What is NBAR?  NBAR is a powerful packet filtering/identification/firewall that you may already have installed on your Cisco router. For a list of what NBAR can detect look here.

NBAR is also what we call Cisco's "autopilot" for QoS. It has been in IOS since ver. 12.0 and has been continually updated with recognition of new applications. A huge improvement was made with IOS 12.3 which introduced the ability to recognize more applications because of the availability of the Packet Description Language Module (PDLM) feature. PDLMs help IOS to know which application is which when it looks through the traffic flow. Cisco regularly releases new PDLMs for new applications, and you can get more info here (a valid CCO login is required).

For list of NBAR applications recognized with IOS version 12.3, use the following commands:

cell_pe1(config)#class-map match-all nbar
cell_pe1(config-cmap)#match pro ?


Configuring and using NBAR to identify and block traffic is done as follows (you can find further details at here):

First, make sure that CEF is on using the following command:

cell_pe1(config)# ip cef


Next create a class-map, identifying the traffic you want to block.

cell_pe1(config)#class-map match-any killedtraffic

cell_pe1(config-cmap)# match protocol http url “*loveme.exe*”

cell_pe1(config-cmap)# match protocol http mime “*loveme.exe*”


Now create a policy to mark the traffic:


cell_pe1(config)# policy-map mark-killedtraffic

cell_pe1(config-pmap)# class killedtraffic

cell_pe1(config-pmap)# set ip dscp 1


Next, apply the policy to the interface that faces the Internet or the source of the traffic that you want to block. This marks the traffic when it enters the router:

cell_pe1(config)# interface serial 1/0

cell_pe1(config-if)#service-policy input mark-bad-traffic


Now create an access control list (ACL) that denies the marked traffic:

cell_pe1(config)# access-list 191 deny ip any any dscp 1

cell_pe1(config)# access-list 191 permit ip any any


Lastly, deny the marked traffic as it’s about to exit your router by applying the ACL to an interface:

cell_pe1(config)# interface GigabitEthernet 0/0

cell_pe1(config-if)# ip access-group 191 out


A less talked about feature of NBAR is its security aspect. NBAR can identify fields in a HTTP packet, such as the URL, content type, or user agent. For example, NBAR recognized the fast-moving Code Red Worm that first circulated the Internet in 2001. While traditional firewalls weren’t able to look inside the HTTP stream of data and block the Code Red traffic, NBAR was ideal for the situation. 


Lastly, there are some things that NBAR cannot do. You can’t use it on a tunnel or encrypted interface, and you can’t use it to work with asymmetric traffic flows, understand URLs or other traffic in HTTPS traffic, work with non-CEF traffic, or identify fragmented traffic.

We hope this helps you to understand NBAR, and we encourage you to use this feature in Cisco IOS.

Comments powered by CComment

Did you learn something?
Did I save you time? 

Buy me a coffeeBuy me a coffee!