NBAR - Network-Based Application Recognition: I've been doing a lot of reading on QoS lately and ran into NBAR. The thing that I found really cool about NBAR, other than using it for QoS, is the ability to block user access to certain protocols on the router itself. The problem I have been running into is the Guest WiFi eating up all of the bandwidth at our stores. Outbound QoS does an OK job, but it is the inbound traffic that is causing the majority of our issues. By using NBAR I can block protocols that use a lot of bandwidth, which will hopefully give our stores some relief. The configuration for this is pretty simple:
class-map match-any BLOCK_GUEST_CM
 match protocol youtube
 match protocol netflix
 match protocol hulu
policy-map BLOCK_GUEST_PM
 class BLOCK_GUEST_CM
  drop
int bvi32
 service-policy input BLOCK_GUEST_PM
After applying the policy-map to the guest VLAN, users are no longer able to connect to Hulu, Netflix, or YouTube. NBAR can also block P2P, BitTorrent, Tor, etc.
**I had to update the NBAR protocol pack to get it to block YouTube. Cisco has updated packs you can download from their website and then install on your router. Once the updated pack is in flash, all you have to do is install it (no reboot required):
ip nbar protocol-pack flash:pp-adv-isrg2.pack
If anyone has any good ideas on how to control inbound traffic let me know ;)
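A variant of the configuration above, added here as an example and not taken from the post: it measures the guest VLAN with NBAR protocol discovery first, then rate-limits the streaming class instead of dropping it outright. The rates are assumptions; BLOCK_GUEST_CM and bvi32 are the names used in the post.

```cisco
! Added example, not from the thread. Rates are assumptions chosen for a 1.5 Mbps DSL link.

! Measure first: protocol discovery shows which applications actually consume the guest VLAN,
! so the policy targets what is really eating the link rather than a guess.
interface bvi32
 ip nbar protocol-discovery
! Inspect with: show ip nbar protocol-discovery interface bvi32 top-n 10

! Reuse the post's class-map, but police the streaming class instead of dropping it,
! and cap everything else the guests send so one client cannot starve the store.
policy-map GUEST_POLICE_PM
 class BLOCK_GUEST_CM
  police 128000 conform-action transmit exceed-action drop
 class class-default
  police 512000 conform-action transmit exceed-action drop

! "input" on the BVI is traffic the guest clients send (requests and TCP ACKs).
! Limiting that side throttles the inbound replies without touching the WAN interface;
! a policer on the WAN input would only drop packets after they already crossed the DSL link,
! relying on TCP sender back-off to reduce the load.
interface bvi32
 service-policy input GUEST_POLICE_PM

! Verify that the classes match and that conform/exceed counters move:
! show policy-map interface bvi32 input
! show ip nbar protocol-pack active   (confirms the updated pack that recognises youtube)
```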
block any any all log
^ Prevents ALL possible malware downloads. Best to apply the rule in both directions.
Quote from: deanwebb on September 02, 2016, 10:47:55 AM
block any any all log
^ Prevents ALL possible malware downloads. Best to apply the rule in both directions.
BINGO! :problem?:
OK, now for serious answers... while the firewall is keeping uninvited inbound traffic out, *invited* traffic in the form of a browser request gets through all the time... having a proxy server doing content filtering and/or a Palo Alto firewall filtering on traffic can get things as granular as allowing Facebook, but blocking FB games. By blocking the request, then no inbound traffic will arrive to answer that request.
Thanks Dean - we have Palo Alto firewalls in our main corporate office and are working on deploying them to all of our branch offices. For our stores we do have a Squid proxy doing the content filtering for the PCs in the stores. It would be too expensive for us to have a Palo Alto at each of our 1200+ stores, and I'm not sure how to get the guest user PC to use the Squid proxy since we don't manage their device. I read somewhere that you could forward the user traffic using NAT to go through the proxy. I'll hopefully have time to play with this later this week. I bought a Raspberry Pi 3 to install Squid on for the tests. This will be my first time playing with a Raspberry Pi so should be fun :)
Fun, indeed. And NBAR would be good for bulk traffic filtering routers so that the firewalls don't have to waste cycles on dropping the traffic.
Are your store networks on local internet links, hence this problem?
You have three options in my mind if you can't enforce proxy via standard settings or roll out local Palos (sweet sweet palos):
- overlay a VPN/tunnel solution to force all traffic to be centralised
- cloud proxy solution with local router redirecting - full fat solution includes the likes of the new Cisco web security thingy that basically sets up a tunnel between the router and a cloud proxy service so it acts as a transparent proxy. Vendors like Zscaler offer similar solutions using manual IPsec/GRE tunnels and PBR for example.
- quick and dirty equivalent is OpenDNS (block via URL categories) - I'm not sure how this works at a granular RBAC level
We had this same issue, and I am going to give you the magic formula. Here we go:
1) Get a backup connection (cable)
2) configure PBR (send RFC 1918 in, internet out cable)
3) Get a cloud based DNS service (cough OpenDNS cough)
4) Configure Split-DNS on said router
There you go. No more issues :)
Thanks Wintermute000 and LynK -
Our stores connect with a Cisco router with two WAN interfaces. Currently our guest network is separated from the store network(s) by using VRFs and PBR. One WAN connection is the primary DSL/Cable/T1 and the second WAN port is a 4G LTE backup connection. The business has decided that a good backup is more important than a second connection that is primarily used for guest access. A handful of our stores do have two Cable/DSL connections where this is currently being done, but these are one-offs and are to support the high density of guest user access (i.e. one of our stores just off the Vegas strip).
We had looked at OpenDNS (before they were bought by Cisco) but the business decided it would be too expensive to implement at all stores. They want a Ferrari for the price of a Kia, which I think a lot of people working for a retail-based company run into. I liked NBAR since I could filter applications without any extra costs associated with it.
I gave the suggestion that the cheapest way to alleviate the stress on the store network caused by the guest usage is to get a bigger pipe. This is something we are looking into, but in the meantime they are wanting the store to run perfectly with guest wireless on a legacy DSL connection with 1.5 Mbps/786 Kbps ;)
the cheap solution:
PBR the guest wireless out the backup 4G.
Write an EEM to ACL off or shape guest traffic when running in backup ;)
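One way to build the EEM suggestion above, added here as an example and not from the reply: an IP SLA probe tracks the primary WAN, and two applets attach or remove a policer on the guest BVI when the router fails over to the 4G backup. The probe target, WAN interface name, and rate are assumptions; bvi32 is the guest interface from the original post.

```cisco
! Added example, not from the thread. 203.0.113.1 and GigabitEthernet0/0 are assumed
! to be the primary WAN next hop and interface; 256 kbps is an assumed 4G budget for guests.

! Probe the primary next hop so the router knows when it is running on backup.
ip sla 10
 icmp-echo 203.0.113.1 source-interface GigabitEthernet0/0
 frequency 10
ip sla schedule 10 life forever start-time now
track 10 ip sla 10 reachability

! Policer that is only attached while the primary is down. Policing is used rather than
! shaping because police is supported on more platforms for a BVI; swap in "shape average"
! if the platform allows it.
policy-map GUEST_BACKUP_PM
 class class-default
  police 256000 conform-action transmit exceed-action drop

! Primary goes down: throttle what the guests can pull over the 4G link and log it.
event manager applet GUEST_BACKUP_ON
 event track 10 state down
 action 1.0 cli command "enable"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "interface bvi32"
 action 4.0 cli command "service-policy output GUEST_BACKUP_PM"
 action 5.0 cli command "end"
 action 6.0 syslog msg "Primary WAN down: guest policer applied on bvi32"

! Primary recovers: remove the policer so guests get normal service again.
event manager applet GUEST_BACKUP_OFF
 event track 10 state up
 action 1.0 cli command "enable"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "interface bvi32"
 action 4.0 cli command "no service-policy output GUEST_BACKUP_PM"
 action 5.0 cli command "end"
 action 6.0 syslog msg "Primary WAN up: guest policer removed from bvi32"
```

Check the state with "show track 10" and "show event manager policy registered"; the syslog messages give the store a record of every failover so unexplained slowness can be correlated with backup periods.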
Quote from: LynK on September 07, 2016, 01:02:14 PM
We had this same issue, and I am going to give you the magic formula. Here we go:
1) Get a backup connection (cable)
2) configure PBR (send RFC 1918 in, internet out cable)
3) Get a cloud based DNS service (cough OpenDNS cough)
4) Configure Split-DNS on said router
There you go. No more issues :)
Cisco cough bought cough openDNS cough
Quote from: Dieselboy on September 12, 2016, 10:03:54 PM
Cisco cough bought cough openDNS cough
Welp... I'm sure that'll be broken soon then.... :problem?:
Viptela + automagic tunnels to zscaler ftw
How about adding a bandwidth policer to your "guest" interface? Allocate only a certain bandwidth for guest traffic?