I received a question from one of my clients: they wanted to configure an interface to drop everything except this application’s packets. They told me that the application uses destination UDP port 22004, and that its traffic is identified by the character sequence “YADAYADA” starting 117 bytes after the payload’s first byte.
The natural solution is to match on a specific protocol using NBAR, but in this case the application is not one of those Cisco supports out of the box.
With NBAR’s custom protocol feature we can create our own NBAR protocol, name it something like “SpecialProtocol”, and specify the destination UDP port and the characters mentioned in the question:
Router(config)#ip nbar custom SpecialProtocol 117 ascii YADAYADA destination udp 22004
Then we create a class-map that matches this protocol, and another one that matches any traffic:
Router(config)#class-map match-all MYCLASS
Router(config-cmap)# match protocol SpecialProtocol
Router(config)#class-map match-all all
Router(config-cmap)# match any
Then we create a policy-map with two classes. The first class matches “MYCLASS” and has no action (in other words, it lets the traffic through). The second class matches “all” and drops everything else, that is, all traffic other than SpecialProtocol.
Router(config)#policy-map lan-filter
Router(config-pmap)# class MYCLASS
Router(config-pmap)# class all
Router(config-pmap-c)# drop
The reason we had to create a separate class-map “all” that matches “any” is that Cisco IOS does not allow us to configure the “drop” action on the implicit class-default class.
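As an added illustration (not part of the original post, and not Cisco code), the following Python script emulates the decision the custom protocol and policy-map above make on a single UDP datagram. It assumes the usual `ip nbar custom` offset semantics, that the string must appear exactly at the given byte offset of the payload; all function names and sample packets are constructed here.

```python
import struct

# Parameters mirroring: ip nbar custom SpecialProtocol 117 ascii YADAYADA destination udp 22004
MATCH_OFFSET = 117           # byte offset into the UDP payload where the string must start (assumed semantics)
MATCH_STRING = b"YADAYADA"
MATCH_DST_PORT = 22004


def parse_udp(datagram: bytes):
    """Split a raw UDP datagram (8-byte header + payload) into (src_port, dst_port, payload)."""
    if len(datagram) < 8:
        raise ValueError("short UDP datagram")
    src, dst, _length, _csum = struct.unpack("!HHHH", datagram[:8])
    return src, dst, datagram[8:]


def matches_special_protocol(datagram: bytes) -> bool:
    """Emulate the custom-protocol classification: destination port 22004 and
    'YADAYADA' located exactly at payload offset 117; shorter payloads never match."""
    _src, dst, payload = parse_udp(datagram)
    if dst != MATCH_DST_PORT:
        return False
    end = MATCH_OFFSET + len(MATCH_STRING)
    return len(payload) >= end and payload[MATCH_OFFSET:end] == MATCH_STRING


def policy_action(datagram: bytes) -> str:
    """Apply policy-map lan-filter: class MYCLASS has no action (pass), class 'all' drops."""
    return "pass" if matches_special_protocol(datagram) else "drop"


def build_udp(src_port: int, dst_port: int, payload: bytes) -> bytes:
    """Construct a UDP datagram; the checksum is left at 0 for this offline example."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload


# Constructed sample traffic (not real captures)
GOOD_PAYLOAD = b"\x00" * MATCH_OFFSET + MATCH_STRING + b"trailing application data"
SAMPLES = {
    "app_traffic": build_udp(40000, 22004, GOOD_PAYLOAD),
    "wrong_port": build_udp(40000, 22005, GOOD_PAYLOAD),
    "marker_too_early": build_udp(40000, 22004, b"\x00" * 100 + MATCH_STRING),  # string at offset 100
    "short_packet": build_udp(40000, 22004, b"\x00" * 50),
}

if __name__ == "__main__":
    for name, dgram in SAMPLES.items():
        print(f"{name:18s} -> {policy_action(dgram)}")
```

Note that the router only enforces this once the policy-map is attached to the interface with service-policy, which the commands above do not show. The classifier checks a port and a few bytes at one offset, so it identifies traffic that looks like the application rather than authenticating it.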