
Network-Based Application Recognition

This feature module describes the Network-Based Application Recognition (NBAR) feature. It includes information on the benefits of the new feature, supported platforms, restrictions, definitions, and new and revised command syntax.

This document includes the following sections:

Feature Overview


Table 1: Feature History

Cisco IOS Release     Modification
Release 12.0(5)XE2    This feature was introduced.
Release 12.1(1)E      Subport classification of HTTP traffic by Host name was introduced.
Release 12.1(2)E      Support for the Citrix, Novadigm, and Printer protocols was introduced.

As IP Quality of Service (QoS) technology matures and customers begin QoS deployment in production networks, new requirements for packet classification have emerged. Today's applications require high performance to ensure competitiveness in an increasingly fast-paced business environment. Networks provide a variety of services to ensure that mission-critical applications receive the required bandwidth for high performance. Today's Internet-based and client-server applications make it difficult for networks to identify packets and provide the proper level of control.

Network-Based Application Recognition (NBAR) solves this problem by adding intelligent network classification to network infrastructures. NBAR is a new classification engine that recognizes a wide variety of applications, including web-based and other difficult-to-classify protocols that utilize dynamic TCP/UDP port assignments. When an application is recognized and classified by NBAR, a network can invoke services for that specific application. NBAR ensures that network bandwidth is used efficiently by working with QoS features to provide:

NBAR introduces several new classification features:

NBAR can also classify static port protocols. Although Access Control Lists (ACLs) can also be used for this purpose, NBAR is easier to configure and can provide classification statistics that are not available when using ACLs.

NBAR provides a special Protocol Discovery feature that determines which application protocols are traversing a network at any given time. The Protocol Discovery feature captures key statistics associated with each protocol in a network. These statistics can be used to define traffic classes and QoS policies for each traffic class.

Enhancements for Release 12.1(2)E

NBAR has added the following enhancements for Release 12.1(2)E:

Enhancements for Release 12.1(1)E

Beginning in Cisco IOS Release 12.1(1)E, NBAR can perform subport classification of HTTP traffic by Host name. You can classify HTTP traffic by web server names. To perform a match on this host name portion of the URL, use the new HOST match criteria.

Classification of HTTP by URL, HOST, or MIME

NBAR can classify application traffic by looking beyond the TCP/UDP port numbers of a packet. This is subport classification. NBAR looks into the TCP/UDP payload itself and classifies packets on content within the payload such as transaction identifier, message type, or other similar data.

Classification of HTTP by URL, HOST, or Multipurpose Internet Mail Extension (MIME) type is an example of subport classification. NBAR classifies HTTP traffic by text within the URL or HOST fields of a GET request using regular expression matching. NBAR uses the UNIX filename specification as the basis for the URL or HOST specification format. The NBAR engine then converts the specified match string into a regular expression.

NBAR recognizes HTTP GET packet(s) containing the URL and classifies all packets that are sent to the source of the HTTP GET request. Figure 1 illustrates a network topology with NBAR in which Router Y is the NBAR-enabled router.


Figure 1: Network Topology with NBAR

When specifying a URL for classification, include only the portion of the URL following the www.hostname.domain in the match statement. For example, for the URL www.cisco.com/latest/whatsnew.html, include only /latest/whatsnew.html.

HOST specification is identical to URL specification. NBAR performs a regular expression match on the HOST field contents inside an HTTP GET packet and classifies all packets from that host. For example, for the URL www.cisco.com/latest/whatsnew.html, include only www.cisco.com.

For MIME type matching, the MIME type can contain any user-specified text string. A list of the Internet Assigned Numbers Authority (IANA)-supported MIME types can be found at:

ftp://ftp.isi.edu/in-notes/iana/assignments/media-types/media-types

In MIME type matching, NBAR classifies the packet containing the MIME type and all subsequent packets, which are sent to the source of the HTTP GET request.

NBAR supports URL and HOST classification in the presence of persistent HTTP. NBAR does not classify packets that are part of a pipelined request. With pipelined requests, multiple requests are pipelined to the server before previous requests are serviced. Pipelined requests are a less commonly used type of persistent HTTP request.

Classification of Citrix ICA Traffic by Application Name

NBAR can classify Citrix Independent Computing Architecture (ICA) traffic and perform subport classification of Citrix traffic based on Citrix published applications. NBAR monitors Citrix ICA client requests for a published application that are sent to a Citrix ICA Master browser. When a client requests a published application, the Citrix ICA Master browser directs the client to the server with the most available memory, and the Citrix ICA client then connects to that Citrix ICA server for the application.

NBAR statefully tracks Citrix ICA server client messages and classifies requests for given Citrix application names and traffic. A Citrix application is named when published on a Citrix ICA server. NBAR performs a regular expression match using a user-specified application name-string on the contents of the Citrix ICA control packets carrying the published application name. Therefore, users need to specify a regular expression that will result in a match for the published application name if they wish to match a specified application. See the match protocol citrix command in the Command Reference section for additional information.

Citrix ICA clients can be configured in various modes. NBAR cannot distinguish among Citrix applications in all modes of operation. Therefore, network administrators might need to collaborate with Citrix administrators to ensure that NBAR properly classifies Citrix traffic.

A Citrix administrator can configure Citrix to publish Citrix applications individually or as the entire desktop. In the Published Desktop mode of operation, all applications within the published desktop of a client use the same TCP session. Therefore, differentiation among applications is impossible, and NBAR can only be used to classify Citrix applications as aggregates (by looking at port 1494).

The Published Application mode for Citrix ICA clients is recommended when you use NBAR. In Published Application mode, a Citrix administrator can configure a Citrix client in either seamless or non-seamless (windows) modes of operation. In non-seamless mode, each Citrix application uses a separate TCP connection, and NBAR can be used to provide interapplication differentiation based on the name of the published application.

Seamless mode clients can operate in one of two submodes: session sharing or non-session sharing. In seamless session sharing mode, all applications for a client share the same TCP connection, and NBAR cannot differentiate among applications. Seamless session sharing mode is enabled by default on some software releases.

In seamless non-session sharing mode, each application for each particular client uses a separate TCP connection. NBAR can provide inter-application differentiation in seamless non-session sharing mode.

Session sharing can be turned off on the Citrix server using the following steps:

Step 1 At the command prompt of the Citrix server, open the registry editor by entering the regedit command.

Step 2 Create the following registry entry (which overrides session sharing):

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Citrix\WFSHELL\TWI
Value name: SeamlessFlags, type: DWORD, possible values: 0 or 1

Setting this registry value to 1 overrides session sharing. Note that this flag is server global: it changes the behavior of every seamless client session on that server, not only the sessions you want NBAR to classify, so agree the change with the Citrix administrator before making it.



Note NBAR operates properly in ICA secure mode. Pipelined Citrix ICA client requests are not supported.

Protocol Discovery

So that QoS policies can be developed and applied, NBAR includes a Protocol Discovery feature that provides an easy way to discover application protocols that are transiting an interface. The Protocol Discovery feature discovers any protocol traffic supported by NBAR. Protocol Discovery can be applied to interfaces and can be used to monitor both input and output traffic. Protocol Discovery maintains the following per-protocol statistics for enabled interfaces: total number of input and output packets and bytes, and input and output bit rates.

Packet Description Language Module

An external Packet Description Language Module (PDLM) can be loaded at run time to extend the NBAR list of recognized protocols. PDLMs can also be used to enhance an existing protocol recognition capability. PDLMs allow NBAR to recognize new protocols without requiring a new IOS image or a router reload.

New PDLMs will only be released by Cisco and can be loaded from Flash memory. Please contact your local Cisco representative to request additions or changes to the set of protocols classified by NBAR.

Memory Management

NBAR uses approximately 150 bytes of DRAM for each flow that requires stateful inspection. (See Table 4 for the list of NBAR-supported protocols that require stateful inspection.) When NBAR is configured, it allocates 1 MB of DRAM, enough to support up to 5000 concurrent flows. NBAR checks whether it needs more memory to handle additional concurrent stateful flows and, if so, expands its memory usage in increments of 200 KB to 400 KB.

Supported Protocols

NBAR is capable of classifying the following three types of protocols:


Table 2: Non-UDP and Non-TCP Protocols

Cisco IOS Release(1)    Protocol   Type   IP Protocol Number   Description                                               Syntax
12.0(5)XE2, 12.1(1)E    EGP        IP     8                    Exterior Gateway Protocol                                 egp
12.0(5)XE2, 12.1(1)E    GRE        IP     47                   Generic Routing Encapsulation                             gre
12.0(5)XE2, 12.1(1)E    ICMP       IP     1                    Internet Control Message Protocol                         icmp
12.0(5)XE2, 12.1(1)E    IPINIP     IP     4                    IP in IP                                                  ipinip
12.0(5)XE2, 12.1(1)E    IPSec      IP     50, 51               IP Encapsulating Security Payload/Authentication Header   ipsec
12.0(5)XE2, 12.1(1)E    EIGRP      IP     88                   Enhanced Interior Gateway Routing Protocol                eigrp

(1) Indicates the Cisco IOS maintenance release that first supported the protocol. This table is updated when a protocol is added to a new Cisco IOS Release train. The number shown for these protocols is the IP protocol number carried in the IP header, not a TCP/UDP port.


Table 3: TCP and UDP Static Port Protocols

Cisco IOS Release(1)    Protocol       Type      Well-Known Port Number   Description                                            Syntax
12.0(5)XE2, 12.1(1)E    BGP            TCP/UDP   179                      Border Gateway Protocol                                bgp
12.0(5)XE2, 12.1(1)E    CU-SeeMe       TCP/UDP   7648, 7649               Desktop videoconferencing                              cuseeme
12.0(5)XE2, 12.1(1)E    CU-SeeMe       UDP       24032                    Desktop videoconferencing                              cuseeme
12.0(5)XE2, 12.1(1)E    DHCP/BOOTP     UDP       67, 68                   Dynamic Host Configuration Protocol/Bootstrap Protocol dhcp
12.0(5)XE2, 12.1(1)E    DNS            TCP/UDP   53                       Domain Name System                                     dns
12.0(5)XE2, 12.1(1)E    Finger         TCP       79                       Finger user information protocol                       finger
12.0(5)XE2, 12.1(1)E    Gopher         TCP/UDP   70                       Internet Gopher Protocol                               gopher
12.0(5)XE2, 12.1(1)E    HTTP           TCP       80                       Hypertext Transfer Protocol                            http
12.0(5)XE2, 12.1(1)E    HTTPS          TCP       443                      Secured HTTP                                           secure-http
12.0(5)XE2, 12.1(1)E    IMAP           TCP/UDP   143, 220                 Internet Message Access Protocol                       imap
12.0(5)XE2, 12.1(1)E    IRC            TCP/UDP   194                      Internet Relay Chat                                    irc
12.0(5)XE2, 12.1(1)E    Kerberos       TCP/UDP   88, 749                  Kerberos Network Authentication Service                kerberos
12.0(5)XE2, 12.1(1)E    L2TP           UDP       1701                     L2F/L2TP tunnel                                        l2tp
12.0(5)XE2, 12.1(1)E    LDAP           TCP/UDP   389                      Lightweight Directory Access Protocol                  ldap
12.0(5)XE2, 12.1(1)E    MS-PPTP        TCP       1723                     Microsoft Point-to-Point Tunneling Protocol for VPN    pptp
12.0(5)XE2, 12.1(1)E    MS-SQLServer   TCP       1433                     Microsoft SQL Server                                   sqlserver
12.0(5)XE2, 12.1(1)E    NetBIOS        TCP       137, 139                 NetBIOS over IP (MS Windows)                           netbios
12.0(5)XE2, 12.1(1)E    NetBIOS        UDP       137, 138                 NetBIOS over IP (MS Windows)                           netbios
12.0(5)XE2, 12.1(1)E    NFS            TCP/UDP   2049                     Network File System                                    nfs
12.0(5)XE2, 12.1(1)E    NNTP           TCP/UDP   119                      Network News Transfer Protocol                         nntp
12.0(5)XE2, 12.1(1)E    Notes          TCP/UDP   1352                     Lotus Notes                                            notes
12.1(2)E                Novadigm       TCP/UDP   3460-3465                Novadigm Enterprise Desktop Manager (EDM)              novadigm
12.0(5)XE2, 12.1(1)E    NTP            TCP/UDP   123                      Network Time Protocol                                  ntp
12.0(5)XE2, 12.1(1)E    PCAnywhere     TCP       5631, 65301              Symantec PCAnywhere                                    pcanywhere
12.0(5)XE2, 12.1(1)E    PCAnywhere     UDP       22, 5632                 Symantec PCAnywhere                                    pcanywhere
12.0(5)XE2, 12.1(1)E    POP3           TCP/UDP   110                      Post Office Protocol                                   pop3
12.1(2)E                Printer        TCP/UDP   515                      Printer                                                printer
12.0(5)XE2, 12.1(1)E    RIP            UDP       520                      Routing Information Protocol                           rip
12.0(5)XE2, 12.1(1)E    RSVP           UDP       1698, 1699               Resource Reservation Protocol                          rsvp
12.0(5)XE2, 12.1(1)E    SFTP           TCP       990                      Secure FTP                                             secure-ftp
12.0(5)XE2, 12.1(1)E    SHTTP          TCP       443                      Secure HTTP                                            secure-http
12.0(5)XE2, 12.1(1)E    SIMAP          TCP/UDP   585, 993                 Secure IMAP                                            secure-imap
12.0(5)XE2, 12.1(1)E    SIRC           TCP/UDP   994                      Secure IRC                                             secure-irc
12.0(5)XE2, 12.1(1)E    SLDAP          TCP/UDP   636                      Secure LDAP                                            secure-ldap
12.0(5)XE2, 12.1(1)E    SNNTP          TCP/UDP   563                      Secure NNTP                                            secure-nntp
12.0(5)XE2, 12.1(1)E    SMTP           TCP       25                       Simple Mail Transfer Protocol                          smtp
12.0(5)XE2, 12.1(1)E    SNMP           TCP/UDP   161, 162                 Simple Network Management Protocol                     snmp
12.0(5)XE2, 12.1(1)E    SOCKS          TCP       1080                     Firewall security protocol                             socks
12.0(5)XE2, 12.1(1)E    SPOP3          TCP/UDP   995                      Secure POP3                                            secure-pop3
12.0(5)XE2, 12.1(1)E    SSH            TCP       22                       Secure Shell                                           ssh
12.0(5)XE2, 12.1(1)E    STELNET        TCP       992                      Secure Telnet                                          secure-telnet
12.0(5)XE2, 12.1(1)E    Syslog         UDP       514                      System Logging Utility                                 syslog
12.0(5)XE2, 12.1(1)E    Telnet         TCP       23                       Telnet Protocol                                        telnet
12.0(5)XE2, 12.1(1)E    X Windows      TCP       6000-6003                X11, X Windows                                         xwindows

(1) Indicates the Cisco IOS maintenance release that first supported the protocol. This table is updated when a protocol is added to a new Cisco IOS Release train.


Table 4: TCP and UDP Stateful Protocols

Cisco IOS Release(1)       Protocol      Type      Description                                     Syntax
12.0(5)XE2, 12.1(1)E       FTP           TCP       File Transfer Protocol                          ftp
12.0(5)XE2, 12.1(1)E       Exchange      TCP       MS-RPC for Exchange                             exchange
12.0(5)XE2, 12.1(1)E(2)    HTTP          TCP       HTTP with URL, MIME, or Host classification     http
12.0(5)XE2, 12.1(1)E       Netshow       TCP/UDP   Microsoft Netshow                               netshow
12.0(5)XE2, 12.1(1)E       Realaudio     TCP/UDP   RealAudio Streaming Protocol                    realaudio
12.0(5)XE2, 12.1(1)E       r-commands    TCP       rsh, rlogin, rexec                              rcmd
12.0(5)XE2, 12.1(1)E       StreamWorks   UDP       Xing Technology StreamWorks audio and video     streamwork
12.0(5)XE2, 12.1(1)E       SQL*NET       TCP/UDP   SQL*NET for Oracle                              sqlnet
12.0(5)XE2, 12.1(1)E       SunRPC        TCP/UDP   Sun Remote Procedure Call                       sunrpc
12.0(5)XE2, 12.1(1)E       TFTP          UDP       Trivial File Transfer Protocol                  tftp
12.0(5)XE2, 12.1(1)E       VDOLive       TCP/UDP   VDOLive Streaming Video                         vdolive

(1) Indicates the Cisco IOS maintenance release that first supported the protocol. This table is updated when a protocol is added to a new Cisco IOS Release train.

(2) HTTP Host classification is not available on the 12.0 XE train.

Benefits

NBAR addresses IP QoS classification requirements by classifying application-level protocols so that QoS policies can be applied to the classified traffic. NBAR addresses the ongoing need to extend the classification engine for the many existing and emerging application protocols by providing an extensible Packet Description Language (PDL). NBAR can determine which protocols and applications are currently running on a network so that an appropriate QoS policy can be created based upon the current traffic mix and application requirements.

NBAR can now perform subport classification of HTTP traffic by HOST name in addition to classification by MIME-type or URL. This enables users to classify HTTP traffic by web server names. With URL matching, only the portion of the URL following the host name can be specified for a match. To perform a match on the host name portion of the URL, use the new HOST matching criterion. For example, a HOST match on http://www.cisco.com/latest/whatsnew.html will classify all traffic from the web server www.cisco.com, whereas a URL match can be performed on the /latest/whatsnew.html portion of the URL.

Restrictions

The NBAR feature does not support the following:

NBAR is not configurable on the following logical interfaces:


Note NBAR cannot be used to classify output traffic on a WAN link where tunneling or encryption is used. Therefore, NBAR should be configured on other interfaces on the router (such as a LAN link) to perform input classification before the traffic is switched to the WAN link for output.

Related Features and Technologies

Related Documents

Supported Platforms

Supported Standards, MIBs, and RFCs

MIBs

No new or modified MIBs are supported by this feature.

For descriptions of supported MIBs and how to use MIBs, see the Cisco MIB web site on CCO at http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml.

RFCs

Standards

Prerequisites

CEF

You must enable Cisco Express Forwarding (CEF) before you configure NBAR. For more information on CEF, refer to the Cisco IOS Release 12.0 configuration guide titled Cisco IOS Switching Services Configuration Guide.

Configuration Tasks

Your interface to NBAR is the Modular QoS Command-Line Interface (Modular QoS CLI). The Modular QoS CLI provides a model for QoS configuration under IOS, with a clean separation between the specification of a classification policy and the specification of the other policies that act on the results of the applied classification.

Configuring a QoS policy typically requires the configuration of traffic classes, the configuration of policies that will be applied to those traffic classes, and the attaching of policies to interfaces using the following commands:

Use the class-map command to define one or more traffic classes by specifying the criteria by which traffic is classified.

Use the policy-map command to define one or more QoS policies (such as shaping, policing, and so on) to apply to traffic defined by a class map.

Use the service-policy command to attach a policy map to an interface on the router.

For additional information on the Modular Quality of Service Command-Line Interface, see the Modular Quality of Service Command-Line Interface document on CCO.

See the following sections for configuration tasks for the NBAR feature. Each task in the list indicates if it is optional or required:

Configuring a Class Map

Use the class-map configuration command to define a traffic class and the match criteria that will be used to identify traffic as belonging to that class. Match statements can include criteria such as protocol, ACL, IP precedence value, or interface identifier. The match criteria is defined with one or more of the match statements entered within the class-map configuration mode listed in the table below:

Command Purpose
Router(config)# class-map [match-all | match-any] class-name

Specifies the user-defined name of the class map. The match-all option specifies that all match criteria in the class map must be matched. The match-any option specifies that one or more match criteria must match.

Router(config-cmap)# match protocol protocol-name

Specifies a protocol supported by NBAR as a matching criterion.

For additional information on the Modular Quality of Service Command-Line Interface, see the Modular Quality of Service Command-Line Interface document on CCO.

Configuring a Policy Map

Use the policy-map configuration command to specify the QoS policies to apply to traffic classes defined by a class map. QoS policies that can be applied to traffic classification are listed in the Modular Quality of Service Command-Line Interface document on CCO.

Command Purpose
Router(config)# policy-map policy-name

User specified policy map name.

Router(config-pmap)# class class-name

Specifies the name of a previously defined class map.

Router(config-pmap-c)# 

Enter QoS policies in this (policy map class) configuration mode.

For additional information on policy map options in the Modular Quality of Service Command-Line Interface, see the Modular Quality of Service Command-Line Interface document on CCO.

Attaching a Policy Map to an Interface

Use the service-policy interface configuration command to attach a policy map to an interface and to specify the direction in which the policy should be applied (on either packets coming into the interface or packets leaving the interface.)

Command Purpose
Router(config-if)# service-policy output policy-map-name

Specifies the name of the policy map to be attached to the output direction of the interface.

Router(config-if)# service-policy input policy-map-name

Specifies the name of the policy map to be attached to the input direction of the interface.

Use the no service-policy [input | output] policy-map-name command to detach a policy map from an interface.

Verifying the Configuration

Use the show policy-map [interface [interface-spec [input | output [class class-name]]]] command to display the configuration of a policy map and its associated class maps. Forms of this command are listed in the table below.

Command Purpose
Router# show class-map

Displays all class map information.

Router# show class-map class-name

Displays the class map information of the user specified class map.

Router# show policy-map

Displays all configured policy maps.

Router# show policy-map policy-map-name

Displays the user-specified policy map.

Router# show policy-map interface

Displays statistics and configurations of all input and output policies, which are attached to an interface.

Router# show policy-map interface interface-spec

Displays the configuration and statistics of the input and output policies attached to a particular interface.

Router# show policy-map interface interface-spec input

Displays the configuration and statistics of the input policy attached to an interface.

Router# show policy-map interface interface-spec output

Displays the configuration and statistics of the output policy attached to an interface.

Router# show policy-map interface interface-spec [input | output] class class-name

Displays the configuration and statistics for the named class within the policy attached to an interface.

Troubleshooting Tips

You must enable Cisco Express Forwarding (CEF) on the router prior to configuring the NBAR feature.

Monitoring and Maintaining NBAR

NBAR can determine which protocols and applications are currently running on a network. NBAR includes the Protocol Discovery feature that provides an easy way of discovering application protocols operating on an interface so that appropriate QoS policies can be developed and applied. With protocol discovery, you can discover any protocol traffic supported by NBAR and obtain statistics associated with that protocol. To monitor and maintain the NBAR feature, use the following commands:

Command Purpose
Router# show ip nbar port-map [protocol-name]

Displays the TCP/UDP port number(s) used by NBAR to classify a given protocol.

Router# show ip nbar protocol-discovery

Displays the statistics for all interfaces on which protocol discovery is enabled.

Configuration Examples

This section provides the following configuration examples:

Configuring a Class Map with NBAR

In the following example, the class-map foo command uses NBAR classification of SQL*Net as its matching criteria:

Router(config)# class-map foo
Router(config-cmap)# match protocol sqlnet
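The following configuration is an added example, not taken from the original feature module, that ties the configuration tasks above together and exercises the HTTP (URL, HOST, MIME) and Citrix application matching described in the Feature Overview. It enables Protocol Discovery and applies the policy in the input direction on the LAN interface, as the Restrictions note recommends when the WAN link carries tunneled or encrypted traffic, and it extends the HTTP port map so that NBAR also inspects port 8080. The interface names and addresses, the class and policy names, the host/URL/application strings, the IP precedence values and the police rate are assumptions chosen for illustration; the set ip precedence and police actions are Modular QoS CLI actions documented in the MQC documents referenced above rather than on this page.

```ios
! Added example configuration (not from the original document). Interface
! names, addresses, class/policy names, match strings, precedence values
! and the police rate are assumed for illustration.
!
! Prerequisite: NBAR requires Cisco Express Forwarding.
ip cef
!
! Make NBAR look for HTTP on 8080 as well as 80. The ports listed replace
! the well-known port, so 80 must be repeated to keep classifying it.
ip nbar port-map http tcp 80 8080
!
! HTTP subport classes. The url match takes only the part after the host
! name; the host match takes only the host name. With match-any, either
! criterion places the flow in the class.
class-map match-any WEB-INTRANET
 match protocol http host intranet.example.com
 match protocol http url /apps/*
!
class-map match-all WEB-IMAGES
 match protocol http mime "*jpeg"
!
! Citrix: the app string is a regular expression matched against the
! published application name. This only differentiates applications when
! clients run in Published Application mode without session sharing;
! with session sharing, every application shares one TCP connection.
class-map match-any CITRIX-ERP
 match protocol citrix app ERP*
!
! Static-port and stateful protocols need no subport parameters.
class-map match-any MGMT
 match protocol snmp
 match protocol ssh
 match protocol syslog
!
! Policy: mark business traffic, rate-limit bulk image downloads.
policy-map LAN-IN
 class WEB-INTRANET
  set ip precedence 4
 class CITRIX-ERP
  set ip precedence 5
 class WEB-IMAGES
  police 512000 16000 16000 conform-action transmit exceed-action drop
 class MGMT
  set ip precedence 6
!
! Classify on LAN ingress, before traffic reaches the WAN link, and keep
! Protocol Discovery running so the traffic mix can be checked against
! the policy.
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip nbar protocol-discovery
 service-policy input LAN-IN
!
interface Serial1/0
 ip address 192.0.2.1 255.255.255.252
!
! Verification (privileged EXEC):
!   show ip nbar port-map http
!   show ip nbar protocol-discovery
!   show class-map
!   show policy-map interface FastEthernet0/0 input
```

Two points to keep in mind when using classes like these. First, the HOST, URL and MIME strings come from the client's own request and the server's own response, so any host that chooses those values can place its traffic in the class; treat the result as a QoS classification, not as an access control. Second, as the Feature Overview notes, packets belonging to pipelined HTTP requests and to Citrix sessions in session sharing mode are not classified at the subport level, so they will fall through to the default behavior of the policy rather than into the intended class.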

Command Reference

This section documents new and enhanced commands. All other commands used with this feature are documented in the Cisco IOS Release 12.0 command reference publications.

ip nbar pdlm

To extend or enhance the list of protocols recognized by NBAR through a Cisco-provided packet description language module (PDLM), use the ip nbar pdlm configuration command. Use the no form of this command to unload a PDLM if it was previously loaded.

ip nbar pdlm pdlm-name

no ip nbar pdlm pdlm-name

Syntax Description

pdlm-name

The URL where the PDLM can be found on the flash card.

Defaults

No default behavior or values.

Command Modes

Global Configuration

Command History
Release Modification

12.0(5)XE2

This command was introduced.

Usage Guidelines

This command is used in configuration mode to extend the list of protocols recognized by a given version of NBAR or to enhance an existing protocol recognition capability. NBAR can be given an external PDLM at run time. In most cases, the PDLM enables NBAR to recognize new protocols without requiring a new IOS image or a router reload. Only Cisco can provide you with a new PDLM.

Examples

The following example configures NBAR to load the citrix.pdlm PDLM from Flash memory on the router:

ip nbar pdlm flash://citrix.pdlm
 

Related Commands
Command Description

show ip nbar pdlm pdlm-name

Displays the current PDLM in use by NBAR.

ip nbar port-map

To configure NBAR to search for a protocol or protocol name using a port number other than the well-known port, use the ip nbar port-map global configuration command. Use the no form of this command to look for the protocol name using only the well-known port number.

ip nbar port-map protocol-name [tcp | udp] port

no ip nbar port-map protocol-name [tcp | udp] port

Syntax Description

protocol-name

Name of protocol known to NBAR

port

Assigned port for named protocol.

Defaults

No default behavior or values.

Command Modes

Global configuration

Command History
Release Modification

12.0(5)XE2

This command was introduced.

Usage Guidelines

This command is used in global configuration mode to tell NBAR to look for the protocol protocol-name using a port number or numbers other than the well-known (IANA-assigned) port number. For example, use this command to configure NBAR to look for Telnet on a port other than 23. From 1 to 16 ports can be specified with this command. Port number values can range from 0 to 65535.

Examples

The following example configures NBAR to look for the protocol SQL*NET on port numbers 63000 and 63001 instead of on the well-known port number:

ip nbar port-map sqlnet tcp 63000 63001

Related Commands
Command Description

show ip nbar port-map protocol-name

Displays the current protocol-to-port mappings in use by NBAR.

ip nbar protocol-discovery

To configure NBAR to discover traffic for all protocols known to NBAR on a particular interface, use the ip nbar protocol-discovery interface configuration command. Use the no form of this command to disable traffic discovery.

ip nbar protocol-discovery

no ip nbar protocol-discovery

Syntax Description

None

Defaults

No default behavior or values.

Command Modes

Interface configuration

Command History
Release Modification

12.0(5)XE2

This command was introduced.

Usage Guidelines

Use the ip nbar protocol-discovery command to configure NBAR to keep traffic statistics for all protocols known to NBAR. Protocol discovery provides an easy way to discover application protocols transiting an interface so that QoS policies can be developed and applied. The Protocol Discovery feature discovers any protocol traffic supported by NBAR. Protocol discovery can be used to monitor both input and output traffic and may be applied with or without a service policy enabled.

Examples

The following example configures protocol discovery on an Ethernet interface:

interface ethernet 1/3
ip nbar protocol-discovery

Related Commands
Command Description

show ip nbar protocol-discovery

Displays the statistics gathered by the NBAR Protocol Discovery feature.

match protocol

To match traffic by a particular protocol, use the match protocol class map configuration mode command. Use the no form of this command to turn off traffic matching by protocol type.

match protocol protocol-name

no match protocol protocol-name

Syntax Description

protocol-name

Identifies a particular protocol as a matching criterion.

Defaults

No default behavior or values.

Command Modes

Class map configuration

Command History
Release Modification

12.0(5)XE2

This command was introduced.

Usage Guidelines

This command can be used to match protocols that are known to NBAR. See the tables in the "Supported Protocols" section for a list of protocols currently supported by NBAR.

Examples

The following example configures NBAR to match FTP traffic:

match protocol ftp
 

match protocol citrix

To configure NBAR to match Citrix traffic, use the match protocol citrix class map configuration command. Use the no form of this command to disable NBAR from matching Citrix traffic.

match protocol citrix [app word]

no match protocol citrix [app word]

Syntax Description

app

Specifies matching of an application name string.

word

Specifies string to be used as the subprotocol parameter.

Defaults

No default behavior or values.

Command Modes

Class map configuration

Command History
Release Modification

12.1(2)E

This command was introduced.

Usage Guidelines

Entering the match protocol citrix command without any other keywords establishes all Citrix traffic as a successful match criterion.

Examples

The following example configures NBAR to match all Citrix traffic:

match protocol citrix
 

The following example configures NBAR to match Citrix traffic with the application name of packet1:

match protocol citrix app packet1

match protocol http

To configure NBAR to match HTTP traffic by URL, HOST, or MIME-type, use the match protocol http class map configuration command. Use the no form of this command to disable NBAR from matching HTTP traffic by URL, HOST, or MIME-type.

match protocol http {url url-string | host hostname-string | mime MIME-type}

no match protocol http {url url-string | host hostname-string | mime MIME-type}

Syntax Description

url-string

User-specified URL of HTTP traffic to be matched.

hostname-string

User-specified HOST name to be matched.

MIME-type

User-specified MIME text string to be matched.

Defaults

No default behavior or values.

Command Modes

Class map configuration

Command History
Release Modification

12.0(5)XE2

This command was introduced.

12.1(1)E

This command was enhanced to include the host keyword and hostname-string variable.

Usage Guidelines

When matching by MIME-type, the MIME-type can contain any user-specified text string. Refer to the following web page for the IANA-registered MIME types:

ftp://ftp.isi.edu/in-notes/iana/assignments/media-types/media-types

When matching by MIME-type, NBAR matches a packet containing the MIME-type and all subsequent packets until the next HTTP transaction.

When matching by HOST, NBAR performs a regular expression match on the HOST field contents inside an HTTP GET packet and classifies all packets from that host.

When matching by URL, NBAR recognizes the HTTP GET packets containing the URL, and then matches all packets that are part of the HTTP GET request. When specifying a URL for classification, include only the portion of the URL following www.hostname.domain in the match statement. For example, in the URL www.anydomain.com/latest/whatsnew.html include only /latest/whatsnew.html.

To match the www.anydomain.com portion, use the HOST name matching feature. The URL or HOST specification strings can take the form of a regular expression with the following options:

Option Description

*

Match any zero or more characters in this position.

?

Match any one character in this position.

|

Match one of a choice of characters.

(|)

Match one of a choice of characters in a range. For example, foo.(gif | jpg) matches either foo.gif or foo.jpg.

[ ]

Match any character in the range specified, or one of the special characters. For example, [0-9] is any one of the digits, [*] is the "*" character, and [[] is the "[" character.

Examples

The following example classifies, within class map foo, HTTP packets based on any URL containing the string whatsnew/latest followed by zero or more characters:

class-map foo
match protocol http url whatsnew/latest*
 

The following example classifies, within class map foo, packets based on any HOST name containing the string cisco followed by zero or more characters:

class-map foo
match protocol http host cisco*
 

The following example classifies, within class map foo, packets based on the JPEG MIME type:

class-map foo
match protocol http mime "*jpeg"
 

show ip nbar pdlm

To display the currently loaded Packet Description Language Modules (PDLMs), use the show ip nbar pdlm EXEC command.

show ip nbar pdlm

Syntax Description

None.

Defaults

No default behavior or values.

Command Modes

Privileged EXEC

Command History
Release Modification

12.0(5)XE2

This command was introduced.

Usage Guidelines

This command is used to display a list of all the PDLMs that have been loaded into NBAR using the ip nbar pdlm command.

Examples

In this example of the show ip nbar pdlm command, the citrix.pdlm PDLM has been loaded from Flash memory:

show ip nbar pdlm 
The following PDLMs have been loaded:
flash://citrix.pdlm

Related Commands
Command Description

ip nbar pdlm

Extends or enhances the list of protocols recognized by NBAR through a PDLM.

show ip nbar port-map

To display the current protocol-to-port mappings in use by NBAR, use the show ip nbar port-map EXEC command.

show ip nbar port-map [protocol-name]

Syntax Description

protocol-name

Limits the command display to the specified protocol.

Defaults

This command displays port assignments for NBAR protocols.

Command Modes

Privileged EXEC

Command History
Release Modification

12.0(5)XE2

This command was introduced.

Usage Guidelines

This command is used to display the current protocol-to-port mappings in use by NBAR. When the ip nbar port-map command has been used, the show ip nbar port-map command displays the ports assigned by the user to the protocol. If no ip nbar port-map command has been used, the show ip nbar port-map command displays the default ports. The protocol-name argument can also be used to limit the display to a specific protocol.

Examples

The following example displays output of the show ip nbar port-map command:

show ip nbar port-map
port-map bgp      udp 179 
port-map bgp      tcp 179 
port-map cuseeme  udp 7648 7649 
port-map cuseeme  tcp 7648 7649 
port-map dhcp     udp 67 68 
port-map dhcp     tcp 67 68 
port-map dns      udp 53 
port-map dns      tcp 53 

Related Commands
Command Description

ip nbar port-map

Configures NBAR to search for a protocol or protocol name using a port number other than the well-known port.

show ip nbar protocol-discovery

To display the statistics gathered by the NBAR Protocol Discovery feature, use the show ip nbar protocol-discovery privileged EXEC command.

show ip nbar protocol-discovery [interface interface-spec] [stats {byte-count | bit-rate | packet-count}] [{protocol protocol-name | top-n number}]

Syntax Description

interface

Specifies that protocol discovery statistics for the interface are to be displayed.

interface-spec

Specifies an interface to display.

stats

Specifies that the byte count, bit rate, or packet count is to be displayed.

byte-count

Specifies that the byte count is to be displayed.

bit-rate

Specifies that the bit rate is to be displayed.

packet-count

Specifies that the packet-count is to be displayed.

protocol

Specifies that statistics for a specific protocol are to be displayed.

protocol-name

User-specified protocol name for which the statistics are to be displayed.

top-n

Specifies that only the top n discovered protocols are to be displayed.

number

Specifies the number of top discovered protocols to be displayed.

Defaults

Statistics for all interfaces on which the Protocol Discovery feature is enabled are displayed.

Command Modes

Privileged EXEC

Command History
Release Modification

12.0(5)XE2

This command was introduced.

Usage Guidelines

Use the show ip nbar protocol-discovery command to display statistics gathered by the NBAR Protocol Discovery feature. This command, by default, displays statistics for all interfaces on which protocol discovery is currently enabled. The default output of this command includes, in the following order, input bit rate (bps), input byte count, input packet count, and protocol name.

Protocol discovery can be used to monitor both input and output traffic and may be applied with or without a service policy enabled. NBAR protocol discovery gathers statistics for packets switched to output interfaces. These statistics are not necessarily for packets that exited the router on the output interfaces, because packets may have been dropped after switching for various reasons, including policing at the output interface, access lists, or queue drops.

Examples

The following example displays partial output of the show ip nbar protocol-discovery command for an Ethernet interface:

show ip nbar protocol-discovery interface FastEthernet 6/0
 
 FastEthernet6/0 
                            Input                    Output                  
   Protocol                 Packet Count             Packet Count            
                            Byte Count               Byte Count              
                            5 minute bit rate (bps)  5 minute bit rate (bps) 
   ------------------------ ------------------------ ------------------------
   igrp                     316773                   0                       
                            26340105                 0                       
                            3000                     0                       
   streamwork               4437                     7367                    
                            2301891                  339213                  
                            3000                     0                       
   rsvp                     279538                   14644                   
                            319106191                673624                  
                            0                        0                       
   ntp                      8979                     7714                    
                            906550                   694260                  
                            0                        0                       
.
.
.
Total                    17203819                 151684936               
                            19161397327              50967034611             
                            4179000                  6620000 
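
The three-row-per-protocol layout above is what a monitoring script has to parse to baseline an interface. As an added example (not Cisco's code), this Python parser turns a constructed, abridged copy of that output into per-protocol input and output counters and ranks protocols the way the stats and top-n options do; it assumes the layout shown, with one name per record followed by packet count, byte count and bit rate rows.

```python
# Constructed sample, abridged from the show ip nbar protocol-discovery output above.
SAMPLE = """\
 FastEthernet6/0
   Protocol                 Packet Count             Packet Count
   ------------------------ ------------------------ ------------------------
   igrp                     316773                   0
                            26340105                 0
                            3000                     0
   streamwork               4437                     7367
                            2301891                  339213
                            3000                     0
   ntp                      8979                     7714
                            906550                   694260
                            0                        0
.
Total                    17203819                 151684936
                            19161397327              50967034611
                            4179000                  6620000
"""

FIELDS = ("packet-count", "byte-count", "bit-rate")  # row order under each name

def parse_protocol_discovery(text):
    """Map each protocol (and Total) to its input/output counters."""
    stats, current, row = {}, None, 0
    lines = iter(text.splitlines())
    for line in lines:                 # skip the column headers
        if line.strip().startswith("---"):
            break
    for line in lines:
        tokens = line.split()
        if tokens in ([], ["."]):      # blank line or elided-output marker
            continue
        if not tokens[0].isdigit():    # a name opens a new three-row record
            current, row = tokens[0], 0
            stats[current] = {"input": {}, "output": {}}
            tokens = tokens[1:]
        if current is None or len(tokens) != 2 or row >= len(FIELDS):
            raise ValueError("unexpected line: %r" % line)
        stats[current]["input"][FIELDS[row]] = int(tokens[0])
        stats[current]["output"][FIELDS[row]] = int(tokens[1])
        row += 1
    return stats

def top_n(stats, n, stat="bit-rate", direction="input"):
    """Protocol names ranked by one counter, like the stats and top-n options."""
    names = [p for p in stats if p != "Total"]
    return sorted(names, key=lambda p: stats[p][direction][stat], reverse=True)[:n]
```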

Related Commands
Command Description

ip nbar protocol-discovery

Discovers traffic for all protocols known to NBAR.

Glossary

Modular QoS CLI---Modular Quality of Service Command-Line Interface. A CLI for QoS features that makes configuring and implementing packet classification and QoS policies easier than with the existing CLI.

PDLM---Packet Description Language Module. A file containing Packet Description Language statements used to define the signature of one or more application protocols.

Stateful protocol---A protocol that uses TCP and UDP port numbers that are determined at connection time.

Static protocol---A protocol that uses well-defined (predetermined) TCP and UDP ports for communication.

Subport classification---The classification of network traffic by information contained in the packet payload, that is, information found beyond the TCP or UDP port number.

Appendix

Sample Configuration

Below is a sample of how NBAR can be used.

E-Express Inc.'s network administrators wish to enforce the following policies on a 64 Kb WAN link:

Follow the steps below to configure the above policies:


Step 1 Classify all secure HTTP and HTTP traffic for the /transact/ directory:

Router(config)# class-map match-all http_transact
Router(config-cmap)# match protocol http url "/transact/*"
 
Router(config)# class-map match-all http_secure
Router(config-cmap)# match protocol secure-http
 
Router(config)# class-map match-any ecommerce
Router(config-cmap)# match class-map http_transact
Router(config-cmap)# match class-map http_secure
 

Step 2 Classify all traffic to SuperNetwork Inc:

Router(config)# access-list 101 permit ip 10.0.0.1 0.0.0.0 10.0.0.3 0.0.0.0
 
Router(config)# class-map match-all super_network
Router(config-cmap)# match access-group 101
 

Step 3 Classify all audio, video, and image web traffic:

Router(config)# class-map match-any audio_video
Router(config-cmap)# match protocol http mime "audio/*"
Router(config-cmap)# match protocol http mime "video/*"
 
Router(config)# class-map match-any web_images
Router(config-cmap)# match protocol http url "*.gif"
Router(config-cmap)# match protocol http url "*.jpg|*.jpeg"
 
Router(config)# class-map match-any av_im_web
Router(config-cmap)# match class-map audio_video
Router(config-cmap)# match class-map web_images
 
 

Step 4 Create the policies:

Router(config)# policy-map e-express
Router(config-pmap)# class ecommerce
Router(config-pmap-c)# bandwidth 32
Router(config-pmap-c)# class super_network
Router(config-pmap-c)# bandwidth 10
Router(config-pmap-c)# class av_im_web
Router(config-pmap-c)# police 10000 conform transmit exceed drop
 

Step 5 Attach the policy to the WAN link:

Router(config)# interface hssi1/0
Router(config-if)# service-policy output e-express
 
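
The URL, HOST and MIME match strings of the match protocol http command, and the class maps in Steps 1 and 3 above, use NBAR's pattern syntax (*, ?, |, (|) and [ ]). As an added example (not Cisco's code or the NBAR implementation), here is a Python translation of that syntax into a regular expression, applied to constructed requests with the appendix's class maps; it assumes matching is unanchored, as the "containing the string" wording of the command examples suggests, and that alternatives are written without spaces, e.g. foo.(gif|jpg).

```python
import re

def nbar_pattern_to_regex(pattern):
    """Translate an NBAR URL/HOST/MIME match string into a Python regex:
    * any run of characters, ? one character, | alternation,
    ( ) grouping such as foo.(gif|jpg), [ ] a character class where
    [0-9] is a range and [*] or [[] is the literal character."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "*":
            out.append(".*")
        elif c == "?":
            out.append(".")
        elif c in "|)":
            out.append(c)
        elif c == "(":
            out.append("(?:")
        elif c == "[":
            end = pattern.find("]", i + 1)
            if end < 0:
                raise ValueError("unterminated [ ] in %r" % pattern)
            # Inside brackets every character is literal except '-' for ranges.
            body = "".join(ch if ch == "-" else re.escape(ch)
                           for ch in pattern[i + 1:end])
            out.append("[" + body + "]")
            i = end
        else:
            out.append(re.escape(c))   # anything else is literal, '.' included
        i += 1
    return "".join(out)

def nbar_match(pattern, text):
    """Unanchored search (assumption: 'containing the string' in the examples)."""
    return re.search(nbar_pattern_to_regex(pattern), text) is not None

# Constructed class maps mirroring Step 1 and Step 3 of the sample configuration;
# each is treated as match-any, so one matching statement is enough.
CLASS_MAPS = {
    "http_transact": [("url", "/transact/*")],
    "web_images": [("url", "*.gif"), ("url", "*.jpg|*.jpeg")],
    "audio_video": [("mime", "audio/*"), ("mime", "video/*")],
}

def classify(request, class_maps=CLASS_MAPS):
    """Names of the class maps a request falls into; 'url' holds only the
    part after the host name, as the URL match rule requires."""
    return [name for name, stmts in class_maps.items()
            if any(nbar_match(pat, request.get(field, "")) for field, pat in stmts)]
```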


Posted: Mon Jun 26 15:39:28 PDT 2000
Copyright 1989-2000 © Cisco Systems Inc.