Network administrators around the globe are very concerned about the type of traffic that is exiting their network. They want their critical business application over the WAN to perform at its best. Non-critical applications like web traffic and social media downgrade the performance of WAN links. Therefore, administrators should avoid non-business applications on WAN links.

Over the last decade, administrators around the globe have used traditional NetFlow and other similar flow technologies to identify the type of traffic on their network. The traditional flow-based traffic analysis is utilized to identify Layer 3 application traffic based on port and protocol.

What if a user on the network uses cloud services, social media, and random port applications? The majority of these applications are placed in Layer 7. Traditional Layer 3 NetFlow analysis can only give us an answer: “I am good for what I am used for.”

Let’s look at a scenario to explain how to identify and tackle the Layer 7 application:

An individual thinks, “What happens to my personal data if my PC, mobile device, or tablet crashes?” This question provokes him or her to search for an alternate storage method to back up their data. That is where an individual does research to find the correct storage, ensuring that it is safe, easy to access, and redundant.

Things have improved a lot over the last couple decades. No one wants to store their data on a flash drive or external hard drive as these are prone to crash or theft. The evolution of cloud-based storage and social media (e.g., Google Drive, Dropbox, Picasa, SkyDrive, iCloud, and Facebook) has made individuals comfortable knowing that their data is safe, redundant, and easy to access from anywhere, on any device. All one needs to do is sign up for any of these cloud-based services as they provide a large amount of free space for individual sign-ups as well as very cheap upgrade options.

What does the network administrator think?

The network administrator always think about 100% uptime and having a high-performance network. The non-business applications like cloud storage, social media, and video streaming utilize much of the available bandwidth on the corporate network, which reduces the network’s performance.

Dropping non-business Layer 7 application, random port, and social media traffic by identifying each one’s IP addresses and placing access lists on the firewall is tedious. Furthermore, the IP addresses and port numbers used by cloud-based applications and storage are dynamic. The actual rule placed on the firewall will be outdated within a short span.

What helps the administrator get visibility into Layer 7 application traffic?

Deep packet inspection is an appropriate methodology to find Layer 7 application traffic utilization. Consider a network of Cisco devices with the recent IOS. The Cisco device supports Network Based Application Recognition (NBAR), which helps identify Layer 7 application traffic using a deep-packet-inspection mechanism.

NBAR has the Packet Description Language Module (PDLM), which has over 1,000 signatures used for identifying web traffic, URLs, file-sharing applications, and random port applications. PDLM on a Cisco device is updated on every IOS upgrade or with an intermediate PDLM update pack. Refer to this blog about PDLM upgrade on Cisco devices.

A new IOS with recent PDLM has many signatures and protocols mapped; refer to this link for detailed information about the mapped protocols and applications on Cisco IOS.

How do you identify the Layer 7 application traffic utilization?

To monitor the traffic utilization of Layer 7 applications, you need to enable NBAR on the WAN interfaces of the Cisco router. After enabling NBAR on the interfaces, the router will start doing deep packet inspection on all the traffic on the interfaces. To view NBAR stats, we need a NetFlow analysis tool that can parse the Flexible NetFlow records.

We need to configure the router to export NBAR stats as a Flexible NetFlow to the NetFlow analysis tool, which generates a report as shown in the screenshot below.

The following are a sequence of steps that need to be followed on the Cisco router to block non-business Layer 7 application traffic.

Step 1:

Create a class map to classify this kind of traffic.

class-map match-any File-Sharing

match protocol dropbox

match protocol google-docs

match protocol gtalk-ft

match protocol google-services

match protocol facebook

match protocol itune

Step 2:

Create an access group and attach it with class map File-Sharing.

 match access-group 102

Step 3:

Create a policy to drop this Dropbox and Google traffic.

policy-map File-Sharing
class File-Sharing

Step 4:

Associate the created policy with a WAN interface.

Interface GigabitEthernet0/0

Ip address

Ip nbar protocol-discovery

service-policy input File-Sharing

service-policy output File-Sharing

Step 5:

Create an access list to prevent this traffic. We already created an access group matching this traffic.

access-list 102 deny ip any any

The policy created to block or drop Layer 7 application traffic based on the NBAR application map is permanent, and there is no need for periodic updates or customization even if the application uses random ports or has a dynamic IP.