Classifying Network Traffic Using NBAR (Cisco IOS XE)
First Published: April 4, 2006
Last Updated: November 25, 2009
Network-Based Application Recognition (NBAR) is a classification engine that recognizes and classifies a wide variety of protocols and applications. When NBAR recognizes and classifies a protocol or application, the network can be configured to apply the appropriate quality of service (QoS) for that application or traffic with that protocol.
This module contains an overview of classifying network traffic using NBAR in Cisco IOS XE Software.
Finding Feature Information
For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for Classifying Network Traffic Using NBAR" section.
Use Cisco Feature Navigator to find information about platform support and Cisco IOS XE Software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Contents
• Restrictions for Using NBAR
• Information About Using NBAR
• Additional References
• Feature Information for Classifying Network Traffic Using NBAR
• Glossary
Restrictions for Using NBAR
NBAR does not support the following:
• Non-IP traffic.
• MPLS-labeled packets. NBAR classifies IP packets only. You can, however, use NBAR to classify IP traffic before the traffic is handed over to MPLS. Use the Modular Quality of Service (QoS) Command-Line Interface (CLI) (MQC) to set the IP differentiated services code point (DSCP) field on the NBAR-classified packets and make Multiprotocol Label Switching (MPLS) map the DSCP setting to the MPLS experimental (EXP) setting inside the MPLS header.
• Multicast modes.
• Asymmetric flows with stateful protocols.
• Packets that originate from or that are destined to the router running NBAR.
NBAR is not supported on the following logical interfaces:
• Dialer Interfaces
• Fast Etherchannel
• Interfaces where tunneling or encryption is used
• MLPPP
• MPLS VRF
• Port Channel
• Tunneled Interfaces (GRE, IP-IP, L2TP)
Note: You cannot use NBAR to classify output traffic on a WAN link where tunneling or encryption is used. Therefore, you should configure NBAR on other interfaces of the router (such as a LAN link) to perform input classification before the traffic is switched to the WAN link.
Information About Using NBAR
Before classifying network traffic using NBAR, you should understand the following concepts:
• NBAR Functionality
• NBAR Benefits
• NBAR and Classification of HTTP Traffic
• NBAR and Classification of Citrix ICA Traffic
• NBAR and RTP Payload Type Classification
• NBAR and Classification of Custom Protocols and Applications
• NBAR and Classification of Peer-to-Peer File-Sharing Applications
• NBAR Scalability
• NBAR-Supported Protocols
• NBAR Protocol Discovery
• NBAR Protocol Discovery MIB
• NBAR Configuration Processes
NBAR Functionality
NBAR is a classification engine that recognizes and classifies a wide variety of protocols and applications, including web-based and other difficult-to-classify applications and protocols that use dynamic TCP/UDP port assignments.
When NBAR recognizes and classifies a protocol or application, the network can be configured to apply the appropriate QoS for that application or traffic with that protocol. The QoS is applied using the MQC.
Note: For more information about the MQC, see the "Applying QoS Features Using the MQC" module.
NBAR introduces several classification features that identify applications and protocols from Layer 4 through Layer 7. These classification features include the following:
• Statically assigned TCP and UDP port numbers.
• Non-TCP and non-UDP IP protocols.
• Dynamically assigned TCP and UDP port numbers. This kind of classification requires stateful inspection; that is, the ability to inspect a protocol across multiple packets during packet classification.
Note: Access control lists (ACLs) can also be used for classifying static port protocols. However, NBAR is easier to configure, and NBAR can provide classification statistics that are not available when ACLs are used.
NBAR includes a Protocol Discovery feature that provides an easy way to discover application protocols that are operating on an interface. For more information about Protocol Discovery, see the "Enabling Protocol Discovery" module.
Note: NBAR classifies network traffic by application or protocol. Network traffic can be classified without using NBAR. For information about classifying network traffic without using NBAR, see the "Classifying Network Traffic" module.
NBAR Benefits
Improved Network Management
Identifying and classifying network traffic is an important first step in implementing QoS. A network administrator can more effectively implement QoS in a networking environment after identifying the amount and the variety of applications and protocols that are running on a network.
NBAR gives network administrators the ability to see the variety of protocols and the amount of traffic generated by each protocol. After gathering this information, NBAR allows users to organize traffic into classes. These classes can then be used to provide different levels of service for network traffic, thereby allowing better network management by providing the right level of network resources for network traffic.
NBAR and Classification of HTTP Traffic
This section includes information about the following topics:
• Classification of HTTP Traffic by URL, Host, or MIME
• Classification of HTTP Traffic Using the HTTP Header Fields
• Combinations of Classification of HTTP Headers and URL, Host, or MIME Type to Identify HTTP Traffic
Classification of HTTP Traffic by URL, Host, or MIME
NBAR can classify application traffic by looking beyond the TCP/UDP port numbers of a packet. This is subport classification. NBAR looks into the TCP/UDP payload itself and classifies packets based on content within the payload, such as the transaction identifier, message type, or other similar data.
Classification of HTTP traffic by URL, host, or Multipurpose Internet Mail Extension (MIME) type is an example of subport classification. NBAR classifies HTTP traffic by text within the URL or host fields of a request using regular expression matching. HTTP client request matching in NBAR supports most HTTP request methods such as GET, PUT, HEAD, POST, DELETE, OPTIONS, CONNECT, and TRACE. The NBAR engine then converts the specified match string into a regular expression.
Figure 1 illustrates a network topology with NBAR in which Router Y is the NBAR-enabled router.
Figure 1 Network Topology with NBAR
When specifying a URL for classification, include only the portion of the URL that follows the www.hostname.domain in the match statement. For example, for the URL www.cisco.com/latest/whatsnew.html, include only /latest/whatsnew.html with the match statement (for instance, match protocol http url /latest/whatsnew.html).
Host specification is identical to URL specification. NBAR performs a regular expression match on the host field contents inside an HTTP packet and classifies all packets from that host. For example, for the URL www.cisco.com/latest/whatsnew.html, include only www.cisco.com.
For MIME type matching, the MIME type can contain any user-specified text string. A list of the IANA-supported MIME types can be found at the following URL:
http://www.iana.org/assignments/media-types/
When matching by MIME type, NBAR matches a packet containing the MIME type and all subsequent packets until the next HTTP transaction.
NBAR supports URL and host classification in the presence of persistent HTTP. NBAR does not classify packets that are part of a pipelined request. With pipelined requests, multiple requests are pipelined to the server before previous requests are serviced. Pipelined requests are a less commonly used type of persistent HTTP request.
The NBAR Extended Inspection for HTTP Traffic feature allows NBAR to scan TCP ports that are not well known and to identify HTTP traffic that traverses these ports. HTTP traffic classification is no longer limited to the well-known and defined TCP ports.
Classification of HTTP Traffic Using the HTTP Header Fields
NBAR introduces expanded ability for users to classify HTTP traffic using information in the HTTP header fields.
HTTP works using a client/server model. HTTP clients open connections by sending a request message to an HTTP server. The HTTP server then returns a response message to the HTTP client (this response message is typically the resource requested in the request message from the HTTP client). After delivering the response, the HTTP server closes the connection and the transaction is complete.
HTTP header fields are used to provide information about HTTP request and response messages. HTTP has numerous header fields. For additional information on HTTP headers, see section 14 of RFC 2616: Hypertext Transfer Protocol—HTTP/1.1. This RFC can be found at the following URL:
http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html
NBAR is able to classify the following HTTP header fields:
• For request messages (client to server), the following HTTP header fields can be identified using NBAR:
  – User-Agent
  – Referer
  – From
• For response messages (server to client), the following HTTP header fields can be identified using NBAR:
  – Server
  – Location
  – Content-Encoding
Within NBAR, the match protocol http user-agent mozila command is used to specify that NBAR identify request messages. The match protocol http server microsoft command is used to specify response messages.
Examples
In the following example, any request message that contains "somebody@cisco.com" in the User-Agent, Referer, or From fields will be classified by NBAR. Typically, a term with a format similar to "somebody@cisco.com" would be found in the From header field of the HTTP request message.
class-map match-all class1
match protocol http from "somebody@cisco.com"
In the following example, any request message that contains "http://www.cisco.com/routers" in the User-Agent, Referer, or From fields will be classified by NBAR. Typically, a term with a format similar to "http://www.cisco.com/routers" would be found in the Referer header field of the HTTP request message.
class-map match-all class2
match protocol http referer "http://www.cisco.com/routers"
In the following example, any request message that contains "CERN-LineMode/2.15" in the User-Agent, Referer, or From header fields will be classified by NBAR. Typically, a term with a format similar to "CERN-LineMode/2.15" would be found in the User-Agent header field of the HTTP request message.
class-map match-all class3
match protocol http user-agent "CERN-LineMode/2.15"
In the following example, any response message that contains "CERN/3.0" in the Content-Base (if available), Content-Encoding, Location, or Server header fields will be classified by NBAR. Typically, a term with a format similar to "CERN/3.0" would be found in the Server header field of the response message.
class-map match-all class4
match protocol http server "CERN/3.0"
In the following example, any response message that contains "http://www.cisco.com/routers" in the Content-Base (if available), Content-Encoding, Location, or Server header fields will be classified by NBAR. Typically, a term with a format similar to "http://www.cisco.com/routers" would be found in the Content-Base (if available) or Location header field of the response message.
class-map match-all class5
match protocol http location "http://www.cisco.com/routers"
In the following example, any response message that contains "gzip" in the Content-Base (if available), Content-Encoding, Location, or Server header fields will be classified by NBAR. Typically, the term "gzip" would be found in the Content-Encoding header field of the response message.
class-map match-all class6
match protocol http content-encoding "gzip"
Combinations of Classification of HTTP Headers and URL, Host, or MIME Type to Identify HTTP Traffic
Note that combinations of URL, Host, MIME type, and HTTP headers can be used during NBAR configuration. These combinations provide customers with more flexibility to classify specific HTTP traffic based on their network requirements.
Examples
In the following example, HTTP header fields are combined with a URL to classify traffic. In this example, traffic with a User-Agent field of "CERN-LineMode/3.0" and a Server field of "CERN/3.0," along with URL "www.cisco.com/routers," will be classified using NBAR:
class-map match-all c-http
match protocol http user-agent "CERN-LineMode/3.0"
match protocol http server "CERN/3.0"
match protocol http url "www.cisco.com/routers"
NBAR and Classification of Citrix ICA Traffic
NBAR can classify Citrix Independent Computing Architecture (ICA) traffic and perform subport classification of Citrix traffic based on the published application name or ICA tag number.
This section includes information about the following topics:
• Classification of Citrix ICA Traffic by Published Application Name
• Classification of Citrix ICA Traffic by ICA Tag Number
Classification of Citrix ICA Traffic by Published Application Name
NBAR can monitor Citrix ICA client requests for a published application destined to a Citrix ICA Master browser. After the client requests the published application, the Citrix ICA Master browser directs the client to the server with the most available memory. The Citrix ICA client then connects to this Citrix ICA server for the application.
Note: For Citrix to monitor and classify traffic by the published application name, Server Browser Mode on the Master browser must be used.
In Server Browser Mode, NBAR statefully tracks and monitors traffic and performs a regular expression search on the packet contents for the published application name specified by the match protocol citrix command. The published application name is specified by using the app keyword and the application-name-string argument of the match protocol citrix command. For more information about the match protocol citrix command, see the Cisco IOS Quality of Service Solutions Command Reference.
The Citrix ICA session triggered to carry the specified application is cached, and traffic is classified appropriately for the published application name.
Citrix ICA Client Modes
Citrix ICA clients can be configured in various modes. NBAR cannot distinguish among Citrix applications in all modes of operation. Therefore, network administrators might need to collaborate with Citrix administrators to ensure that NBAR properly classifies Citrix traffic.
A Citrix administrator can configure Citrix to publish Citrix applications individually or as the entire desktop. In the Published Desktop mode of operation, all applications within the published desktop of a client use the same TCP session. Therefore, differentiation among applications is impossible, and NBAR can be used to classify Citrix applications only as aggregates (by looking at port 1494).
The Published Application mode for Citrix ICA clients is recommended when you use NBAR. In Published Application mode, a Citrix administrator can configure a Citrix client in either seamless or nonseamless (windows) mode of operation. In nonseamless mode, each Citrix application uses a separate TCP connection, and NBAR can be used to provide interapplication differentiation based on the name of the published application.
Seamless mode clients can operate in one of two submodes: session sharing or nonsession sharing. In seamless session sharing mode, all clients share the same TCP connection, and NBAR cannot differentiate among applications. Seamless sharing mode is enabled by default on some software releases. In seamless nonsession sharing mode, each application for each particular client uses a separate TCP connection. NBAR can provide interapplication differentiation in seamless nonsession sharing mode.
Note: NBAR operates properly in Citrix ICA secure mode. Pipelined Citrix ICA client requests are not supported.
Classification of Citrix ICA Traffic by ICA Tag Number
Citrix uses one TCP session each time an application is opened. In the TCP session, a variety of Citrix traffic may be intermingled in the same session. For example, print traffic may be intermingled with interactive traffic, causing interruption and delay for a particular application. Most people would prefer that printing be handled as a background process and that printing not interfere with the processing of higher-priority traffic.
To accommodate this preference, the Citrix ICA protocol includes the ability to identify Citrix ICA traffic based on the ICA tag number of the packet. The ability to identify, tag, and prioritize Citrix ICA traffic is referred to as ICA Priority Packet Tagging. With ICA Priority Packet Tagging, Citrix ICA traffic is categorized as high, medium, low, and background, depending on the ICA tag of the packet.
When ICA traffic priority tag numbers are used, and the priority of the traffic is determined, QoS features can be implemented to determine how the traffic will be handled. For example, QoS traffic policing can be configured to transmit or drop packets with a specific priority.
Citrix ICA Packet Tagging
The Citrix ICA tag is included in the first two bytes of the Citrix ICA packet, after the initial negotiations are completed between Citrix client and server. These bytes are not compressed or encrypted.
The first two bytes of the packet (byte 1 and byte 2) contain the byte count and the ICA priority tag number. Byte 1 contains the low-order byte count, and the first two bits of byte 2 contain the priority tags. The other six bits contain the high-order byte count.
The ICA priority tag value can be a number from 0 to 3. The number indicates the packet priority, with 0 being the highest priority and 3 being the lowest priority.
To prioritize Citrix traffic by the ICA tag number of the packet, you specify the tag number using the ica-tag keyword and the ica-tag-value argument of the match protocol citrix command. For more information about the match protocol citrix command, see the Cisco IOS Quality of Service Solutions Command Reference.
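The header layout described above can be decoded with a few bit operations. The following is an added example, not Cisco or Citrix code: it assumes that the "first two bits" of byte 2 are the most significant bits, that the byte count covers the bytes following the two-byte header, and that tag values 0 through 3 pair with the high, medium, low, and background categories in that order.

```python
"""Decode the two-byte ICA header and tally a byte stream by priority tag."""
from collections import Counter

# The page states that tag 0 is the highest priority and 3 the lowest.
# Pairing the values with these four names is an assumption of this example.
PRIORITY_NAMES = {0: "high", 1: "medium", 2: "low", 3: "background"}


def decode_ica_header(header):
    """Return (priority_tag, byte_count) from the first two bytes of a packet."""
    if len(header) != 2:
        raise ValueError("the ICA header is exactly two bytes")
    low_count, second = header[0], header[1]
    tag = second >> 6                  # assumed: the top two bits carry the tag
    high_count = second & 0x3F         # remaining six bits: high-order count
    return tag, (high_count << 8) | low_count


def encode_ica_header(tag, byte_count):
    """Inverse of decode_ica_header; used only to build the constructed sample."""
    if not 0 <= tag <= 3:
        raise ValueError("the tag must be 0..3")
    if not 0 <= byte_count < (1 << 14):
        raise ValueError("the byte count must fit in 14 bits")
    return bytes([byte_count & 0xFF, (tag << 6) | (byte_count >> 8)])


def tally_by_priority(stream):
    """Walk back-to-back packets in one TCP session and sum bytes per category.

    Assumes byte_count is the number of bytes after the header (not stated on
    the page). A stream that ends in the middle of a packet raises ValueError so
    that a capture cut short is not silently counted.
    """
    totals = Counter()
    pos = 0
    while pos < len(stream):
        if len(stream) - pos < 2:
            raise ValueError("truncated header at offset %d" % pos)
        tag, count = decode_ica_header(stream[pos:pos + 2])
        end = pos + 2 + count
        if end > len(stream):
            raise ValueError("truncated packet at offset %d" % pos)
        totals[PRIORITY_NAMES[tag]] += count
        pos = end
    return dict(totals)


def constructed_stream():
    """Constructed sample: interactive data intermingled with a print job."""
    return (
        encode_ica_header(0, 40) + b"k" * 40       # interactive, tag 0
        + encode_ica_header(3, 300) + b"p" * 300   # print job, tag 3
        + encode_ica_header(0, 12) + b"k" * 12     # interactive, tag 0
    )


if __name__ == "__main__":
    print(tally_by_priority(constructed_stream()))
```

The tally shows why the tag matters for QoS: the single session carries both interactive and print traffic, and only the tag separates them.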
NBAR and RTP Payload Type Classification
RTP is a packet format for multimedia data streams. It can be used for media-on-demand as well as for interactive services such as Internet telephony. RTP consists of a data and a control part. The control part is called Real-Time Transport Control Protocol (RTCP). RTCP is a separate protocol that is supported by NBAR. It is important to note that the NBAR RTP Payload Type Classification feature does not identify RTCP packets and that RTCP packets run on odd-numbered ports while RTP packets run on even-numbered ports.
The data part of RTP is a thin protocol that provides support for applications with real-time properties such as continuous media (audio and video), which includes timing reconstruction, loss detection, and security and content identification. RTP is discussed in RFC 1889 (A Transport Protocol for Real-Time Applications) and RFC 1890 (RTP Profile for Audio and Video Conferences with Minimal Control).
The RTP payload type is the data transported by RTP in a packet, for example audio samples or compressed video data.
NBAR RTP Payload Type Classification not only allows one to statefully identify real-time audio and video traffic but can also differentiate on the basis of audio and video codecs to provide more granular QoS. The RTP Payload Type Classification feature, therefore, looks deep into the RTP header to classify RTP packets.
For more information on the classification of RTP with NBAR please refer to http://www.cisco.com/en/US/products/ps6616/products_white_paper09186a0080110040.shtml
NBAR and Classification of Custom Protocols and Applications
NBAR supports the use of custom protocols to identify custom applications. Custom protocols support static port-based protocols and applications that NBAR does not currently support. You can add to the set of protocols and application types that NBAR recognizes by creating custom protocols.
Custom protocols extend the capability of NBAR Protocol Discovery to classify and monitor additional static port applications and allow NBAR to classify nonsupported static port traffic.
Once the custom protocols are defined, we can then use them with the help of NBAR protocol discovery and the MQC to classify the traffic.
With NBAR supporting the use of custom protocols, NBAR can map static TCP and UDP port numbers to the custom protocols.
NBAR includes the following features related to custom protocols and applications:
• Custom protocols had to be named custom-xx, with xx being a number.
• Ten custom applications can be assigned using NBAR, and each custom application can have up to 16 TCP and 16 UDP ports each mapped to the individual custom protocol. The real-time statistics of each custom protocol can be monitored using Protocol Discovery.
• The ability to inspect the payload for certain matching string patterns at a specific offset.
• The ability to allow users to define the names of their custom protocol applications. The user-named protocol can then be used by Protocol Discovery, the Protocol Discovery MIB, the match protocol command, and the ip nbar port-map command as an NBAR-supported protocol.
• The ability for NBAR to inspect custom protocols specified by traffic direction (that is, traffic heading toward a source or destination rather than traffic in both directions) if desired by the user.
• CLI support that allows a user who is configuring a custom application to specify a range of ports rather than specifying each port individually.
• The variable keyword, the field-name argument, and the field-length argument were added to the ip nbar custom command. This additional keyword and two additional arguments allow for creation of more than one custom protocol based on the same port numbers.
• After creating a variable when creating a custom protocol, you can use the match protocol command to classify traffic on the basis of a specific value in the custom protocol.
Note: For more information about these quality of service (QoS) commands, see the Cisco IOS Quality of Service Solutions Command Reference.
In the following example, the custom protocol app_sales1 will identify TCP packets that have a source port of 4567 and that contain the term "SALES" in the fifth byte of the payload:
Router(config)# ip nbar custom app_sales1 5 ascii SALES source tcp 4567
In the following example, the custom protocol virus_home will identify UDP packets that have a destination port of 3000 and that contain "0x56" in the seventh byte of the payload:
Router(config)# ip nbar custom virus_home 7 hex 0x56 destination udp 3000
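The two definitions above can be checked against sample packets before they are deployed. The following is an added example, not Cisco code, and it is a simplified model rather than the NBAR engine: it parses only the command form shown in the two examples, and it assumes the offset is counted from 1 (so offset 5 means the fifth payload byte, as the text describes). The Packet class, function names, and sample packets are constructed for illustration.

```python
"""Simplified model of the two `ip nbar custom` definitions shown above."""
import re
from dataclasses import dataclass

# The two commands exactly as they appear on this page.
PAGE_COMMANDS = [
    "Router(config)# ip nbar custom app_sales1 5 ascii SALES source tcp 4567",
    "Router(config)# ip nbar custom virus_home 7 hex 0x56 destination udp 3000",
]

# Only this form is parsed:
#   ip nbar custom <name> <offset> <ascii|hex> <value> <source|destination> <tcp|udp> <port>
_CMD = re.compile(
    r"ip nbar custom (?P<name>\S+) (?P<offset>\d+) (?P<fmt>ascii|hex) "
    r"(?P<value>\S+) (?P<direction>source|destination) (?P<l4>tcp|udp) "
    r"(?P<port>\d+)$"
)


@dataclass(frozen=True)
class Packet:                # hypothetical container for the sample packets
    l4: str
    src_port: int
    dst_port: int
    payload: bytes


@dataclass(frozen=True)
class CustomProtocol:
    name: str
    offset: int              # assumed 1-based: 5 means "the fifth byte"
    pattern: bytes
    direction: str
    l4: str
    port: int

    def matches(self, pkt):
        if pkt.l4 != self.l4:
            return False
        port = pkt.src_port if self.direction == "source" else pkt.dst_port
        if port != self.port:
            return False
        start = self.offset - 1
        # A payload too short to hold the pattern at the offset cannot match.
        return pkt.payload[start:start + len(self.pattern)] == self.pattern


def parse_custom(line):
    """Parse one command line; a leading CLI prompt is ignored."""
    m = _CMD.search(line.strip())
    if m is None:
        raise ValueError("unsupported command form: %r" % line)
    if m["fmt"] == "ascii":
        pattern = m["value"].encode("ascii")
    else:
        digits = m["value"]
        if digits.lower().startswith("0x"):
            digits = digits[2:]
        if len(digits) % 2:
            digits = "0" + digits
        pattern = bytes.fromhex(digits)
    return CustomProtocol(m["name"], int(m["offset"]), pattern,
                          m["direction"], m["l4"], int(m["port"]))


def classify(protocols, pkt):
    """Return the name of the first matching custom protocol, or None."""
    for proto in protocols:
        if proto.matches(pkt):
            return proto.name
    return None


PROTOCOLS = [parse_custom(c) for c in PAGE_COMMANDS]

# Constructed sample packets.
SAMPLES = [
    Packet("tcp", 4567, 51000, b"\x01\x02\x03\x04SALES Q3"),  # SALES at byte 5
    Packet("tcp", 4567, 51000, b"SALES Q3"),                  # SALES at byte 1
    Packet("tcp", 51000, 4567, b"\x01\x02\x03\x04SALES Q3"),  # wrong direction
    Packet("udp", 40000, 3000, b"\x00" * 6 + b"\x56"),        # 0x56 at byte 7
    Packet("udp", 40000, 3000, b"\x00\x00\x56"),              # payload too short
]


def classify_samples():
    return [classify(PROTOCOLS, p) for p in SAMPLES]


if __name__ == "__main__":
    for pkt, name in zip(SAMPLES, classify_samples()):
        print(pkt.l4, pkt.src_port, pkt.dst_port, name)
```

The third and fifth samples are the cases to check first when writing a signature: the right bytes on the wrong side of the connection, and a payload that ends before the offset.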
NBAR and Classification with Dynamic PDLMs
Dynamic PDLMs allow new protocol support for NBAR without the requirement of an IOS release upgrade and router reload. Subsequent IOS releases incorporate support for these new protocols.
Note: PDLMs must be loaded on both RPs when using the ASR1006 redundant hardware setup.
Dynamic PDLMs are platform specific and have a Software Family Identifier (SFI) embedded in them. Dynamic PDLMs of other platforms cannot be loaded on ASR1000 series routers.
NBAR and Classification of Peer-to-Peer File-Sharing Applications
The following are the most common peer-to-peer file-sharing applications supported by NBAR:
• BitTorrent
• DirectConnect
• eDonkey
• eMule
• FastTrack
• Kazaa (as well as Kazaa Lite and Kazaa Lite Resurrection)
• Win MX
In Cisco IOS Software Release XE 2.5, the DirectConnect and the eDonkey P2P protocols also support subclassifications.
• eDonkey classifies both the eMule and the eDonkey traffic. eDonkey supports the following subclassification options:
  – file-transfer
  – search-file-name
  – text-chat
• DirectConnect supports the file-transfer subprotocol classification. Example: match protocol fasttrack file-transfer.
Gnutella Also Supported
Gnutella is another file-sharing protocol that became classifiable using NBAR in Cisco IOS XE Release 2.5.
Applications that use the Gnutella protocol include Bearshare, Gnewtellium, Gnucleus, Gtk-Gnutella, Limewire, Mutella, Phex, Qtella, Swapper, and Xolo.
The match protocol gnutella file-transfer regular-expression and match protocol fasttrack file-transfer regular-expression commands are used to enable Gnutella and FastTrack classification in a traffic class. The file-transfer keyword indicates that a regular expression variable will be used to identify specific Gnutella or FastTrack traffic. The regular-expression variable can be expressed as "*" to indicate that all FastTrack or Gnutella traffic be classified by a traffic class.
In the following example, all FastTrack traffic is classified into class map nbar:
class-map match-all nbar
match protocol fasttrack file-transfer "*"
Similarly, all Gnutella traffic is classified into class map nbar in the following example:
class-map match-all nbar
match protocol gnutella file-transfer "*"
Wildcard characters in a regular expression can also be used to identify specified Gnutella and FastTrack traffic. These regular expression matches can be used to match on the basis of filename extension or a particular string in a filename.
In the following example, all Gnutella files that have the .mpeg extension will be classified into class map nbar.
class-map match-all nbar
match protocol gnutella file-transfer "*.mpeg"
In the following example, only Gnutella traffic that contains the characters "cisco" is classified:
class-map match-all nbar
match protocol gnutella file-transfer "*cisco*"
The same examples can be used for FastTrack traffic:
class-map match-all nbar
match protocol fasttrack file-transfer "*.mpeg"
or
class-map match-all nbar
match protocol fasttrack file-transfer "*cisco*"
NBAR Scalability
Interface Scalability
In Cisco IOS Software Release 2.5, NBAR protocol discovery is supported only on 256 interfaces. There is no such limit for the NBAR MQC policies.
Flow Scalability
In Cisco IOS Software Release XE 2.5, the following are supported:
• A maximum of 250K bidirectional flows on the ESP10 and the ESP20 hardware.
• A maximum of 125K bidirectional flows on the ESP5.
If this limit is crossed or there is a memory flow constraint, new flows will be classified as Unknown.
NBAR-Supported Protocols
The match protocol (NBAR) command is used to classify traffic on the basis of protocols supported by NBAR. NBAR is capable of classifying the following types of protocols:
• Non-UDP and non-TCP IP protocols
• TCP and UDP protocols that use statically assigned port numbers
• TCP and UDP protocols that use statically assigned port numbers but still require stateful inspection
• TCP and UDP protocols that dynamically assign port numbers and therefore require stateful inspection
Table 1 lists the NBAR-supported protocols available in Cisco IOS XE Software, sorted by category. The table also provides information about the protocol type, the well-known port numbers (if applicable), the syntax for entering the protocol in NBAR, and the Cisco IOS XE Software release in which the protocol was initially supported. This table is updated when a protocol becomes supported in Cisco IOS XE Software.
f
Table 1 NBAR-Supported Protocols
Category
|
Protocol
|
Type
|
Well-Known Port Number
|
Description
|
Syntax
|
Cisco IOS XE Release
|
Enterprise Applications
|
Novadigm
|
TCP/ UDP
|
3460-3465
|
Novadigm Enterprise Desktop Manager (EDM)
|
novadigm
|
Cisco IOS XE Release 2.3
|
Citrix (ICA, CGP, IMA, SB)
|
TCP/ UDP
|
TCP: 1494, 2512, 2513, 2598 UDP: 1604
|
Citrix ICA traffic
|
citrix citrix app citrix ica-tag
|
Cisco IOS XE Release 2.5
|
Oracle
|
TCP
|
1525
|
Oracle
|
ora-srv
|
Cisco IOS XE Release 2.3
|
PCAnywhere
|
TCP/UDP
|
TCP: 5631, 65301 UDP: 22, 5632
|
Symantic PCAnywhere
|
pcanywhere
|
Cisco IOS XE Release 2.3
|
SAP
|
TCP
|
3300-3315 3200-3215 3600-3615
|
SAP
|
sap
|
Cisco IOS XE Release 2.5
|
Exchange1
|
TCP
|
135
|
MS-RPC for Exchange
|
exchange
|
Cisco IOS XE Release 2.5
|
Routing Protocols
|
BGP
|
TCP/ UDP
|
179
|
Border Gateway Protocol
|
bgp
|
Cisco IOS XE Release 2.3
|
EGP
|
IP
|
8
|
Exterior Gateway Protocol
|
egp
|
Cisco IOS XE Release 2.3
|
EIGRP
|
IP
|
88
|
Enhanced Interior Gateway Routing Protocol
|
eigrp
|
Cisco IOS XE Release 2.3
|
OSPF
|
IP
|
89
|
Open Shortest Path First
|
ospf
|
Cisco IOS XE Release 2.3
|
RIP
|
UDP
|
520
|
Routing Information Protocol
|
rip
|
Cisco IOS XE Release 2.3
|
Database
|
SQL-exec
|
TCP/UDP
|
9088
|
SQL Exec
|
sqlexec
|
Cisco IOS XE Release 2.3
|
SQL*NET
|
TCP/ UDP
|
1521
|
SQL*NET for Oracle
|
sqlnet
|
Cisco IOS XE Release 2.5
|
Financial
|
FIX
|
TCP
|
Dynamically Assigned
|
Financial Information Exchange
|
fix
|
Cisco IOS XE Release 2.5
|
Security and Tunneling
|
GRE
|
IP
|
47
|
Generic Routing Encapsulation
|
gre
|
Cisco IOS XE Release 2.3
|
IPINIP
|
IP
|
4
|
IP in IP
|
ipinip
|
Cisco IOS XE Release 2.3
|
IPsec
|
IP
|
50, 51
|
IP Encapsulating Security Payload/ Authentication- Header
|
ipsec
|
Cisco IOS XE Release 2.3
|
L2TP
|
UDP
|
1701
|
L2F/L2TP Tunnel
|
l2tp
|
Cisco IOS XE Release 2.3
|
PPTP
|
TCP
|
1723
|
Point-to-Point Tunneling Protocol for VPN
|
pptp
|
Cisco IOS XE Release 2.3
|
SFTP
|
TCP
|
990
|
Secure FTP
|
secure-ftp
|
Cisco IOS XE Release 2.3
|
SHTTP
|
TCP
|
443
|
Secure HTTP
|
secure-http
|
Cisco IOS XE Release 2.1
|
SIMAP
|
TCP/ UDP
|
585, 993
|
Secure IMAP
|
secure-imap
|
Cisco IOS XE Release 2.3
|
SIRC
|
TCP/ UDP
|
994
|
Secure IRC
|
secure-irc
|
Cisco IOS XE Release 2.3
|
SLDAP
|
TCP/ UDP
|
636
|
Secure LDAP
|
secure-ldap
|
Cisco IOS XE Release 2.3
|
SNNTP
|
TCP/ UDP
|
563
|
Secure NNTP
|
secure-nntp
|
Cisco IOS XE Release 2.3
|
SOCKS
|
TCP
|
1080
|
Firewall Security Protocol
|
socks
|
Cisco IOS XE Release 2.3
|
SPOP3
|
TCP/ UDP
|
995
|
Secure POP3
|
secure-pop3
|
Cisco IOS XE Release 2.3
|
SSH
|
TCP
|
22
|
Secured Shell
|
ssh
|
Cisco IOS XE Release 2.3
|
STELNET
|
TCP
|
992
|
Secure Telnet
|
secure-telnet
|
Cisco IOS XE Release 2.3
|
Network Management
|
ICMP
|
IP
|
1
|
Internet Control Message Protocol
|
icmp
|
Cisco IOS XE Release 2.3
|
SNMP
|
TCP/ UDP
|
161, 162
|
Simple Network Management Protocol
|
snmp
|
Cisco IOS XE Release 2.3
|
Syslog
|
UDP
|
514
|
System Logging Utility
|
syslog
|
Cisco IOS XE Release 2.3
|
Network Mail Services
|
IMAP
|
TCP/ UDP
|
143, 220
|
Internet Message Access Protocol
|
imap
|
Cisco IOS XE Release 2.3
|
Notes
|
TCP/ UDP
|
1352
|
Lotus Notes
|
notes
|
Cisco IOS XE Release 2.3
|
POP3
|
TCP/ UDP
|
110
|
Post Office Protocol
|
pop3
|
Cisco IOS XE Release 2.1
|
SMTP
|
TCP
|
25
|
Simple Mail Transfer Protocol
|
smtp
|
Cisco IOS XE Release 2.3
|
Directory | DHCP/BOOTP | UDP | 67, 68 | Dynamic Host Configuration Protocol/Bootstrap Protocol | dhcp | Cisco IOS XE Release 2.1
Directory | DNS | TCP/UDP | 53 | Domain Name System | dns | Cisco IOS XE Release 2.1
Directory | Finger | TCP | 79 | Finger User Information Protocol | finger | Cisco IOS XE Release 2.3
Directory | Kerberos | TCP/UDP | 88, 749 | Kerberos Network Authentication Service | kerberos | Cisco IOS XE Release 2.3
Directory | LDAP | TCP/UDP | 389 | Lightweight Directory Access Protocol | ldap | Cisco IOS XE Release 2.3
Internet | FTP | TCP | Dynamically Assigned | File Transfer Protocol | ftp | Cisco IOS XE Release 2.1
Internet | Gopher | TCP/UDP | 70 | Internet Gopher Protocol | gopher | Cisco IOS XE Release 2.3
Internet | HTTP | TCP | 80 | Hypertext Transfer Protocol | http | Cisco IOS XE Release 2.1, Cisco IOS XE Release 2.5
Internet | IRC | TCP/UDP | 194 | Internet Relay Chat | irc | Cisco IOS XE Release 2.3
Internet | NNTP | TCP/UDP | 119 | Network News Transfer Protocol | nntp | Cisco IOS XE Release 2.3
Internet | Telnet | TCP | 23 | Telnet Protocol | telnet | Cisco IOS XE Release 2.1
Internet | TFTP | UDP | Static (69) with inspection | Trivial File Transfer Protocol | tftp | Cisco IOS XE Release 2.5
Signaling | AppleQTC | TCP/UDP | 458 | Apple Quick Time | appleqtc | Cisco IOS XE Release 2.3
Signaling | Chargen | TCP/UDP | 19 | Character Generator | chargen | Cisco IOS XE Release 2.3
Signaling | ClearCase | TCP/UDP | 371 | Clear Case Protocol Software Informer | clearcase | Cisco IOS XE Release 2.3
Signaling | Corba | TCP/UDP | 683, 684 | Corba Internet Inter-Orb Protocol (IIOP) | corba-iiop | Cisco IOS XE Release 2.3
Signaling | Daytime | TCP/UDP | 13 | Daytime Protocol | daytime | Cisco IOS XE Release 2.3
Signaling | Doom | TCP/UDP | 666 | Doom | doom | Cisco IOS XE Release 2.3
Signaling | Echo | TCP/UDP | 7 | Echo Protocol | echo | Cisco IOS XE Release 2.3
Signaling | IBM DB2 | TCP/UDP | 523 | IBM Information Management | ibm-db2 | Cisco IOS XE Release 2.3
Signaling | IPX | TCP/UDP | 213 | Internet Packet Exchange | server-ipx | Cisco IOS XE Release 2.3
Signaling | ISAKMP | TCP/UDP | 500 | Internet Security Association and Key Management Protocol | isakmp | Cisco IOS XE Release 2.3
Signaling | ISI-GL | TCP/UDP | 55 | Interoperable Self Installation Graphics Language | isi-gl | Cisco IOS XE Release 2.3
Signaling | KLogin | TCP | 543 | KLogin | klogin | Cisco IOS XE Release 2.3
Signaling | KShell | TCP | 544 | KShell | kshell | Cisco IOS XE Release 2.3
Signaling | LockD | TCP/UDP | 4045 | LockD | lockd | Cisco IOS XE Release 2.3
Signaling | MSSQL | TCP | 1433 | Microsoft Structured Query Language (SQL) Server | mssql | Cisco IOS XE Release 2.3
Signaling | RSVP | IP/UDP | IP: 46; UDP: 1698, 1699 | Resource Reservation Protocol | rsvp | Cisco IOS XE Release 2.3
RPC | NFS | TCP/UDP | 2049 | Network File System | nfs | Cisco IOS XE Release 2.3
RPC | Sunrpc | TCP/UDP | Dynamically Assigned | Sun Remote Procedure Call | sunrpc | Cisco IOS XE Release 2.5
Non-IP and LAN/Legacy | NetBIOS | TCP/UDP | 137, 138, 139 | NetBIOS over IP (MS Windows) | netbios | Cisco IOS XE Release 2.3
Non-IP and LAN/Legacy | Nickname | TCP/UDP | 43 | Nickname | nicname | Cisco IOS XE Release 2.3
Non-IP and LAN/Legacy | NPP | TCP/UDP | 92 | Network Payment Protocol | npp | Cisco IOS XE Release 2.3
Miscellaneous | NTP | TCP/UDP | 123 | Network Time Protocol | ntp | Cisco IOS XE Release 2.3
Miscellaneous | Printer | TCP/UDP | 515 | Printer | printer | Cisco IOS XE Release 2.3
Miscellaneous | RCP | TCP/UDP | 469 | Rate Control Protocol | rcp | Cisco IOS XE Release 2.3
Miscellaneous | RTelnet | TCP/UDP | 107 | Remote Telnet Service | rtelnet | Cisco IOS XE Release 2.3
Miscellaneous | Systat | TCP/UDP | 11 | System Statistics | systat | Cisco IOS XE Release 2.3
Miscellaneous | TACACS | TCP/UDP | 49, 65 | Terminal Access Controller Access-Control System | tacacs | Cisco IOS XE Release 2.3
Miscellaneous | Time | TCP/UDP | 37 | Time | time | Cisco IOS XE Release 2.3
Miscellaneous | VNC | TCP/UDP | 5800, 5900, 5901 | Virtual Network Computing | vnc | Cisco IOS XE Release 2.3
Miscellaneous | Whois++ | TCP/UDP | 63 | Whois++ | whois++ | Cisco IOS XE Release 2.3
Miscellaneous | XDMCP | UDP | 177 | X Display Manager Control Protocol | xdmcp | Cisco IOS XE Release 2.3
Miscellaneous | X Windows | TCP | 6000-6003 | X Window System | xwindows | Cisco IOS XE Release 2.3
Voice | H.323 | TCP | Dynamically Assigned | H.323 Teleconferencing Protocol | h323 | Cisco IOS XE Release 2.1
Voice | SIP | TCP/UDP | 5060 | Session Initiation Protocol | sip | Cisco IOS XE Release 2.1
Voice | Skype2 | TCP/UDP | Dynamically Assigned | VoIP Client Software | skype | Cisco IOS XE Release 2.1, Cisco IOS XE Release 2.5
Voice | RTP | TCP/UDP | Dynamically Assigned | Real-Time Transport Protocol Payload Classification | rtp | Cisco IOS XE Release 2.5
Desktop Media | CUSeeMe | TCP/UDP | TCP: 7648, 7649; UDP: 24032 | CU-SeeMe Desktop Video Conference | cuseeme | Cisco IOS XE Release 2.3
Streaming Media | RTSP | TCP | 554 | Real-Time Streaming Protocol | rtsp | Cisco IOS XE Release 2.3
Peer-to-Peer File-Sharing Applications | BitTorrent3 | TCP | Dynamically Assigned, or 6881-6889 | BitTorrent File Transfer Traffic | bittorrent | Cisco IOS XE Release 2.5
Peer-to-Peer File-Sharing Applications | Direct Connect | TCP/UDP | 411 | Direct Connect File Transfer Traffic | directconnect | Cisco IOS XE Release 2.5
Peer-to-Peer File-Sharing Applications | eDonkey/eMule | TCP | 4662 | eDonkey File-Sharing Application. eMule traffic is also classified as eDonkey traffic in NBAR. | edonkey | Cisco IOS XE Release 2.5
Peer-to-Peer File-Sharing Applications | FastTrack | N/A | Dynamically Assigned | FastTrack | fasttrack | Cisco IOS XE Release 2.5
Peer-to-Peer File-Sharing Applications | Gnutella | TCP | Dynamically Assigned | Gnutella | gnutella | Cisco IOS XE Release 2.5
Peer-to-Peer File-Sharing Applications | KaZaA | TCP/UDP | Dynamically Assigned | KaZaA. Note that earlier KaZaA version 1 traffic can be classified using FastTrack. | kazaa2 | Cisco IOS XE Release 2.5
Peer-to-Peer File-Sharing Applications | WinMX | TCP | 6699 | WinMX Traffic | winmx | Cisco IOS XE Release 2.5
NBAR Protocol Discovery
NBAR includes a feature called Protocol Discovery. Protocol Discovery provides an easy way to discover the application protocols that are operating on an interface. For more information about Protocol Discovery, see the "Enabling Protocol Discovery" module.
NBAR Protocol Discovery MIB
The NBAR Protocol Discovery Management Information Base (MIB) expands the capabilities of NBAR Protocol Discovery by providing the following new functionality through Simple Network Management Protocol (SNMP):
• Enable or disable Protocol Discovery per interface.
• Display Protocol Discovery statistics.
• Configure and view multiple top-n tables that list protocols by bandwidth usage.
• Configure thresholds based on traffic of particular NBAR-supported protocols or applications that report breaches and send notifications when these thresholds are crossed.
For more information about the NBAR Protocol Discovery MIB, see the "Network-Based Application Recognition Protocol Discovery Management Information Base" module.
NBAR Configuration Processes
Configuring NBAR consists of the following processes:
• Enabling Protocol Discovery (required)
  When you configure NBAR, the first process is to enable Protocol Discovery.
• Configuring NBAR using the MQC (optional)
  After you enable Protocol Discovery, you have the option to configure NBAR using the functionality of the MQC.
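The two processes above, shown as an added configuration sketch that is not taken from the Cisco module: Protocol Discovery is enabled on an interface, then an MQC class map matches the peer-to-peer keywords from the Syntax column of the NBAR-supported protocols table and a policy map rate-limits that class. The interface name, the class-map and policy-map names, and the 128000 bps rate are assumptions chosen for illustration.

```ios
! Added example. Interface, names and the police rate are assumptions.
!
! Process 1 (required): enable Protocol Discovery on the interface.
interface GigabitEthernet0/0/0
 ip nbar protocol-discovery
!
! Process 2 (optional): classify with the MQC. Each keyword below is the
! Syntax value listed for that protocol in the NBAR-supported protocols table.
class-map match-any P2P-FILESHARE
 match protocol bittorrent
 match protocol directconnect
 match protocol edonkey
 match protocol fasttrack
 match protocol gnutella
 match protocol kazaa2
 match protocol winmx
!
! Apply a QoS action to the class: here, police it to a low rate.
policy-map LIMIT-P2P
 class P2P-FILESHARE
  police cir 128000 conform-action transmit exceed-action drop
!
! Attach the policy to the same interface, inbound.
interface GigabitEthernet0/0/0
 service-policy input LIMIT-P2P
```

After applying it, `show ip nbar protocol-discovery` reports the per-protocol statistics gathered on the interface, and `show policy-map interface GigabitEthernet0/0/0` shows how many packets matched the class and were policed.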
Additional References
The following sections provide references related to classifying network traffic using NBAR.
Related Documents
Standards
Standards | Title
ISO 0009 | File Transfer Protocol (FTP)
ISO 0013 | Domain Names - Concepts and Facilities
ISO 0033 | The TFTP Protocol (Revision 2)
ISO 0034 | Routing Information Protocol
ISO 0053 | Post Office Protocol - Version 3
ISO 0056 | RIP Version 2
MIBs
MIBs | MIBs Link
No new or modified MIBs are supported, and support for existing MIBs has not been modified. | To locate and download MIBs for selected platforms, Cisco IOS XE Software releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs
RFCs
RFC | Title
RFC 742 | NAME/FINGER Protocol
RFC 759 | Internet Message Protocol
RFC 768 | User Datagram Protocol
RFC 792 | Internet Control Message Protocol
RFC 793 | Transmission Control Protocol
RFC 821 | Simple Mail Transfer Protocol
RFC 827 | Exterior Gateway Protocol
RFC 854 | Telnet Protocol Specification
RFC 888 | "STUB" Exterior Gateway Protocol
RFC 904 | Exterior Gateway Protocol Formal Specification
RFC 951 | Bootstrap Protocol
RFC 959 | File Transfer Protocol
RFC 977 | Network News Transfer Protocol
RFC 1001 | Protocol Standard for a NetBIOS Service on a TCP/UDP Transport: Concepts and Methods
RFC 1002 | Protocol Standard for a NetBIOS Service on a TCP/UDP Transport: Detailed Specifications
RFC 1057 | RPC: Remote Procedure Call
RFC 1094 | NFS: Network File System Protocol Specification
RFC 1112 | Host Extensions for IP Multicasting
RFC 1157 | Simple Network Management Protocol
RFC 1282 | BSD Rlogin
RFC 1288 | The Finger User Information Protocol
RFC 1305 | Network Time Protocol
RFC 1350 | The TFTP Protocol (Revision 2)
RFC 1436 | The Internet Gopher Protocol
RFC 1459 | Internet Relay Chat Protocol
RFC 1510 | The Kerberos Network Authentication Service
RFC 1542 | Clarifications and Extensions for the Bootstrap Protocol
RFC 1579 | Firewall-Friendly FTP
RFC 1583 | OSPF Version 2
RFC 1657 | Definitions of Managed Objects for the Fourth Version of the Border Gateway Protocol
RFC 1701 | Generic Routing Encapsulation
RFC 1730 | Internet Message Access Protocol—Version 4
RFC 1771 | A Border Gateway Protocol 4 (BGP-4)
RFC 1777 | Lightweight Directory Access Protocol
RFC 1831 | RPC: Remote Procedure Call Protocol Specification Version 2
RFC 1889 | A Transport Protocol for Real-Time Applications
RFC 1890 | RTP Profile for Audio and Video Conferences with Minimal Control
RFC 1928 | SOCKS Protocol Version 5
RFC 1939 | Post Office Protocol—Version 3
RFC 1945 | Hypertext Transfer Protocol—HTTP/1.0
RFC 1964 | The Kerberos Version 5 GSS-API Mechanism
RFC 2045 | Multipurpose Internet Mail Extension (MIME) Part One: Format of Internet Message Bodies
RFC 2060 | Internet Message Access Protocol—Version 4 rev1
RFC 2068 | Hypertext Transfer Protocol—HTTP/1.1
RFC 2131 | Dynamic Host Configuration Protocol
RFC 2205 | Resource ReSerVation Protocol (RSVP)—Version 1 Functional Specification
RFC 2236 | Internet Group Management Protocol, Version 2
RFC 2251 | Lightweight Directory Access Protocol (v3)
RFC 2252 | Lightweight Directory Access Protocol (v3): Attribute Syntax Definitions
RFC 2253 | Lightweight Directory Access Protocol (v3): UTF-8 String Representation of Distinguished Names
RFC 2401 | Security Architecture for the Internet Protocol
RFC 2406 | IP Encapsulating Security Payload
RFC 2453 | RIP Version 2
RFC 2616 | Hypertext Transfer Protocol—HTTP/1.1 (Note: This RFC updates RFC 2068.)
Technical Assistance
Description | Link
The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. | http://www.cisco.com/techsupport
Feature Information for Classifying Network Traffic Using NBAR
Table 2 lists the features in this module and provides links to specific configuration information.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS XE Software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note: Table 2 lists the Cisco IOS XE Software release that introduced support for a given feature in a given Cisco IOS XE Software release train. Unless noted otherwise, subsequent releases of that Cisco IOS XE Software release train also support that feature.
Table 2 Feature Information for Classifying Network Traffic Using NBAR (Cisco IOS XE)
Feature Name | Releases | Feature Information
NBAR PDLM supported in ASR1000 Release 5 | Cisco IOS XE Release 2.5 | This feature was integrated into Cisco IOS XE Release 2.5. Additional NBAR-supported protocols were added for this release. The following section provides information about this feature: "NBAR-Supported Protocols" section. The following command was modified: match protocol (NBAR).
NBAR Protocols | Cisco IOS XE Release 2.3 | This feature was integrated into Cisco IOS XE Release 2.3. Additional NBAR-supported protocols were added for this release. The following section provides information about this feature: "NBAR-Supported Protocols" section. The following command was modified: match protocol (NBAR).
NBAR Real-time Transport Protocol Payload Classification | Cisco IOS XE Release 2.1 | This feature was introduced on Cisco ASR 1000 Series Routers. The following section provides information about this feature: "NBAR-Supported Protocols" section.
Glossary
encryption—Encryption is the application of a specific algorithm to data so as to alter the appearance of the data, making it incomprehensible to those who are not authorized to see the information.
HTTP—Hypertext Transfer Protocol. The protocol used by web browsers and web servers to transfer files, such as text and graphic files.
IANA—Internet Assigned Numbers Authority. An organization operated under the auspices of the Internet Society (ISOC) as a part of the Internet Architecture Board (IAB). IANA delegates authority for IP address-space allocation and domain-name assignment to the InterNIC and other organizations. IANA also maintains a database of assigned protocol identifiers used in the TCP/IP stack, including autonomous system numbers.
LAN—local-area network. A high-speed, low-error data network that covers a relatively small geographic area (up to a few thousand meters). LANs connect workstations, peripherals, terminals, and other devices in a single building or other geographically limited area. LAN standards specify cabling and signaling at the physical and data link layers of the Open System Interconnection (OSI) model. Ethernet, FDDI, and Token Ring are widely used LAN technologies.
MIME—Multipurpose Internet Mail Extension. The standard for transmitting nontext data (or data that cannot be represented in plain ASCII code) in Internet mail, such as binary, foreign language text (such as Russian or Chinese), audio, and video data. MIME is defined in RFC 2045: Multipurpose Internet Mail Extension (MIME) Part One: Format of Internet Message Bodies.
MPLS—Multiprotocol Label Switching. A switching method that forwards IP traffic using a label. This label instructs the routers and the switches in the network where to forward the packets based on preestablished IP routing information.
MQC—Modular Quality of Service Command-Line Interface. A command-line interface that allows you to define traffic classes, create and configure traffic policies (policy maps), and then attach the policy maps to interfaces. The policy maps are used to apply the appropriate quality of service (QoS) to network traffic.
Protocol Discovery—A feature included with NBAR. Protocol Discovery provides a way to discover the application protocols that are operating on an interface.
QoS—quality of service. A measure of performance for a transmission system that reflects its transmission quality and service availability.
RTCP—RTP Control Protocol. A protocol that monitors the QoS of an IPv6 Real-Time Transport Protocol (RTP) connection and conveys information about the ongoing session.
stateful protocol—A protocol that uses TCP and UDP port numbers that are determined at connection time.
static protocol—A protocol that uses well-defined (predetermined) TCP and UDP ports for communication.
subport classification—The classification of network traffic by information that is contained in the packet payload; that is, information found beyond the TCP or UDP port number.
TCP—Transmission Control Protocol. A connection-oriented transport layer protocol that provides reliable full-duplex data transmission. TCP is part of the TCP/IP protocol stack.
tunneling—Tunneling is an architecture that is designed to provide the services necessary to implement any standard point-to-point encapsulation scheme.
UDP—User Datagram Protocol. A connectionless transport layer protocol in the TCP/IP protocol stack. UDP is a simple protocol that exchanges datagrams without acknowledgments or guaranteed delivery, requiring that error processing and retransmission be handled by other protocols. UDP is defined in RFC 768: User Datagram Protocol.
WAN—wide-area network. A data communications network that serves users across a broad geographic area and often uses transmission devices provided by common carriers.
© 2006-2009 Cisco Systems, Inc. All rights reserved.