Qos Nbar Xe 2 Book
IOS XE Release 2
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS,
INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED
WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED
WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version
of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL
FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE
PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING,
WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR
ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL:
www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship
between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output,
network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content
is unintentional and coincidental.
• NBAR processing. By design, NBAR processing is temporarily disabled during the In-Service
Software Upgrade (ISSU). The following syslog message indicates the restart of the NBAR
classification once ISSU is complete: "%NBAR_HA-5-NBAR_INFO: NBAR sync DONE!".
• Multicast packet classification.
• Asymmetric flows with stateful protocols.
• Packets that originate from or are destined to the router running NBAR.
Note In the NBAR context, asymmetric flows are flows in which different packets of the flow go through
different routers, for reasons such as load balancing implementation or asymmetric routing, where packets
flow through different routes in different directions.
Note In cases where encapsulation is not supported by NBAR on some of the links, you can apply NBAR on
other interfaces of the router to perform input classification. For example, you can configure NBAR on
LAN interfaces to classify output traffic on the WAN link.
The following virtual interfaces are supported in Cisco IOS XE Release 3.5S and later releases:
• Generic routing encapsulation (GRE)
• IPsec IPv4 tunnel (including tunneled IPv6) in protocol discovery mode and MQC mode (cryptomap
mode is not supported)
• IPsec IPv6 tunnel in protocol discovery mode but not in MQC mode (cryptomap mode is not
supported)
• Multipoint GRE/Dynamic Multipoint VPN in protocol discovery mode
Note NBAR requires more CPU power when NBAR is enabled on tunneled interfaces.
If protocol discovery is enabled on both the tunnel interface and the physical interface on which the tunnel
interface is configured, the packets that are designated to the tunnel interface are counted on both
interfaces. On the physical interface, the packets are classified and are counted based on the encapsulation.
On the tunnel interface, the packets are classified and are counted based on the L7 protocol.
NBAR Functionality
NBAR is a classification engine that recognizes and classifies a wide variety of protocols and applications,
including web-based and other difficult-to-classify applications and protocols that use dynamic TCP/UDP
port assignments.
When NBAR recognizes and classifies a protocol or application, the network can be configured to apply
the appropriate QoS for that application or traffic with that protocol. The QoS is applied using the MQC.
Note For more information about the MQC, see the "Applying QoS Features Using the MQC" module.
NBAR introduces several classification features that identify applications and protocols from Layer 4
through Layer 7. These classification features are as follows:
• Statically assigned TCP and UDP port numbers.
• Non-TCP and non-UDP IP protocols.
• Dynamically assigned TCP and UDP port numbers. This kind of classification requires stateful
inspection, that is, the ability to inspect a protocol across multiple packets during packet classification.
• Subport classification, or classification based on deep packet inspection, that is, classification by
inspecting the packet payload.
Note Access Control Lists (ACLs) can also be used for classifying static port protocols. However, NBAR is
easier to configure and can provide classification statistics that are not available when ACLs are used.
NBAR includes a Protocol Discovery feature that provides an easy way to discover application protocols
that are operating on an interface. For more information about Protocol Discovery, see the "Enabling
Protocol Discovery" module.
Note NBAR classifies network traffic by application or protocol. Network traffic can be classified without using
NBAR. For information about classifying network traffic without using NBAR, see the "Classifying
Network Traffic" module.
NBAR includes the Protocol Pack feature that provides an easy way to load protocols and helps NBAR
recognize additional protocols for network traffic classification. A protocol pack is a set of protocols
developed and packaged together. A new protocol pack can be loaded on the router to replace the default IOS
protocol pack that is already present in the router.
NBAR Benefits
Identifying and classifying network traffic is an important first step in implementing QoS. A network
administrator can more effectively implement QoS in a networking environment after identifying the
number and types of applications and protocols that are running on a network.
NBAR gives network administrators the ability to see the different types of protocols and the amount of
traffic generated by each protocol. After NBAR gathers this information, users can organize traffic into
classes. These classes can then be used to provide different levels of service for network traffic, thereby
allowing better network management by providing the appropriate level of network resources for the
network traffic.
The figure below illustrates a network topology with NBAR in which Router Y is the NBAR-enabled
router.
When specifying a URL for classification, include only the portion of the URL that follows the
www.hostname.domain in the match statement. For example, for the URL www.cisco.com/latest/
whatsnew.html, include only /latest/whatsnew.html with the match statement (for instance, match
protocol http url /latest/whatsnew.html).
Host specifications are identical to URL specifications. NBAR performs a regular expression match on the
host field contents inside an HTTP packet and classifies all packets from that host. For example, for the
URL www.cisco.com/latest/whatsnew.html, include only www.cisco.com.
For MIME type matching, the MIME type can contain any user-specified text string. A list of the Internet
Assigned Numbers Authority (IANA) supported MIME types can be found at the following URL:
http://www.iana.org/assignments/media-types/
When matching by MIME type, NBAR matches a packet containing the MIME type and all subsequent
packets until the next HTTP transaction.
NBAR supports URL and host classification in the presence of persistent HTTP. NBAR does not classify
packets that are part of a pipelined request. With pipelined requests, multiple requests are pipelined to the
server before previous requests are serviced. Pipelined requests are not supported with subclassification and
tunneled protocols that use HTTP as the transport protocol.
The NBAR Extended Inspection for HTTP Traffic feature allows NBAR to scan TCP ports that are not
well known and to identify HTTP traffic that traverses these ports. HTTP traffic classification is no longer
limited to the well-known and defined TCP ports.
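As an added illustration (not Cisco code), the following Python model applies the URL, host and MIME matching rules described above to a constructed stream of HTTP packets. It assumes packets are given as raw payload bytes, that a message starts with a request or status line, that a match stays in effect until the next HTTP transaction, and that a payload carrying more than one request line is a pipelined request and is left unclassified; the regex engine is Python's, not the IOS one.

```python
import re
from typing import List, Optional, Tuple

# One criterion per "match protocol http url|host|mime <regex>" statement.
Criterion = Tuple[str, str]

REQ_LINE = re.compile(rb"^(?:GET|POST|HEAD|PUT|DELETE) (\S+) HTTP/1\.[01]\r\n")
STATUS_LINE = re.compile(rb"^HTTP/1\.[01] \d{3}")
ANY_REQ_LINE = re.compile(rb"(?m)^(?:GET|POST|HEAD|PUT|DELETE) \S+ HTTP/1\.[01]\r\n")


def parse_headers(payload: bytes) -> dict:
    """Return lower-cased header names -> values from the head of an HTTP message."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return headers


def count_requests(payload: bytes) -> int:
    """Number of request lines in one payload; more than one means a pipelined request."""
    return len(ANY_REQ_LINE.findall(payload))


def match_message(payload: bytes, criteria: List[Criterion]) -> Optional[str]:
    """Evaluate the criteria against the first packet of an HTTP message.

    url  -> the part of the request line after the host (e.g. /latest/whatsnew.html)
    host -> the Host header of a request
    mime -> the Content-Type header of a response
    """
    req = REQ_LINE.match(payload)
    headers = parse_headers(payload)
    for kind, pattern in criteria:
        if kind == "url" and req and re.search(pattern, req.group(1).decode("latin-1")):
            return f"url:{pattern}"
        if kind == "host" and req and re.search(pattern, headers.get("host", "")):
            return f"host:{pattern}"
        if kind == "mime" and not req and re.search(pattern, headers.get("content-type", "")):
            return f"mime:{pattern}"
    return None


def classify_stream(packets: List[bytes], criteria: List[Criterion]) -> List[Optional[str]]:
    """Label each packet; a label persists until the next HTTP transaction begins."""
    labels = []
    sticky = None
    for payload in packets:
        if REQ_LINE.match(payload):
            if count_requests(payload) > 1:
                # pipelined request: not classified (assumed model of the documented limit)
                sticky = None
                labels.append("unclassified:pipelined")
                continue
            sticky = match_message(payload, criteria)
        elif STATUS_LINE.match(payload):
            sticky = match_message(payload, criteria)
        labels.append(sticky)
    return labels


# Constructed sample stream: request, continuation, two responses, pipelined request.
PACKETS = [
    b"GET /latest/whatsnew.html HTTP/1.1\r\nHost: www.cisco.com\r\n\r\n",
    b"<continuation of the request, no headers>",
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>",
    b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n\r\n\xff\xd8",
    b"\x00\x01 more jpeg bytes",
    b"GET /a HTTP/1.1\r\nHost: www.cisco.com\r\n\r\nGET /b HTTP/1.1\r\nHost: www.cisco.com\r\n\r\n",
]

# Constructed criteria mirroring the match choices discussed above.
CRITERIA: List[Criterion] = [
    ("url", r"/latest/whatsnew\.html"),
    ("host", r"www\.cisco\.com"),
    ("mime", r"image/jpeg"),
]


def demo() -> List[Optional[str]]:
    return classify_stream(PACKETS, CRITERIA)


if __name__ == "__main__":
    for pkt, label in zip(PACKETS, demo()):
        print(f"{label!s:32} {pkt[:40]!r}")
```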
◦ User-Agent
◦ Referer
◦ From
• For response messages (server to client), the following HTTP header fields can be identified using
NBAR:
◦ Server
◦ Location
◦ Content-Base
◦ Content-Encoding
Note In Cisco IOS XE Release 3.1S and later releases, up to 56 parameters or subclassifications per protocol per
router can be specified with the match protocol http command. These parameters or subclassifications can
be a combination of any of the available match choices, such as host matches, MIME matches, server
matches, and URL matches. For other Cisco IOS XE releases and platforms, the maximum is 24 parameters
or subclassifications per protocol per router.
Within NBAR, the match protocol http c-header-field command is used to specify that NBAR identify
request messages (the "c" in the c-header-field portion of the command is for client). The match protocol
http s-header-field command is used to specify response messages (the "s" in the s-header-field portion of
the command is for server).
Note In Cisco IOS XE Release 3.1S and later releases, the c-header-field and s-header-field keywords and
associated arguments in the match protocol http command are not available. The same functionality is
achieved by using the individual keywords and arguments. For more information, see the syntax of the
match protocol http command in the Cisco IOS Quality of Service Solutions Command Reference.
Note The c-header-field performs subclassifications based on a single value in the user-agent, the referrer, or
from header field values. The s-header-field performs subclassifications based on a single value in the
server, location, content-encoding, or content-base header field values. These header field values are not
related to each other. Hence, the c-header and s-header fields are replaced by the user-agent, referrer,
from, server, content-base, content-encoding, and location parameters as per the intent and need of HTTP
subclassification.
Combinations of Classification of HTTP Headers and URL Host or MIME Type to Identify
HTTP Traffic
Note that combinations of URL, Host, MIME type, and HTTP headers can be used during NBAR
configuration. These combinations provide customers with more flexibility to classify specific HTTP traffic
based on their network requirements.
Note For Citrix to monitor and classify traffic by the published application name, Server Browser Mode on the
Master browser must be used.
In Server Browser Mode, NBAR statefully tracks and monitors traffic and performs a regular expression
search on the packet contents for the published application name specified by the match protocol citrix
command. The published application name is specified by using the app keyword and the application-
name-string argument of the match protocol citrix command. For more information about the match
protocol citrix command, see the Cisco IOS Quality of Service Solutions Command Reference.
The Citrix ICA session triggered to carry the specified application is cached, and traffic is classified
appropriately for the published application name.
Note NBAR operates properly in Citrix ICA secure mode. Pipelined Citrix ICA client requests are not supported.
• When you create a custom protocol after creating a variable, you can use the match protocol
command to classify traffic on the basis of a specific value in the custom protocol.
NBAR includes the following features related to user-defined custom protocols and applications:
• The ability to inspect the payload for certain matching string patterns at a specific offset.
• The ability to allow users to define the names of their custom protocol applications. The user-named
protocol can then be used by Protocol Discovery, the Protocol Discovery MIB, the match protocol
command, and the ip nbar port-map command as an NBAR-supported protocol.
• The ability of NBAR to inspect custom protocols specified by traffic direction (that is, traffic heading
toward a source or destination rather than traffic in both directions), if desired by the user.
• CLI support that allows a user configuring a custom application to specify a range of ports rather than
to specify each port individually.
• The variable keyword, the field-name argument, and the field-length argument were added to the ip
nbar custom command.
This additional keyword and two additional arguments allow for creation of more than one custom protocol
based on the same port numbers.
Note Defining a user-defined custom protocol restarts the NBAR feature, whereas defining a predefined custom
protocol does not restart the NBAR feature.
Note PDLMs must be loaded on both Route Processors (RPs) when using the ASR 1006 redundant hardware
setup.
Dynamic PDLMs are platform-specific and have a Software Family Identifier (SFI) embedded in them.
Dynamic PDLMs built for other platforms cannot be loaded on Cisco ASR 1000 Series Routers.
In Cisco IOS XE Release 2.5 the DirectConnect and the eDonkey P2P protocols support the following
subclassifications:
• eDonkey supports the following subclassification options:
◦ file-transfer
◦ search-file-name
◦ text-chat
• KazaA, FastTrack, and Gnutella support the file-transfer subclassification.
Gnutella file sharing became classifiable using NBAR in Cisco IOS XE Release 2.5.
Applications that use the Gnutella protocol are Bearshare, Gnewtellium, Gnucleus, Gtk-Gnutella,
Limewire, Mutella, Phex, Qtella, Swapper, and Xolo. Traffic from the applications that use the Gnutella
protocol is classified as Gnutella and not as the respective application.
NBAR Scalability
• Interface Scalability
• Flow Scalability
• Flow Table Sizing
Interface Scalability
In Cisco IOS XE Release 2.4 and earlier releases, there is no limit on the number of interfaces on which
protocol discovery can be enabled.
The table below provides the details of the protocol discovery supported interface and the release number.
Flow Scalability
In Cisco IOS XE Release 2.5, the following flows are supported:
• A maximum of 250K bidirectional flows on Edge Services Processor (ESP)10 and ESP20 hardware.
• A maximum of 125K bidirectional flows on ESP5.
If this limit is exceeded or there is a flow memory constraint, new flows will be classified as Unknown.
In Cisco IOS XE Release 3.1, the following flows are supported:
• A maximum of 125K bidirectional flows on Forwarding Processor (FP)5 platform.
• A maximum of 250K bidirectional flows on FP10, FP20, and FP40 platform.
If this limit is exceeded or there is a flow memory constraint, new flows will be classified as Unknown.
In Cisco IOS XE Release 3.2, the following flows are supported:
• A maximum of 500K bidirectional flows on FP5/1Rack Units (RU) platform.
• A maximum of 1M bidirectional flows on 10/10/40 platform.
If this limit is exceeded or there is a flow memory constraint, new flows will be classified as Unknown.
In Cisco IOS XE Release 3.3S, the number of bidirectional flows and the platforms supported are the same
as in Cisco IOS XE Release 3.2. A new method to reduce the number of active flows based on quick aging
is introduced.
Quick aging occurs under the following conditions:
• TCP flows that do not reach the established state.
• UDP flows with fewer than five packets that are not classified within the specified quick aging
timeout.
• Flows that are not classified within the specified quick aging timeout.
The quick aging method reduces the number of flows required for NBAR operation by a factor of three or
more, depending on the network behavior.
In Cisco IOS XE Release 3.4S, the following flows are supported:
• A default flow capacity of 500K bidirectional flows on ESP5/1Rack Units (RU) platform.
• A default flow capacity of 1M bidirectional flows on 10/20/40 platform.
Platform | Maximum number of flows | Default number of flows | Memory upper limit [MB] (70% of platform memory)
ESP5/1RU | 750,000 | 500,000 | 179
The recommended flow configuration on all platforms is 50,000 flows.
Note The flow size cannot be increased if the overall system memory usage is already 90%.
NBAR-Supported Protocols
The match protocol (NBAR) command is used to classify traffic on the basis of protocols supported by
NBAR. NBAR can classify the following types of protocols:
• Non-UDP and non-TCP IP protocols
• TCP and UDP protocols that use statically assigned port numbers
• TCP and UDP protocols that use statically assigned port numbers, but still require stateful inspection.
• TCP and UDP protocols that dynamically assign port numbers and therefore require stateful inspection
The table below lists the NBAR-supported protocols available in Cisco IOS XE software, sorted by
category. The table also provides information about the protocol type, the well-known port numbers (if
applicable), the syntax for entering the protocol in NBAR, and the Cisco IOS XE software release in which
the protocol was initially supported. This table is updated when a protocol becomes supported in Cisco IOS
XE software.
Category | Protocol | Type | Well-Known Port Number | Description | Syntax | Cisco IOS XE Release
 | Citrix (ICA, CGP, IMA, SB) | TCP/UDP | TCP: 1494, 2512, 2513, 2598; UDP: 1604 | Citrix ICA traffic | citrix; citrix app; citrix ica-tag | Cisco IOS XE Release 2.5
 | SIMAP | TCP/UDP | 585, 993 | Secure Internet Message Access Protocol | secure-imap | Cisco IOS XE Release 2.3
 | SNMP | TCP/UDP | 161, 162 | Simple Network Management Protocol | snmp | Cisco IOS XE Release 2.3
 | IMAP | TCP/UDP | 143, 220 | Internet Message Access Protocol | imap | Cisco IOS XE Release 2.3
Internet | FTP | TCP | 21, 21000, heuristic | File Transfer Protocol | ftp | Cisco IOS XE Release 2.3
Non-IP and LAN/Legacy | NetBIOS | TCP/UDP | TCP: 137, 138; UDP: 137, 139 | NetBIOS over IP (MS Windows) | netbios | Cisco IOS XE Release 2.3
Miscellaneous | 3Com AMP3 | TCP/UDP | 629 | 3Com AMP3 | 3com-amp3 | Cisco IOS XE Release 3.1S
Miscellaneous | IL | IP | 40 | IL Transport Protocol | il | Cisco IOS XE Release 3.1S
Table footnotes:
1. For Cisco IOS XE Release 2.5, Cisco supports Exchange 03 and 07 only. MS client access is recognized, but web client access is not recognized.
2. Cisco software supports Skype 1.0, 2.5, 3.0, and 4.0. In Skype 4.0, the classification may not be complete.
3. BitTorrent classifies only unencrypted traffic.
4. eDonkey classifies only unencrypted traffic.
Restarting NBAR
NBAR is restarted under the following circumstances.
• Custom protocol addition via CLI
• PDLM load
• RP switchover
• FP switchover
• Protocol pack installation
• Link-age change
Restart involves deactivating and reactivating NBAR. During this time, all packets are classified as
‘Unknown’ by NBAR. Once NBAR is reactivated, classification is activated.
Note Classification for Citrix protocol with "app" subclassification is not guaranteed on VRF interfaces when
NBAR is enabled on VRF interfaces.
NBAR Support for IPv6 from Cisco IOS XE Release 3.5S and Later Releases
In Cisco IOS XE Release 3.5S and later releases, NBAR supports the following types of classification:
• Native IPv6 classification.
• Classification of IPv6 traffic flows inside tunneled IPv6 over IPv4 and teredo.
• IPv6 classification in protocol discovery mode and in MQC mode.
• Static and stateful classification.
• Flexible NetFlow with NBAR based fields on IPv6.
NBAR supports IPv6 in IPv4 (6to4, 6rd, and ISATAP), and teredo tunneled classification. The ip nbar
classification tunneled-traffic command is used to enable the tunneled traffic classification. When the
tunneled traffic classification is enabled, NBAR performs an application classification of the IPv6 packets
carried inside IPv4 traffic. If the ip nbar classification tunneled-traffic command is disabled, the tunneled
IPv6 packets are handled as IPv4 packets.
NBAR supports the capture of IPv6 fields and allows the creation of IPv6 traffic-based flow monitors.
When you enable the ipv6 flow monitor command, the monitor is bound to the interface, NBAR
classification is applied to the IPv6 traffic type, and Flexible NetFlow captures the application IDs in the
IPv6 traffic flow.
dependent on the traffic. The following attributes are available as match criteria for the match protocol
attribute command:
• application-group: The application-group attribute allows the configuration of applications grouped
together based on the same networking application as the match criteria. For example, Yahoo-
Messenger, Yahoo-VoIP-messenger, and Yahoo-VoIP-over-SIP are grouped together under the yahoo-
messenger-group.
• category: The category attribute allows you to configure applications that are grouped together based
on the first level of categorization for each protocol as the match criteria. Similar applications are
grouped together under one category. For example, the email category contains all email applications
such as, Internet Mail Access Protocol (IMAP), Simple Mail Transfer Protocol (SMTP), Lotus Notes,
and so forth.
• sub-category: The sub-category attribute provides the option to configure applications grouped
together based on the second level of categorization for each protocol as the match criteria. For
example, clearcase, dbase, rda, mysql and other database applications are grouped under the database
group.
• encrypted: The encrypted attribute provides the option to configure applications grouped together
based on whether or not the protocol is encrypted as the match criteria. Applications are grouped by
their encrypted or non-encrypted status. Protocols for which NBAR does not provide a value are
categorized under the unassigned encrypted group.
• tunnel: The tunnel attribute provides the option to configure protocols based on whether or not a
protocol tunnels the traffic of other protocols; Layer 2 Tunneling Protocol (L2TP) is an example of such
a protocol. Protocols for which NBAR does not provide a value are categorized under the unassigned
tunnel group.
Note Attribute-based protocol match configuration does not impact the granularity of classification either in
reporting or in the protocol discovery information.
SUMMARY STEPS
1. enable
2. configure terminal
3. class-map [type] [match-all | match-any] class-map-name
4. match protocol attribute application-group application-group [application-name]
5. match protocol attribute category application-category [application-name]
6. match protocol attribute encrypted {encrypted-no | encrypted-unassigned | encrypted-yes}
[application-name]
7. match protocol attribute sub-category application-category [application-name]
8. match protocol attribute tunnel {tunnel-no | tunnel-unassigned | tunnel-yes} [application-name]
9. end
DETAILED STEPS
Step 1 enable
Example:
Router> enable
Step 2 configure terminal
Example:
Router# configure terminal
Step 3 class-map [type] [match-all | match-any] class-map-name
Example:
Router(config)# class-map cmap1
Creates a class map to be used for matching packets to a specified class and enters class-map configuration mode.
• Enter the name of the class map.
Step 4 match protocol attribute application-group application-group [application-name]
Example:
Router(config-cmap)# match protocol attribute application-group skype
• (Optional) Use the application-name attribute to configure the application and not the application group as the
match criterion. The configuration is saved as match protocol application-name instead of match protocol
attribute application-group application-group.
Step 5 match protocol attribute category application-category [application-name]
Example:
Router(config-cmap)# match protocol attribute category email
Step 6 match protocol attribute encrypted {encrypted-no | encrypted-unassigned | encrypted-yes} [application-name]
Example:
Router(config-cmap)# match protocol attribute encrypted encrypted-yes
Step 7 match protocol attribute sub-category application-category [application-name]
Example:
Router(config-cmap)# match protocol attribute sub-category client-server
Step 8 match protocol attribute tunnel {tunnel-no | tunnel-unassigned | tunnel-yes} [application-name]
Example:
Router(config-cmap)# match protocol attribute tunnel tunnel-yes
Enter the tunnel-unassigned keyword to specify the applications that are unassigned for tunneling as the match
criterion.
or
Enter the tunnel-yes keyword to specify the tunneled applications as the match criterion.
• (Optional) Use the application-name attribute to configure a specific application within the specified tunneling
status as the match criterion. The configuration is saved as match protocol application-name instead of match
protocol attribute tunnel {tunnel-no | tunnel-unassigned | tunnel-yes}.
Step 9 end
Example:
Router(config-cmap)# end
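As an added illustration (not Cisco code), this Python model evaluates attribute-based class maps the way the procedure above configures them: a protocol's attribute values fall back to the defaults reported by show ip nbar attribute (other, other, other, tunnel-unassigned, encrypted-unassigned), match-all and match-any class maps combine the criteria, and a criterion given an application-name collapses to a plain match protocol line. The per-protocol attribute values in the table are constructed for the example and the first-match-wins ordering across class maps is an assumption modelled on policy-map class order.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Default attribute values as shown in the show ip nbar attribute output.
ATTRIBUTE_DEFAULTS: Dict[str, str] = {
    "category": "other",
    "sub-category": "other",
    "application-group": "other",
    "tunnel": "tunnel-unassigned",
    "encrypted": "encrypted-unassigned",
}

# Constructed attribute table for a few protocols (illustrative values, not Cisco's).
PROTOCOL_ATTRIBUTES: Dict[str, Dict[str, str]] = {
    "imap": {"category": "email", "encrypted": "encrypted-no"},
    "secure-imap": {"category": "email", "encrypted": "encrypted-yes"},
    "l2tp": {"tunnel": "tunnel-yes"},
    "skype": {"application-group": "skype-group", "encrypted": "encrypted-yes"},
    "mysql": {"sub-category": "database"},
}


def attribute_of(protocol: str, attribute: str) -> str:
    """Attribute value for a protocol, or the attribute's default when NBAR assigns none."""
    return PROTOCOL_ATTRIBUTES.get(protocol, {}).get(attribute, ATTRIBUTE_DEFAULTS[attribute])


@dataclass(frozen=True)
class Criterion:
    """One match protocol attribute <attribute> <value> [application-name] statement."""
    attribute: str
    value: str
    application_name: str = ""


def saved_form(c: Criterion) -> str:
    """How the statement is saved: with application-name it becomes match protocol <name>."""
    if c.application_name:
        return f"match protocol {c.application_name}"
    return f"match protocol attribute {c.attribute} {c.value}"


def criterion_matches(c: Criterion, protocol: str) -> bool:
    if c.application_name:
        return protocol == c.application_name
    return attribute_of(protocol, c.attribute) == c.value


@dataclass
class ClassMap:
    name: str
    mode: str = "match-all"  # or "match-any", as in the class-map command
    criteria: List[Criterion] = field(default_factory=list)

    def matches(self, protocol: str) -> bool:
        results = [criterion_matches(c, protocol) for c in self.criteria]
        if not results:
            return False
        return all(results) if self.mode == "match-all" else any(results)


def classify(protocol: str, class_maps: List[ClassMap]) -> str:
    """First matching class map wins (assumed ordering); otherwise class-default."""
    for cm in class_maps:
        if cm.matches(protocol):
            return cm.name
    return "class-default"


# Constructed class maps in the style of the procedure's examples.
CLASS_MAPS = [
    ClassMap("my-class", "match-all", [Criterion("encrypted", "encrypted-yes")]),
    ClassMap("email-clear", "match-all",
             [Criterion("category", "email"), Criterion("encrypted", "encrypted-no")]),
    ClassMap("mygroup", "match-any",
             [Criterion("tunnel", "tunnel-yes"), Criterion("sub-category", "database")]),
]


if __name__ == "__main__":
    for proto in ("imap", "secure-imap", "l2tp", "mysql", "skype", "ftp"):
        print(f"{proto:12} -> {classify(proto, CLASS_MAPS)}")
    print(saved_form(Criterion("tunnel", "tunnel-yes", "l2tp")))
```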
In the following example, any request message that contains "http://www.cisco.com/routers" in the User-
Agent, Referer, or From field will be classified by NBAR. Typically, a term with a format similar to "http://
www.cisco.com/routers" would be found in the Referer header field of the HTTP request message.
In the following example, any request message that contains "CERN-LineMode/2.15" in the User-Agent,
Referer, or From header field will be classified by NBAR. Typically, a term with a format similar to
"CERN-LineMode/2.15" would be found in the User-Agent header field of the HTTP request message.
In the following example, any response message that contains "CERN/3.0" in the Content-Base (if
available), Content-Encoding, Location, or Server header field will be classified by NBAR. Typically, a
term with a format similar to "CERN/3.0" would be found in the Server header field of the response
message.
In the following example, any response message that contains "http://www.cisco.com/routers" in the
Content-Base (if available), Content-Encoding, Location, or Server header field will be classified by
NBAR. Typically, a term with a format similar to "http://www.cisco.com/routers" would be found in the
Content-Base (if available) or Location header field of the response message.
In the following example, any response message that contains "gzip" in the Content-Base (if available),
Content-Encoding, Location, or Server header field will be classified by NBAR. Typically, the term "gzip"
would be found in the Content-Encoding header field of the response message.
In the following example, the custom protocol virus-home will identify UDP packets that have a
destination port of 3000 and that contain "0x56" in the seventh byte of the payload:
In the following example, the custom protocol media_new will identify TCP packets that have a destination
or source port of 4500 and that have a value of 90 at the sixth byte of the payload:
In the following example, the custom protocol msn1 will look for TCP packets that have a destination or
source port of 6700:
In the following example, the custom protocol mail_x will look for UDP packets that have a destination
port of 8202:
In the following example, the custom protocol mail_y will look for UDP packets that have destination ports
between 3000 and 4000 inclusive:
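As an added illustration (not Cisco code), the following Python model implements the custom-protocol matching described in the feature list above (port, port range, traffic direction, and a byte value at a payload offset) using the five definitions from the examples just given: virus-home, media_new, msn1, mail_x and mail_y. It assumes payload offsets count from 1, so "the seventh byte" is index 6, and that definitions are tried in the order listed with the first match winning; the packets are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class CustomProtocol:
    """One user-defined custom protocol (model of the page's definitions)."""
    name: str
    transport: str                 # "tcp" or "udp"
    ports: Tuple[int, int]         # inclusive port range; (p, p) for a single port
    direction: str = "any"         # "source", "destination" or "any"
    offset: Optional[int] = None   # 1-based byte position in the payload (assumed convention)
    value: Optional[int] = None    # byte value expected at that offset


@dataclass(frozen=True)
class Packet:
    transport: str
    sport: int
    dport: int
    payload: bytes


def port_matches(p: CustomProtocol, pkt: Packet) -> bool:
    """Apply the port (or range) in the direction the definition names."""
    lo, hi = p.ports

    def in_range(port: int) -> bool:
        return lo <= port <= hi

    if p.direction == "destination":
        return in_range(pkt.dport)
    if p.direction == "source":
        return in_range(pkt.sport)
    return in_range(pkt.sport) or in_range(pkt.dport)


def payload_matches(p: CustomProtocol, pkt: Packet) -> bool:
    """Check the byte at the configured offset; a short payload cannot match."""
    if p.offset is None:
        return True
    idx = p.offset - 1
    return len(pkt.payload) > idx and pkt.payload[idx] == p.value


def classify(pkt: Packet, protocols: List[CustomProtocol]) -> str:
    """Name of the first custom protocol whose transport, port and payload checks all pass."""
    for p in protocols:
        if p.transport == pkt.transport and port_matches(p, pkt) and payload_matches(p, pkt):
            return p.name
    return "unknown"


# The five definitions from the examples above, expressed in this model.
CUSTOM_PROTOCOLS = [
    CustomProtocol("virus-home", "udp", (3000, 3000), "destination", offset=7, value=0x56),
    CustomProtocol("media_new", "tcp", (4500, 4500), "any", offset=6, value=90),
    CustomProtocol("msn1", "tcp", (6700, 6700)),
    CustomProtocol("mail_x", "udp", (8202, 8202), "destination"),
    CustomProtocol("mail_y", "udp", (3000, 4000), "destination"),
]

# Constructed packets: note that UDP to port 3000 is virus-home only when the
# seventh payload byte is 0x56, and otherwise falls into the mail_y range.
SAMPLE_PACKETS = [
    Packet("udp", 50000, 3000, b"\x00" * 6 + b"\x56"),
    Packet("udp", 50000, 3000, b"\x00" * 8),
    Packet("udp", 3000, 50000, b"\x00" * 6 + b"\x56"),
    Packet("tcp", 4500, 40000, b"\x00" * 5 + bytes([90])),
    Packet("tcp", 4500, 40000, b"\x00" * 5),
    Packet("tcp", 40000, 6700, b""),
    Packet("udp", 40000, 8202, b""),
    Packet("udp", 40000, 3500, b"x"),
]


def demo() -> List[str]:
    return [classify(pkt, CUSTOM_PROTOCOLS) for pkt in SAMPLE_PACKETS]


if __name__ == "__main__":
    for pkt, name in zip(SAMPLE_PACKETS, demo()):
        print(f"{pkt.transport} {pkt.sport}->{pkt.dport} len={len(pkt.payload)}: {name}")
```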
Similarly, all Gnutella traffic is classified into class map nbar in the following example:
Wildcard characters in a regular expression can also be used to identify specified Gnutella and FastTrack
traffic. These regular expression matches can be used to match on the basis of a filename extension or a
particular string in a filename.
In the following example, all Gnutella files that have the .mpeg extension will be classified into class map
nbar:
In the following example, only Gnutella traffic that contains the characters "cisco" is classified:
In the following example, skype-group applications are configured as the match criterion:
Router# configure terminal
Router(config)# class-map apps
Router(config-cmap)# match protocol attribute application-group skype-group
In the following example, encrypted applications are configured as the match criterion:
Router# configure terminal
Router(config)# class-map my-class
Router(config-cmap)# match protocol attribute encrypted encrypted-yes
In the following example, Client-server subcategory applications are configured as the match criterion:
Router# configure terminal
Router(config)# class-map newmap
Router(config-cmap)# match protocol attribute sub-category client-server
In the following example, tunneled applications are configured as the match criterion:
Router# configure terminal
Router(config)# class-map mygroup
Router(config-cmap)# match protocol attribute tunnel tunnel-yes
The following sample output from the show ip nbar attribute command displays the details of all the
attributes:
Router# show ip nbar attribute
Name : category
Help : category attribute
Type : group
Groups : email, newsgroup, location-based-services, instant-messaging, netg
Need : Mandatory
Default : other
Name : sub-category
Help : sub-category attribute
Type : group
Groups : routing-protocol, terminal, epayement, remote-access-terminal, nen
Need : Mandatory
Default : other
Name : application-group
Help : application-group attribute
Type : group
Groups : skype-group, wap-group, pop3-group, kerberos-group, tftp-group, bp
Need : Mandatory
Default : other
Name : tunnel
Help : Tunnelled applications
Type : group
Groups : tunnel-no, tunnel-yes, tunnel-unassigned
Need : Mandatory
Default : tunnel-unassigned
Name : encrypted
Help : Encrypted applications
Type : group
Groups : encrypted-yes, encrypted-no, encrypted-unassigned
Need : Mandatory
Default : encrypted-unassigned
The following sample output from the show ip nbar protocol-attribute command displays the details of
the protocols:
Router# show ip nbar protocol-attribute
Additional References
Related Documents
Related Topic | Document Title
QoS commands: complete command syntax, command modes, command history, defaults, usage guidelines, and examples | Cisco IOS Quality of Service Solutions Command Reference
Classifying network traffic if not using NBAR | "Classifying Network Traffic" module
Standards
Standard | Title
ISO 0009 | File Transfer Protocol (FTP)
MIBs
RFCs
RFC | Title
RFC 742 | NAME/FINGER Protocol
RFC 1001 | Protocol Standard for a NetBIOS Service on a TCP/UDP Transport: Concepts and Methods
RFC 1890 | RTP Profile for Audio and Video Conferences with Minimal Control
RFC 1928 | SOCKS Protocol Version 5
Technical Assistance
Description | Link
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. | http://www.cisco.com/cisco/web/support/index.html
Table 5 Feature Information for Classifying Network Traffic Using NBAR in Cisco IOS XE software
Feature Name | Releases | Feature Information
Enhanced NBAR | Cisco IOS XE Release 3.2S | The Enhanced NBAR feature provides additional PDLs for Cisco IOS XE Release 3.2S. The following section provides information about this feature: NBAR-Supported Protocols.
NBAR Categorization and Attributes | Cisco IOS XE Release 3.4S | The NBAR Categorization and Attributes feature provides the mechanism of matching the protocols grouped under specific categories based on the attributes. These categories are available for Class-Based Policy Language (CPL) as a match criteria for application recognition. The following section provides information about this feature: NBAR Categorization and Attributes.
NBAR PDLM Supported in ASR 1000 Release 2.5 | Cisco IOS XE Release 2.5; Cisco IOS XE Release 3.1S; Cisco IOS XE Release 3.3S | This feature was integrated into Cisco IOS XE Release 2.5. NBAR-supported protocols were added for this release. The following section provides information about this feature: NBAR-Supported Protocols. The following command was modified: match protocol (NBAR).
NBAR Protocols | Cisco IOS XE Release 2.3 | This feature was integrated into Cisco IOS XE Release 2.3. NBAR-supported protocols were added for this release. The following section provides information about this feature: NBAR-Supported Protocols. The following command was modified: match protocol (NBAR).
NBAR Real-time Transport Protocol Payload Classification | Cisco IOS XE Release 2.1 | This feature was introduced on Cisco ASR 1000 Series Aggregation Services Routers. The following section provides information about this feature: NBAR-Supported Protocols.
NBAR VRF aware | Cisco IOS XE Release 3.3S | This feature was introduced on Cisco ASR 1000 Series Aggregation Services Routers. The following section provides information about this feature: NBAR Scalability.
Glossary
Encryption—The application of a specific algorithm to data so as to alter the appearance of the data, making it incomprehensible to those who are not authorized to see the information.
HTTP—Hypertext Transfer Protocol. The protocol used by web browsers and web servers to transfer files, such as text and graphic files.
IANA—Internet Assigned Numbers Authority. An organization operated under the auspices of the Internet Society (ISOC) as a part of the Internet Architecture Board (IAB). IANA delegates authority for IP address-space allocation and domain-name assignment to the InterNIC and other organizations. IANA also maintains a database of assigned protocol identifiers used in the TCP/IP stack, including autonomous system numbers.
LAN—Local-area network. A high-speed, low-error data network that covers a relatively small geographic area (up to a few thousand meters). LANs connect workstations, peripherals, terminals, and other devices in a single building or other geographically limited area. LAN standards specify cabling and signaling at the physical and data link layers of the Open System Interconnection (OSI) model. Ethernet, FDDI, and Token Ring are widely used LAN technologies.
MIME—Multipurpose Internet Mail Extension. The standard for transmitting nontext data (or data that cannot be represented in plain ASCII code) in Internet mail, such as binary, foreign language text (such as Russian or Chinese), audio, and video data. MIME is defined in RFC 2045, Multipurpose Internet Mail Extension (MIME) Part One: Format of Internet Message Bodies.
MPLS—Multiprotocol Label Switching. A switching method that forwards IP traffic using a label. This label instructs the routers and the switches in the network where to forward the packets based on preestablished IP routing information.
MQC—Modular quality of service command-line interface. A CLI that allows you to define traffic classes, create and configure traffic policies (policy maps), and then attach the policy maps to interfaces. Policy maps are used to apply the appropriate quality of service (QoS) to network traffic.
Protocol Discovery—A feature included with NBAR. Protocol Discovery provides a way to discover the application protocols that are operating on an interface.
QoS—Quality of service. A measure of performance for a transmission system that reflects its transmission quality and service availability.
RTCP—RTP Control Protocol. A protocol that monitors the QoS of an IPv6 Real-Time Transport Protocol (RTP) connection and conveys information about the ongoing session.
Stateful protocol—A protocol that uses TCP and UDP port numbers that are determined at connection time.
Static protocol—A protocol that uses well-defined (predetermined) TCP and UDP ports for communication.
Subport classification—The classification of network traffic by information that is contained in the packet payload, that is, information found beyond the TCP or UDP port number.
TCP—Transmission Control Protocol. A connection-oriented transport layer protocol that provides reliable full-duplex data transmission. TCP is part of the TCP/IP protocol stack.
Tunneling—An architecture that is designed to provide the services necessary to implement any standard point-to-point encapsulation scheme.
UDP—User Datagram Protocol. A connectionless transport layer protocol in the TCP/IP protocol stack. UDP is a simple protocol that exchanges datagrams without acknowledgments or guaranteed delivery, requiring that error processing and retransmission be handled by other protocols. UDP is defined in RFC 768, User Datagram Protocol.
WAN—Wide-area network. A data communications network that serves users across a broad geographic area and often uses transmission devices provided by common carriers.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S.
and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks.
Third-party trademarks mentioned are the property of their respective owners. The use of the word partner
does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be
actual addresses and phone numbers. Any examples, command display output, network topology diagrams,
and other figures included in the document are shown for illustrative purposes only. Any use of actual IP
addresses or phone numbers in illustrative content is unintentional and coincidental.
Note In the NBAR context, asymmetric flows are flows in which different packets of the same flow pass through
different routers, for example because of a load-balancing implementation or because of asymmetric routing,
where the two directions of a flow take different routes.
• NBAR processing. By design, NBAR processing is temporarily disabled during the In-Service
Software Upgrade (ISSU). The following syslog message indicates restart of NBAR classification
once ISSU is complete.
"%NBAR_HA-5-NBAR_INFO: NBAR sync DONE!"
• Multicast packet classification.
• Multiprotocol Label Switching (MPLS)-labeled packets. NBAR classifies IP packets only. You can,
however, use NBAR to classify IP traffic before the traffic is handed over to MPLS. Use the modular
quality of service (QoS) CLI (MQC) to set the IP differentiated services code point (DSCP) field on
the NBAR-classified packets and make MPLS map the DSCP setting to the MPLS experimental
(EXP) setting inside the MPLS header.
• Non-IP traffic.
• Packets that originate from or that are destined to the router running NBAR.
NBAR is not supported on the following logical interfaces:
• Dialer interfaces
• Fast Etherchannel
• Interfaces where tunneling or encryption is used
• Multilink Point-to-Point Protocol (MLPPP)
• Multiprotocol Label Switching (MPLS) VPN Routing and Forwarding (VRF)
• Port channel
• Tunneled interfaces (Generic Router Encapsulation [GRE], IP-IP, Layer 2 Tunneling Protocol [L2TP])
Note You cannot use NBAR to classify output traffic on a WAN link where tunneling or encryption is used.
Therefore, you should configure NBAR on other interfaces of the router (such as a LAN link) to perform
input classification before the traffic is switched to the WAN link.
Protocol discovery maintains the following per-protocol statistics for enabled interfaces:
• Total number of input packets and bytes
• Total number of output packets and bytes
• Input bit rates
• Output bit rates
These statistics can be used when you define classes and traffic policies (sometimes known as policy maps)
for each traffic class. The traffic policies (policy maps) are used to apply specific QoS features and
functionality to the traffic classes.
• Interface Scalability, page 101
Interface Scalability
In Cisco IOS XE Release 2.4 and earlier releases, there is no limit on the number of interfaces on which
protocol discovery can be enabled.
The table below provides the details of the protocol discovery supported interface and the release number.
In Cisco IOS XE Release 3.3S and later releases, NBAR supports the following classification:
• Static port-based classification and IP protocol-based classification for IPv6 packets.
• IPv4 and IPv6 classification for IPv4 and IPv6 VPN Routing and Forwarding (VRF) interfaces.
Note The NBAR Protocol Discovery MIB is not supported for the ip nbar protocol-discovery ipv4 and ip nbar
protocol-discovery ipv6 commands.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface type number [name-tag]
4. ip nbar protocol-discovery [ipv4 | ipv6]
5. end
DETAILED STEPS
Step 1 enable
Example:
Router> enable
Step 2 configure terminal
Step 3 interface type number [name-tag]
Configures an interface type and enters interface configuration mode.
• Enter the interface type and the interface number.
Example:
Router(config)# interface fastethernet1/1/1
Step 4 ip nbar protocol-discovery [ipv4 | ipv6]
Configures NBAR to discover traffic for all protocols that are known to NBAR on a particular interface.
• (Optional) Enter the ipv4 keyword to enable protocol discovery statistics collection for IPv4 packets, or
enter the ipv6 keyword to enable protocol discovery statistics collection for IPv6 packets.
• Specifying either of these keywords enables the protocol discovery statistics collection for the specified
IP version only. If neither keyword is specified, statistics collection is enabled for both IPv4 and IPv6.
• The no form of this command is not required to disable a keyword, because the statistics collection is
enabled for the specified keyword only.
Example:
Router(config-if)# ip nbar protocol-discovery
Step 5 end
Example:
Router(config-if)# end
SUMMARY STEPS
1. enable
2. show policy-map interface type number
3. show ip nbar protocol-discovery [interface type number] [stats {byte-count | bit-rate | packet-
count| max-bit-rate}] [protocol protocol-name | top-n number]
4. exit
DETAILED STEPS
Step 1 enable
Example:
Router> enable
Step 2 show policy-map interface type number
(Optional) Displays the packet and class statistics for all policy maps on the specified interface.
• Enter the interface type and interface number.
Step 3 show ip nbar protocol-discovery [interface type number] [stats {byte-count | bit-rate | packet-count |
max-bit-rate}] [protocol protocol-name | top-n number]
Displays the statistics gathered by the NBAR Protocol Discovery feature.
• (Optional) Enter keywords and arguments to fine-tune the statistics displayed. For more information on
each of the keywords, refer to the show ip nbar protocol-discovery command in Cisco IOS Quality of
Service Solutions Command Reference.
Example:
Router# show ip nbar protocol-discovery interface Fastethernet1/1/1
Step 4 exit
Example:
Router# exit
Router> enable
Router(config-if)# end
In the following sample configuration, protocol discovery is enabled on Fast Ethernet interface 1/1/2 for
IPv6 packets:
Router> enable
Router# configure terminal
Router(config)# interface fastethernet 1/1/2
Router(config-if)# ip nbar protocol-discovery ipv6
Router(config-if)# end
In the following sample configuration, protocol discovery is enabled on Fast Ethernet interface 1/1/2 for
IPv6 packets. Later, protocol discovery is also enabled for IPv4 packets; this does not require the no form
of the command for the ipv6 keyword.
Router> enable
Router# configure terminal
Router(config)# interface fastethernet 1/1/2
Router(config-if)# ip nbar protocol-discovery ipv6
Router(config-if)# ip nbar protocol-discovery ipv4
Router(config-if)# end
FastEthernet2/0/1
                           Input                    Output
                           -----                    ------
  Protocol                 Packet Count             Packet Count
                           Byte Count               Byte Count
                           30sec Bit Rate (bps)     30sec Bit Rate (bps)
                           30sec Max Bit Rate (bps) 30sec Max Bit Rate (bps)
  ------------------------ ------------------------ ------------------------
  rtp                      3272685                  3272685
                           242050604                242050604
                           768000                   768000
                           2002000                  2002000
  gnutella                 513574                   513574
                           118779716                118779716
                           383000                   383000
                           987000                   987000
  ftp                      482183                   482183
                           37606237                 37606237
                           121000                   121000
                           312000                   312000
  http                     144709                   144709
                           32351383                 32351383
                           105000                   105000
                           269000                   269000
  netbios                  96606                    96606
                           10627650                 10627650
                           36000                    36000
                           88000                    88000
  unknown                  1724428                  1724428
                           534038683                534038683
                           2754000                  2754000
                           4405000                  4405000
  Total                    6298724                  6298724
                           989303872                989303872
                           4213000                  4213000
                           8177000                  8177000
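The per-protocol statistics that protocol discovery keeps (input and output packet counts, byte counts, and 30-second bit rates) are what you read from the show ip nbar protocol-discovery command in the verification procedure above, and they are the numbers you use when deciding which traffic classes a policy map needs. The following Python script is an added example and not Cisco code: it parses the sample output for FastEthernet2/0/1 shown above, ranks the protocols, reports how much of the interface's bit rate is in the unknown row (traffic that no NBAR-based class will match), and checks whether the Total row is accounted for by the listed rows. It assumes the four-lines-per-protocol layout of that sample and the row names unknown and Total as they appear there.

```python
"""Parse 'show ip nbar protocol-discovery' output and rank protocols.
Added example, not Cisco code; it assumes the four-lines-per-protocol layout
of the sample output above (packet count, byte count, 30-second bit rate,
30-second maximum bit rate), each line with an input and an output value.
"""

# Sample input: the page's own output for FastEthernet2/0/1, pasted here so
# the example runs offline.
SAMPLE = """\
FastEthernet2/0/1
                           Input                    Output
                           -----                    ------
  Protocol                 Packet Count             Packet Count
                           Byte Count               Byte Count
                           30sec Bit Rate (bps)     30sec Bit Rate (bps)
                           30sec Max Bit Rate (bps) 30sec Max Bit Rate (bps)
  ------------------------ ------------------------ ------------------------
  rtp                      3272685                  3272685
                           242050604                242050604
                           768000                   768000
                           2002000                  2002000
  gnutella                 513574                   513574
                           118779716                118779716
                           383000                   383000
                           987000                   987000
  ftp                      482183                   482183
                           37606237                 37606237
                           121000                   121000
                           312000                   312000
  http                     144709                   144709
                           32351383                 32351383
                           105000                   105000
                           269000                   269000
  netbios                  96606                    96606
                           10627650                 10627650
                           36000                    36000
                           88000                    88000
  unknown                  1724428                  1724428
                           534038683                534038683
                           2754000                  2754000
                           4405000                  4405000
  Total                    6298724                  6298724
                           989303872                989303872
                           4213000                  4213000
                           8177000                  8177000
"""

FIELDS = ("packets", "bytes", "bit_rate", "max_bit_rate")


def parse_protocol_discovery(text):
    """Return (interface, {protocol: {"input": {...}, "output": {...}}}),
    with each inner dict keyed by FIELDS."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    interface = lines[0].strip()
    stats, current, field_idx, in_body = {}, None, 0, False
    for line in lines[1:]:
        tokens = line.split()
        if not in_body:
            # The body starts after the line of three dashed column rules.
            in_body = len(tokens) == 3 and all(set(t) == {"-"} for t in tokens)
            continue
        if len(tokens) == 3 and not tokens[0].isdigit():
            current, field_idx = tokens[0], 0          # new protocol record
            stats[current] = {"input": {}, "output": {}}
            values = tokens[1:]
        elif len(tokens) == 2 and current is not None:
            values = tokens                            # continuation line
        else:
            raise ValueError(f"unexpected line: {line!r}")
        if field_idx >= len(FIELDS):
            raise ValueError(f"too many lines for protocol {current}")
        stats[current]["input"][FIELDS[field_idx]] = int(values[0])
        stats[current]["output"][FIELDS[field_idx]] = int(values[1])
        field_idx += 1
    return interface, stats


def top_n(stats, n=3, key="bit_rate", direction="input",
          exclude=("Total", "unknown")):
    """Rank protocols by one counter; the Total row and 'unknown' are left out."""
    rows = [(name, c[direction][key])
            for name, c in stats.items() if name not in exclude]
    rows.sort(key=lambda r: r[1], reverse=True)
    return rows[:n]


def unknown_share(stats, direction="input"):
    """Fraction of the interface's 30-second bit rate NBAR could not classify."""
    total = stats["Total"][direction]["bit_rate"]
    return stats["unknown"][direction]["bit_rate"] / total if total else 0.0


def unlisted(stats, key="packets", direction="input"):
    """Total row minus the sum of the listed protocol rows. A nonzero result
    means rows are missing from the listing (e.g. a top-n filtered display)."""
    listed = sum(c[direction][key] for name, c in stats.items() if name != "Total")
    return stats["Total"][direction][key] - listed


if __name__ == "__main__":
    iface, stats = parse_protocol_discovery(SAMPLE)
    print(iface, "top talkers by input bit rate:", top_n(stats))
    print(f"unclassified share of input bit rate: {unknown_share(stats):.1%}")
    print("input packets not covered by the listed rows:", unlisted(stats))
```

On the sample above the unknown row carries about 65 percent of the input bit rate, and the listed rows do not sum to the Total row; both are worth checking before building classes from a protocol discovery listing, because a class-map that matches only the named protocols leaves the unknown share outside any policy.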
Additional References
Related Documents
Related Topic | Document Title
QoS commands: complete command syntax, command modes, command history, defaults, usage guidelines, and examples | Cisco IOS Quality of Service Solutions Command Reference
Concepts and information about NBAR | "Classifying Network Traffic Using NBAR" module
Standards
Standard | Title
No new or modified standards are supported, and support for existing standards has not been modified. | --
MIBs
Technical Assistance
Description | Link
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. | http://www.cisco.com/cisco/web/support/index.html