Home | Skip to Content | Skip to Search | Skip to Navigation | Skip to Footer |
Worldwide [change] |Register |About Cisco
Guest

Hierarchical Navigation

Cisco IOS Software

Classifying Network Traffic Using NBAR

Downloads

Table Of Contents

Classifying Network Traffic Using NBAR

Contents

Prerequisites for Using NBAR

Restrictions for Using NBAR

Layer 2 NBAR Restrictions

Information About Using NBAR

NBAR Functionality

NBAR Benefits

NBAR and Classification of HTTP Traffic

Classification of HTTP Traffic by URL, Host, or MIME

Classification of HTTP Traffic Using the HTTP Header Fields

Combining Classification of HTTP Headers and URL, Host, or MIME Type to Identify HTTP Traffic

NBAR and Classification of Citrix ICA Traffic

Classification of Citrix ICA Traffic by Published Application Name

Classification of Citrix ICA Traffic by ICA Tag Number

NBAR and RTP Payload Type Classification

NBAR and Classification of Custom Protocols and Applications

NBAR and Classification of Peer-to-Peer File-Sharing Applications

NBAR and Classification of Streaming Protocols

NBAR and AutoQoS

NBAR and FWSM Integration

NBAR-Supported Protocols

NBAR Memory Management

NBAR Protocol Discovery

NBAR Protocol Discovery MIB

NBAR Configuration Processes

Where to Go Next

Additional References

Related Documents

Standards

MIBs

RFCs

Technical Assistance

Glossary


Classifying Network Traffic Using NBAR

First Published: April 4, 2006
Last Updated: September 22, 2008

Network-Based Application Recognition (NBAR) is a classification engine that recognizes and classifies a wide variety of protocols and applications. When NBAR recognizes and classifies a protocol or application, the network can be configured to apply the appropriate quality of service (QoS) for that application or traffic with that protocol.

This module contains overview information about classifying network traffic using NBAR. The processes for configuring NBAR are documented in separate modules.

Note This module includes information for both NBAR and Distributed Network-Based Application Recognition (dNBAR). dNBAR is NBAR used on the Cisco 7500 router with a Versatile Interface Processor (VIP) and on the Catalyst 6500 family of switches with a FlexWAN module or serial interface processor (SIP). The implementation of NBAR and dNBAR is identical. Therefore, unless otherwise noted, the term NBAR is used throughout this module to describe both NBAR and dNBAR. The term dNBAR is used only when applicable.

Contents

Prerequisites for Using NBAR

Restrictions for Using NBAR

Information About Using NBAR

Where to Go Next

Additional References

Glossary

Prerequisites for Using NBAR

CEF

Before you configure NBAR, you must enable Cisco Express Forwarding (CEF). For more information on CEF, see the "CEF Feature Roadmap" module.

Note This prerequisite does not apply if you are using Cisco IOS Release 12.2(18)ZYA.

Stateful Switchover Support

NBAR is currently not supported with Stateful Switchover (SSO). This restriction applies to the Catalyst 6500 switches and to the Cisco 7500 and Cisco 7600 series routers.

Memory Requirements for dNBAR

To use dNBAR on a Cisco 7500 series router, you must be using a slot controller (or VIP processor) that has 64 MB of DRAM or more. Therefore, before configuring dNBAR on your Cisco 7500 series router, review the DRAM specifications for your particular slot controller or VIP processor.

Restrictions for Using NBAR

NBAR does not support the following:

More than 24 concurrent URLs, hosts, or Multipurpose Internet Mail Extension (MIME) type matches.

Note For Cisco IOS Release 12.2(18)ZYA, the maximum number of concurrent URLs, hosts, or MIME type matches is 56.

Matching beyond the first 400 bytes in a packet payload in Cisco IOS releases before Cisco IOS Release 12.3(7)T. In Cisco IOS Release 12.3(7)T, this restriction was removed, and NBAR now supports full payload inspection. The only exception is that NBAR can inspect custom protocol traffic for only 255 bytes into the payload.

Non-IP traffic.

MPLS-labeled packets. NBAR classifies IP packets only. You can, however, use NBAR to classify IP traffic before the traffic is handed over to MPLS. Use the Modular Quality of Service (QoS) Command-Line Interface (CLI) (MQC) to set the IP differentiated services code point (DSCP) field on the NBAR-classified packets and make Multiprotocol Label Switching (MPLS) map the DSCP setting to the MPLS experimental (EXP) setting inside the MPLS header.

Multicast and other non-CEF switching modes.

Fragmented packets.

Pipelined persistent HTTP requests.

URL/host/MIME classification with secure HTTP.

Asymmetric flows with stateful protocols.

Packets that originate from or that are destined to the router running NBAR.

NBAR is not supported on the following logical interfaces:

Fast Etherchannel

Note Fast Etherchannels are supported in Cisco IOS Release 12.2(18)ZYA.

Dialer interfaces until Cisco IOS Release 12.2(4)T

Interfaces where tunneling or encryption is used

Note You cannot use NBAR to classify output traffic on a WAN link where tunneling or encryption is used. Therefore, you should configure NBAR on other interfaces of the router (such as a LAN link) to perform input classification before the traffic is switched to the WAN link.

Layer 2 NBAR Restrictions

The phrase "Layer 2 NBAR" refers to NBAR functionality used with Layer 2 interfaces (such as switchports, trunks, or Etherchannels).

Layer 2 NBAR functionality can also be used with service modules such as a Firewall Service Module (FWSM) and an Intrusion Detection Service Module (IDSM) with the following restriction. Layer 2 NBAR is not supported on Layer 2 interfaces that are configured as part of a service module (such as FWSM and IDSM) when those service modules are configured in inline mode (that is, network traffic is in a direct path through the service module).

Note This restriction does not apply to NBAR functionality that is used with Layer 3 interfaces.

However, Layer 2 NBAR is supported in non-inline mode with service modules even when using Switched Port Analyzer (SPAN), Remote SPAN (RSPAN), or VLAN Access Control List (VACL) Capture functionality to send traffic to a service module.

For more information about the FWSM and its connection features, see the "Configuring Advanced Connection Features" module of the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide.

For more information about the IDSM, see the "Configuring IDSM-2" module of the Configuring the Cisco Intrusion Prevention System Sensor Using the Command Line Interface.

For more information about SPAN or RSPAN, see the "Configuring SPAN and RSPAN" module of the Catalyst 6500 Series Software Configuration Guide.

For more information about VACL Capture, see the "VACL Capture for Granular Traffic Analysis with Cisco Catalyst 6000/6500 Running Cisco IOS Software" module.

Information About Using NBAR

Before classifying network traffic using NBAR, you should understand the following concepts:

NBAR Functionality

NBAR Benefits

NBAR and Classification of HTTP Traffic

NBAR and Classification of Citrix ICA Traffic

NBAR and RTP Payload Type Classification

NBAR and Classification of Custom Protocols and Applications

NBAR and Classification of Peer-to-Peer File-Sharing Applications

NBAR and Classification of Streaming Protocols

NBAR and AutoQoS

NBAR and FWSM Integration

NBAR-Supported Protocols

NBAR Memory Management

NBAR Protocol Discovery

NBAR Protocol Discovery MIB

NBAR Configuration Processes

NBAR Functionality

NBAR is a classification engine that recognizes and classifies a wide variety of protocols and applications, including web-based and other difficult-to-classify applications and protocols that use dynamic TCP/UDP port assignments.

When NBAR recognizes and classifies a protocol or application, the network can be configured to apply the appropriate QoS for that application or traffic with that protocol. The QoS is applied using the Modular Quality of Service Command-Line Interface (MQC).

Note For more information about NBAR and its relationship with the MQC, see the "Configuring NBAR Using the MQC" module.

Examples of the QoS features that can be applied to the network traffic (using the MQC) after NBAR has recognized and classified the application or protocol include the following:

Class-Based Marking

Class-Based Weighted Fair Queuing (CBWFQ)

Low Latency Queuing (LLQ)

Traffic Policing

Traffic Shaping

Note For Cisco IOS Release 12.2(18)ZYA on the Catalyst 6500 series switch (that is equipped with a Supervisor 32/programmable intelligent services accelerator [PISA]), only the QoS features listed below can be configured. These features can be configured (using the MQC) after NBAR has recognized and classified the application or protocol.

Traffic Classification

Traffic Marking

Traffic Policing

Note For more information about the QoS features, see the "Quality of Service Overview" module. For more information about the Catalyst 6500 series switch and QoS, see the "Configuring QoS" module of the Catalyst 6500 Series Software Configuration Guide.

NBAR introduces several classification features that identify applications and protocols from Layer 4 through Layer 7. These classification features include the following:

Statically assigned TCP and UDP port numbers.

Non-TCP and non-UDP IP protocols.

Dynamically assigned TCP and UDP port numbers.

This kind of classification requires stateful inspection; that is, the ability to inspect a protocol across multiple packets during packet classification.

Subport classification or classification based on deep-packet inspection.

Deep-packet classification is classification performed at a finer level of granularity. For instance, if a packet is already classified as HTTP traffic, it may be further classified by HTTP traffic with a specific URL.

Note Access control lists (ACLs) can also be used for classifying static port protocols. However, NBAR is easier to configure, and NBAR can provide classification statistics that are not available when ACLs are used.

NBAR includes a Protocol Discovery feature that provides an easy way to discover application protocols that are operating on an interface. For more information about Protocol Discovery, see the "Enabling Protocol Discovery" module.

Note NBAR classifies network traffic by application or protocol. Network traffic can be classified without using NBAR. For information about classifying network traffic without using NBAR, see the "Classifying Network Traffic" module.

NBAR Benefits

Improved Network Management

Identifying and classifying network traffic is an important first step in implementing QoS. A network administrator can more effectively implement QoS in a networking environment after identifying the amount and the variety of applications and protocols that are running on a network.

NBAR gives network administrators the ability to see the variety of protocols and the amount of traffic generated by each protocol. After gathering this information, NBAR allows users to organize traffic into classes. These classes can then be used to provide different levels of service for network traffic, thereby allowing better network management by providing the right level of network resources for network traffic.

NBAR and Classification of HTTP Traffic

This section includes information about the following topics:

Classification of HTTP Traffic by URL, Host, or MIME

Classification of HTTP Traffic Using the HTTP Header Fields

Combining Classification of HTTP Headers and URL, Host, or MIME Type to Identify HTTP Traffic

Classification of HTTP Traffic by URL, Host, or MIME

NBAR can classify application traffic by looking beyond the TCP/UDP port numbers of a packet. This is subport classification. NBAR looks into the TCP/UDP payload itself and classifies packets based on content within the payload such as that transaction identifier, message type, or other similar data.

Classification of HTTP traffic by URL, host, or Multipurpose Internet Mail Extension (MIME) type is an example of subport classification. NBAR classifies HTTP traffic by text within the URL or host fields of a request using regular expression matching. HTTP client request matching in NBAR supports most HTTP request methods such as GET, PUT, HEAD, POST, DELETE, OPTIONS, CONNECT, and TRACE. The NBAR engine then converts the specified match string into a regular expression.

Figure 1 illustrates a network topology with NBAR in which Router Y is the NBAR-enabled router.

Figure 1 Network Topology with NBAR

When specifying a URL for classification, include only the portion of the URL that follows the www.hostname.domain in the match statement. For example, for the URL www.cisco.com/latest/whatsnew.html, include only /latest/whatsnew.html with the match statement (for instance, match protocol http url /latest/whatsnew.html).

Note For Cisco IOS Release 12.2(18)ZY2 (and later) on the Cisco Catalyst 6500 series switch that is equipped with a Supervisor 32/PISA, up to 56 parameters or sub-classifications can be specified with the match protocol http command. These parameters or sub-classifications can be a combination of any of the available match choices, such as host matches, MIME matches, server matches, and URL matches. For other Cisco IOS releases and platforms, the maximum is 24 parameters or sub-classifications.

Host specification is identical to URL specification. NBAR performs a regular expression match on the host field contents inside an HTTP packet and classifies all packets from that host. For example, for the URL www.cisco.com/latest/whatsnew.html, include only www.cisco.com.

For MIME type matching, the MIME type can contain any user-specified text string. A list of the IANA-supported MIME types can be found at the following URL:

http://www.iana.org/assignments/media-types/

When matching by MIME type, NBAR matches a packet containing the MIME type and all subsequent packets until the next HTTP transaction.

NBAR supports URL and host classification in the presence of persistent HTTP. NBAR does not classify packets that are part of a pipelined request. With pipelined requests, multiple requests are pipelined to the server before previous requests are serviced. Pipelined requests are a less commonly used type of persistent HTTP request.

In Cisco IOS Release 12.3(4)T, the NBAR Extended Inspection for HTTP Traffic feature was introduced. This feature allows NBAR to scan TCP ports that are not well known and to identify HTTP traffic that traverses these ports. HTTP traffic classification is no longer limited to the well-known and defined TCP ports.

Classification of HTTP Traffic Using the HTTP Header Fields

In Cisco IOS Release 12.3(11)T, NBAR introduced expanded ability for users to classify HTTP traffic using information in the HTTP header fields.

HTTP works using a client/server model. HTTP clients open connections by sending a request message to an HTTP server. The HTTP server then returns a response message to the HTTP client (this response message is typically the resource requested in the request message from the HTTP client). After delivering the response, the HTTP server closes the connection and the transaction is complete.

HTTP header fields are used to provide information about HTTP request and response messages. HTTP has numerous header fields. For additional information on HTTP headers, see section 14 of RFC 2616: Hypertext Transfer Protocol—HTTP/1.1. This RFC can be found at the following URL:

http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html

NBAR is able to classify the following HTTP header fields:

For request messages (client to server), the following HTTP header fields can be identified using NBAR:

User-Agent

Referer

From

For response messages (server to client), the following HTTP header fields can be identified using NBAR:

Server

Location

Content-Encoding

Content-Base

Note Use of the Content-Base field has not been implemented by the HTTP community. (See RFC 2616 for details.) Therefore, the Content-Base field is not identified by NBAR on the Catalyst 6500 series switch that is equipped with a Supervisor 32/PISA.

Within NBAR, the match protocol http c-header-field command is used to specify that NBAR identify request messages (the "c" in the c-header-field portion of the command is for client). The match protocol http s-header-field command is used to specify response messages (the "s" in the s-header-field portion of the command is for server).

Note For Cisco IOS Release 12.2(18)ZY2 (and later) on the Cisco Catalyst 6500 series switch that is equipped with a Supervisor 32/PISA, the c-header-field and s-header-field keywords and associated arguments are not available. The same functionality is achieved by using the individual keywords and arguments. For more information, see the syntax of the match protocol http command in the Cisco IOS Quality of Service Solutions Command Reference.

Examples

In the following example, any request message that contains "somebody@cisco.com" in the User-Agent, Referer, or From fields will be classified by NBAR. Typically, a term with a format similar to "somebody@cisco.com" would be found in the From header field of the HTTP request message. 

class-map match-all class1

 match protocol http c-header-field "somebody@cisco.com"

In the following example, any request message that contains "http://www.cisco.com/routers" in the User-Agent, Referer, or From fields will be classified by NBAR. Typically, a term with a format similar to "http://www.cisco.com/routers" would be found in the Referer header field of the HTTP request message. 

class-map match-all class2

 match protocol http c-header-field "http://www.cisco.com/routers"

In the following example, any request message that contains "CERN-LineMode/2.15" in the User-Agent, Referer, or From header fields will be classified by NBAR. Typically, a term with a format similar to "CERN-LineMode/2.15" would be found in the User-Agent header field of the HTTP request message. 

class-map match-all class3

 match protocol http c-header-field "CERN-LineMode/2.15"

In the following example, any response message that contains "CERN/3.0" in the Content-Base (if available), Content-Encoding, Location, or Server header fields will be classified by NBAR. Typically, a term with a format similar to "CERN/3.0" would be found in the Server header field of the response message. 

class-map match-all class4

 match protocol http s-header-field "CERN/3.0"

In the following example, any response message that contains "http://www.cisco.com/routers" in the Content-Base (if available), Content-Encoding, Location, or Server header fields will be classified by NBAR. Typically, a term with a format similar to "http://www.cisco.com/routers" would be found in the Content-Base (if available) or Location header field of the response message. 

class-map match-all class5

 match protocol http s-header-field "http://www.cisco.com/routers"

In the following example, any response message that contains "gzip" in the Content-Base (if available), Content-Encoding, Location, or Server header fields will be classified by NBAR. Typically, the term "gzip" would be found in the Content-Encoding header field of the response message. 

class-map match-all class6

 match protocol http s-header-field "gzip"

Combining Classification of HTTP Headers and URL, Host, or MIME Type to Identify HTTP Traffic

Note that combinations of URL, Host, MIME type, and HTTP headers can be used during NBAR configuration. These combinations provide customers with more flexibility to classify specific HTTP traffic based on their network requirements.

Examples

In the following example, HTTP header fields are combined with a URL to classify traffic. In this example, traffic with a User-Agent field of "CERN-LineMode/3.0" and a Server field of "CERN/3.0," along with URL "www.cisco.com/routers," will be classified using NBAR: 

class-map match-all c-http 
 match protocol http c-header-field "CERN-LineMode/3.0" 
 match protocol http s-header-field "CERN/3.0" 
 match protocol http url "www.cisco.com/routers"

NBAR and Classification of Citrix ICA Traffic

NBAR can classify Citrix Independent Computing Architecture (ICA) traffic and perform subport classification of Citrix traffic based on the published application name or ICA tag number.

This section includes information about the following topics:

Classification of Citrix ICA Traffic by Published Application Name

Classification of Citrix ICA Traffic by ICA Tag Number

Classification of Citrix ICA Traffic by Published Application Name

NBAR can monitor Citrix ICA client requests for a published application destined to a Citrix ICA Master browser. After the client requests the published application, the Citrix ICA Master browser directs the client to the server with the most available memory. The Citrix ICA client then connects to this Citrix ICA server for the application.

Note For Citrix to monitor and classify traffic by the published application name, Server Browser Mode on the Master browser must be used.

In Server Browser Mode, NBAR statefully tracks and monitors traffic and performs a regular expression search on the packet contents for the published application name specified by the match protocol citrix command. The published application name is specified by using the app keyword and the application-name-string argument of the match protocol citrix command. For more information about the match protocol citrix command, see the Cisco IOS Quality of Service Solutions Command Reference.

The Citrix ICA session triggered to carry the specified application is cached, and traffic is classified appropriately for the published application name.

Citrix ICA Client Modes

Citrix ICA clients can be configured in various modes. NBAR cannot distinguish among Citrix applications in all modes of operation. Therefore, network administrators might need to collaborate with Citrix administrators to ensure that NBAR properly classifies Citrix traffic.

A Citrix administrator can configure Citrix to publish Citrix applications individually or as the entire desktop. In the Published Desktop mode of operation, all applications within the published desktop of a client use the same TCP session. Therefore, differentiation among applications is impossible, and NBAR can be used to classify Citrix applications only as aggregates (by looking at port 1494).

The Published Application mode for Citrix ICA clients is recommended when you use NBAR. In Published Application mode, a Citrix administrator can configure a Citrix client in either seamless or non-seamless (windows) modes of operation. In nonseamless mode, each Citrix application uses a separate TCP connection, and NBAR can be used to provide interapplication differentiation based on the name of the published application.

Seamless mode clients can operate in one of two submodes: session sharing or nonsession sharing. In seamless session sharing mode, all clients share the same TCP connection, and NBAR cannot differentiate among applications. Seamless sharing mode is enabled by default on some software releases. In seamless nonsession sharing mode, each application for each particular client uses a separate TCP connection. NBAR can provide interapplication differentiation in seamless nonsession sharing mode.

Note NBAR operates properly in Citrix ICA secure mode. Pipelined Citrix ICA client requests are not supported.

Classification of Citrix ICA Traffic by ICA Tag Number

Citrix uses one TCP session each time an application is opened. In the TCP session, a variety of Citrix traffic may be intermingled in the same session. For example, print traffic may be intermingled with interactive traffic, causing interruption and delay for a particular application. Most people would prefer that printing be handled as a background process and that printing not interfere with the processing of higher-priority traffic.

To accommodate this preference, the Citrix ICA protocol includes the ability to identify Citrix ICA traffic based on the ICA tag number of the packet. The ability to identify, tag, and prioritize Citrix ICA traffic is referred to as ICA Priority Packet Tagging. With ICA Priority Packet Tagging, Citrix ICA traffic is categorized as high, medium, low, and background, depending on the ICA tag of the packet.

When ICA traffic priority tag numbers are used, and the priority of the traffic is determined, QoS features can be implemented to determine how the traffic will be handled. For example, QoS traffic policing can be configured to transmit or drop packets with a specific priority.

Citrix ICA Packet Tagging

The Citrix ICA tag is included in the first two bytes of the Citrix ICA packet, after the initial negotiations are completed between Citrix client and server. These bytes are not compressed or encrypted.

The first two bytes of the packet (byte 1 and byte 2) contain the byte count and the ICA priority tag number. Byte 1 contains the low-order byte count, and the first two bits of byte 2 contain the priority tags. The other six bits contain the high-order byte count.

The ICA priority tag value can be a number from 0 to 3. The number indicates the packet priority, with 0 being the highest priority and 3 being the lowest priority.

To prioritize Citrix traffic by the ICA tag number of the packet, you specify the tag number using the ica-tag keyword and the ica-tag-value argument of the match protocol citrix command. For more information about the match protocol citrix command, see the Cisco IOS Quality of Service Solutions Command Reference.

NBAR and RTP Payload Type Classification

RTP is a packet format for multimedia data streams. It can be used for media-on-demand as well as for interactive services such as Internet telephony. RTP consists of a data and a control part. The control part is called Real-Time Transport Control Protocol (RTCP). RTCP is a separate protocol that is supported by NBAR. It is important to note that the NBAR RTP Payload Type Classification feature does not identify RTCP packets and that RTCP packets run on odd-numbered ports while RTP packets run on even-numbered ports.

The data part of RTP is a thin protocol that provides support for applications with real-time properties such as continuous media (audio and video), which includes timing reconstruction, loss detection, and security and content identification. RTP is discussed in RFC 1889 (A Transport Protocol for Real-Time Applications) and RFC 1890 (RTP Profile for Audio and Video Conferences with Minimal Control).

The RTP payload type is the data transported by RTP in a packet, for example audio samples or compressed video data.

NBAR RTP Payload Type Classification not only allows one to statefully identify real-time audio and video traffic but can also differentiate on the basis of audio and video codecs to provide more granular QoS. The RTP Payload Type Classification feature, therefore, looks deep into the RTP header to classify RTP packets.

NBAR and Classification of Custom Protocols and Applications

NBAR supports the use of custom protocols to identify custom applications. Custom protocols support static port-based protocols and applications that NBAR does not currently support. You can add to the set of protocols and application types that NBAR recognizes by creating custom protocols.

Custom protocols extend the capability of NBAR Protocol Discovery to classify and monitor additional static port applications and allows NBAR to classify nonsupported static port traffic.

Note For more information about specifying user-defined (custom) protocols, see the "Creating a Custom Protocol" module.

NBAR and Classification of Peer-to-Peer File-Sharing Applications

The following are the most common peer-to-peer file-sharing applications supported by NBAR:

BitTorrent

DirectConnect

eDonkey

eMule

FastTrack

Grokster

JTella

Kazaa (as well as Kazaa Lite and Kazaa Lite Resurrection)

Morpheus

Win MX

Gnutella Also Supported

Gnutella is another file-sharing protocol that became classifiable using NBAR in Cisco IOS Release 12.1(12c)E.

Applications that use the Gnutella protocol include Bearshare, Gnewtellium, Gnucleus, Gtk-Gnutella, Limewire, Mutella, Phex, Qtella, Swapper, and Xolo.

The match protocol gnutella file-transfer regular-expression and match protocol fasttrack file-transfer regular-expression commands are used to enable Gnutella and FastTrack classification in a traffic class. The file-transfer keyword indicates that a regular expression variable will be used to identify specific Gnutella or FastTrack traffic. The regular-expression variable can be expressed as "*" to indicate that all FastTrack or Gnutella traffic be classified by a traffic class.

In the following example, all FastTrack traffic is classified into class map nbar: 

class-map match-all nbar 
 match protocol fasttrack file-transfer "*"

Similarly, all Gnutella traffic is classified into class map nbar in the following example: 

class-map match-all nbar 
 match protocol gnutella file-transfer "*"

Wildcard characters in a regular expression can also be used to identify specified Gnutella and FastTrack traffic. These regular expression matches can be used to match on the basis of filename extension or a particular string in a filename.

In the following example, all Gnutella files that have the .mpeg extension will be classified into class map nbar. 

class-map match-all nbar 
 match protocol gnutella file-transfer "*.mpeg"

In the following example, only Gnutella traffic that contains the characters "cisco" is classified: 

class-map match-all nbar 
 match protocol gnutella file-transfer "*cisco*"

The same examples can be used for FastTrack traffic: 

class-map match-all nbar 
 match protocol fasttrack file-transfer "*.mpeg"

or 

class-map match-all nbar 
 match protocol fasttrack file-transfer "*cisco*"

NBAR and Classification of Streaming Protocols

In Cisco IOS Release 12.3(7)T, NBAR introduced support for Real Time Streaming Protocol (RTSP). RTSP is the protocol used for applications with steaming audio, such as the following:

Apple QuickTime

RealAudio (RealSystems G2)

Windows Media Services

NBAR and AutoQoS

Earlier Cisco IOS releases included two features that allow you to automate the deployment of QoS on your network: AutoQoS—Voice over IP (VoIP); and AutoQoS for the Enterprise. Both of these AutoQoS features take advantage of the traffic classification functionality of NBAR.

Note Cisco IOS Release 12.2(18)ZY (and later) does not support either the AutoQoS—Voice over IP (VoIP) feature or the AutoQoS for the Enterprise feature on the Catalyst 6500 series switch.

AutoQoS—VoIP

This feature was available with Cisco IOS Release 12.2(15)T. The AutoQoS—VoIP feature allows you to automate the deployment of QoS on your network and provides a means for simplifying the implementation and provisioning of QoS for VoIP traffic. For more information about the AutoQoS—VoIP feature and how it uses NBAR, see the "AutoQoS—VoIP" module.

AutoQoS for the Enterprise

This feature was available with Cisco IOS Release 12.3(11)T. The AutoQoS for the Enterprise feature allows you to automate the deployment of QoS in a general business environment, particularly for midsize companies and branch offices of larger companies. It expands on the functionality available with the AutoQoS—VoIP feature. For more information about the AutoQoS for the Enterprise feature and how it uses NBAR, see the "AutoQoS for the Enterprise" module.

NBAR and FWSM Integration

With Cisco IOS Release 12.2(18)ZYA, the functionality of NBAR to recognize protocols and applications has been integrated with the Firewall Service Module (FWSM) on the Catalyst 6500 series switch. Available with this release are the following commands that can be used for classifying and tagging traffic to the FWSM:

ip nbar protocol-tagging

show ip nbar protocol-tagging

For more information about the FWSM and its connection features, see the "Configuring Advanced Connection Features" module of the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide.

For more information about FWSM commands (including the two commands listed above), see the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Service Module Command Reference Guide.

NBAR-Supported Protocols

The match protocol (NBAR) command is used to classify traffic on the basis of protocols supported by NBAR. NBAR is capable of classifying the following types of protocols:

Non-UDP and non-TCP IP protocols

TCP and UDP protocols that use statically assigned port numbers

TCP and UDP protocols that use statically assigned port numbers but still require stateful inspection

TCP and UDP protocols that dynamically assign port numbers and therefore require stateful inspection

Table 1 lists the NBAR-supported protocols available in Cisco IOS software, sorted by category. The table also provides information about the protocol type, the well-known port numbers (if applicable), the syntax for entering the protocol in NBAR, and the Cisco IOS release in which the protocol was initially supported. This table is updated when a protocol is added to a new Cisco IOS release train.

Many peer-to-peer file-sharing applications not listed in this table can be classified using FastTrack or Gnutella. See the "NBAR and Classification of Peer-to-Peer File-Sharing Applications" section for additional information.

RTSP can be used to classify various types of applications that use streaming audio. See the "NBAR and Classification of Streaming Protocols" section for additional information.

Note Support for some protocols can be added to NBAR using application recognition modules (also known as Packet Description Language Modules [PDLMs]). For more information about PDLMs, see the "Adding Application Recognition Modules" module.

Note Table 1 includes the NBAR-supported protocols available with the 12.2(18)ZY and 12.2(18)ZYA releases. Protocols included in the 12.2(18)ZY and 12.2(18)ZYA releases are supported on the Catalyst 6500 series switch that is equipped with a Supervisor 32/PISA.

Table 1 NBAR-Supported Protocols 

Category
Protocol
Type
Well-Known Port Number
Description
Syntax
Cisco IOS Release

Enterprise Application

Citrix ICA

TCP/
UDP

TCP: 1494, 2512, 2513, 2598
UDP: 1604

Citrix ICA traffic

citrix
citrix app
citrix ica-tag

12.1(2)E
12.1(5)T

PCAnywhere

TCP/UDP

TCP: 5631, 65301
UDP: 22, 5632

Symantic PCAnywhere

pcanywhere

12.0(5)XE2
12.1(1)E
12.1(5)T

Novadigm

TCP/ UDP

3460-3465

Novadigm Enterprise Desktop Manager  (EDM)

novadigm

12.1(2)E
12.1(5)T

SAP

TCP

3300-3315 (sap-pgm. pdlm)
3200-3215 (sap-app. pdlm)
3600-3615 (sap-msg. pdlm)

Application server to application server traffic (sap-pgm.pdlm)

Client to application server traffic (sap-app.pdlm)

Client to message server traffic (sap-msg.pdlm)

sap

12.1E
12.2T
12.3
12.3T

Exchange1

TCP

135

MS-RPC for Exchange

exchange

12.0(5)XE2
12.1(1)E
12.1(5)T
12.2(18)ZY
12.2(18)ZYA

MAPI

TCP

135

Messaging Application Programming Interface

mapi

12.2(18)ZYA

Routing Protocol

BGP

TCP/ UDP

179

Border Gateway Protocol

bgp

12.0(5)XE2
12.1(1)E
12.1(5)T

EGP

IP

8

Exterior Gateway Protocol

egp

12.0(5)XE2
12.1(1)E
12.1(5)T

EIGRP

IP

88

Enhanced Interior Gateway Routing Protocol

eigrp

12.0(5)XE2
12.1(1)E
12.1(5)T

Routing Protocol (Continued)

OSPF

IP

89

Open Shortest Path First

ospf

12.3(8)T

RIP

UDP

520

Routing Information Protocol

rip

12.0(5)XE2
12.1(1)E
12.1(5)T

Database

SQL*NET

TCP/ UDP

1521

SQL*NET for Oracle

sqlnet

12.0(5)XE2
12.1(1)E
12.1(5)T

MS- SQLServer

TCP

1433

Microsoft SQL Server Desktop Videoconferencing

sqlserver

12.0(5)XE2
12.1(1)E
12.1(5)T

CIFS

TCP

139, 445

Common Internet File System

cifs

12.2(18)ZYA

Health

DiCom

TCP

Dynamically Assigned

Digital Imaging and Communications in Medicine

dicom

12.2(18)ZYA

HL7

TCP

Dynamically Assigned

Health Level Seven

hl7

12.2(18)ZYA

Financial

FIX

TCP

Dynamically Assigned

Financial Information Exchange

fix

12.2(18)ZYA

Security and Tunneling

GRE

IP

47

Generic Routing Encapsulation

gre

12.0(5)XE2
12.1(1)E
12.1(5)T

IPINIP

IP

4

IP in IP

ipinip

12.0(5)XE2
12.1(1)E
12.1(5)T

IPsec

IP

50, 51

IP Encapsulating Security Payload/
Authentication-
Header

ipsec

12.0(5)XE2
12.1(1)E
12.1(5)T

L2TP

UDP

1701

L2F/L2TP Tunnel

l2tp

12.0(5)XE2
12.1(1)E
12.1(5)T

MS-PPTP

TCP

1723

Microsoft Point-to-Point Tunneling Protocol for VPN

pptp

12.0(5)XE2
12.1(1)E
12.1(5)T

SFTP

TCP

990

Secure FTP

secure-ftp

12.0(5)XE2
12.1(1)E
12.1(5)T

Security and Tunneling (Continued)

SHTTP

TCP

443

Secure HTTP

secure-http

12.0(5)XE2
12.1(1)E
12.1(5)T
Cisco IOS XE Release 2.1

SIMAP

TCP/
UDP

585, 993

Secure IMAP

secure-imap

12.0(5)XE2
12.1(1)E
12.1(5)T

SIRC

TCP/
UDP

994

Secure IRC

secure-irc

12.0(5)XE2
12.1(1)E
12.1(5)T

SLDAP

TCP/
UDP

636

Secure LDAP

secure-ldap

12.0(5)XE2
12.1(1)E
12.1(5)T

SNNTP

TCP/
UDP

563

Secure NNTP

secure-nntp

12.0(5)XE2
12.1(1)E
12.1(5)T

SPOP3

TCP/
UDP

995

Secure POP3

secure-pop3

12.0(5)XE2
12.1(1)E
12.1(5)T

STELNET

TCP

992

Secure Telnet

secure-telnet

12.0(5)XE2
12.1(1)E
12.1(5)T

SOCKS

TCP

1080

Firewall Security Protocol

socks

12.0(5)XE2
12.1(1)E
12.1(5)T

SSH

TCP

22

Secured Shell

ssh

12.0(5)XE2
12.1(1)E
12.1(5)T

Network Management

ICMP

IP

1

Internet Control Message Protocol

icmp

12.0(5)XE2
12.1(1)E
12.1(5)T

SNMP

TCP/
UDP

161, 162

Simple Network Management Protocol

snmp

12.0(5)XE2
12.1(1)E
12.1(5)T

Syslog

UDP

514

System Logging Utility

syslog

12.0(5)XE2
12.1(1)E
12.1(5)T

Network Mail Services

IMAP

TCP/
UDP

143, 220

Internet Message Access Protocol

imap

12.0(5)XE2
12.1(1)E
12.1(5)T

POP3

TCP/
UDP

110

Post Office Protocol

pop3

12.0(5)XE2
12.1(1)E
12.1(5)T
Cisco IOS XE Release 2.1

Notes

TCP/
UDP

1352

Lotus Notes

notes

12.0(5)XE2
12.1(1)E
12.1(5)T

SMTP

TCP

25

Simple Mail Transfer Protocol

smtp

12.0(5)XE2
12.1(1)E
12.1(5)T

Directory

DHCP/
BOOTP

UDP

67, 68

Dynamic Host Configuration Protocol/Bootstrap Protocol

dhcp

12.0(5)XE2
12.1(1)E
12.1(5)T
Cisco IOS XE Release 2.1

Finger

TCP

79

Finger User Information Protocol

finger

12.0(5)XE2
12.1(1)E
12.1(5)T

DNS

TCP/
UDP

53

Domain Name System

dns

12.0(5)XE2
12.1(1)E
12.1(5)T
Cisco IOS XE Release 2.1

Kerberos

TCP/
UDP

88, 749

Kerberos Network Authentication Service

kerberos

12.0(5)XE2
12.1(1)E
12.1(5)T

LDAP

TCP/
UDP

389

Lightweight Directory Access Protocol

ldap

12.0(5)XE2
12.1(1)E
12.1(5)T

Streaming Media

CU-SeeMe

TCP/
UDP

TCP: 7648, 7649
UDP: 24032

Desktop Video Conferencing

cuseeme

12.0(5)XE2
12.1(1)E
12.1(5)T
Cisco IOS XE Release 2.1

Netshow

TCP/ UDP

Dynamically Assigned

Microsoft Netshow

netshow

12.0(5)XE2
12.1(1)E
12.1(5)T

RealAudio

TCP/ UDP

Dynamically Assigned

RealAudio Streaming Protocol

realaudio

12.0(5)XE2
12.1(1)E
12.1(5)T

StreamWorks

UDP

Dynamically Assigned

Xing Technology Stream Works Audio and Video

streamwork

12.0(5)XE2
12.1(1)E
12.1(5)T

VDOLive

TCP/ UDP

Static (7000) with inspection

VDOLive Streaming Video

vdolive

12.0(5)XE2
12.1(1)E
12.1(5)T

RTSP

TCP/ UDP

Dynamically Assigned

Real Time Streaming Protocol

rtsp

12.3(11)T
Cisco IOS XE Release 2.1

MGCP

TCP/ UDP

2427, 2428, 2727

Media Gateway Control Protocol

mgcp

12.3(7)T

YouTube2

TCP

Both static (80) and dynamically assigned

Online Video-Sharing Website

youtube

12.2(18)ZYA

Internet

FTP

TCP

Dynamically Assigned

File Transfer Protocol

ftp

12.0(5)XE2
12.1(1)E
12.1(5)T
Cisco IOS XE Release 2.1

Gopher

TCP/ UDP

70

Internet Gopher Protocol

gopher

12.0(5)XE2
12.1(1)E
12.1(5)T

HTTP

TCP

803

Hypertext Transfer Protocol

http

12.0(5)XE2
12.1(1)E
12.1(5)T
Cisco IOS XE Release 2.1

IRC

TCP/ UDP

194

Internet Relay Chat

irc

12.0(5)XE2
12.1(1)E
12.1(5)T

Telnet

TCP

23

Telnet Protocol

telnet

12.0(5)XE2
12.1(1)E
12.1(5)T
Cisco IOS XE Release 2.1

TFTP

UDP

Static (69) with inspection

Trivial File Transfer Protocol

tftp

12.0(5)XE2
12.1(1)E
12.1(5)T

NNTP

TCP/ UDP

119

Network News Transfer Protocol

nntp

12.0(5)XE2
12.1(1)E
12.1(5)T

Signaling

RSVP

UDP

1698, 1699

Resource Reservation Protocol

rsvp

12.0(5)XE2
12.1(1)E
12.1(5)T

RPC

NFS

TCP/ UDP

2049

Network File System

nfs

12.0(5)XE2
12.1(1)E
12.1(5)T

Sunrpc

TCP/ UDP

Dynamically Assigned

Sun Remote Procedure Call

sunrpc

12.0(5)XE2
12.1(1)E
12.1(5)T

MSN-messenger

TCP

1863

MSN Messenger Chat Messages4

msn-messenger

12.2(18)ZYA

Yahoo-messenger

TCP

5050, 5101

Yahoo Messenger Chat Messages

yahoo-messenger

12.2(18)ZYA

AOL-messenger

TCP

5190, 443

AOL Instant Messenger Chat Messages

aol-messenger

12.2(18)ZYA

Non-IP and LAN/
Legacy

NetBIOS

TCP/ UDP

137, 138, 139

NetBIOS over IP (MS Windows)

netbios

12.0(5)XE2
12.1(1)E
12.1(5)T

Misc.

NTP

TCP/ UDP

123

Network Time Protocol

ntp

12.0(5)XE2
12.1(1)E
12.1(5)T

Printer

TCP/ UDP

515

Printer

printer

12.1(2)E
12.1(5)T

X Windows

TCP

6000-6003

X11, X Windows

xwindows

12.0(5)XE2
12.1(1)E
12.1(5)T

r-commands

TCP

Dynamically Assigned

rsh, rlogin, rexec

rcmd

12.0(5)XE2
12.1(1)E
12.1(5)T

AppleQTC

TCP/UDP

458

Apple Quick Time

appleqtc

12.2(18)ZYA

Chargen

TCP/UDP

19

Character Generator

chargen

12.2(18)ZYA

ClearCase

TCP/UDP

371

Clear Case Protocol Software Informer

clearcase

12.2(18)ZYA

Corba

TCP/UDP

683, 684

Corba Internet Inter-Orb Protocol (IIOP)

corba-iiop

12.2(18)ZYA

Daytime

TCP/UDP

13

Daytime Protocol

daytime

12.2(18)ZYA

Doom

TCP/UDP

666

Doom

doom

12.2(18)ZYA

Echo

TCP/UDP

7

Echo Protocol

echo

12.2(18)ZYA

IBM DB2

TCP/UDP

523

IBM Information Management

ibm-db2

12.2(18)ZYA

IPX

TCP/UDP

213

Internet Packet Exchange

ipx

12.2(18)ZYA

ISAKMP

TCP/UDP

500

Internet Security Association and Key Management

isakmp

12.2(18)ZYA

ISI-GL

TCP/UDP

55

Interoperable Self Installation Graphics Language

isi-gl

12.2(18)ZYA

KLogin

TCP

543

KLogin

klogin

12.2(18)ZYA

KShell

TCP

544

KShell

kshell

12.2(18)ZYA

Misc. (Continued)

LockD

TCP/UDP

4045

LockD

lockd

12.2(18)ZYA

Microsoft-DS

TCP/UDP

445

Microsoft Directory Services

microsoftds

12.2(18)ZYA

Nickname

TCP/UDP

43

Nickname

nicname

12.2(18)ZYA

NPP

TCP/UDP

92

Network Payment Protocol

npp

12.2(18)ZYA

ORASRV

TCP

1525

ORASRV

ora-srv

12.2(18)ZYA

RTelnet

TCP/UDP

107

Remote Telnet Service

rtelnet

12.2(18)ZYA

RCP

TCP/UDP

469

Rate Control Protocol

rcp

12.2(18)ZYA

SQLExec

TCP/UDP

9088

SQL Exec

sqlexec

12.2(18)ZYA

Systat

TCP/UDP

11

System Statistics

systat

12.2(18)ZYA

TACACS

TCP/UDP

49, 65

Terminal Access Controller Access-Control System

tacacs

12.2(18)ZYA

Time

TCP/UDP

37

Time

time

12.2(18)ZYA

VNC

UDP

5800, 5900, 5901

Virtual Network Computing

vnc

12.2(18)ZYA

Whois++

TCP/UDP

63

Whois++

whois++

12.2(18)ZYA

XDMCP

UDP

177

X Display Manager Control Protocol

xdmcp

12.2(18)ZYA

Voice

H.323

TCP

Dynamically Assigned

H.323 Teleconferencing Protocol