for the applications and protocols a given IOS release can classify.

How to identify the layer 7 application traffic utilization?

To monitor the traffic utilization of layer 7 applications, enable NBAR protocol discovery on the WAN interfaces of the Cisco router. Once enabled, the router performs deep packet inspection on all traffic crossing those interfaces and keeps per-application packet, byte and bit-rate counters. To view those NBAR statistics over time, we need a NetFlow analysis tool that can parse Flexible NetFlow records carrying the application field.

We configure the router to export the NBAR classification as part of Flexible NetFlow (NetFlow v9) records, together with the application option table that maps application IDs to names, to the NetFlow analysis tool, which then generates a per-application report (the original post shows a screenshot of this report).
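As an added example, not taken from the original post, here is a Flexible NetFlow configuration that exports the NBAR application name alongside the usual flow key. The interface name is the one the post uses below; the collector address 192.0.2.10, UDP port 9996 and the record, exporter and monitor names are assumptions for illustration.

```cisco
! Flow record: the usual 5-tuple plus the NBAR application name as a key field,
! so each exported flow is attributed to an application, not just a port.
flow record NBAR-APP-RECORD
 match ipv4 source address
 match ipv4 destination address
 match ipv4 protocol
 match transport source-port
 match transport destination-port
 match interface input
 match application name
 collect interface output
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
!
! Exporter: NetFlow v9 to the analysis tool (address and port are assumed values).
! The application-table option exports the application ID -> name mapping the
! collector needs to label the flows; without it the records carry only numeric IDs.
flow exporter NBAR-EXPORTER
 destination 192.0.2.10
 source GigabitEthernet0/0
 transport udp 9996
 export-protocol netflow-v9
 template data timeout 60
 option application-table timeout 60
!
! Monitor: ties the record to the exporter; short timeouts keep the report current.
flow monitor NBAR-APP-MONITOR
 record NBAR-APP-RECORD
 exporter NBAR-EXPORTER
 cache timeout active 60
 cache timeout inactive 15
!
! WAN interface: protocol discovery feeds the per-application counters, and the
! monitor is applied in both directions so upload and download are both reported.
interface GigabitEthernet0/0
 ip nbar protocol-discovery
 ip flow monitor NBAR-APP-MONITOR input
 ip flow monitor NBAR-APP-MONITOR output
```

The application field is only populated for flows NBAR could classify; anything it cannot recognize is exported as unknown, so a large "unknown" share in the report is the first sign that the signature set on the router is stale.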

The following steps, applied on the Cisco router, block non-business layer 7 application traffic. The protocol names are the ones from the original post, with "itune" corrected to the NBAR protocol name "itunes".

Step 1 :-

Create a class map that classifies this kind of traffic. With match-any, a packet belongs to the class as soon as any one of the match statements hits:

class-map match-any File-Sharing
 match protocol dropbox
 match protocol google-docs
 match protocol gtalk-ft
 match protocol google-services
 match protocol facebook
 match protocol itunes

Step 2 :-

Create a policy that drops the Dropbox, Google and other traffic classified into File-Sharing. The drop action has to be stated explicitly: a class listed in a policy map with no action under it does nothing. An access list cannot be used for this purpose, because a deny entry in an ACL referenced by "match access-group" never produces a class match, so "match access-group 102" together with "access-list 102 deny ip any any" classifies nothing and drops nothing. Traffic that matches none of the protocols falls into class-default and is forwarded normally.

policy-map File-Sharing
 class File-Sharing
  drop

Step 3 :-

Associate the policy with the WAN interface in both directions. "ip nbar protocol-discovery" is what makes the per-application statistics available to show commands and to NetFlow export; "match protocol" in the class map activates NBAR classification on the interface by itself.

interface GigabitEthernet0/0
 ip address <address> <mask>
 ip nbar protocol-discovery
 service-policy input File-Sharing
 service-policy output File-Sharing

Because the class map keys on NBAR application signatures rather than on addresses or ports, the policy does not have to be rewritten when an application moves to new IP addresses or random ports. It is not maintenance-free, though: the signatures come from the PDLM (or the protocol pack on NBAR2), so classification stays accurate only while that signature set is kept current, and deep packet inspection costs CPU on the router, so check utilization after enabling it on a busy WAN link. Confirm with the router's show commands that the intended applications actually land in the File-Sharing class before relying on the drop.
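As an added example that is not part of the original post, these are the IOS commands used to confirm that the signature set is current and that the policy classifies and drops what was intended. The interface name is the one from the steps above; the PDLM filename is a placeholder, not a real module.

```cisco
! Which NBAR engine and signature set (PDLM or protocol pack) the image is running
show ip nbar version
! PDLMs loaded on this router in addition to those built into the IOS image
show ip nbar pdlm
! Top ten applications by bit rate on the WAN interface, shown for input and output
show ip nbar protocol-discovery interface GigabitEthernet0/0 stats bit-rate top-n 10
! Is the File-Sharing policy attached, and are packets being matched and dropped
! in the File-Sharing class rather than passing through class-default?
show policy-map interface GigabitEthernet0/0
! Which ports NBAR currently associates with a given application
show ip nbar port-map dropbox
!
! Loading an updated signature module copied to flash (global configuration;
! the filename is a placeholder for the module obtained from Cisco)
ip nbar pdlm flash:<module>.pdlm
```

If "show policy-map interface" reports zero matches in the File-Sharing class while "show ip nbar protocol-discovery" shows the application on the link, the protocol name in the class map does not match what the loaded signatures call it; check the name against "show ip nbar port-map" or the protocol list for that IOS release.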

Praveen Kumar

NetFlow Analyzer Technical Team



The original article/video can be found at Identifying Layer 7 application traffic

About the Author: Shannon Lewis
