Network-Based Application Recognition (NBAR)

CB marking, and other MQC-based tools, can use NBAR to help classify traffic. By using the match protocol class-map subcommand, MQC can match protocols recognized by NBAR. This section describes NBAR, and includes examples of CB marking with NBAR.

NBAR classifies packets that are normally difficult to classify. For instance, some applications use dynamic port numbers, so a statically configured match command that looks for a particular UDP or TCP port number cannot classify the traffic. NBAR can look past the UDP and TCP headers at the host name, URL, or MIME type in HTTP requests. NBAR can also look past the TCP and UDP headers to recognize other application-specific information. For instance, NBAR allows recognition of different Citrix application types, and allows for matching a portion of a URL string.

NBAR uses the classification information for two purposes. NBAR, without the help of other IOS features, can classify these difficult-to-classify protocols for the purpose of gathering statistics about the protocols. In fact, NBAR by itself provides classification and statistics, but no marking. NBAR also provides classification help for other QoS tools. Specifically, all MQC tools can refer to NBAR classifications for matching traffic.

The connection between NBAR and CB marking, or any other MQC tool, is the match protocol class-map subcommand. An MQC tool can include the match protocol command under a class-map command. For this to work, NBAR must be enabled (with ip nbar protocol-discovery) on the same interface to which the policy map that references the class map is applied with the service-policy interface subcommand.

A sample configuration and statistical display may help you make sense of NBAR. Tables 3-9 and 3-10 list the NBAR configuration and exec commands, respectively. Following the tables, Figure 3-12 diagrams the familiar network, where R3 performs CB marking based on NBAR classification of the URL string. Finally, Example 3-3 lists a sample NBAR and CB marking configuration, where CB marking matches a portion of an HTTP URL. The example includes a listing of NBAR statistics gathered on the interface.

Table 3-9 Configuration Command Reference for NBAR

Command                                              Mode and Function

ip nbar protocol-discovery
    Interface mode; enables NBAR for traffic entering the interface.

ip nbar port-map protocol-name [tcp | udp] port-number
    Global; tells NBAR to search for a protocol using a different port number than the well-known port. Also defines ports to be used by custom packet description language modules (PDLMs).

ip nbar pdlm pdlm-name
    Global; extends the list of protocols recognized by NBAR by adding additional PDLMs.

NOTE You can download additional PDLMs from Cisco.com: www.cisco.com/cgi-bin/tablebuild.pl/pdlm

Table 3-10 Exec Command Reference for NBAR

Command                                              Function

show ip nbar protocol-discovery [interface interface-spec] [stats {byte-count | bit-rate | packet-count}] [{protocol protocol-name | top-n number}]
    Lists statistics for the discovered protocols. Statistics can be listed by interface, by protocol, or for just the top n protocols by volume.

show ip nbar port-map [protocol-name]
    Lists the current ports in use by the discovered protocols.

Figure 3-12 CB Marking Sample Configuration 3 (figure not reproduced; labels recovered from it: Client1, R4, 3001, 3002)

Example 3-3 uses the following criteria for marking packets:

• Any HTTP traffic whose URL contains the string "important" anywhere in the URL is marked with AF21.

• Any HTTP traffic whose URL contains the string "not-so" anywhere in the URL is marked with DSCP default.

• All other traffic is marked with AF11.

Example 3-3 shows the configuration.

Example 3-3 Sample 3: CB Marking Based on URLs, Using NBAR for Classification

ip cef
!
class-map http-impo
 match protocol http url "*important*"
class-map http-not
 match protocol http url "*not-so*"
class-map all-else
 match any
!
policy-map http
 class http-impo
  set ip dscp af21
 class http-not
  set ip dscp default
 class class-default
  set ip dscp af11
!
interface fastethernet 0/0
 ip nbar protocol-discovery
 service-policy input http

R3# show ip nbar protocol-discovery top-n 5

 FastEthernet0/0
                            Input                    Output
   Protocol                 Packet Count             Packet Count
                            Byte Count               Byte Count
                            5 minute bit rate (bps)  5 minute bit rate (bps)
   ------------------------ ------------------------ ------------------------
   eigrp                    76                       0
                            5624                     0
                            0                        0
   bgp                      0                        0
                            0                        0
                            0                        0
   citrix                   0                        0
                            0                        0
                            0                        0
   cuseeme                  0                        0
                            0                        0
                            0                        0
   custom-01                0                        0
                            0                        0
                            0                        0
   unknown                  5610                     0
                            5665471                  0
                            135000                   0
   Total                    5851                     0
                            5845277                  0
                            135000                   0

R3# show ip nbar protocol-discovery interface fastethernet 0/0 stats packet-count top-n 5

 FastEthernet0/0
                            Input                    Output
   Protocol                 Packet Count             Packet Count
   ------------------------ ------------------------ ------------------------
   http                     721                      428
   eigrp                    635                      0
   netbios                  199                      0
   icmp                     1                        1
   bgp                      0                        0
   unknown                  46058                    63
   Total                    47614                    492

Notice that the class map configuration does not specifically use the term NBAR. Two class maps, http-impo and http-not, use the match command with the protocol keyword, which implies that the actual classification uses NBAR. (The third class map, all-else, is defined but never referenced by the policy map; the remaining traffic falls into class-default.) NBAR has been enabled on FA0/0 with the ip nbar protocol-discovery command; had NBAR not been enabled, the service-policy command would have been rejected. Also note that CEF forwarding must be enabled, using the ip cef global command, before NBAR will work.

NBAR can match URLs exactly, or with wildcards; the asterisk (*) matches any string of characters, of any length. In this case, as long as the string "important" or "not-so" appears anywhere in the URL, the packet is matched by the corresponding class map. Interestingly, when downloading an object with HTTP, the URL does not flow in every packet. When classifying based on URL, NBAR matches the packet that carries the matching request and then every subsequent packet in the same TCP connection, until another HTTP request for a different URL flows over that connection. Two caveats apply. First, NBAR reads the URL from the cleartext HTTP request, so HTTPS traffic cannot be classified this way. Second, the matched string is chosen by the client: any user who puts "important" into a URL, even in a query string, receives the AF21 marking. Treat URL-based marking as a convenience for cooperative applications rather than as a trust decision, and police or re-mark traffic from untrusted sources at the network edge.
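The following model of Example 3-3's marking logic is an added example, not code from the book or from Cisco IOS. It translates the "*important*" and "*not-so*" patterns into regular expressions, keeps per-connection state so that segments after a matching request inherit its class until a request for a different URL appears, and shows the client-controlled-string caveat: a request for /cat.jpg?x=important receives AF21. The packet records, the made-up addresses, the client-to-server-only connection key, and the limitation to the * and ? wildcards are my own assumptions.

```python
"""Model of the URL-based CB marking in Example 3-3.

Added example, not Cisco or IOS code. The packet records, the per-connection
state table and the pattern translation are my own assumptions; only the
'*' (any string) and '?' (any single character) wildcards are implemented,
and connection state is keyed on the client-to-server 4-tuple only.
"""
import re
from typing import Dict, List, Optional, Tuple

Flow = Tuple[str, int, str, int]          # (src ip, src port, dst ip, dst port)

# DSCP values for the code points named in the policy map (RFC 2474 / RFC 2597).
DSCP = {"af21": 18, "af11": 10, "default": 0}

# Same order as the policy-map: the first class whose pattern matches wins.
POLICY = [("http-impo", "*important*", "af21"),
          ("http-not",  "*not-so*",    "default")]
CLASS_DEFAULT = "af11"                    # class class-default set ip dscp af11


def nbar_pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate an NBAR-style URL pattern into an anchored regular expression."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.DOTALL)


def http_request_url(payload: bytes) -> Optional[str]:
    """Return the request-target from an HTTP/1.x request line, or None when the
    segment does not start a request (a continuation of a request or response)."""
    first_line = payload.split(b"\r\n", 1)[0]
    m = re.match(rb"^(?:GET|HEAD|POST|PUT|DELETE|OPTIONS) (\S+) HTTP/1\.[01]$", first_line)
    return m.group(1).decode("latin-1") if m else None


class UrlMarker:
    """Per-connection classification: the class chosen for a request stays in
    force for every later segment of that connection until a request for a
    different URL is seen, as the text above describes for NBAR."""

    def __init__(self) -> None:
        self._rules = [(name, nbar_pattern_to_regex(pat), dscp) for name, pat, dscp in POLICY]
        self._state: Dict[Flow, str] = {}

    def classify_url(self, url: str) -> str:
        for _name, regex, dscp in self._rules:
            if regex.match(url):
                return dscp
        return CLASS_DEFAULT

    def mark(self, flow: Flow, payload: bytes) -> int:
        """Return the DSCP value CB marking would set on this segment."""
        url = http_request_url(payload)
        if url is not None:
            self._state[flow] = self.classify_url(url)
        return DSCP[self._state.get(flow, CLASS_DEFAULT)]


def demo() -> List[int]:
    """Constructed client-to-server segments on one TCP connection (made-up addresses)."""
    marker = UrlMarker()
    flow: Flow = ("10.1.3.1", 3001, "10.1.1.10", 80)
    segments = [
        b"GET /reports/important-q3.pdf HTTP/1.1\r\nHost: www\r\n\r\n",        # af21
        b"second segment of the same request body, no request line",           # still af21
        b"GET /images/not-so-urgent.png HTTP/1.1\r\nHost: www\r\n\r\n",        # default
        b"more continuation bytes",                                             # still default
        b"GET /cat.jpg?x=important HTTP/1.1\r\nHost: www\r\n\r\n",              # client obtains af21
    ]
    return [marker.mark(flow, seg) for seg in segments]


if __name__ == "__main__":
    print(demo())   # [18, 18, 0, 0, 18]
```

The last segment is the point to notice: nothing in the policy checks who sent the request, so the AF21 marking is available to any client that can type a URL. A non-HTTP segment on a fresh connection falls through to class-default and gets AF11, matching the third bullet above.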

The show ip nbar protocol-discovery command lists statistics for NBAR-classified packets. However, just using that command in live networks does not help much, because it lists three lines of output per type of protocol that can be discovered by NBAR—not just the protocols NBAR actually discovered. Therefore, the optional parameters on the command are more useful. For instance, both commands shown in the preceding example use the top-n parameter to limit the output based on the highest-volume protocols. The show command can also limit the statistics for a single interface, or it can limit the statistics to just packet count, or byte count, or bit rate.
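Because the full show ip nbar protocol-discovery output is long and three lines per protocol, a practitioner who wants to watch it over time usually parses it rather than reading it. The parser below is an added example, not IOS or Cisco code; its sample text is constructed to reproduce the numbers from Example 3-3, and the field names, the top-n helper, and the 90% "unknown" threshold are my own choices. The check it implements is the one the sample itself suggests: on R3, almost all input packets were unclassified, which usually means the port map or PDLM set needs attention before the markings can be trusted.

```python
"""Parser for 'show ip nbar protocol-discovery' output with an unclassified-traffic
check. Added example, not IOS or Cisco code. SAMPLE is constructed from the
values in Example 3-3; the data model and the threshold are my own assumptions."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the three-lines-per-protocol layout shown on the page.
SAMPLE = """\
R3# show ip nbar protocol-discovery top-n 5

 FastEthernet0/0
                            Input                    Output
   Protocol                 Packet Count             Packet Count
                            Byte Count               Byte Count
                            5 minute bit rate (bps)  5 minute bit rate (bps)
   ------------------------ ------------------------ ------------------------
   eigrp                    76                       0
                            5624                     0
                            0                        0
   bgp                      0                        0
                            0                        0
                            0                        0
   unknown                  5610                     0
                            5665471                  0
                            135000                   0
   Total                    5851                     0
                            5845277                  0
                            135000                   0
"""


@dataclass
class ProtoStats:
    in_packets: int
    out_packets: int
    in_bytes: int = 0
    out_bytes: int = 0
    in_bps: int = 0
    out_bps: int = 0


_IFACE = re.compile(r"^\s*[A-Za-z]+\d[\d/.]*\s*$")                 # e.g. FastEthernet0/0
_NAME_ROW = re.compile(r"^\s*([A-Za-z][\w.-]*)\s+(\d+)\s+(\d+)\s*$")  # protocol + packet counts
_NUM_ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s*$")                      # byte counts, then bit rates


def parse_protocol_discovery(text: str) -> Dict[str, Dict[str, ProtoStats]]:
    """Return {interface: {protocol: ProtoStats}}. The 'Total' row is kept as an
    entry so callers can compute shares without re-summing the displayed rows
    (top-n hides protocols that Total still includes)."""
    result: Dict[str, Dict[str, ProtoStats]] = {}
    iface: Optional[str] = None
    current: Optional[ProtoStats] = None
    pending: List[str] = []          # numeric rows still owed to `current`
    for line in text.splitlines():
        if _IFACE.match(line):
            iface = line.strip()
            result[iface] = {}
            current, pending = None, []
            continue
        m = _NAME_ROW.match(line)
        if m and iface is not None:
            current = ProtoStats(int(m.group(2)), int(m.group(3)))
            result[iface][m.group(1)] = current
            pending = ["bytes", "bps"]
            continue
        m = _NUM_ROW.match(line)
        if m and current is not None and pending:
            if pending.pop(0) == "bytes":
                current.in_bytes, current.out_bytes = int(m.group(1)), int(m.group(2))
            else:
                current.in_bps, current.out_bps = int(m.group(1)), int(m.group(2))
    return result


def unknown_share(stats: Dict[str, ProtoStats]) -> float:
    """Fraction of input packets on one interface that NBAR could not classify."""
    total = stats["Total"].in_packets
    return stats["unknown"].in_packets / total if total else 0.0


def top_by_input_bytes(stats: Dict[str, ProtoStats], n: int) -> List[Tuple[str, int]]:
    """Top-n classified protocols by input bytes, excluding the Total and unknown rows."""
    rows = [(p, s.in_bytes) for p, s in stats.items() if p not in ("Total", "unknown")]
    return sorted(rows, key=lambda r: r[1], reverse=True)[:n]


def unclassified_alert(text: str, threshold: float = 0.9) -> Dict[str, float]:
    """Interfaces whose unknown share exceeds `threshold` (my own cut-off)."""
    return {i: unknown_share(s) for i, s in parse_protocol_discovery(text).items()
            if unknown_share(s) > threshold}


if __name__ == "__main__":
    print(unclassified_alert(SAMPLE))
```

Feed it the text captured from the router (for example over SSH with a script, or from a syslog-driven collector) and alert on the returned dictionary; on the sample, FastEthernet0/0 is reported because 5610 of 5851 input packets were unknown.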

Unlike most other IOS features, you can upgrade NBAR without changing to a later IOS version. Cisco uses a feature called packet description language modules (PDLMs) to define new protocols that NBAR should match. When Cisco decides to add one or more new protocols to the list of protocols that NBAR should recognize, it creates and compiles a PDLM. You can then download the PDLM from Cisco, copy it into Flash memory, and add the ip nbar pdlm pdlm-name command to the configuration, where pdlm-name is the name of the PDLM file in Flash memory. NBAR can then classify based on the protocol information from the new PDLM.
