Network administrators around the globe are very concerned about the type of traffic that is exiting their network. They want their critical business application over the WAN to perform at its best. Non-critical applications like web traffic and social media downgrade the performance of WAN links. Therefore, administrators should avoid non-business applications on WAN links.
Over the last decade, administrators around the globe have used traditional NetFlow and other similar flow technologies to identify the type of traffic on their network. The traditional flow-based traffic analysis is utilized to identify layer 3 application traffic based on port and protocol.
What if a user on the network uses cloud services, social media and random port applications? The majority of these applications are placed in layer 7. Traditional layer 3 NetFlow analysis can only give us an answer: “I am good for what I am used for.”
Let’s look at a scenario to explain how to identify and tackle the layer 7 application:
An individual thinks, “What happens to my personal data if my PC, mobile or tablet crashes?” This question provokes him or her to search for on alternate storage to back up their data. That is where an individual does research to find the correct storage, ensuring that it is safe, easy to access and redundant.
With the evolution of cloud based storage, social media (i.e. Google Drive, Drop Box, Picasa, SkyDrive, iCloud, Facebook, etc. ) makes the individual comfortable knowing his or her data is safe, redundant and easy to access from anywhere, on any device . All one needs to do is sign up for any of these cloud based service, as they provide a large amount of free space for individual sign up, as well as very cheap upgrade options.
The network administrator always think on 100% up time and high performance network. The non-business applications like cloud storage, social media and video streaming utilize much of available bandwidth on the corporate network, which reduces the performance of network.
Dropping non-business layer 7 application, random port and social media traffic by identifying each of its IP addresses and placing access lists on the firewall is tedious. Furthermore , the IP address and port numbers used by cloud based application and storage are dynamic . The actual rule placed on the firewall will be outdated within a short span.
What helps administrator to find layer 7 application traffic visibility?
Deep packet inspection is an appropriate methodology to find layer 7 application traffic utilization. Consider a network of Cisco devices with recent IOS. Cisco device supports NBAR (Network Based Application Recognition) which helps to identify layer 7 application traffic using deep packet inspection mechanism.
NBAR has PDLM (Packet Description Language Module), which has over 1,000 signatures used for identifying web traffic, URL’s, file sharing application and random port application. PDLM on a Cisco device is updated on every IOS upgrade or with intermediate PDLM update pack. Refer this blog about PDLM upgrade on Cisco device.
A new IOS with recent PDLM has many signatures and protocols mapped, refer this link for detail information about mapped protocol and applications on the Cisco IOS.
How to identify the Layer 7 application traffic utilization?
To monitor the traffic utilization of layer 7 applications, you need to enable NBAR on the WAN interfaces of the Cisco router. After enabling NBAR on the interfaces, the router will start doing deep packet inspection on all the traffic on the interfaces. To view NBAR stats, we need a NetFlow analysis tool which could parse the Flexible NetFlow records.
We need to configure the router to export NBAR stats as a Flexible NetFlow to the NetFlow analysis tool which generates report as shown in below screenshot.
Step 1 :-
Creating a class map to classify this kind of traffic:
class-map match-any File-Sharing
match protocol dropbox
match protocol google-docs
match protocol gtalk-ft
match protocol google-services
match protocol facebook
match protocol itune
Step 2 :-
Creating access group and attaching it with class map File-Sharing
match access-group 102
Step 3 :-
Creating a policy to drop this drop box and Google traffic.
Step 4 :-
Associating the policy created to a WAN interface
Ip address 192.168.49.106
Ip nbar protocol-discovery
service-policy input File-Sharing
service-policy output File-Sharing
Step 5 :-
Creating a access list to prevent these traffic. We already created a access group matching these traffic .
access-list 102 deny ip any any
The policy created to block or drop layer 7 application traffic based on NBAR application map is permanent and there is no need for periodic updates or customization even if the application uses random ports or dynamic IP.
NetFlow Analyzer Technical Team
The original article/video can be found at Identifying Layer 7 application traffic