Classifying Network Traffic Using NBAR
Download this chapter
Classifying Network Traffic Using NBARClassifying Network Traffic Using NBAR
give_us_feedback

Table Of Contents

Classifying Network Traffic Using NBAR

Contents

Prerequisites for Using NBAR

Restrictions for Using NBAR

Information About Using NBAR

NBAR Functionality

NBAR Benefits

NBAR and Classification of HTTP Traffic

Classification of HTTP Traffic by URL, Host, or MIME

Classification of HTTP Traffic Using the HTTP Header Fields

Combining Classification of HTTP Headers and URL, Host, or MIME Type to Identify HTTP Traffic

NBAR and Classification of Citrix ICA Traffic

Classification of Citrix ICA Traffic by Published Application Name

Classification of Citrix ICA Traffic by ICA Tag Number

NBAR and RTP Payload Type Classification

NBAR and Classification of Custom Protocols and Applications

NBAR and Classification of Peer-to-Peer File-Sharing Applications

NBAR and Classification of Streaming Protocols

NBAR and AutoQoS

NBAR-Supported Protocols

NBAR Memory Management

NBAR Protocol Discovery

NBAR Protocol Discovery MIB

NBAR Configuration Processes

Where to Go Next

Additional References

Related Documents

Standards

MIBs

RFCs

Technical Assistance

Glossary


Classifying Network Traffic Using NBAR

First Published: April 4, 2006
Last Updated: May 7, 2007

Network-Based Application Recognition (NBAR) is a classification engine that recognizes and classifies a wide variety of protocols and applications. When NBAR recognizes and classifies a protocol or application, the network can be configured to apply the appropriate quality of service (QoS) for that application or traffic with that protocol.

This module contains overview information about classifying network traffic using NBAR. The processes for configuring NBAR are documented in separate modules.

Note This module includes information for both NBAR and Distributed Network-Based Application Recognition (dNBAR). dNBAR is NBAR used on the Cisco 7500 router with a Versatile Interface Processor (VIP) and on the Catalyst 6000 family of switches with a FlexWAN module. The implementation of NBAR and dNBAR is identical. Therefore, unless otherwise noted, the term NBAR is used throughout this module to describe both NBAR and dNBAR. The term dNBAR is used only when applicable.

Contents

Prerequisites for Using NBAR

Restrictions for Using NBAR

Information About Using NBAR

Where to Go Next

Additional References

Glossary

Prerequisites for Using NBAR

CEF

Before you configure NBAR, you must enable Cisco Express Forwarding (CEF). For more information on CEF, see the Cisco IOS IP Switching Configuration Guide, Release 12.4.

Stateful Switchover Support

NBAR is currently not supported with Stateful Switchover (SSO). This restriction applies to the Catalyst 6500 switches and to the Cisco 7500 and Cisco 7600 series routers.

Memory Requirements for dNBAR

To use dNBAR on a Cisco 7500 series router, you must be using a slot controller (or VIP processor) that has 64 MB of DRAM or more. Therefore, before configuring dNBAR on your Cisco 7500 series router, review the DRAM specifications for your particular slot controller or VIP processor.

Restrictions for Using NBAR

NBAR does not support the following:

More than 24 concurrent URLs, hosts, or Multipurpose Internet Mail Extension (MIME) type matches.

Matching beyond the first 400 bytes in a packet payload in Cisco IOS releases before Cisco IOS Release 12.3(7)T. In Cisco IOS Release 12.3(7)T, this restriction was removed, and NBAR now supports full payload inspection. The only exception is that NBAR can inspect custom protocol traffic for only 255 bytes into the payload.

Non-IP traffic.

Multiprotocol Label Switching (MPLS)-labelled packets. NBAR classifies IP packets only. You can, however, use NBAR to classify IP traffic before the traffic is handed over to MPLS. Use the Modular Quality of Service (QoS) Command-Line Interface (CLI) (MQC) to set the IP differentiated services code point (DSCP) field on the NBAR-classified packets and make MPLS map the DSCP setting to the MPLS experimental (EXP) setting inside the MPLS header.

Multicast and other non-CEF switching modes.

Fragmented packets.

Pipelined persistent HTTP requests.

URL/host/MIME classification with secure HTTP.

Asymmetric flows with stateful protocols.

Packets that originate from or that are destined to the router running NBAR.

NBAR is not supported on the following logical interfaces:

Fast EtherChannel

Dialer interfaces until Cisco IOS Release 12.2(4)T

Interfaces where tunneling or encryption is used

Note You cannot use NBAR to classify output traffic on a WAN link where tunneling or encryption is used. Therefore, you should configure NBAR on other interfaces of the router (such as a LAN link) to perform input classification before the traffic is switched to the WAN link.

Information About Using NBAR

Before classifying network traffic using NBAR, you should understand the following concepts:

NBAR Functionality

NBAR Benefits

NBAR and Classification of HTTP Traffic

NBAR and Classification of Citrix ICA Traffic

NBAR and RTP Payload Type Classification

NBAR and Classification of Custom Protocols and Applications

NBAR and Classification of Peer-to-Peer File-Sharing Applications

NBAR and Classification of Streaming Protocols

NBAR and AutoQoS

NBAR-Supported Protocols

NBAR Memory Management

NBAR Protocol Discovery

NBAR Protocol Discovery MIB

NBAR Configuration Processes

NBAR Functionality

NBAR is a classification engine that recognizes and classifies a wide variety of protocols and applications, including web-based and other difficult-to-classify applications and protocols that use dynamic TCP/UDP port assignments.

When NBAR recognizes and classifies a protocol or application, the network can be configured to apply the appropriate QoS for that application or traffic with that protocol. The QoS is applied using the Modular Quality of Service Command-Line Interface (MQC).

Note For more information about NBAR and its relationship with the MQC, see the "Configuring NBAR Using the MQC" module.

Examples of the QoS features that can be applied to the network traffic (using the MQC) after NBAR has recognized and classified the application or protocol include the following:

Class-Based Marking

Class-Based Weighted Fair Queuing (CBWFQ)

Low Latency Queuing (LLQ)

Traffic Policing

Traffic Shaping

For Cisco IOS Release 12.2(18)ZY, on the Catalyst 6500 series switch (that is equipped with a Supervisor 32/programmable intelligent services accelerator [PISA] engine), QoS features such as the ones listed below can be configured. These features can be configured (using the MQC) after NBAR has recognized and classified the application or protocol.

Traffic Classification

Traffic Marking

Traffic Policing

Note For more information about the QoS features, see the Cisco IOS Quality of Service Solutions Configuration Guide, Release 12.4. For more information about the Catalyst 6500 series switch and QoS, see the "Configuring QoS" chapter of the Catalyst 6500 Series Software Configuration Guide, 8.5.

NBAR introduces several classification features that identify applications and protocols from Layer 4 through Layer 7. These classification features include the following:

Statically assigned TCP and UDP port numbers.

Non-TCP and non-UDP IP protocols.

Dynamically assigned TCP and UDP port numbers.

This kind of classification requires stateful inspection; that is, the ability to inspect a protocol across multiple packets during packet classification.

Subport classification or classification based on deep-packet inspection.

Deep-packet classification is classification performed at a finer level of granularity. For instance, if a packet is already classified as HTTP traffic, it may be further classified by HTTP traffic with a specific URL.

Note Access control lists (ACLs) can also be used for classifying static port protocols. However, NBAR is easier to configure, and NBAR can provide classification statistics that are not available when ACLs are used.

NBAR includes a Protocol Discovery feature that provides an easy way to discover application protocols that are operating on an interface. For more information about Protocol Discovery, see the "Enabling Protocol Discovery" module.

Note NBAR classifies network traffic by application or protocol. Network traffic can be classified without using NBAR. For information about classifying network traffic without using NBAR, see the "Classifying Network Traffic" module of the Cisco IOS Quality of Service Solutions Configuration Guide, Release 12.4.

NBAR Benefits

Improved Network Management

Identifying and classifying network traffic is an important first step in implementing QoS. A network administrator can more effectively implement QoS in a networking environment after identifying the amount and the variety of applications and protocols that are running on a network.

NBAR gives network administrators the ability to see the variety of protocols and the amount of traffic generated by each protocol. After gathering this information, NBAR allows users to organize traffic into classes. These classes can then be used to provide different levels of service for network traffic, thereby allowing better network management by providing the right level of network resources for network traffic.

NBAR and Classification of HTTP Traffic

This section includes information about the following topics:

Classification of HTTP Traffic by URL, Host, or MIME

Classification of HTTP Traffic Using the HTTP Header Fields

Combining Classification of HTTP Headers and URL, Host, or MIME Type to Identify HTTP Traffic

Classification of HTTP Traffic by URL, Host, or MIME

NBAR can classify application traffic by looking beyond the TCP/UDP port numbers of a packet. This is subport classification. NBAR looks into the TCP/UDP payload itself and classifies packets based on content within the payload such as that transaction identifier, message type, or other similar data.

Classification of HTTP traffic by URL, host, or Multipurpose Internet Mail Extension (MIME) type is an example of subport classification. NBAR classifies HTTP traffic by text within the URL or host fields of a request using regular expression matching. HTTP URL matching in NBAR supports most HTTP request methods such as GET, PUT, HEAD, POST, DELETE, and TRACE. The NBAR engine then converts the specified match string into a regular expression.

NBAR recognizes HTTP packets that contain the URL and classifies all packets that are sent to the source of the HTTP request. Figure 1 illustrates a network topology with NBAR in which Router Y is the NBAR-enabled router.

Figure 1 Network Topology with NBAR

When specifying a URL for classification, include only the portion of the URL that follows the www.hostname.domain in the match statement. For example, for the URL www.cisco.com/latest/whatsnew.html, include only /latest/whatsnew.html.

Host specification is identical to URL specification. NBAR performs a regular expression match on the host field contents inside an HTTP packet and classifies all packets from that host. For example, for the URL www.cisco.com/latest/whatsnew.html, include only www.cisco.com.

For MIME type matching, the MIME type can contain any user-specified text string. A list of the Internet Assigned Numbers Authority (IANA)-supported MIME types can be found at the following URL:

ftp://ftp.isi.edu/in-notes/iana/assignments/media-types/media-types

In MIME type matching, NBAR classifies the packet that contains the MIME type and all subsequent packets, which are sent to the source of the HTTP request.

NBAR supports URL and host classification in the presence of persistent HTTP. NBAR does not classify packets that are part of a pipelined request. With pipelined requests, multiple requests are pipelined to the server before previous requests are serviced. Pipelined requests are a less commonly used type of persistent HTTP request.

In Cisco IOS Release 12.3(4)T, the NBAR Extended Inspection for HTTP Traffic feature was introduced. This feature allows NBAR to scan TCP ports that are not well known and to identify HTTP traffic that traverses these ports. HTTP traffic classification is no longer limited to the well-known and defined TCP ports.

Classification of HTTP Traffic Using the HTTP Header Fields

In Cisco IOS Release 12.3(11)T, NBAR introduced expanded ability for users to classify HTTP traffic using information in the HTTP header fields.

HTTP works using a client/server model. HTTP clients open connections by sending a request message to an HTTP server. The HTTP server then returns a response message to the HTTP client (this response message is typically the resource requested in the request message from the HTTP client). After delivering the response, the HTTP server closes the connection and the transaction is complete.

HTTP header fields are used to provide information about HTTP request and response messages. HTTP has numerous header fields. For additional information on HTTP headers, see section 14 of RFC 2616: Hypertext Transfer Protocol—HTTP/1.1. This RFC can be found at the following URL:

http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html

NBAR is able to classify the following HTTP header fields:

For request messages (client to server), the following HTTP header fields can be identified using NBAR:

User-Agent

Referer

From

For response messages (server to client), the following HTTP header fields can be identified using NBAR:

Server

Location

Content-Base

Content-Encoding

Within NBAR, the match protocol http c-header-field command is used to specify that NBAR identify request messages (the "c" in the c-header-field portion of the command is for client). The match protocol http s-header-field command is used to specify response messages (the "s" in the s-header-field portion of the command is for server).

Examples

In the following example, any request message that contains "somebody@cisco.com" in the User-Agent, Referer, or From fields will be classified by NBAR. Typically, a term with a format similar to "somebody@cisco.com" would be found in the From header field of the HTTP request message. 

match protocol http c-header-field "somebody@cisco.com"

In the following example, any request message that contains "http://www.cisco.com/routers" in the User-Agent, Referer, or From fields will be classified by NBAR. Typically, a term with a format similar to "http://www.cisco.com/routers" would be found in the Referer header field of the HTTP request message. 

match protocol http c-header-field "http://www.cisco.com/routers"

In the following example, any request message that contains "CERN-LineMode/2.15" in the User-Agent, Referer, or From header fields will be classified by NBAR. Typically, a term with a format similar to "CERN-LineMode/2.15" would be found in the User-Agent header field of the HTTP request message. 

match protocol http c-header-field "CERN-LineMode/2.15"

In the following example, any response message that contains "CERN/3.0" in the Content-Base, Content-Encoding, Location, or Server header fields will be classified by NBAR. Typically, a term with a format similar to "CERN/3.0" would be found in the Server header field of the response message. 

match protocol http s-header-field "CERN/3.0"

In the following example, any response message that contains "http://www.cisco.com/routers" in the Content-Base, Content-Encoding, Location, or Server header fields will be classified by NBAR. Typically, a term with a format similar to "http://www.cisco.com/routers" would be found in the Content-Base or Location header field of the response message. 

match protocol http s-header-field "http://www.cisco.com/routers"

In the following example, any response message that contains "gzip" in the Content-Base, Content-Encoding, Location, or Server header fields will be classified by NBAR. Typically, the term "gzip" would be found in the Content-Encoding header field of the response message. 

match protocol http s-header-field "gzip"

Combining Classification of HTTP Headers and URL, Host, or MIME Type to Identify HTTP Traffic

Note that combinations of URL, Host, MIME type, and HTTP headers can be used during NBAR configuration. These combinations provide customers with more flexibility to classify specific HTTP traffic based on their network requirements.

Examples

In the following example, HTTP header fields are combined with a URL to classify traffic. In this example, traffic with a User-Agent field of "CERN-LineMode/3.0" and a Server field of "CERN/3.0", along with URL "www.cisco.com," will be classified using NBAR: 

class-map match-all c-http 
 match protocol http c-header-field "CERN-LineMode/3.0" 
 match protocol http s-header-field "CERN/3.0" 
 match protocol http url "www.cisco.com"

NBAR and Classification of Citrix ICA Traffic

NBAR can classify Citrix Independent Computing Architecture (ICA) traffic and perform subport classification of Citrix traffic based on the published application name or ICA tag number.

This section includes information about the following topics:

Classification of Citrix ICA Traffic by Published Application Name

Classification of Citrix ICA Traffic by ICA Tag Number

Classification of Citrix ICA Traffic by Published Application Name

NBAR can monitor Citrix ICA client requests for a published application destined to a Citrix ICA Master browser. After the client requests the published application, the Citrix ICA Master browser directs the client to the server with the most available memory. The Citrix ICA client then connects to this Citrix ICA server for the application.

Note For Citrix to monitor and classify traffic by the published application name, Server Browser Mode on the Master browser must be used.

In Server Browser Mode, NBAR statefully tracks and monitors traffic and performs a regular expression search on the packet contents for the published application name specified by the match protocol citrix command. The published application name is specified by using the app keyword and the application-name-string argument of the match protocol citrix command. For more information about the match protocol citrix command, see the Cisco IOS Quality of Service Solutions Command Reference, Release 12.4T.

The Citrix ICA session triggered to carry the specified application is cached, and traffic is classified appropriately for the published application name.

Citrix ICA Client Modes

Citrix ICA clients can be configured in various modes. NBAR cannot distinguish among Citrix applications in all modes of operation. Therefore, network administrators might need to collaborate with Citrix administrators to ensure that NBAR properly classifies Citrix traffic.

A Citrix administrator can configure Citrix to publish Citrix applications individually or as the entire desktop. In the Published Desktop mode of operation, all applications within the published desktop of a client use the same TCP session. Therefore, differentiation among applications is impossible, and NBAR can be used to classify Citrix applications only as aggregates (by looking at port 1494).

The Published Application mode for Citrix ICA clients is recommended when you use NBAR. In Published Application mode, a Citrix administrator can configure a Citrix client in either seamless or non-seamless (windows) modes of operation. In nonseamless mode, each Citrix application uses a separate TCP connection, and NBAR can be used to provide interapplication differentiation based on the name of the published application.

Seamless mode clients can operate in one of two submodes: session sharing or nonsession sharing. In seamless session sharing mode, all clients share the same TCP connection, and NBAR cannot differentiate among applications. Seamless sharing mode is enabled by default on some software releases. In seamless nonsession sharing mode, each application for each particular client uses a separate TCP connection. NBAR can provide interapplication differentiation in seamless nonsession sharing mode.

Note NBAR operates properly in Citrix ICA secure mode. Pipelined Citrix ICA client requests are not supported.

Classification of Citrix ICA Traffic by ICA Tag Number

Citrix uses one TCP session each time an application is opened. In the TCP session, a variety of Citrix traffic may be intermingled in the same session. For example, print traffic may be intermingled with interactive traffic, causing interruption and delay for a particular application. Most people would prefer that printing be handled as a background process and that printing not interfere with the processing of higher-priority traffic.

To accommodate this preference, the Citrix ICA protocol includes the ability to identify Citrix ICA traffic based on the ICA tag number of the packet. The ability to identify, tag, and prioritize Citrix ICA traffic is referred to as ICA Priority Packet Tagging. With ICA Priority Packet Tagging, Citrix ICA traffic is categorized as high, medium, low, and background, depending on the ICA tag of the packet.

When ICA traffic priority tag numbers are used, and the priority of the traffic is determined, QoS features can be implemented to determine how the traffic will be handled. For example, QoS traffic policing can be configured to transmit or drop packets with a specific priority.

Citrix ICA Packet Tagging

The Citrix ICA tag is included in the first two bytes of the Citrix ICA packet, after the initial negotiations are completed between Citrix client and server. These bytes are not compressed or encrypted.

The first two bytes of the packet (byte 1 and byte 2) contain the byte count and the ICA priority tag number. Byte 1 contains the low-order byte count, and the first two bits of byte 2 contain the priority tags. The other six bits contain the high-order byte count.

The ICA priority tag value can be a number from 0 to 3. The number indicates the packet priority, with 0 being the highest priority and 3 being the lowest priority.

To prioritize Citrix traffic by the ICA tag number of the packet, you specify the tag number using the ica-tag keyword and the ica-tag-value argument of the match protocol citrix command. For more information about the match protocol citrix command, see the Cisco IOS Quality of Service Solutions Command Reference, Release 12.4T.

NBAR and RTP Payload Type Classification

RTP is a packet format for multimedia data streams. It can be used for media-on-demand as well as for interactive services such as Internet telephony. RTP consists of a data and a control part. The control part is called Real-Time Transport Control Protocol (RTCP). RTCP is a separate protocol that is supported by NBAR. It is important to note that the NBAR RTP Payload Type Classification feature does not identify RTCP packets and that RTCP packets run on odd-numbered ports while RTP packets run on even-numbered ports.

The data part of RTP is a thin protocol that provides support for applications with real-time properties such as continuous media (audio and video), which includes timing reconstruction, loss detection, and security and content identification. RTP is discussed in RFC 1889 (A Transport Protocol for Real-Time Applications) and RFC 1890 (RTP Profile for Audio and Video Conferences with Minimal Control).

The RTP payload type is the data transported by RTP in a packet, for example audio samples or compressed video data.

NBAR RTP Payload Type Classification not only allows one to statefully identify real-time audio and video traffic but can also differentiate on the basis of audio and video codecs to provide more granular QoS. The RTP Payload Type Classification feature, therefore, looks deep into the RTP header to classify RTP packets. NBAR RTP Payload Type Classification was first introduced in Cisco IOS Release 12.2(8)T and is also available in Cisco IOS Release 12.1(11b)E.

NBAR and Classification of Custom Protocols and Applications

NBAR supports the use of custom protocols to identify custom applications. Custom protocols support static port-based protocols and applications that NBAR does not currently support. You can add to the set of protocols and application types that NBAR recognizes by creating custom protocols.

Custom protocols extend the capability of NBAR Protocol Discovery to classify and monitor additional static port applications and allows NBAR to classify nonsupported static port traffic.

Note For more information about specifying user-defined (custom) protocols, see the "Creating a Custom Protocol" module.

NBAR and Classification of Peer-to-Peer File-Sharing Applications

The following are the most common peer-to-peer file-sharing applications supported by NBAR:

BitTorrent

DirectConnect

eDonkey

eMule

FastTrack

Grokster

JTella

Kazaa (as well as Kazaa Lite and Kazaa Lite Resurrection)

Morpheus

Win MX

Gnutella Also Supported

Gnutella is another file-sharing protocol that became classifiable using NBAR in Cisco IOS Release 12.1(12c)E.

Applications that use the Gnutella protocol include Bearshare, Gnewtellium, Gnucleus, Gtk-Gnutella, Limewire, Mutella, Phex, Qtella, Swapper, and Xolo.

The match protocol gnutella file-transfer regular-expression and match protocol fasttrack file-transfer regular-expression commands are used to enable Gnutella and FastTrack classification in a traffic class. The regular-expression variable can be expressed as "*" to indicate that all FastTrack or Gnutella traffic be classified by a traffic class.

In the following example, all FastTrack traffic is classified into class map nbar: 

class-map match-all nbar 
 match protocol fasttrack file-transfer "*"

Similarly, all Gnutella traffic is classified into class map nbar in the following example: 

class-map match-all nbar 
 match protocol gnutella file-transfer "*"

Wildcard characters in a regular expression can also be used to identify specified Gnutella and FastTrack traffic. These regular expression matches can be used to match on the basis of filename extension or a particular string in a filename.

In the following example, all Gnutella files that have the .mpeg extension will be classified into class map nbar. 

class-map match-all nbar 
 match protocol gnutella file-transfer "*.mpeg"

In the following example, only Gnutella traffic that contains the characters "cisco" is classified: 

class-map match-all nbar 
 match protocol gnutella file-transfer "*cisco*"

The same examples can be used for FastTrack traffic: 

class-map match-all nbar 
 match protocol fasttrack file-transfer "*.mpeg"

or 

class-map match-all nbar 
 match protocol fasttrack file-transfer "*cisco*"

NBAR and Classification of Streaming Protocols

In Cisco IOS Release 12.3(7)T, NBAR introduced support for Real Time Streaming Protocol (RTSP). RTSP is the protocol used for applications with steaming audio, such as the following:

Apple QuickTime

RealAudio (RealSystems G2)

Windows Media Services

NBAR and AutoQoS

Earlier Cisco IOS releases included two features that allow you to automate the deployment of QoS on your network: AutoQoS—Voice over IP (VoIP); and AutoQoS for the Enterprise. Both of these AutoQoS features take advantage of the traffic classification functionality of NBAR.

Note Cisco IOS Release 12.2(18)ZY does not support either the AutoQoS—Voice over IP (VoIP) feature or the AutoQoS for the Enterprise feature on the Catalyst 6500 series switch.

AutoQoS—VoIP

This feature was available with Cisco IOS Release 12.2(15)T. The AutoQoS—VoIP feature allows you to automate the deployment of QoS on your network and provides a means for simplifying the implementation and provisioning of QoS for VoIP traffic. For more information about the AutoQoS—VoIP feature and how it uses NBAR, see the AutoQoS—VoIP feature module, Release 12.2(15)T.

AutoQoS for the Enterprise

This feature was available with Cisco IOS Release 12.3(11)T. The AutoQoS for the Enterprise feature allows you to automate the deployment of QoS in a general business environment, particularly for midsize companies and branch offices of larger companies. It expands on the functionality available with the AutoQoS—VoIP feature. For more information about the AutoQoS for the Enterprise feature and how it uses NBAR, see the AutoQoS for the Enterprise feature module, Release 12.3(11)T.

NBAR-Supported Protocols

Table 1 lists the NBAR-supported protocols available in Cisco IOS software, sorted by category. The table also provides information about the protocol type, the well-known port numbers, the syntax for entering the protocol in NBAR, and the Cisco IOS release in which the protocol was initially supported.

Many peer-to-peer file-sharing applications not listed in this table can be classified using FastTrack or Gnutella. See the "NBAR and Classification of Peer-to-Peer File-Sharing Applications" section for additional information.

RTSP can be used to classify various types of applications that use streaming audio. See the "NBAR and Classification of Streaming Protocols" section for additional information.

Note Support for some protocols can be added to NBAR using application recognition modules (also known as Packet Description Language Modules [PDLMs]). For more information about PDLMs, see the "Adding Application Recognition Modules" module.

Table 1 NBAR-Supported Protocols 

Category
Protocol
Type
Well-Known Port Number
Description
Syntax
Cisco IOS Release1

Enterprise Application

Citrix ICA

TCP/
UDP

Dynamically Assigned

Citrix ICA traffic by application name

citrix
citrix app

12.1(2)E
12.1(5)T

PCAnywhere

TCP

5631, 65301

Symantic pcAnywhere

pcanywhere

12.0(5)XE2
12.1(1)E
12.1(5)T

PCAnywhere

UDP

22, 5632

Symantic pcAnywhere

pcanywhere

12.0(5)XE2
12.1(1)E
12.1(5)T

Novadigm

TCP/ UDP

3460-3465

Novadigm Enterprise Desktop Manager  (EDM)

novadigm

12.1(2)E
12.1(5)T

SAP

TCP

3300-3315 (sap-pgm. pdlm)
3200-3215 (sap-app. pdlm)
3600-3615 (sap-msg. pdlm)

Application server to application server traffic (sap-pgm.pdlm)

Client to application server traffic (sap-app.pdlm)

Client to message server traffic (sap-msg.pdlm)

sap

12.3
12.3T
12.2T
12.1E

Routing Protocol

BGP

TCP/ UDP

179

Border Gateway Protocol

bgp

12.0(5)XE2
12.1(1)E
12.1(5)T

EGP

IP

8

Exterior Gateway Protocol

egp

12.0(5)XE2
12.1(1)E
12.1(5)T

EIGRP

IP

88

Enhanced Interior Gateway Routing Protocol

eigrp

12.0(5)XE2
12.1(1)E
12.1(5)T

OSPF

TCP

Dynamically Assigned

Open Shortest Path First

ospf

12.3(8)T

RIP

UDP

520

Routing Information Protocol

rip

12.0(5)XE2
12.1(1)E
12.1(5)T

Database

SQL*NET

TCP/ UDP

Dynamically Assigned

SQL*NET for Oracle

sqlnet

12.0(5)XE2
12.1(1)E
12.1(5)T

MS- SQLServer

TCP

1433

Microsoft SQL Server Desktop Videocon-
ferencing

sqlserver

12.0(5)XE2
12.1(1)E
12.1(5)T

Security and Tunneling

GRE

IP

47

Generic Routing Encapsulation

gre

12.0(5)XE2
12.1(1)E
12.1(5)T

IPINIP

IP

4

IP in IP

ipinip

12.0(5)XE2
12.1(1)E
12.1(5)T

IPsec

IP

50, 51

IP Encapsulating Security Payload/
Authentication-
Header

ipsec

12.0(5)XE2
12.1(1)E
12.1(5)T

L2TP

UDP

1701

L2F/L2TP Tunnel

l2tp

12.0(5)XE2
12.1(1)E
12.1(5)T

MS-PPTP

TCP

1723

Microsoft Point-to-Point Tunneling Protocol for VPN

pptp

12.0(5)XE2
12.1(1)E
12.1(5)T

SFTP

TCP

990

Secure FTP

secure-ftp

12.0(5)XE2
12.1(1)E
12.1(5)T

SHTTP

TCP

443

Secure HTTP

secure-http

12.0(5)XE2
12.1(1)E
12.1(5)T

SIMAP

TCP/
UDP

585, 993

Secure IMAP

secure-imap

12.0(5)XE2
12.1(1)E
12.1(5)T

SIRC

TCP/
UDP

994

Secure IRC

secure-irc

12.0(5)XE2
12.1(1)E
12.1(5)T

SLDAP

TCP/
UDP

636

Secure LDAP

secure-ldap

12.0(5)XE2
12.1(1)E
12.1(5)T

SNNTP

TCP/
UDP

563

Secure NNTP

secure-nntp

12.0(5)XE2
12.1(1)E
12.1(5)T

SPOP3

TCP/
UDP

995

Secure POP3

secure-pop3

12.0(5)XE2
12.1(1)E
12.1(5)T

STELNET

TCP

992

Secure Telnet

secure-telnet

12.0(5)XE2
12.1(1)E
12.1(5)T

Security and Tunneling (continued)

SOCKS

TCP

1080

Firewall Security Protocol

socks

12.0(5)XE2
12.1(1)E
12.1(5)T

SSH

TCP

22

Secured Shell

ssh

12.0(5)XE2
12.1(1)E
12.1(5)T

Network Management

ICMP

IP

1

Internet Control Message Protocol

icmp

12.0(5)XE2
12.1(1)E
12.1(5)T

SNMP

TCP/
UDP

161, 162

Simple Network Management Protocol

snmp

12.0(5)XE2
12.1(1)E
12.1(5)T

Syslog

UDP

514

System Logging Utility

syslog

12.0(5)XE2
12.1(1)E
12.1(5)T

Network Mail Services

IMAP

TCP/
UDP

143, 220

Internet Message Access Protocol

imap

12.0(5)XE2
12.1(1)E
12.1(5)T

POP3

TCP/
UDP

110

Post Office Protocol

pop3

12.0(5)XE2
12.1(1)E
12.1(5)T

Exchange

TCP

135

MS-RPC for Exchange

exchange

12.0(5)XE2
12.1(1)E
12.1(5)T

Notes

TCP/
UDP

1352

Lotus Notes

notes

12.0(5)XE2
12.1(1)E
12.1(5)T

SMTP

TCP

25

Simple Mail Transfer Protocol

smtp

12.0(5)XE2
12.1(1)E
12.1(5)T

Directory

DHCP/
BOOTP

UDP

67, 68

Dynamic Host Configuration Protocol/ Bootstrap Protocol

dhcp

12.0(5)XE2
12.1(1)E
12.1(5)T

Finger

TCP

79

Finger User Information Protocol

finger

12.0(5)XE2
12.1(1)E
12.1(5)T

DNS

TCP/
UDP

53

Domain Name System

dns

12.0(5)XE2
12.1(1)E
12.1(5)T

Kerberos

TCP/
UDP

88, 749

Kerberos Network Authentication Service

kerberos

12.0(5)XE2
12.1(1)E
12.1(5)T

LDAP

TCP/
UDP

389

Lightweight Directory Access Protocol

ldap

12.0(5)XE2
12.1(1)E
12.1(5)T

Streaming Media

CU-SeeMe

TCP/
UDP

7648, 7649

Desktop Video Conferencing

cuseeme

12.0(5)XE2
12.1(1)E
12.1(5)T

CU-SeeMe

UDP

24032

Desktop Video Conferencing

cuseeme

12.0(5)XE2
12.1(1)E
12.1(5)T

Netshow

TCP/ UDP

Dynamically Assigned

Microsoft Netshow

netshow

12.0(5)XE2
12.1(1)E
12.1(5)T

RealAudio

TCP/ UDP

Dynamically Assigned

RealAudio Streaming Protocol

realaudio

12.0(5)XE2
12.1(1)E
12.1(5)T

StreamWorks

UDP

Dynamically Assigned

Xing Technology Stream Works Audio and Video

streamwork

12.0(5)XE2
12.1(1)E
12.1(5)T

VDOLive

TCP/ UDP

Dynamically Assigned

VDOLive Streaming Video

vdolive

12.0(5)XE2
12.1(1)E
12.1(5)T

Streaming Media/ Multimedia

RTSP

TCP/ UDP

Dynamically Assigned

Real Time Streaming Protocol

rtsp

12.3(11)T

MGCP

TCP/ UDP

2427, 2428, 2727

Media Gateway Control Protocol

mgcp

12.3(7)T

Internet

FTP

TCP

Dynamically Assigned

File Transfer Protocol

ftp

12.0(5)XE2
12.1(1)E
12.1(5)T

Gopher

TCP/ UDP

70

Internet Gopher Protocol

gopher

12.0(5)XE2
12.1(1)E
12.1(5)T

HTTP

TCP

802

Hypertext Transfer Protocol

http

12.0(5)XE2
12.1(1)E
12.1(5)T

IRC

TCP/ UDP

194

Internet Relay Chat

irc

12.0(5)XE2
12.1(1)E
12.1(5)T

Telnet

TCP

23

Telnet Protocol

telnet

12.0(5)XE2
12.1(1)E
12.1(5)T

TFTP

UDP

Dynamically Assigned

Trivial File Transfer Protocol

tftp

12.0(5)XE2
12.1(1)E
12.1(5)T

NNTP

TCP/ UDP

119

Network News Transfer Protocol

nntp

12.0(5)XE2
12.1(1)E
12.1(5)T

Signaling

RSVP

UDP

1698, 1699

Resource Reservation Protocol

rsvp

12.0(5)XE2
12.1(1)E
12.1(5)T

RPC

NFS

TCP/ UDP

2049

Network File System

nfs

12.0(5)XE2
12.1(1)E
12.1(5)T

Sunrpc

TCP/ UDP

Dynamically Assigned

Sun Remote Procedure Call

sunrpc

12.0(5)XE2
12.1(1)E
12.1(5)T

Non-IP and LAN/
Legacy

NetBIOS

TCP/ UDP

137, 138, 139

NetBIOS over IP (MS Windows)

netbios

12.0(5)XE2
12.1(1)E
12.1(5)T

Misc.

NTP

TCP/ UDP

123

Network Time Protocol

ntp

12.0(5)XE2
12.1(1)E
12.1(5)T

Printer

TCP/ UDP

515

Printer

printer

12.1(2)E
12.1(5)T

X Windows

TCP

6000-6003

X11, X Windows

xwindows

12.0(5)XE2
12.1(1)E
12.1(5)T

r-commands

TCP

Dynamically Assigned

rsh, rlogin, rexec

rcmd

12.0(5)XE2
12.1(1)E
12.1(5)T

Voice

H.323

TCP

Dynamically Assigned

H.323 Teleconferencing Protocol

h323

12.3(7)T

RTCP

TCP/ UDP

Dynamically Assigned

Real-Time Control Protocol

rtcp

12.1E
12.2T
12.3
12.3T
12.3(7)T

RTP

TCP/ UDP

Dynamically Assigned

Real-Time Transport Protocol Payload Classification

rtp

12.2(8)T

SIP

TCP/UPD

5060

Session Initiation Protocol

sip

12.3(7)T

SCCP/ Skinny

TCP

2000, 2001, 2002

Skinny Client Control Protocol

skinny

12.3(7)T

Skype3

TCP/UDP

Dynamically Assigned

Peer-to-Peer VoIP Client Software

Note Cisco currently supports Skype Version 1 only.

skype

12.4(4)T

Peer-to-Peer File-Sharing Applications

BitTorrent

TCP

Dynamically Assigned, or
6881-6889

BitTorrent File Transfer Traffic

bittorrent

12.4(2)T

Direct Connect

TCP/ UDP

411

Direct Connect File Transfer Traffic

directconnect

12.4(4)T

eDonkey/ eMule

TCP

4662

eDonkey File- Sharing Application

eMule traffic is also classified as eDonkey traffic in NBAR.

edonkey

12.3(11)T

FastTrack

N/A

Dynamically Assigned

FastTrack

fasttrack

12.1(12c)E

Gnutella

TCP

Dynamically Assigned

Gnutella

gnutella

12.1(12c)E

KaZaA

TCP/ UPD

Dynamically Assigned

KaZaA

Note that earlier KaZaA version 1 traffic can be classified using FastTrack.

kazaa2

12.2(8)T

 

WinMX

TCP

6699

WinMX Traffic

winmx

12.3(7)T

1 Indicates the Cisco IOS maintenance release that first supported the protocol. This table is updated when a protocol is added to a new Cisco IOS release train.

2 In Release 12.3(4)T, the NBAR Extended Inspection for Hypertext Transfer Protocol (HTTP) Traffic feature was introduced. This feature allows NBAR to scan TCP ports that are not well known and identify HTTP traffic traversing these ports.

3 Skype was introduced in Cisco IOS Release 12.4(4)T. As a result of this introduction, Skype is now native in (included with) the Cisco IOS software and uses the NBAR infrastructure new to Cisco IOS Release 12.4(4)T.

NBAR Memory Management

NBAR uses approximately 150 bytes of DRAM for each traffic flow that requires stateful inspection. (See Table 1 for a list of protocols supported by NBAR that require stateful inspection.) When NBAR is configured, it allocates 1 MB of DRAM to support up to 5000 concurrent traffic flows. NBAR checks to see if more memory is required to handle additional concurrent stateful traffic flows. If such a need is detected, NBAR expands its memory usage in increments of 200 Kb to 400 Kb.

NBAR Protocol Discovery

NBAR includes a feature called Protocol Discovery. Protocol Discovery provides an easy way to discover the application protocols that are operating on an interface. For more information about Protocol Discovery, see the "Enabling Protocol Discovery" module.

NBAR Protocol Discovery MIB

The NBAR Protocol Discovery Management Information Base (MIB) expands the capabilities of NBAR Protocol Discovery by providing the following new functionality through Simple Network Management Protocol (SNMP):

Enable or disable Protocol Discovery per interface.

Display Protocol Discovery statistics.

Configure and view multiple top-n tables that list protocols by bandwidth usage.

Configure thresholds based on traffic of particular NBAR-supported protocols or applications that report breaches and send notifications when these thresholds are crossed.

For more information about the NBAR Protocol Discovery MIB, see the Network-Based Application Recognition Protocol Discovery Management Information Base feature module, Release 12.2(15)T.

NBAR Configuration Processes

Configuring NBAR consists of the following processes:

Enabling Protocol Discovery (required)

When you configure NBAR, the first process is to enable Protocol Discovery.

Configuring NBAR using the MQC (required)

After you enable Protocol Discovery, the next process is to configure NBAR using the functionality of the MQC.

Adding application recognition modules (also known as Packet Description Language Modules [PDLMs]) (optional)

Adding PDLMs extends the functionality of NBAR by enabling NBAR to recognize additional protocols on your network.

Creating custom protocols (optional)

Custom protocols extend the capability of NBAR Protocol Discovery to classify and monitor additional static port applications and allow NBAR to classify nonsupported static port traffic.

Where to Go Next

Begin configuring NBAR by first enabling Protocol Discovery. To enable Protocol Discovery, see the "Enabling Protocol Discovery" module.

Additional References

The following sections provide references related to classifying network traffic using NBAR.

Related Documents

Related Topic
Document Title

QoS commands: complete command syntax, command modes, command history, defaults, usage guidelines, and examples

Cisco IOS Quality of Service Solutions Command Reference, Release 12.4T

QoS features and functionality

Cisco IOS Quality of Service Solutions Configuration Guide, Release 12.4

QoS features and functionality on the Catalyst 6500 series switch

"Configuring PFC QoS" chapter of the Catalyst Supervisor Engine 32 PISA Cisco IOS Software Configuration Guide, Release 12.2 ZY

Classifying network traffic if not using NBAR

"Classifying Network Traffic" module of the Cisco IOS Quality of Service Solutions Configuration Guide, Release 12.4

Marking network traffic

"Marking Network Traffic" module of the Cisco IOS Quality of Service Solutions Configuration Guide, Release 12.4

CISCO-NBAR-PROTOCOL-DISCOVERY MIB"

Network-Based Application Recognition Management Information Base feature module, Release 12.2(15)T

CEF

Cisco IOS IP Switching Configuration Guide, Release 12.4

AutoQoS1 and VoIP traffic

AutoQoS—VoIP feature module, Release 12.2(15)T

AutoQoS for the Enterprise*

AutoQoS for the Enterprise feature module, Release 12.3(11)T

NBAR Protocol Discovery MIB

Network-Based Application Recognition Protocol Discovery Management Information Base feature module, Release 12.2(15)T

Enabling Protocol Discovery

"Enabling Protocol Discovery" module

Configuring NBAR using the MQC

"Configuring NBAR Using the MQC" module

Adding application recognition modules (also known as PDLMs)

"Adding Application Recognition Modules" module

Creating a custom protocol

"Creating a Custom Protocol" module

1 Cisco IOS Release 12.2(18)ZY does not support either the AutoQoS—Voice over IP (VoIP) feature or the AutoQoS for the Enterprise feature on the Catalyst 6500 series switch.


Standards

Standards
Title

ISO 0009

File Transfer Protocol (FTP)

ISO 0013

Domain Names - Concepts and Facilities

ISO 0033

The TFTP Protocol (Revision 2)

ISO 0034

Routing Information Protocol

ISO 0053

Post Office Protocol - Version 3

ISO 0056

RIP Version 2


MIBs

MIBs
MIBs Link

CISCO-NBAR-PROTOCOL-DISCOVERY MIB

To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://www.cisco.com/go/mibs


RFCs

RFC
Title

RFC 742

NAME/FINGER Protocol

RFC 759

Internet Message Protocol

RFC 768

User Datagram Protocol

RFC 792

Internet Control Message Protocol

RFC 793

Transmission Control Protocol

RFC 821

Simple Mail Transfer Protocol

RFC 827

Exterior Gateway Protocol

RFC 854

Telnet Protocol Specification

RFC 888

"STUB" Exterior Gateway Protocol

RFC 904

Exterior Gateway Protocol Formal Specification

RFC 951

Bootstrap Protocol

RFC 959

File Transfer Protocol

RFC 977

Network News Transfer Protocol

RFC 1001

Protocol Standard for a NetBIOS Service on a TCP/UDP Transport: Concepts and Methods

RFC 1002

Protocol Standard for a NetBIOS Service on a TCP/UDP Transport: Detailed Specifications

RFC 1057

RPC: Remote Procedure Call

RFC 1094

NFS: Network File System Protocol Specification

RFC 1112

Host Extensions for IP Multicasting

RFC 1157

Simple Network Management Protocol

RFC 1282

BSD Rlogin

RFC 1288

The Finger User Information Protocol

RFC 1305

Network Time Protocol

RFC 1350

The TFTP Protocol (Revision 2)

RFC 1436

The Internet Gopher Protocol

RFC 1459

Internet Relay Chat Protocol

RFC 1510

The Kerberos Network Authentication Service

RFC 1542

Clarifications and Extensions for the Bootstrap Protocol

RFC 1579

Firewall-Friendly FTP

RFC 1583

OSPF Version 2

RFC 1657

Definitions of Managed Objects for the Fourth Version of the Border Gateway Protocol

RFC 1701

Generic Routing Encapsulation

RFC 1730

Internet Message Access Protocol—Version 4

RFC 1771

A Border Gateway Protocol 4 (BGP-4)

RFC 1777

Lightweight Directory Access Protocol

RFC 1831

RPC: Remote Procedure Call Protocol Specification Version 2

RFC 1889

A Transport Protocol for Real-Time Applications

RFC 1890

RTP Profile for Audio and Video Conferences with Minimal Control

RFC 1928

SOCKS Protocol Version 5

RFC 1939

Post Office Protocol—Version 3

RFC 1945

Hypertext Transfer Protocol—HTTP/1.0

RFC 1964

The Kerberos Version 5 GSS-API Mechanism

RFC 2045

Multipurpose Internet Mail Extension (MIME) Part One: Format of Internet Message Bodies

RFC 2060

Internet Message Access Protocol—Version 4 rev1

RFC 2068

Hypertext Transfer Protocol—HTTP/1.1

RFC 2131

Dynamic Host Configuration Protocol

RFC 2205

Resource ReSerVation Protocol (RSVP)—Version 1 Functional Specification

RFC 2236

Internet Group Management Protocol, Version 2

RFC 2251

Lightweight Directory Access Protocol (v3)

RFC 2252

Lightweight Directory Access Protocol (v3): Attribute Syntax Definitions

RFC 2253

Lightweight Directory Access Protocol (v3): UTF-8 String Representation of Distinguished Names

RFC 2326

Real Time Streaming Protocol (RTSP)

RFC 2401

Security Architecture for the Internet Protocol

RFC 2406

IP Encapsulating Security Payload

RFC 2453

RIP Version 2

RFC 2616

Hypertext Transfer Protocol—HTTP/1.1

Note This RFC updates RFC 2068.


Technical Assistance

Description
Link

The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.

To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.

Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

http://www.cisco.com/techsupport


Glossary

encryption—Encryption is the application of a specific algorithm to data so as to alter the appearance of the data, making it incomprehensible to those who are not authorized to see the information.

HTTP—Hypertext Transfer Protocol. The protocol used by web browsers and web servers to transfer files, such as text and graphic files.

IANA—Internet Assigned Numbers Authority. An organization operated under the auspices of the Internet Society (ISOC) as a part of the Internet Architecture Board (IAB). IANA delegates authority for IP address-space allocation and domain-name assignment to the InterNIC and other organizations. IANA also maintains a database of assigned protocol identifiers used in the TCP/IP stack, including autonomous system numbers.

LAN—local-area network. A high-speed, low-error data network that covers a relatively small geographic area (up to a few thousand meters). LANs connect workstations, peripherals, terminals, and other devices in a single building or other geographically limited area. LAN standards specify cabling and signaling at the physical and data link layers of the Open System Interconnection (OSI) model. Ethernet, FDDI, and Token Ring are widely used LAN technologies.

MIME—Multipurpose Internet Mail Extension. The standard for transmitting nontext data (or data that cannot be represented in plain ASCII code) in Internet mail, such as binary, foreign language text (such as Russian or Chinese), audio, and video data. MIME is defined in RFC 2045: Multipurpose Internet Mail Extension (MIME) Part One: Format of Internet Message Bodies.

MPLS—Multiprotocol Label Switching. A switching method that forwards IP traffic using a label. This label instructs the routers and the switches in the network where to forward the packets based on preestablished IP routing information.

MQC—Modular Quality of Service Command-Line Interface. A command-line interface that allows you to define traffic classes, create and configure traffic policies (policy maps), and then attach the policy maps to interfaces. The policy maps are used to apply the appropriate quality of service (QoS) to network traffic.

PDLM—Packet Description Language Module. A file that contains Packet Description Language statements used to define the signature of one or more application protocols.

Protocol Discovery—A feature included with NBAR. Protocol Discovery provides a way to discover the application protocols that are operating on an interface.

QoS—quality of service. A measure of performance for a transmission system that reflects its transmission quality and service availability.

RTCP—RTP Control Protocol. A protocol that monitors the QoS of an IPv6 Real-Time Transport Protocol (RTP) connection and conveys information about the ongoing session.

RTSP—Real Time Streaming Protocol. A means for enabling the controlled delivery of real-time data, such as audio and video. Sources of data can include both live data feeds, such as live audio and video, and stored content, such as prerecorded events. RTSP is designed to work with established protocols, such as Real-Time Transport Protocol (RTP) and HTTP.

stateful protocol—A protocol that uses TCP and UDP port numbers that are determined at connection time.

static protocol—A protocol that uses well-defined (predetermined) TCP and UDP ports for communication.

subport classification—The classification of network traffic by information that is contained in the packet payload; that is, information found beyond the TCP or UDP port number.

TCP—Transmission Control Protocol. A connection-oriented transport layer protocol that provides reliable full-duplex data transmission. TCP is part of the TCP/IP protocol stack.

tunneling—Tunneling is an architecture that is designed to provide the services necessary to implement any standard point-to-point encapsulation scheme.

UDP—User Datagram Protocol. A connectionless transport layer protocol in the TCP /IP protocol stack. UDP is a simple protocol that exchanges datagrams without acknowledgments or guaranteed delivery, requiring that error processing and retransmission be handled by other protocols. UDP is defined in RFC 768: User Datagram Protocol.

WAN—wide-area network. A data communications network that serves users across a broad geographic area and often uses transmission devices provided by common carriers.

Note See Internetworking Terms and Acronyms for terms not included in this glossary.

Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.

© 2006-2007 Cisco Systems, Inc. All rights reserved.