Network Based Application Recognition (NBAR)

NBAR2 (Next Generation NBAR) Protocol Pack FAQ

Last updated: February 2013
This document contains common questions and answers regarding the Cisco® NBAR2, or Next Generation Network-Based Application Recognition (NBAR), Protocol Pack.
If you have any unanswered questions after reading this document, or require further clarification, please email: nbar-pp@cisco.com
This FAQ is divided into the following sections:

• NBAR Introduction

• Protocol Pack Introduction

• Protocol Pack Release

• Protocol Pack SLA (Service Level Agreement)

• Protocol Pack Licensing

• Protocol Pack Loading

• Miscellaneous

NBAR Introduction

Q. What is NBAR2?
A. NBAR2 (or Next Generation NBAR) is a re-architecture of NBAR based on the Service Control Engine (SCE), with advanced classification techniques, improved accuracy and many more signatures. NBAR2 is backward compatible and is supported on ISR-G2 and ASR1K platforms. NBAR2 has been adopted as Cisco's cross-platform protocol classification mechanism. It supports 1000+ applications and sub-applications. Cisco provides new signatures and signature updates through monthly protocol pack releases.
Q. What are the key benefits of NBAR2?
A. NBAR2 offers the following key benefits over NBAR:
• Advanced classification techniques: NBAR2 leverages classification techniques from SCE, which allow classification of IPv4, IPv6 and v6 transition techniques. Using these techniques, NBAR2 can classify evasive applications such as Skype and Tor, business applications such as ms-lync, cloud applications such as office-365 and even mobile applications such as facetime.
• Field extraction support: It provides the mechanism to extract pre-defined fields from packet headers, which can be exported via Flexible NetFlow (FNF) for reporting.
• Categorization and attributes: It provides the mechanism to match protocols or applications based on statically assigned attributes such as application-group, category, sub-category, encrypted and tunnel. Categorizing the protocols and applications into different groups helps with reporting and applying Quality of Service (QoS) policies.
• Common protocol library for NBAR2 across platforms: It offers platform-independent signatures for NBAR2 supported platforms.
• Signature delivery through protocol packs: A protocol pack is a set of protocols developed and packaged together. Protocol packs are a means to distribute protocol updates outside the Cisco operating system release train, and allow faster, more flexible adjustment to market trends. Protocol packs can be loaded on the router without replacing the Cisco IOS image or reloading the device.
• Custom protocol using HTTP URL and/or host name: It provides the mechanism to define custom protocols to match based on HTTP URL and/or host name.
Q. Which platforms support NBAR2?
A. NBAR2 is supported on Cisco network devices such as ISR-G2, ASR1K, ASA-CX and Wireless LAN Controller.
Q. Which protocols can NBAR2 classify?
A. The NBAR2 classification engine recognizes and classifies a wide variety of protocols and applications, including web-based and other difficult-to-classify applications and protocols that use dynamic TCP/UDP port assignments.
Please refer to the link below for the complete list of NBAR2 supported protocols:

Protocol Pack Introduction

Q. What is a protocol pack?
A. Traditionally, protocols were linked to Cisco operating software, and customers had to upgrade the Cisco operating software to get new protocol support. Protocol packs are a set of protocols developed and packaged together. They provide a means to distribute new protocols, protocol updates and bug fixes outside the Cisco operating software releases, and can be loaded on network devices without replacing the Cisco operating software.
Q. Why is NBAR2 transitioning to a protocol pack model?
A. Application modules (also known as PDLMs) were traditionally used to add new protocol support. A PDLM extends the list of protocols that NBAR can recognize.
As opposed to a PDLM, a protocol pack is a single compressed file that contains multiple PDL files. Protocol packs allow users to load a set of protocols together rather than load them separately.
Protocol packs provide an easy way to distribute new protocols, protocol updates and bug fixes.
Protocol packs are easy to load. It is easy to upgrade to a later protocol pack, or revert to a previous version of a protocol pack (this is dependent on compatibility constraints).
A protocol pack can be loaded on a device without replacing the Cisco OS image or rebooting the device.
With the NBAR2 transition to the protocol pack model, PDLMs are no longer provided. NBAR users who use PDLMs are advised to migrate to protocol packs.
Q. Which NBAR2 platforms support protocol pack releases?
A. Today, NBAR protocol packs are released for Cisco ISR-G2 and ASR1K platforms. The table below shows the minimum Cisco IOS/IOS-XE version required for loading a protocol pack:

| Platform | Minimum IOS/IOS-XE Release | First Protocol Pack |
|---|---|---|
| ISR-G2 | Cisco IOS 15.2(4)M | November 2012 (PP 2.1.0) |
| ASR1000 | Cisco IOS-XE 3.7 | October 2012 (PP 2.1.0) |

Note: please refer to the protocol packs support timeline in the SLA section below.

Q. Are protocol packs supported on NBAR-1 supported platforms such as Cisco ISR-G1, 7200, 7301 etc.?
A. Protocol packs are supported only on NBAR2 platforms.

Protocol Pack Release

Q. How frequently are protocol packs released?
A. Protocol packs are released monthly; major and minor packs are released in alternate months.
Major protocol packs deliver new protocols (up to 10), signature updates and bug fixes, in addition to all previously supported protocols. Major protocol packs are numbered 1.0, 2.0, 3.0 and so on.
Minor protocol packs deliver signature updates and bug fixes only, in addition to previously supported protocols. Minor protocol packs are numbered 1.1, 2.1, 3.1 and so on.
Figure 1: The protocol pack release model, with major and minor protocol pack releases in alternate months and the content of those packs.
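The table below lists the protocol pack releases for 2012:

| Year | Jan | Feb | March | April | May | June | July | Aug | Sept | Oct | Nov | Dec |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2012 | -- | -- | -- | -- | -- | -- | 1.0 | 1.1 | 2.0 | 2.1 | 3.0 | 3.1 |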

PP 2.1 is the first protocol pack release on Cisco IOS (ISR-G2) and Cisco IOS-XE (ASR1K). The Cisco IOS-XE (ASR1K) protocol packs are released first, and the Cisco IOS (ISR-G2) protocol packs follow after a delay of ~three weeks.
If there are no updates or bug fixes to release, the minor protocol pack for that month will not be released.
Q. How are protocol packs released?
A. The Cisco IOS (ISR-G2) and Cisco IOS-XE (ASR1K) protocol packs are released monthly on Cisco.com (CCO). Customers can download protocol packs for their routers from the CCO software download location: http://software.cisco.com/download/navigator.html
Q. Where do I find a protocol pack for my router on CCO?
A. NBAR users can download Cisco IOS (ISR-G2) and Cisco IOS-XE (ASR1K) protocol packs from the CCO software download page: http://software.cisco.com/download/navigator.html

CCO Location for ISR-G2:

Download Home (http://software.cisco.com/download/navigator.html) > Products > Routers > Branch Routers > Cisco 3900 Series Integrated Services Routers > Cisco 3945 Integrated Services Routers > software on chassis > NBAR2 Protocol Packs > Release 2.1.0
Description: ISR 3900 NBAR2 Protocol Pack 2.1.0
File name: pp-adv-isrg2-152-4M1-13-2.1.0.pack
Size: 0.19 MB

CCO Location for ASR1K:

Download Home (http://software.cisco.com/download/navigator.html) > Products > Routers > Service Provider Edge Routers > Cisco ASR 1000 Series Aggregation Services Routers > Cisco ASR 1006 Router > NBAR2 Protocol Packs > Release 2.1.0
Description: ASR1k NBAR2 Protocol Pack 2.1.0
File name: pp-adv-asr1k-152-4S-13-2.1.0.pack
Size: 0.19 MB
Q. Does a user need special access or permission to download a protocol pack from the Cisco software download web page?
A. NBAR users having access to CCO can download NBAR protocol packs from the software download web page.
Q. Does a user need a license of any kind to access NBAR protocol packs?
A. NBAR users who have an AVC (Application Visibility and Control) feature license can load and use protocol packs on routers. Please refer to the protocol pack licensing section in this document for more details.
Q. What is the protocol pack image name on CCO?
A. The protocol pack release name format is:
pp-adv-PLT-IOS-E-M.m.r.pack
• pp: represents protocol pack
• adv: represents advanced protocol pack (refer to the licensing section below for more details)
• PLT: represents the platform for which the protocol pack is built, i.e. ISR-G2 or ASR1K
• IOS: represents the base Cisco IOS/IOS-XE image for the protocol pack
• E: represents the NBAR engine version
• M: represents the protocol pack release number
• m: indicates whether this is a major or a minor protocol pack (i.e. 0 if it is a major protocol pack, and 1 if it is a minor protocol pack)
• r: represents the rebuild number
For example, an advanced protocol pack for an ISR-G2 product:
pp-adv-isrg2-152-4M1-13-M.m.0.pack
Here M represents the major release number and m represents the minor release number.
pp-adv-isrg2-152-4M1-13-2.0.0.pack (Major protocol pack release 2.0.0)
pp-adv-isrg2-152-4M1-13-2.1.0.pack (Minor protocol pack release 2.1.0)
Q. Where do I find information about the content of the protocol pack?
A. Customers can refer to the protocol pack release notes for new contents of protocol packs. Please click on the link below to access release notes under the NBAR2 protocol pack section:

Protocol Pack SLA (Service Level Agreement)

The NBAR protocol pack SLA describes the types of services offered to NBAR2 supported platforms. Today NBAR protocol packs are released to ISR-G2 and ASR1K platforms. Cisco will use its best efforts to meet the target for all services. If, for any reason, Cisco does not meet the target, Cisco customers are not entitled to make a compensation claim.
Services are outlined in the table below*:

| Protocol Pack SLA | Target | Comments |
|---|---|---|
| Frequency of protocol pack | Monthly | Protocol packs are released every month for ISR-G2 and ASR1K platforms |
| Number of new protocols in a major protocol pack | ~10 | Number of new protocols in every major protocol pack |
| Protocol pack lifetime support | Please refer to the "Protocol Pack Support Model" table below | Protocol pack support for Cisco IOS and IOS-XE releases |

*Please note: Information in the table above is subject to change without notice

Q. What is the support model for protocol packs?
A. Protocol pack support is aligned with the Cisco IOS/IOS-XE release support model. The support timeline is not for the protocol pack but for the base image. Extended Maintenance (EM) releases get more protocol packs compared to Standard Maintenance (SM) releases. Protocol packs on EM releases get support (critical bug fixes and PSIRT) for a longer duration as compared to standard maintenance releases. The table below summarizes the protocol pack support for different Cisco IOS/IOS-XE releases.
Table: Protocol Pack Support Model*

| Platform | Current IOS Release | Releases | Protocol Pack Support |
|---|---|---|---|
| ISR-G2 | T train (EM release) | 15.2(4)M | Monthly PP Phase = 12 months; Critical Bug Fix Phase = 18 months; PSIRT Phase = 12 months |
| ISR-G2 | T train (SM release) | 15.3(1)T, 15.3(2)T | Monthly PP Phase = 6 months; Critical Bug Fix Phase = 6 months; PSIRT Phase = 6 months |
| ASR1000 | S train (EM release) | IOS XE 3.7 | Monthly PP Phase = 12 months; PSIRT Phase = 12 months |
| ASR1000 | S train (SM release) | IOS XE 3.8 | Monthly PP Phase = 6 months; PSIRT Phase = 6 months |
| ASR1000 | S train (SM release) | IOS XE 3.9 | Monthly PP Phase = 6 months; PSIRT Phase = 6 months |

| Platform | New IOS Release | Releases | Protocol Pack Support |
|---|---|---|---|
| ISR-G2 | T train (EM release) | 15.3(3)T | Monthly PP Phase = 18 months; Critical Bug Fix Phase = 18 months; PSIRT Phase = 12 months |
| ISR-G2 | T train (SM release) | 15.4(1)T | Monthly PP Phase = 6 months; Critical Bug Fix Phase = 6 months; PSIRT Phase = 6 months |
| ASR1000 | S train (EM release) | IOS XE 3.10 | Monthly PP Phase = 18 months; Critical Bug Fix Phase = 18 months; PSIRT Phase = 12 months |
| ASR1000 | S train (SM release) | IOS XE 3.11 | Monthly PP Phase = 6 months; Critical Bug Fix Phase = 6 months; PSIRT Phase = 6 months |

* Please note: Information in table above is subject to change without notice

Extended Maintenance (EM) releases such as Cisco IOS-XE 3.10 and Cisco IOS 15.3(3)T will have protocol pack support for 48 months: 18 months of the protocol pack phase, followed by 18 months of the critical bug fix phase and then 12 months of the PSIRT phase.
Standard Maintenance (SM) releases such as Cisco IOS 15.4(1)T and Cisco IOS-XE 3.11 will have protocol pack support for 18 months: 6 months of the protocol pack phase, followed by 6 months of the critical bug fix phase and then 6 months of the PSIRT phase.
Protocol pack support defines three phases:
• Protocol Pack Phase: Monthly protocol packs are released in this phase. Bug fixes are provided in the next possible protocol pack, giving priority to critical signature defects and PSIRT. Customers must provide sufficient information to reproduce and test the scenario that the signature does not detect.
• Critical Bug Fix Phase: There are no monthly protocol packs in this phase. Only critical signature defects and PSIRT will be addressed during this phase. Customers must provide sufficient information to reproduce and test the scenario that the signature does not detect.
• PSIRT Phase: There are no monthly protocol packs in this phase. Only PSIRT will be addressed during this phase. Customers must provide sufficient information to reproduce and test the scenario that the signature does not detect.
Cisco will use its best efforts to create a signature with the maximum fidelity possible, with the NBAR technology available at that time. However, in some rare cases, it may not be possible to create such a signature until additional details regarding the test scenario that the signature does not detect have been discovered or disclosed. In these situations, rather than releasing a low-fidelity signature, Cisco will continue to assess the situation and gather additional data until a signature of sufficient fidelity can be released. Signatures may be improved over time to add additional detection capabilities.
Q. If a protocol pack can be used across a set of IOS image versions, how will it have different support timelines for SM and EM releases?
A. The support timeline is not for the protocol pack, but for the base image. A protocol pack is released every month for the platforms and versions that support it. If PP9.0 is released only for 3.9 and up, users won't be able to use it for 3.7, because it will be rejected.

Protocol Pack Licensing

Q. Which license do NBAR users require to load protocol packs?
A. NBAR2 users require the AVC (Application Visibility and Control) license on routers to load the protocol pack.

| Platform | Cisco IOS / IOS-XE Image | Default Protocol Pack |
|---|---|---|
| ISR-G2 | IP DATA Image (AVC License) | Advanced Protocol Pack |
| ISR-G2 (880 and 890) | Advanced IP Image (AVC License) | Advanced Protocol Pack |
| ASR1000 | Requires AVC Feature License. AVC license is supported with: 1] Advanced IP Services (AIS) Image; 2] Advanced Enterprise Image (AES) | Advanced Protocol Pack |

AVC is licensed as part of the DATA image for ISR-G2 routers (1900, 2900 and 3900 series routers) and as part of the advanced IP image for 880 and 890 series G2 routers. The default protocol pack with these images is also called the "Advanced Protocol Pack".
The Cisco IOS IP base images for ISR-G2 routers include the "Standard Protocol Pack". It is explained below in detail.
The "protocol pack" mentioned throughout this document refers to the "Advanced Protocol Pack".
Q. What is the difference between an advanced and standard protocol pack?
A. The standard protocol pack provides an option for NBAR1 users to upgrade to NBAR2 while maintaining NBAR1 capabilities. If NBAR1 had limitations, they remain in the standard protocol pack and will not be fixed. It includes only a subset of protocols, listed in the table below, and very limited NBAR2 functionality. It does not support NBAR2 features such as traffic categorization and attributes. It is not released on CCO, and there are no periodic releases or SLA associated with it. It is available as the default protocol pack in the IP Base image and does not require an AVC license.

| Platform | Cisco IOS / IOS-XE Image | Default Protocol Pack |
|---|---|---|
| ISR-G2 | IP Base Image | Standard Protocol Pack |
| ISR-G2 (880 and 890) | IP Base Image | Standard Protocol Pack |

The advanced protocol pack includes all NBAR2 supported protocols/applications. Support for new protocols/applications, signature updates and bug fixes are released periodically on CCO, as explained in the "Protocol Pack Release" section of this document. It carries an SLA (Service Level Agreement) as explained above. It supports all NBAR2 advanced features and is available as the default protocol pack in Cisco IOS/IOS-XE images with an AVC license.
All NBAR users are advised to use the "Advanced Protocol Pack".
Q. Which protocols / applications are supported in the standard protocol pack?
A. The table below lists the protocols / applications supported in the standard protocol pack.

| Category | Protocols |
|---|---|
| Enterprise Applications | Citrix ica, pcanywhere, novadigm, sap |
| Routing Protocols | Bgp, egp, eigrp, ospf, rip |
| Network Management | Icmp, snmp, syslog, RPC, nfs, Sun-rpc |
| Database | sqlnet, Ms-sql-server |
| Security and Tunneling | gre, ipinip, ipsec, L2tp, Ms-pptp, sftp, shttp, simap, sirc, sldap, snntp, Spop3, stelnet, socks, ssh |
| Voice | H323, rtcp, rtp, sip, Sccp/skinny, skype |
| Network Mail services | imap, Pop3, exchange, notes, smtp |
| Directory | Dhcp/bootp, finger, dns, kerberos, ldap |
| Streaming Media | Cu-seeme, netshow, Streamworks, vdolive, rtsp, mgcp, signalling, rsvp |
| Internet | ftp, gopher, http, irc, telnet, tftp, nntp, netbios, ntp, print, x-windows |
| Peer-to-Peer | bittorrent, Direct connect, eDonkey/eMule, fasttrack, gnutella, Kazaa, Winmx2.0 |

Protocol Pack Loading

Q. How can users load/unload a protocol pack?
A. The compatible protocol pack must first be copied locally to the router.
The "ip nbar protocol-pack <protocol pack file>" command can be used to load a protocol pack on the router.
The command syntax is:
[no] ip nbar protocol-pack <protocol pack file> [force]
The <protocol pack file> can be loaded from either the disk or flash, i.e. any file system that is local to the router.
ip nbar protocol-pack flash0:pp_file
To unload a previously loaded protocol pack, execute the "no" form of the above command.
no ip nbar protocol-pack flash0:pp_file
Alternatively, the following command reverts to the protocol pack that is built into the image.
default ip nbar protocol-pack
Q. What is the use of "force" option while loading/unloading a protocol pack?
A. Under normal circumstances, there are a number of checks that are performed before a protocol pack can be loaded. These include:

A] The version of the protocol pack should not be higher than the one in the base image.

B] The protocol pack must include all the protocols that are currently activated.

C] The protocol pack must include all the active attributes.

If any of these checks fails, loading of the protocol pack is not allowed.
These checks can be bypassed if the protocol pack load CLI is used with the "force" keyword.
ip nbar protocol-pack flash0:pp_file force
The CLI should be executed with the "force" argument in the following scenarios:

1. When the user needs to retain the loaded protocol pack configuration across Cisco IOS version upgrades/downgrades.

2. The force option can be used to override the active protocols check. When the force option is used, the CLI will be accepted even if the protocol pack doesn't contain the currently active protocol(s).

Q. Which show commands can users use for a protocol pack on the device?
A. The "show ip nbar protocol-pack active" command can be used to view the details of the current active protocol pack.
The command syntax is:
show ip nbar protocol-pack <active | protocol pack file> [detail]
This active protocol pack may be the one that is supplied with the base image or a custom protocol pack loaded by the user.
The "show ip nbar protocol-pack <protocol pack file>" command can be used to view the details of a non-loaded protocol pack file.
Without the "detail" argument, the protocol pack information such as name, publisher, and version will be displayed.
With the "detail" argument, the contents of the protocol pack, such as the protocols and versions in the pack, will be displayed.
Q. Can a user load a protocol pack on any Cisco IOS/IOS-XE image?
A. The minimum IOS version required to load an NBAR protocol pack on ISR-G2 platforms is Cisco IOS Software Release 15.2(4)M.
The minimum IOS-XE version required to load an NBAR protocol pack on ASR1K platforms is Cisco IOS-XE 3.7.
Protocol packs are released to specific NBAR engine versions. For example, Cisco IOS-XE 3.7 has NBAR engine 13, so protocol packs for it are written for engine 13 (pp-adv-asr1k-152-4.S-13-3.0.0.pack).
A protocol pack can be loaded if the engine version on the platform is the same as or higher than the version required by the protocol pack (13 in the example above).
Therefore NBAR protocol pack 3.0.0 for Cisco IOS-XE 3.7 can be loaded on top of Cisco IOS-XE 3.7 and Cisco IOS-XE 3.8, but protocol pack 3.0.0 for Cisco IOS-XE 3.8 cannot be loaded on top of XE 3.7.
To view the NBAR engine version on the device, use:
Router#sh ip nbar version | include software
It is strongly recommended to use the protocol pack that is the exact match for the engine, and also recommended to use the latest protocol pack for the base image.
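The following is an added example, not Cisco code and not part of the original FAQ: a pre-staging check that parses the file-name format described under "What is the protocol pack image name on CCO?" and applies the engine-version rule from the answer above. The function and class names, the platform-mismatch policy and the engine-14 file name in the demo are assumptions made for illustration; the device engine version is supplied by the operator from the "sh ip nbar version | include software" output.

```python
import re
from dataclasses import dataclass

# Documented layout: pp-adv-PLT-IOS-E-M.m.r.pack
# The IOS field contains a hyphen of its own (152-4M1, 152-4.S), so the
# pattern is anchored on the numeric fields at the right-hand end.
_PACK_RE = re.compile(
    r"^pp-adv-(?P<platform>[a-z0-9]+)-(?P<ios>.+?)-(?P<engine>\d+)"
    r"-(?P<major>\d+)\.(?P<minor>\d+)\.(?P<rebuild>\d+)\.pack$"
)


@dataclass(frozen=True)
class PackName:
    platform: str  # PLT, e.g. isrg2 or asr1k
    ios: str       # base Cisco IOS / IOS-XE image
    engine: int    # E: NBAR engine version the pack was written for
    major: int     # M: protocol pack release number
    minor: int     # m: 0 = major pack, 1 = minor pack
    rebuild: int   # r: rebuild number

    @property
    def kind(self) -> str:
        return "major" if self.minor == 0 else "minor"

    @property
    def version(self) -> str:
        return f"{self.major}.{self.minor}.{self.rebuild}"


def parse_pack_name(path: str) -> PackName:
    """Parse a pack file name; a device or directory prefix is ignored."""
    name = re.split(r"[:/]", path)[-1]
    m = _PACK_RE.match(name)
    if m is None:
        raise ValueError(f"not a protocol pack file name: {name!r}")
    f = m.groupdict()
    return PackName(f["platform"], f["ios"], int(f["engine"]),
                    int(f["major"]), int(f["minor"]), int(f["rebuild"]))


def assess(path: str, device_platform: str, device_engine: int) -> str:
    """Classify a pack against the target device before staging it."""
    pack = parse_pack_name(path)
    if pack.platform != device_platform:
        # Assumption of this example: never stage a pack built for another platform.
        return "reject: built for another platform"
    if pack.engine > device_engine:
        # FAQ rule: the device engine must be the same as or higher than the pack's.
        return "reject: pack needs a newer NBAR engine"
    if pack.engine < device_engine:
        return "loadable, not recommended: pack engine is older than the device's"
    return "recommended: exact engine match"


if __name__ == "__main__":
    # Constructed inputs. The first two names appear in the FAQ; the third,
    # with engine 14, is made up to show the rejection path.
    device = ("asr1k", 13)  # engine read from: sh ip nbar version | include software
    for name in ("flash0:pp-adv-asr1k-152-4.S-13-3.0.0.pack",
                 "pp-adv-isrg2-152-4M1-13-2.1.0.pack",
                 "pp-adv-asr1k-000-0.X-14-3.0.0.pack"):
        print(f"{name}: {assess(name, *device)}")
```

Because rebuilds of a release share one NBAR engine version, the check compares the engine field rather than the IOS string in the file name.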
Q. What are the steps to upgrade the protocol pack on the router?
A. Case 1: Upgrade the protocol pack on the router running Cisco IOS-XE 3.7

A] Use the "show ip nbar protocol-pack active" command to check the current active protocol pack on device.

B] Download the latest compatible protocol pack for Cisco IOS-XE 3.7 from the Cisco software download page. The compatible protocol pack has the engine version the same as the Cisco IOS-XE 3.7 image. Copy the protocol pack to the disk (including on standby).

C] Load the new protocol pack using the command below:

Router(config)#ip nbar protocol-pack flash0:pp_file

D] Verify that the new protocol pack is successfully loaded and is active.

Router#show ip nbar protocol-pack <active | protocol pack file> [detail]
Case 2: Protocol pack upgrade during IOS upgrade from Cisco IOS XE 3.7 to 3.8

A] Use the "show ip nbar protocol-pack active" command to check the current active protocol pack on the device. Assume the current protocol pack is PP 3.0.0 for XE 3.7.

B] Download the protocol pack 3.0.0 for XE 3.8 or the latest compatible protocol pack from the Cisco software download page. The compatible protocol pack has the same engine version as the Cisco IOS-XE 3.8 image. Copy the protocol pack to the disk (including on standby).

C] Upgrade the IOS to XE 3.8. At this point NBAR is working with a non-recommended protocol pack (3.0 for 3.7 on top of 3.8).

D] Load the new protocol pack using the command below:

Router(config)#ip nbar protocol-pack flash0:pp_file

E] Verify that the new protocol pack is successfully loaded and is active.

Router#show ip nbar protocol-pack <active | protocol pack file> [detail]

Miscellaneous

Q. If I load an incompatible protocol pack on my router, what is the impact?
A. If a user tries to load an incompatible protocol pack on a router, it will be rejected with an error message saying that the protocol pack is incompatible with the underlying IOS NBAR software version. The previous protocol pack will remain active on the device.
Q. What is the impact of loading a protocol pack on running traffic?
A. While a protocol pack is loading, data forwarding continues but packets are classified as unknown (ID:0) until the new protocol pack becomes active. Protocol pack loading time varies and depends on the protocol pack contents and the platform. Users are not allowed to enter any CLI commands until protocol pack loading is completed.
Q. The protocol pack file pp-adv-isrg2-152-4.M1-13-3.0.0.pack indicates the IOS release as 15.2(4)M1. I have 15.2(4)M2; will the protocol pack work?
A. Yes, it will work. A major release such as 15.2(4)M and all its rebuilds (M1, M2, M3, etc.) have the same NBAR engine version. A protocol pack compatible with the NBAR engine in IOS release 15.2(4)M will work with all its rebuilds, such as 15.2(4)M1, 15.2(4)M2, etc.
Q. How do I determine which PP is included with a particular IOS release? Does the latest IOS release come with the latest PP?
A. When a Cisco IOS/IOS-XE image is released, it comes with an integrated default protocol pack. This default protocol pack includes the contents of the protocol pack available at the time of integration. Protocol packs and IOS/IOS-XE images have different release cycles, so it is difficult to map a particular protocol pack to an IOS/IOS-XE image. It is also not guaranteed that a new IOS/IOS-XE image will have any contents of the latest protocol pack.