NBAR2 Protocol Pack 7.0.0
Release Notes for NBAR2 Protocol Pack 7.0.0

Overview

NBAR2 Protocol Pack 7.0.0 contains the Enhanced Web Classification feature, which supports multi-transaction export of URLs. For more information on this feature, see Classifying Network Traffic Using NBAR.

The other features added in this protocol pack are as follows:
  • SSL sub-classification
  • RTP dynamic payload type sub-classification
  • Microsoft Lync Audio/Video separation
  • Non-encrypted Cisco-Jabber support
  • Enhanced industrial protocol support (Modbus, DNP3)
  • Enhanced support for Microsoft cloud applications

Supported Platforms

Network Based Application Recognition (NBAR) Protocol Pack 7.0.0 is supported on Cisco ASR 1000 Series Aggregation Services Routers.

New Protocols in NBAR2 Protocol Pack 7.0.0

The following protocols are added to NBAR2 Protocol Pack 7.0.0:

Common Name | Syntax Name | Description
--- | --- | ---
Cisco Jabber Audio | cisco-jabber-audio | Cisco Jabber is a unified communications client application that provides presence, instant messaging (IM), voice, and video calling capabilities on many platforms. This protocol classifies the audio calls part of Cisco Jabber.
Cisco Jabber Control | cisco-jabber-control | Cisco Jabber is a unified communications client application that provides presence, instant messaging (IM), voice, and video calling capabilities on many platforms. This protocol classifies the control and signaling part of Cisco Jabber.
Cisco Jabber IM | cisco-jabber-im | Cisco Jabber is a unified communications client application that provides presence, instant messaging (IM), voice, and video calling capabilities on many platforms. This protocol classifies the text messaging part of Cisco Jabber.
Cisco Jabber Video | cisco-jabber-video | Cisco Jabber is a unified communications client application that provides presence, instant messaging (IM), voice, and video calling capabilities on many platforms. This protocol classifies the video calls part of Cisco Jabber.
Microsoft Lync Audio | ms-lync-audio | Microsoft Lync Audio is the audio call support in MS Lync. This protocol classifies the audio calls and the voice part of video calls. The classification is based on STUN and RTP.
Microsoft Lync Video | ms-lync-video | Microsoft Lync Video is the video call support in MS Lync. This protocol classifies the visual part of the video call. The voice in the video call is classified as ms-lync-audio. The classification is based on STUN and RTP.
Microsoft Office Web Applications | ms-office-web-apps | Microsoft Office Web Apps is the web-based version of the Microsoft Office productivity suite. It includes the web-based versions of Microsoft Word, Microsoft Excel, Microsoft PowerPoint, and Microsoft OneNote. The web applications allow users to access their documents within a web browser and collaborate with other users online.
Microsoft SkyDrive | skydrive | Microsoft SkyDrive is a file hosting service that allows users to upload and sync files to cloud storage and access them from a web browser or a mobile application.
Modbus TCP/IP | modbus | Modbus is a standard communication protocol for connecting industrial electronic devices. Modbus TCP/IP uses the Modbus instruction set and wraps TCP/IP around it.

New Features in NBAR2 Protocol Pack 7.0.0

SSL Unique-name Sub-classification

In this protocol pack, a new sub-classification parameter called 'unique-name' is introduced for SSL. The unique-name parameter can be used to match SSL sessions of servers that are not known globally, or are not yet supported by NBAR. The unique-name will match the server name indication (SNI) field in the client request if the SNI field exists, or it will match the common name (CN) field in the first certificate of the server's response.

The feature also supports SSL sessions that are resumed using a session ID, in addition to SSL sessions that perform a full handshake.

The following example shows how an SSL based service with the server name as 'finance.cisco.com' is matched using unique-name:

class-map match-any cisco-finance
 match protocol ssl unique-name finance.cisco.com


Note: The SSL sub-classification parameters have priority over the built-in signatures. Therefore, when a 'unique-name' defined by a user matches a known application such as Facebook, the flow will not match the built-in protocol but will match SSL with the configured sub-classification.

Note: Similar to the other sub-classification features, the classification result (for example, as seen in protocol-discovery) does not change and remains SSL. However, the flows matching the class maps (as shown in the preceding example) receive the services, such as QoS and Performance Monitor, configured for them. To view the detailed matching statistics, refer to the policy map counters.

Reference: http://tools.ietf.org/html/rfc6101

RTP Dynamic Payload Type Sub-classification

In this protocol pack, the existing sub-classification parameters for 'RTP audio' and 'RTP video' are enhanced to detect RTP flows that use dynamic payload types (PTs). Dynamic PTs are PTs in the dynamic range from 96 to 127 as defined in the RTP RFC, and are negotiated per session through signaling protocols such as SIP and RTSP. In this protocol pack, only RTP sessions initiated using SIP will match by dynamic payload type.

There is no change in the configuration of the feature.

The following example shows how to detect RTP audio flows that include both static and dynamic PT:

class-map match-any generic-rtp-audio
 match protocol rtp audio


Note: The RTP audio/video sub-classification parameters are generic in nature and will match only on generic RTP traffic. More specific classifications such as ms-lync-audio, cisco-jabber-audio, facetime, and cisco-phone will not match as RTP, and therefore will not match the audio/video sub-classification.

Reference: http://tools.ietf.org/html/rfc3551
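An added Python example (not Cisco's code or NBAR's implementation) of the classification described above: dynamic payload types are learned from a constructed SDP offer carried in a SIP INVITE, static payload types come from the RFC 3551 table, and each RTP packet is then classified as rtp audio, rtp video, or plain rtp.

```python
import struct

# Constructed SDP body from a SIP INVITE: PT 96 is negotiated as audio, 97 as video.
SAMPLE_SDP = """v=0
m=audio 49170 RTP/AVP 0 8 96
a=rtpmap:96 opus/48000/2
m=video 51372 RTP/AVP 97
a=rtpmap:97 H264/90000
"""

# Static payload types assigned by RFC 3551 (audio and video subsets).
STATIC_AUDIO = {0, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18}
STATIC_VIDEO = {25, 26, 28, 31, 32, 33, 34}

def dynamic_pt_map(sdp):
    """Return {pt: 'audio'|'video'} for dynamic PTs (96-127) offered on m= lines."""
    kinds = {}
    for line in sdp.splitlines():
        if line.startswith("m="):
            fields = line[2:].split()          # media, port, proto, fmt...
            for fmt in fields[3:]:
                pt = int(fmt)
                if 96 <= pt <= 127:
                    kinds[pt] = fields[0]
    return kinds

def rtp_packet(pt, seq=1):
    """Constructed minimal RTP packet: 12-byte header (V=2) plus dummy payload."""
    return struct.pack("!BBHII", 0x80, pt & 0x7F, seq, 0, 0x1234) + b"\x00" * 20

def classify_rtp(packet, dyn):
    """Mimic 'match protocol rtp audio|video': static PTs by table, dynamic PTs by SDP."""
    if len(packet) < 12 or packet[0] >> 6 != 2:      # RTP version field must be 2
        return "not-rtp"
    pt = packet[1] & 0x7F                            # low 7 bits of the second byte
    if pt in STATIC_AUDIO:
        return "rtp audio"
    if pt in STATIC_VIDEO:
        return "rtp video"
    if 96 <= pt <= 127 and pt in dyn:                # dynamic PT learned from SIP/SDP
        return "rtp " + dyn[pt]
    return "rtp"                                     # RTP, but no audio/video sub-class
```

A dynamic PT that was never announced in signaling (here, PT 100) stays plain rtp, which is the generic-RTP behaviour the note above describes.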

Modbus Function Code Subclassification

In this protocol pack, new sub-classification parameters are introduced for Modbus. The various sub-classification parameters can be used to match different function codes such as READ and WRITE operations of the Modbus protocol.

The parameters available for modbus protocol are as follows:

Parameter Name | Modbus Function Name | Modbus Function Code
--- | --- | ---
read-coils | Read Coils | 0x01
read-discrete-input | Read Discrete Inputs | 0x02
read-holding-registers | Read Holding Registers | 0x03
read-input-register | Read Input Register | 0x04
write-single-coil | Write Single Coil | 0x05
write-single-register | Write Single Register | 0x06
read-exception-status | Read Exception Status | 0x07
write-multiple-coils | Write Multiple Coils | 0x0F
write-multiple-registers | Write Multiple Registers | 0x10
read-file-record | Read File Record | 0x14
write-file-record | Write File Record | 0x15
mask-write-register | Mask Write Register | 0x16
read-or-write-registers | Read/Write Multiple Registers | 0x17
read-FIFO-Queue | Read FIFO Queue | 0x18
encapsulated-transport | Encapsulated Transport | 0x2B

The following example shows how to match a modbus function code:

class-map match-any modbus-read-coils
 match protocol modbus read-coils

Reference: http://www.modbus.org/docs/Modbus_Messaging_Implementation_Guide_V1_0b.pdf
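An added Python example (not Cisco's code or NBAR's implementation) that parses a constructed Modbus TCP frame and maps its function code to the parameter names in the table above, also flagging the write operations that a defender usually wants to separate out when building a class-map for industrial traffic.

```python
import struct

# Parameter names from the table above, keyed by Modbus function code.
MODBUS_PARAMS = {
    0x01: "read-coils", 0x02: "read-discrete-input", 0x03: "read-holding-registers",
    0x04: "read-input-register", 0x05: "write-single-coil", 0x06: "write-single-register",
    0x07: "read-exception-status", 0x0F: "write-multiple-coils",
    0x10: "write-multiple-registers", 0x14: "read-file-record",
    0x15: "write-file-record", 0x16: "mask-write-register",
    0x17: "read-or-write-registers", 0x18: "read-FIFO-Queue", 0x2B: "encapsulated-transport",
}
# Function codes that can change device state (the set a write-only class-map would cover).
WRITE_CODES = {0x05, 0x06, 0x0F, 0x10, 0x15, 0x16, 0x17}

def mbap_request(function_code, data, tid=1, unit=1):
    """Constructed Modbus TCP request: MBAP header + PDU (function code + data)."""
    pdu = bytes([function_code]) + data
    return struct.pack("!HHHB", tid, 0, len(pdu) + 1, unit) + pdu   # protocol id 0 = Modbus

def parse_modbus_tcp(frame):
    """Return the function code, its parameter name and flags, or None if not Modbus TCP."""
    if len(frame) < 8:
        return None
    tid, proto, length, unit = struct.unpack("!HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:   # length field covers unit id + PDU
        return None
    fc = frame[7]
    exception = bool(fc & 0x80)                    # error responses set bit 7 of the code
    code = fc & 0x7F
    return {"tid": tid, "unit": unit, "function_code": code,
            "param": MODBUS_PARAMS.get(code), "exception": exception,
            "is_write": code in WRITE_CODES}
```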

Updated Protocols in NBAR2 Protocol Pack 7.0.0

The following protocols are updated in NBAR2 Protocol Pack 7.0.0:

Protocol | Updates
--- | ---
blizwow | Updated signatures.
dnp | Updated signatures to support DNP 3.0.
espn-browsing | Updated signatures.
espn-video | Updated signatures.
imap | Updated signatures.
ms-office-365 | Updated signatures.
outlook-web-service | Updated signatures to support the outlook.com email service.
rtp | Updated signatures to support dynamic payload types.
sip | Updated signatures.
ssl | Updated signatures to support sub-classification by unique-name.
telnet | Updated signatures.

Deprecated Protocols in NBAR2 Protocol Pack 7.0.0

The following protocols are deprecated in NBAR2 Protocol Pack 7.0.0:
  • ghostsurf—service no longer available
  • guruguru—service no longer available
  • hotmail—replaced with outlook-web-service
  • livemeeting—replaced with ms-lync
  • megavideo—service no longer available
  • ms-lync-media—replaced with ms-lync-audio and ms-lync-video

Caveats in NBAR2 Protocol Pack 7.0.0


Note: If you have an account on Cisco.com, you can also use the Bug Toolkit to find select caveats of any severity. To reach the Bug Toolkit, log in to Cisco.com and go to http://www.cisco.com/pcgi-bin/Support/Bugtool/launch_bugtool.pl. (If the defect that you have requested cannot be displayed, this may be due to one or more of the following reasons: the defect number does not exist, the defect does not have a customer-visible description yet, or the defect has been marked Cisco Confidential.)


Resolved Caveats in NBAR2 Protocol Pack 7.0.0

The following table lists the resolved caveats in NBAR2 Protocol Pack 7.0.0:

Resolved Caveat | Description
--- | ---
CSCue08462 | Some Xunlei-KanKan traffic may be misclassified as Xunlei.
CSCuh63870 | Video traffic generated by some ESPN websites might be misclassified as unknown.
CSCuh63889 | Web traffic generated by some ESPN websites might be misclassified as unknown.

Known Caveats in NBAR2 Protocol Pack 7.0.0

The following table lists the known caveats in NBAR2 Protocol Pack 7.0.0:

Known Caveat | Description
--- | ---
CSCtx65481 | Traffic generated by pcAnywhere for Mac and the pcAnywhere mobile app might be misclassified as unknown.
CSCub62860 | gtalk-video might be misclassified as rtp.
CSCub89835 | The gbridge PC client might not be blocked.
CSCuc43505 | Traffic generated by AIM Pro might be misclassified as unknown and webex-meeting.
CSCug12174 | Under heavy SSL traffic, the following error message may appear: ": %STILE_CLIENT-4-MAX_LINK_TOUCH_WARN: F0: cpp_cp: NBAR number of flow-slinks threshold is reached, can't allocate more memory for flow-slinks"
CSCuh49380 | PCoIP session-priority configuration limitation.
CSCuh53623 | Segmented packets are not classified when using NBAR sub-classification.
CSCuh95182 | Some qqlive traffic may be misclassified as qq-accounts when qqlive is configured under a class-map.
CSCui50424 | When using Microsoft Lync in Office 365, the traffic might be misclassified as rtp or SSL.
CSCui53625 | SSL sub-classification will not be matched if a built-in protocol was matched in the SSL client-hello message.
CSCui58918 | SIP-related protocol classification and RTP sub-classification may fail when compact headers are used.
CSCui58922 | SIP-related protocol classification and RTP sub-classification may fail when field extraction is activated and the 'contact' or 'from' fields do not contain '@'.
CSCui70613 | Encrypted Cisco Jabber is not supported.
CSCui72228 | Matching under ms-office-web-apps attributes might be misclassified.
CSCui76906 | The drop policy may not work for the ms-office-web-apps protocol.
CSCui84201 | The drop policy may not work for the skydrive protocol.
CSCui85573 | cisco-jabber-video and cisco-phone might be misclassified when configured under a class-map.
CSCui85652 | cisco-jabber-video for Windows may not be classified correctly.
CSCuj07892 | Microsoft Lync might be misclassified in certain scenarios.

Restrictions and Limitations in NBAR2 Protocol Pack 7.0.0

The following table lists the limitations and restrictions in NBAR2 Protocol Pack 7.0.0:

Protocol | Limitation/Restriction
--- | ---
bittorrent | HTTP traffic generated by the BitComet bittorrent client might be classified as http.
capwap-data | For capwap-data to be classified correctly, capwap-control must also be enabled.
ftp | When configuring a QoS class-map with ftp-data, the ftp protocol must also be selected. As an alternative, the ftp application group can be selected.
hulu | Encrypted video streaming generated by hulu might be classified as its underlying protocol, rtmpe.
logmein | Traffic generated by the logmein Android app might be misclassified as ssl.
ms-lync | Login and chat traffic generated by the ms-lync client might be misclassified as ssl.
ms-lync 2013 | Traffic generated by the mobile or Mac app is not supported. ms-lync 2013 traffic, if any, might be misclassified.
qq-accounts | Login to QQ applications that is not via the web may not be classified as qq-accounts.
secondlife | Voice traffic generated by secondlife might be misclassified as ssl.

Downloading NBAR2 Protocol Packs

NBAR2 Protocol Packs are available for download as Software Type 'NBAR2 Protocol Pack' on the cisco.com software download page (http://www.cisco.com/cisco/software/navigator.html).

Additional References

Related Documents

Related Topic | Document Title
--- | ---
Application Visibility and Control | Application Visibility and Control Configuration Guide
Classifying Network Traffic Using NBAR | Classifying Network Traffic Using NBAR module
NBAR Protocol Pack | NBAR Protocol Pack module
QoS: NBAR Configuration Guide | QoS: NBAR Configuration Guide
QoS Command Reference | Quality of Service Solutions Command Reference