QoS: NBAR Configuration Guide, Cisco IOS XE Release 3S
Classifying Network Traffic Using NBAR
Classifying Network Traffic Using NBAR in Cisco Software
Last Updated: April 4, 2013
Network-Based Application Recognition (NBAR) is a classification engine that recognizes and classifies a wide variety of protocols and applications. When NBAR recognizes and classifies a protocol or an application, you can configure the network to apply the appropriate quality of service (QoS) for that application or traffic with the classified protocol.
This module contains an overview of classifying network traffic using NBAR in Cisco IOS software.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Restrictions for Classifying Network Traffic Using NBAR in Cisco Software
NBAR does not support the following applications:
NBAR is not supported on the following logical interfaces:
The following virtual interfaces are supported depending on your release:
If protocol discovery is enabled on both the tunnel interface and the physical interface on which the tunnel interface is configured, the packets that are designated to the tunnel interface are counted on both interfaces. On the physical interface, the packets are classified and are counted based on the encapsulation. On the tunnel interface, packets are classified and are counted based on the Layer 7 protocol.
Information About Classifying Network Traffic Using NBAR in Cisco Software
NBAR is a classification engine that recognizes and classifies a wide variety of protocols and applications, including web-based and other difficult-to-classify applications and protocols that use dynamic TCP/UDP port assignments.
When NBAR recognizes and classifies a protocol or an application, the network can be configured to apply the appropriate QoS for that application or traffic with that protocol. The QoS is applied using the MQC.
NBAR introduces several classification features that identify applications and protocols from Layer 4 through Layer 7. These classification features are as follows:
NBAR includes a Protocol Discovery feature that provides an easy way to discover application protocols that are operating on an interface. For more information about Protocol Discovery, see the "Enabling Protocol Discovery" module.
NBAR includes the Protocol Pack feature that provides an easy way to load protocols and helps NBAR recognize additional protocols for network traffic classification. A protocol pack is set a of protocols developed and packed together. A new protocol pack can be loaded on the device to replace the default IOS protocol pack that is already present in the device.
Identifying and classifying network traffic is an important first step in implementing QoS. A network administrator can more effectively implement QoS in a networking environment after identifying the number and types of applications and protocols that are running on a network.
NBAR gives network administrators the ability to see the different types of protocols and the amount of traffic generated by each protocol. After NBAR gathers this information, users can organize traffic into classes. These classes can then be used to provide different levels of service for network traffic, thereby allowing better network management by providing the appropriate level of network resources for the network traffic.
NBAR is also used in Cisco Application Visibility and Control (AVC). With AVC, NBAR provides better application performance through better QoS and policing, and provides finer visibility about the network that is being used.
With AVC license, the following NBAR features are supported:
NBAR and Classification of HTTP Traffic
Classification of HTTP Traffic by a URL Host or MIME
NBAR can classify application traffic by looking beyond the TCP/UDP port numbers of a packet. This is called subport classification. NBAR looks into the TCP/UDP payload itself and classifies packets based on content, such as the transaction identifier, message type, or other similar data, within the payload.
Classification of HTTP traffic by a URL, a host, or a Multipurpose Internet Mail Extension (MIME) type is an example of subport classification. NBAR classifies HTTP traffic by the text within the URL or host fields of a request by using regular expression matching. HTTP client request matching in NBAR supports most HTTP request methods such as GET, PUT, HEAD, POST, DELETE, OPTIONS, CONNECT, and TRACE. The NBAR engine then converts the specified match string into a regular expression.
The figure below illustrates a network topology with NBAR in which Device Y is the NBAR-enabled device.
When specifying a URL for classification, include only the portion of the URL that follows the www.hostname.domain in the match statement. For example, for the URL www.cisco.com/latest/whatsnew.html, include only /latest/whatsnew.html with the match statement (for instance, match protocol http url /latest/whatsnew.html).
Host specifications are identical to URL specifications. NBAR performs a regular expression match on the host field contents inside an HTTP packet and classifies all packets from that host. For example, for the URL www.cisco.com/latest/whatsnew.html, include only www.cisco.com.
For MIME type matching, the MIME type can contain any user-specified text string. A list of the Internet Assigned Numbers Authority (IANA) supported MIME types can be found at the following URL:
When matching by MIME type, NBAR matches a packet containing the MIME type and all subsequent packets until the next HTTP transaction.
NBAR supports URL and host classification in the presence of persistent HTTP. NBAR does not classify packets that are part of a pipelined request. With pipelined requests, multiple requests are pipelined to the server before previous requests are serviced. Pipelined requests are not supported with subclassification and tunneled protocols that use HTTP as the transport protocol.
The NBAR Extended Inspection for HTTP Traffic feature allows NBAR to scan TCP ports that are not well known and to identify HTTP traffic that traverses these ports. HTTP traffic classification is no longer limited to the well-known and defined TCP ports.
Depending on your release, the Enable NBAR URI Extraction for HTTP Transactions for Persistent Connections feature supports extraction and export of the URL field per transaction, and not only the URL of the first transaction as supported in earlier releases. To enable multi-transaction, a protocol pack with 'Enhanced Web Classification' has to be installed. When an Enhanced Web Classification protocol pack is installed, the match connection transaction-id command configuration in flexible netflow tracks multiple HTTP transactions. For more information on tracking HTTP transactions, refer to Cisco IOS Flexible NetFlow Configuration Guide.
Classification of HTTP Traffic by Using HTTP Header Fields
NBAR introduces expanded ability for users to classify HTTP traffic by using information in the HTTP header fields.
HTTP works using a client/server model. HTTP clients open connections by sending a request message to an HTTP server. The HTTP server then returns a response message to the HTTP client (this response message is typically the resource requested in the request message from the HTTP client). After delivering the response, the HTTP server closes the connection and the transaction is complete.
HTTP header fields are used to provide information about HTTP request and response messages. HTTP has numerous header fields. For additional information on HTTP headers, see section 14 of RFC 2616: Hypertext Transfer Protocol--HTTP/1.1. This RFC can be found at the following URL:
NBAR is able to classify the following HTTP header fields:
Within NBAR, the match protocol http c-header-field command is used to specify that NBAR identify request messages (the "c" in the c-header-field portion of the command is for client). The match protocol http s-header-field command is used to specify response messages (the "s" in the s-header-field portion of the command is for server).
Combinations of Classification of HTTP Headers and URL Host or MIME Type to Identify HTTP Traffic
Note that combinations of URL, Host, MIME type, and HTTP headers can be used during NBAR configuration. These combinations provide customers with more flexibility to classify specific HTTP traffic based on their network requirements.
NBAR and Classification of Citrix ICA Traffic
NBAR can classify Citrix Independent Computing Architecture (ICA) traffic and perform subport classification of Citrix traffic based on the published application name or ICA tag number.
Classification of Citrix ICA Traffic by Published Application Name
NBAR can monitor Citrix ICA client requests for a published application that is destined to a Citrix ICA Master browser. After the client requests the published application, the Citrix ICA master browser directs the client to the server with the most available memory. The Citrix ICA client then connects to this Citrix ICA server for the application.
In server browser mode, NBAR statefully tracks and monitors traffic and performs a regular expression search on the packet contents for the published application name specified by the match protocol citrix command. The published application name is specified by using the app keyword and the application-name-string argument of the match protocol citrix command. For more information about the match protocol citrix command, see the Quality of Service Solutions Command Reference.
The Citrix ICA session triggered to carry the specified application is cached, and traffic is classified appropriately for the published application name.
Citrix ICA Client Modes
Citrix ICA clients can be configured in various modes. NBAR cannot distinguish among Citrix applications in all modes of operation. Therefore, network administrators might need to collaborate with Citrix administrators to ensure that NBAR properly classifies Citrix traffic.
A Citrix administrator can configure Citrix to publish Citrix applications individually or in Published Desktop Mode. In the Published Desktop Mode of operation, all applications within the published desktop of a client use the same TCP session. Therefore, differentiation among applications is impossible, and NBAR can be used to classify Citrix applications only as aggregates (by looking at port 1494).
The Published Application Mode for Citrix ICA clients is recommended when you use NBAR. In Published Application Mode, a Citrix administrator can configure a Citrix client in either Seamless or Nonseamless (windows) modes of operation. In Nonseamless Mode, each Citrix application uses a separate TCP connection, and NBAR can be used to provide interapplication differentiation based on the name of the published application.
Seamless Mode clients can operate in one of two submodes: session sharing or nonsession sharing. In seamless session sharing mode, all clients share the same TCP connection, and NBAR is not able to differentiate among applications. Seamless sharing mode is enabled by default in some software releases. In seamless nonsession sharing mode, each application for each client uses a separate TCP connection. NBAR can provide interapplication differentiation in seamless nonsession sharing mode.
Classification of Citrix ICA Traffic by ICA Tag Number
Citrix uses a TCP session each time an application is opened. In the TCP session, a variety of Citrix traffic may be intermingled in the same session. For example, print traffic may be intermingled with interactive traffic, causing interruption and delay for a particular application.
Most users would prefer printing to be handled as a background process that does not interfere with the processing of higher-priority traffic. To accommodate this printing preference, the Citrix ICA protocol includes the ability to identify Citrix ICA traffic based on the ICA tag number of the packet. The ability to identify, tag, and prioritize Citrix ICA traffic is referred to as ICA Priority Packet Tagging. With ICA Priority Packet Tagging, Citrix ICA traffic is categorized as high, medium, low, and background, depending on the ICA tag of the packet.
When ICA traffic priority tag numbers are used, and the priority of the traffic is determined, QoS features can be implemented to determine how the traffic will be handled. For example, QoS traffic policing can be configured to transmit or drop packets with a specific priority.
Citrix ICA Packet Tagging
The Citrix ICA tag is included in the first two bytes of the Citrix ICA packet, after the initial negotiations are completed between the Citrix client and server.
The first two bytes of the packet (byte 1 and byte 2) contain the byte count and the ICA priority tag number. Byte 1 contains the low-order byte count, and the first two bits of byte 2 contain the priority tags. The other six bits contain the high-order byte count.
The ICA priority tag value can be a number from 0 to 3. The number indicates the packet priority, with 0 being the highest priority and 3 being the lowest priority.
To prioritize Citrix traffic by the ICA tag number of the packet, you must specify the tag number using the ica-tag keyword and the ica-tag-value argument of the match protocol citrix command. For more information about the match protocol citrix command, see the Quality of Service Solutions Command Reference.
The table below contains information about different Citrix traffic and the respective priority tags.
NBAR and RTP Payload Type Classification
Real-time Transport Protocol (RTP) is a packet format for multimedia data streams. It can be used for media-on-demand and for interactive services such as Internet telephony. RTP consists of a data part and a control part. The control part is called Real-Time Transport Control Protocol (RTCP). RTCP is a separate protocol that is supported by NBAR. It is important to note that the NBAR RTP Payload Type Classification feature does not identify RTCP packets and that RTCP packets run on odd-numbered ports and RTP packets run on even-numbered ports.
The data part of RTP is a thin protocol that provides support for applications with real-time properties such as continuous media (audio and video), which includes timing reconstruction, loss detection, and security and content identification. RTP is discussed in RFC 1889 (A Transport Protocol for Real-Time Applications) and RFC 1890 (RTP Profile for Audio and Video Conferences with Minimal Control).
The RTP payload type is the data transported by RTP in a packet, for example, audio samples or compressed video data.
The NBAR RTP Payload Type Classification feature not only allows real-time audio and video traffic to be statefully identified, but can also differentiate on the basis of audio and video codecs to provide more granular QoS. The RTP Payload Type Classification feature, therefore, does a deep-packet inspection into the RTP header to classify RTP packets.
For more information on the classification of RTP with NBAR, see NBAR RTP Payload Classification.
NBAR and Classification of Custom Protocols and Applications
NBAR supports the use of custom protocols to identify custom applications. Custom protocols support static port-based protocols and applications that NBAR does not currently support. You can add to the set of protocols and application types that NBAR recognizes by creating custom protocols.
Custom protocols extend the capability of NBAR Protocol Discovery to classify and monitor additional static port applications and allow NBAR to classify nonsupported static port traffic.
Once the custom protocols are defined, you can then use them with the help of NBAR Protocol Discovery and the MQC to classify the traffic.
With NBAR supporting the use of custom protocols, NBAR can map static TCP and UDP port numbers to the custom protocols.
There are two types of custom protocols:
NBAR includes the following characteristics related to predefined custom protocols and applications:
NBAR includes the following characteristics related to user-defined custom protocols and applications:
This additional keyword and two additional arguments allow for creation of more than one custom protocol based on the same port numbers.
NBAR and Classification with Dynamic PDLMs
Dynamic Packet Description Language Modules (PDLMs) allow new protocol support or enhance existing protocol support for NBAR without the requirement of a specific Cisco release upgrade and device reload. If the support is for enhancing protocols for NBAR, the module version of the PDLMs should be greater than the existing version of the PDLMs. Subsequent Cisco releases incorporate support for these new protocols.
Dynamic PDLMs are platform-specific and have a Software Family Identifier (SFI) embedded in them. Dynamic PDLMs of other platforms cannot be loaded on Cisco ASR 1000 Series Aggregation Services Routers.
The match protocol (NBAR) command is used to classify traffic on the basis of protocols supported by NBAR. NBAR can classify the following types of protocols:
To view the list of protocols supported in a protocol pack, see NBAR Protocol Library.
NBAR Protocol Pack
The NBAR protocol pack provides an easy way to update protocols supported by NBAR without replacing the base IOS image that is already present in the device. A protocol pack is a set of protocols developed and packed together. For more information about loading an NBAR Protocol Pack, see the QoS: NBAR Configuration Guide. To view the list of protocols supported in a protocol pack, see NBAR Protocol Library.
NBAR and Classification of Peer-to-Peer File-Sharing Applications
The following applications are the most common peer-to-peer file-sharing applications supported by NBAR:
DirectConnect and eDonkey P2P protocols support the following subclassifications depending on your release:
The Gnutella file sharing became classifiable using NBAR in Cisco IOS XE Release 2.5.
Applications that use the Gnutella protocol are Bearshare, Gnewtellium, Gnucleus, Gtk-Gnutella, Limewire, Mutella, Phex, Qtella, Swapper, and Xolo. The traffic from the applications that use the Gnutella protocol will be classified as Gnutella and not as the respective application.
NBAR Multi stage Classification
NBAR supports a wide range of stateful network protocols such as HTTP classification by URL, Host and MIME type, FTP, TFTP, and so on. NBAR classifies static-port protocols such as those classifiable with access control lists (ACLs).
Multi stage classification reports the underlying protocol as a temporary classification instead of an unknown classification. For example, in earlier releases, to support cases like Video-over-HTTP, where the signature is found on the HTTP response packet, recursive classification over HTTP was allowed causing the first packet of HTTP flows to be reported as unknown, which in turn impacted the following:
Prior to NBAR multi stage classification, NBAR reported an unknown classification result until a final classification decision was reached. NBAR multi stage classification returns the most up-to-date classification decision. It modifies the data path to expose the underlying protocols from media partitioning (MP) recursive classification path--instead of returning "unknown" until a final classification is available, it returns the current (temporary) classification decision.
NBAR multi stage classification has the following characteristics:
If a system has a policy that matches a protocol like SOCKet Secure (SOCKS), which is an underlying protocol for AOL Instant Messenger (AIM) and Bittorrent, when all other protocols have failed (when other protocols are also enabled, either through protocol discovery or through FNF or explicitly through modular QoS CLI [MQC]), this policy would match the first packets of AIM or Bittorrent flows as SOCKS. Blocking the underlying protocol while allowing non underlying protocols is not possible with multi stage classification.
When a user configures different priorities for each classification on the traffic flow, the flow might be directed to different output queues. With multi stage classification more than one classification decision for a single traffic flow may occur. When the traffic is based on prioritized classification, we recommend that the underlying protocols get a higher priority (for example, HTTP get a higher priority than Video-over-HTTP).
Performance Routing (PfR)
When PfR checks the classification from NBAR to make a routing decision, it takes into account if this is a final classification or not. If it is not the final classification, no routing decision is made as it may split the traffic flow to many paths resulting in an "unknown" classification.
NBAR clients let the users know if the classification is temporary or not.
Depending on your release, there is a limit to the number of interfaces on which protocol discovery can be enabled. The following table provides details of the protocol discovery supported interface and the release number.
The number of bidirectional flows and the platforms supported are same for all releases. A new method to reduce the number of active flows based on quick aging is introduced.
Quick aging occurs under the following conditions:
The quick aging method reduces the number of flows required for NBAR operation up to three times or more depending on the network behavior.
The Cisco Cloud Services Router 1000V Series devices exhibit the same behavior as that of ESP5 with respect to flow scalability.
Flow Table Sizing
The ip nbar resources flow max-sessions command provides the option to override the default maximum flow sessions that are allowed in a flow table. The performance of the device with the NBAR feature depends on the memory size and the number of flows configured for the flow table. The flexibility to change the number of flows helps in increasing the performance of the system depending on the capacity of the device. To verify the NBAR flow statistics, use the show ip nbar resources flow command.
The following table provides the details of the platform and the flow size limits:
To reduce the memory impact, the recommended number of flows is 50,000, where such a configuration is sufficient.
NBAR Protocol Discovery
NBAR includes a feature called Protocol Discovery. Protocol discovery provides an easy way to discover protocol packets passing through an interface. For more information about Protocol Discovery, see the "Enabling Protocol Discovery" module.
NBAR Protocol Discovery MIB
The NBAR Protocol Discovery MIB expands the capabilities of NBAR Protocol Discovery by providing the following new functionalities through the Simple Network Management Protocol (SNMP):
For more information about the NBAR Protocol Discovery MIB, see the "Network-Based Application Recognition Protocol Discovery Management Information Base" module.
NBAR Configuration Processes
You can configure NBAR in the following two ways:
For more information about the NBAR configuration, see the QoS: NBAR Configuration Guide.
NBAR is restarted under the following circumstances.
Restart involves deactivating and reactivating NBAR. During this time, all packets are classified as 'Unknown' by NBAR. Once NBAR is reactivated, classification is activated.
NBAR and Multipacket Classification
Depending on your release, NBAR provides the ability to simultaneously search large number of multipacket signatures. This new technique is supported for many of the new protocols. This technique also provides improved performance and accuracy for other protocols. Along with the support for new signatures, the multipacket classification capabilities change NBAR behavior in the following ways:
NBAR on VRF Interfaces
Depending on your release, the NBAR IPv4 and IPv6 classification on VRF interfaces is supported.
NBAR and IPv6
Depending on your release, the following types of classification are supported:
NBAR Support for IPv6
Depending on your release, NBAR supports the following types of classification:
NBAR supports IPv6 in IPv4 (6-to-4, 6rd, and ISATAP), and teredo tunneled classification. The ip nbar classification tunneled-traffic command is used to enable the tunneled traffic classification. When the tunneled traffic classification is enabled, NBAR performs an application classification of IPv6 packets that are carried inside the IPv4 traffic. If the ip nbar classification tunneled-traffic command is disabled, the tunneled IPv6 packets are handled as IPv4 packets.
NBAR supports the capture of IPv6 fields and allows the creation of IPv6 traffic-based flow monitors. When you enable the ipv6 flow monitor command, the monitor is bound to the interface, NBAR classification is applied to the IPv6 traffic type, and Flexible NetFlow captures the application IDs in the IPv6 traffic flow.
NBAR Categorization and Attributes
The NBAR Categorization and Attributes feature provides the mechanism to match protocols or applications based on certain attributes. Categorizing the protocols and applications into different groups will help with reporting and performing group actions, such as applying QoS policies, on them. Attributes are statically assigned to each protocol or application, and they are not dependent on the traffic. The following attributes are available to configure the match criteria using the match protocol attribute command:
How to Classify Network Traffic Using NBAR in Cisco Software
Configuring Attribute-Based Protocol Match
Configuration Examples for Classifying Network Traffic Using NBAR in Cisco Software
Example: Classification of HTTP Traffic Using the HTTP Header Fields
In the following example, any request message that contains "email@example.com" in the user-agent, referer, or from field will be classified by NBAR. Typically, a term with a format similar to "firstname.lastname@example.org" would be found in the From header field of the HTTP request message.
Device(config)# class-map match-all class1 Device(config-cmap)# match protocol http from "email@example.com"
In the following example, any request message that contains "http://www.cisco.com/routers" in the User-Agent, Referer, or From field will be classified by NBAR. Typically, a term with a format similar to "http://www.cisco.com/routers" would be found in the Referer header field of the HTTP request message.
Device(config)# class-map match-all class2 Device(config-cmap)# match protocol http referer "http://www.cisco.com/routers"
In the following example, any request message that contains "CERN-LineMode/2.15" in the User-Agent, Referer, or From header field will be classified by NBAR. Typically, a term with a format similar to "CERN-LineMode/2.15" would be found in the User-Agent header field of the HTTP request message.
Device(config)# class-map match-all class3 Device(config-cmap)# match protocol http user-agent "CERN-LineMode/2.15"
In the following example, any response message that contains "CERN/3.0" in the Content-Base (if available), Content-Encoding, Location, or Server header field will be classified by NBAR. Typically, a term with a format similar to "CERN/3.0" would be found in the Server header field of the response message.
Device(config)# class-map match-all class4 Device(config-cmap)# match protocol http server "CERN/3.0"
In the following example, any response message that contains "http://www.cisco.com/routers" in the Content-Base (if available), Content-Encoding, Location, or Server header field will be classified by NBAR. Typically, a term with a format similar to "http://www.cisco.com/routers" would be found in the Content-Base (if available) or Location header field of the response message.
Device(config)# class-map match-all class5 Device(config-cmap)# match protocol http location "http://www.cisco.com/routers"
In the following example, any response message that contains "gzip" in the Content-Base (if available), Content-Encoding, Location, or Server header field will be classified by NBAR. Typically, the term "gzip" would be found in the Content-Encoding header field of the response message.
Device(config)# class-map match-all class6 Device(config-cmap)# match protocol http content-encoding "gzip"
Example: Combinations of Classification of HTTP Headers and URL Host or MIME Type to Identify HTTP Traffic
In the following example, HTTP header fields are combined with a URL to classify traffic. In this example, traffic with a User-Agent field of "CERN-LineMode/3.0" and a Server field of "CERN/3.0", along with host name "cisco.com" and URL "/routers", are classified using NBAR:
Device(config)# class-map match-all c-http Device(config-cmap)# match protocol http user-agent "CERN-LineMode/3.0" Device(config-cmap)# match protocol http server "CERN/3.0" Device(config-cmap)# match protocol http host cisco* Device(config-cmap)# match protocol http url /routers
Example: NBAR and Classification of Custom Protocols and Applications
In the following example, the custom protocol app-sales1 will identify TCP packets that have a source port of 4567 and that contain the term "SALES" in the fifth byte of the payload:
Device(config)# ip nbar custom app-sales1 5 ascii SALES source tcp 4567
In the following example, the custom protocol virus-home will identify UDP packets that have a destination port of 3000 and that contain "0x56" in the seventh byte of the payload:
Device(config)# ip nbar custom virus-home 7 hex 0x56 destination udp 3000
In the following example, the custom protocol media_new will identify TCP packets that have a destination or source port of 4500 and that have a value of 90 at the sixth byte of the payload:
Device(config)# ip nbar custom media_new 6 decimal 90 tcp 4500
In the following example, the custom protocol msn1 will look for TCP packets that have a destination or source port of 6700:
Device(config)# ip nbar custom msn1 tcp 6700
In the following example, the custom protocol mail_x will look for UDP packets that have a destination port of 8202:
Device(config)# ip nbar custom mail_x destination udp 8202
In the following example, the custom protocol mail_y will look for UDP packets that have destination ports between 3000 and 4000 inclusive:
Device(config)# ip nbar custom mail_y destination udp range 3000 4000
Example: NBAR and Classification of Peer-to-Peer File-Sharing Applications
The match protocol gnutella file-transfer regular-expression and match protocol fasttrack file-transfer regular-expression commands are used to enable Gnutella and FastTrack classification in a traffic class. The file-transfer keyword indicates that a regular expression variable will be used to identify specific Gnutella or FastTrack traffic. The regular-expression variable can be expressed as "*" to indicate that all FastTrack or Gnutella traffic be classified by a traffic class.
In the following example, all FastTrack traffic is classified into class map nbar:
Device(config)# class-map match-all nbar Device(config-cmap)# match protocol fasttrack file-transfer "*"
Similarly, all Gnutella traffic is classified into class map nbar in the following example:
Device(config)# class-map match-all nbar Device(config-cmap)# match protocol gnutella file-transfer "*"
Wildcard characters in a regular expression can also be used to identify specified Gnutella and FastTrack traffic. These regular expression matches can be used to match on the basis of a filename extension or a particular string in a filename.
In the following example, all Gnutella files that have the .mpeg extension are classified into class map nbar:
Device(config)# class-map match-all nbar Device(config-cmap)# match protocol gnutella file-transfer "*.mpeg"
In the following example, only Gnutella traffic that contains the characters "cisco" is classified:
Device(config)# class-map match-all nbar Device(config-cmap)# match protocol gnutella file-transfer "*cisco*"
The same examples can be used for FastTrack traffic:
Device(config)# class-map match-all nbar Device(config-cmap)# match protocol fasttrack file-transfer "*.mpeg"
Device(config)# class-map match-all nbar Device(config-cmap)# match protocol fasttrack file-transfer "*cisco*"
Example: Configuring Attribute-Based Protocol Match
The match protocol attributes command is used to configure different attributes as the match criteria for application recognition.
In the following example, the email-related applications category is configured as the match criterion:
Device# configure terminal Device(config)# class-map mygroup Device(config-cmap)# match protocol attribute category email
In the following example, skype-group applications are configured as the match criterion:
Device# configure terminal Device(config)# class-map apps Device(config-cmap)# match protocol attribute application-group skype-group
In the following example, encrypted applications are configured as the match criterion:
Device# configure terminal Device(config)# class-map my-class Device(config-cmap)# match protocol encrypted encrypted-yes
In the following example, Client-server subcategory applications are configured as the match criterion:
Device# configure terminal Device(config)# class-map newmap Device(config-cmap)# match protocol attribute sub-category client-server
In the following example, tunneled applications are configured as the match criterion:
Device# configure terminal Device(config)# class-map mygroup Device(config-cmap)# match protocol attribute tunnel tunnel-yes
The following sample output from the show ip nbar attribute command displays the details of all the attributes:
Device# show ip nbar attribute Name : category Help : category attribute Type : group Groups : email, newsgroup, location-based-services, instant-messaging, netg Need : Mandatory Default : other Name : sub-category Help : sub-category attribute Type : group Groups : routing-protocol, terminal, epayment, remote-access-terminal, nen Need : Mandatory Default : other Name : application-group Help : application-group attribute Type : group Groups : skype-group, wap-group, pop3-group, kerberos-group, tftp-group, bp Need : Mandatory Default : other Name : tunnel Help : Tunnelled applications Type : group Groups : tunnel-no, tunnel-yes, tunnel-unassigned Need : Mandatory Default : tunnel-unassigned Name : encrypted Help : Encrypted applications Type : group Groups : encrypted-yes, encrypted-no, encrypted-unassigned Need : Mandatory Default : encrypted-unassigned
The following sample output from the show ip nbar protocol-attribute command displays the details of the protocols:
Device# show ip nbar protocol-attribute Protocol Name : ftp category : file-sharing sub-category : client-server application-group : ftp-group tunnel : tunnel-no encrypted : encrypted-no Protocol Name : http category : browsing sub-category : other application-group : other tunnel : tunnel-no encrypted : encrypted-no Protocol Name : egp category : net-admin sub-category : routing-protocol application-group : other tunnel : tunnel-no encrypted : encrypted-no Protocol Name : gre category : net-admin sub-category : tunneling-protocols application-group : other tunnel : tunnel-yes encrypted : encrypted-no
Feature Information for Classifying Network Traffic Using NBAR
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Encryption--Encryption is the application of a specific algorithm to data so as to alter the appearance of the data, making it incomprehensible to those who are not authorized to see the information.
HTTP--Hypertext Transfer Protocol. The protocol used by web browsers and web servers to transfer files, such as text and graphic files.
IANA--Internet Assigned Numbers Authority. An organization operated under the auspices of the Internet Society (ISOC) as a part of the Internet Architecture Board (IAB). IANA delegates authority for IP address-space allocation and domain-name assignment to the InterNIC and other organizations. IANA also maintains a database of assigned protocol identifiers used in the TCP/IP stack, including autonomous system numbers.
LAN--Local-area network. A high-speed, low-error data network that covers a relatively small geographic area (up to a few thousand meters). LANs connect workstations, peripherals, terminals, and other devices in a single building or other geographically limited area. LAN standards specify cabling and signaling at the physical and data link layers of the Open System Interconnection (OSI) model. Ethernet, FDDI, and Token Ring are widely used LAN technologies.
MIME--Multipurpose Internet Mail Extension. The standard for transmitting nontext data (or data that cannot be represented in plain ASCII code) in Internet mail, such as binary, foreign language text (such as Russian or Chinese), audio, and video data. MIME is defined in RFC 2045, Multipurpose Internet Mail Extension (MIME) Part One: Format of Internet Message Bodies .
MPLS--Multiprotocol Label Switching. A switching method that forwards IP traffic using a label. This label instructs the routers and the switches in the network where to forward the packets based on preestablished IP routing information.
MQC--Modular quality of service command-line interface. A CLI that allows you to define traffic classes, create and configure traffic policies (policy maps), and then attach the policy maps to interfaces. Policy maps are used to apply the appropriate quality of service (QoS) to network traffic.
Protocol Discovery--A feature included with NBAR. Protocol Discovery provides a way to discover the application protocols that are operating on an interface.
QoS--Quality of service. A measure of performance for a transmission system that reflects its transmission quality and service availability.
RTCP--RTP Control Protocol. A protocol that monitors the QoS of an IPv6 real-time transport protocol (RTP) connection and conveys information about the ongoing session.
Stateful protocol--A protocol that uses TCP and UDP port numbers that are determined at connection time.
Static protocol--A protocol that uses well-defined (predetermined) TCP and UDP ports for communication.
Subport classification--The classification of network traffic by information that is contained in the packet payload, that is, information found beyond the TCP or UDP port number.
TCP--Transmission Control Protocol. A connection-oriented transport layer protocol that provides reliable full-duplex data transmission. TCP is part of the TCP/IP protocol stack.
Tunneling--Tunneling is an architecture that is designed to provide the services necessary to implement any standard point-to-point encapsulation scheme.
UDP--User Datagram Protocol. A connectionless transport layer protocol in the TCP /IP protocol stack. UDP is a simple protocol that exchanges datagrams without acknowledgments or guaranteed delivery, requiring that error processing and retransmission be handled by other protocols. UDP is defined in RFC 768, User Datagram Protocol .
WAN--Wide-area network. A data communications network that serves users across a broad geographic area and often uses transmission devices provided by common carriers.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
© 2013 Cisco Systems, Inc. All rights reserved.