Detecting network anomalies and threats with Cisco infrastructure equipment


Upload: cisco-russia

Post on 16-Jun-2015


TRANSCRIPT

2. Cisco; 15:00 25; 16:30 26; www.ceq.com.ua
AVC_NFC_mkader, Cisco, 2012

3. NBAR? NBAR2 (NBAR)? DPI/NBAR2

4.

5. web; NetFlow; SEIM; NetFlow; web; NetFlow; IP; web

6. Netflow

7. NetFlow

8. NetFlow; NetFlow; Command and Control; NetFlow

9. NetFlow (2); NetFlow; C29

10. (FIRST); *-ISAC; (DNS-OARC); (NSIE); (DSIE); Infragard Bay Area; APT (SIG)

11. Damballa, SensorBase, SenderBase, FireEye, Netwitness

12.

13. NetFlow: A, B, C

14. NetFlow on IOS, NX-OS:

    # conf t
    (config)# mls netflow interface
    (config)# mls flow ip interface-full
    (config)# ip flow-export source
    (config)# ip flow-export version
    (config)# ip flow-export destination
    (config-int)# ip flow ingress
    #

15. IOS, NX-OS:

    # conf t
    (config)# feature netflow                          (NX-OS)
    (config)# flow record NetFlow
    (config)# match ip ipv4 source address
    (config)# match ip ipv4 destination address
    (config)# flow exporter
    (config)# destination
    (config)# transport UDP 2055
    (config)# version
    (config)# source
    (config)# flow monitor
    (config)# record
    (config)# exporter
    (config-int)# ip flow monitor input
    (config)# end
    #

16. ?

17. (Network Based Application Recognition, NBAR) Cisco. NBAR. Cisco NBAR. NBAR ASR1k. Application Visibility and Control (AVC). QoS, NetFlow, IPv6. NBAR.

18.
19. MC/BR; Webex; 1: MC/BR (IP-VPN), BR, BR, MC/BR; 2: BR (IPVPN, DMVPN), BR, MC/BR

20. ? 1: (IP-VPN), WEB. 2: (IPVPN, DMVPN)

21. 1: ? (IP-VPN) ? ? 2: (IPVPN, DMVPN)

22. MC/BR? 1: MC/BR ? (IP-VPN) ? ? BR, MC/BR. 2: (IPVPN, DMVPN), BR, MC/BR

23. (SLA)

24. SLA; SLA

25. ?

26. ? 1; 2: Skype, Bittorrent, Emule, Gnutella, ...

27. 1: ; 2: L4; 1, 2; IANA (L4)

28. 1: OSPF; 1 OSPF: L3; IP (L3)

29. MAC/IP table: 010203040506 192168010 ...; 010203040507 192168011 ...; 010203080901 19216812 ...; L2; 2; 1; L2, Ethertype: ARP, CDP (LLDP), VTP, ...

30. FFFF0000FFFF; X; "Moonbeam", "MyApplication"; NBAR!

31. - L4 (HTTP, FTP); - L3 (ICMP, OSPF); - L2 (ARP, CDP); - L7 (Skype); - ("MyApplication"). NBAR:
    http://www.iana.org/protocols/
    http://www.iana.org/assignments/port-numbers
    http://www.iana.org/assignments/protocol-numbers/
    http://www.iana.org/assignments/icmp-parameters
    http://www.iana.org/assignments/arp-parameters/arp-parameters.xhtml

32. ?

33.

    class-map match-all class-video
     match dscp ef
    !
    policy-map policy_video
     class class-video
      bandwidth percent 30
    !
    interface GigabitEthernet 0
     service-policy output policy_video

    QoS; SNMP MIB "CISCO-CLASS-BASED-QOS-MIB"; ? DSCP? DSCP? DSCP?

34.

    Router(config)# access-list 107 permit tcp any host 192.168.1.2 eq www

    IP: ?
HTTP 80%

35. HTTP (Lancope) 4

36. HTTP (Lancope) 7

37. HTTP, 80? Skype, Bittorent, Red&Nimda, Xbox LIVE, ... HTTP? HTTP? 80. 1.0, 1.1? HTTP GET, PUT? ? 8080? TCP 23? HTTP

38.

39. TCP/UDP, TCP. TCP/UDP. FTP. TCP, UDP

40. youtube? = www.youtube.com, "youtube". HTTP (URL, mime). DPI. (RTP): RTP, RTP. " "

41. SAP TCP, SAP HTTP, SAP Citrix. SAP? 7. IPv6; IPv6, IPv4. " "

42. NBAR?

43. L4-L7 (Protocol Discovery); MQC; NBAR; QoS; Flexible NetFlow (FNF): NBAR, NetFlow; NBAR (DPI); PfR. Platforms: ISR-G1 (85x, 87x, 18xx, 28xx, 38xx), ISR-G2 (86x, 88x, 89x, 19xx, 29xx, 39xx), 2600XM, 3700, 7200, 7301, 7304-NPE, ASR1000, 7600 FlexWAN SIP-200, catalyst 6000 supervisor 32 PISA. 1: NBAR ISR-G1; 2: NBAR2 ISR-G2, ASR1000

44. IP, TCP/UDP

45. NBAR TCP, UDP " " ""

46. (Protocol Discovery); (/); CISCO-NBAR-PROTOCOL-DISCOVERY-MIB; Flexible NetFlow; Modular QoS; NBAR QoS: (CBWFQ) (ToS, DSCP)

47. NBAR CISCO-NBAR-PROTOCOL-DISCOVERY-MIB

    Router(config)# interface fastethernet 0/0
    Router(config-if)# ip nbar protocol-discovery
    Router# show ip nbar protocol-discovery [interface interface-spec] [stats {byte-count|bit-rate|packet-count}] [protocol protocol-name | top-n number]

48.
    Router# show ip nbar protocol-discovery top-n 5
     GigabitEthernet0
                          Input                      Output
     Protocol             Packet Count               Packet Count
                          Byte Count                 Byte Count
                          5min Bit Rate (bps)        5min Bit Rate (bps)
                          5min Max Bit Rate (bps)    5min Max Bit Rate (bps)
     -------------------- -------------------------- --------------------------
     skype                395                        75
                          28539                      6415
                          1000                       1000
                          2000                       2000
     icmp                 101                        100
                          7360                       6860
                          0                          0
                          0                          0
     snmp                 28                         0
                          1988                       0
                          0                          0
                          0                          0
     netbios              9                          0
                          738                        0
                          0                          0
                          0                          0
     unknown              205                        204
                          14976                      10404
                          0                          0
                          0                          0
     Total                41304                      40944
                          2649809                    2619839
                          6000                       6000
                          7000                       7000

    (slide callouts: NBAR, NBAR-PD-MIB, Top-N, N)

49. NBAR QoS: CISCO-CLASS-BASED-QOS-MIB

    Router(config)# class-map [match-any|match-all]
    Router(config-cmap)# match protocol

50. class-map, policy-map:

    class-map match-any peer2peer
     match protocol kazaa2
     match protocol gnutella
     match protocol fasttrack
    policy-map limit-p2p
     class peer2peer
      bandwidth percent 10
    interface Serial1
     service-policy input limit-p2p

51.

    ip nbar custom lunar_light 8 ascii Moonbeam tcp range 8000 8001
    class-map solar_system
     match protocol lunar_light
    policy-map astronomy
     class solar_system
      set ip dscp AF21
    interface Serial1
     service-policy output astronomy

52. NBAR "custom-01", "custom-02", ...; NetFlow

    router(config)# ip nbar custom name [offset [format value]] [variable field-name field-length] [source|destination] [tcp | udp] [range start end | port-number]

    255; 16 (121 NBAR2); (URL, host, ...)

    router# ... NBAR Error: Specified port(s) are associated with ...
    Router(config)# ip nbar port-map tcp|udp

53.
    Router# show ip nbar protocol-discovery top-n 5
     Serial0/0
                          Input                      Output
     Protocol             Packet Count               Packet Count
                          Byte Count                 Byte Count
                          5 minute bit rate (bps)    5 minute bit rate (bps)
     -------------------- -------------------------- --------------------------
     custom-01            40565                      40565
                          2596160                    2596160
                          3000                       3000
     telnet               395                        75
                          28539                      6415
                          0                          0
     icmp                 101                        100
                          7360                       6860
                          0                          0
     snmp                 28                         0
                          1988                       0
                          0                          0
     netbios              9                          0
                          738                        0
                          0                          0
     unknown              205                        204
                          14976                      10404
                          0                          0
     Total                41304                      40944
                          2649809                    2619839
                          3000                       3000

    (slide callouts: "show", MIB, "custom-0X")

54. " "

    router(config)# ip nbar custom name [offset [format value]] [variable field-name field-length [source|destination [tcp | udp]]] [range start end | port-number]

    UDP (5000-5005), "0xNN", 20:

    router(config)# ip nbar custom virus_home 20 variable scid 1 dest udp range 5000 5005
    router(config)# class-map active-craft
    router(config-cmap)# match protocol virus_home scid 0x15
    router(config-cmap)# match protocol virus_home scid 0x21
    router(config)# class-map passive-craft
    router(config-cmap)# match protocol virus_home scid 0x11
    router(config-cmap)# match protocol virus_home scid 0x22

55. NBAR2? (NBAR)

56. SCE: 0, +1100; IPv6; IOS NBAR: +150; NBAR, NBAR2; NBAR, NBAR; Service Control Engine (SCE); 0; NBAR2 ISR-G2, ASR1K

57. NBAR2, Cisco ~900 "", 100 DPI: P2P; MPE; RTP, Skype, Bittorrent; HTTP, NNTP, POP3; L7; L4; Telnet, SNMP, SSH; 1990, 2000, 2010, 2020

58. 15.2(1)T1, IOS XE 3.3.0S. NBAR2: NBAR, SCE; IPv4, IPv6 (IPv6, ...); SCE (Multi-Packet Engine); 121

59. IPv4, IPv6; 1200; 900; NBAR2; 100; 2000. NBAR: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6558/ps6616/product_bulletin_c25-627831.html

60.
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6558/ps6616/product_bulletin_c25-627831.html

61. NBAR2 protocols shown on the slide (partial list): FILETOPIA, VENTRILO, ISAKMP, DNS, SSL, OPEN-VPN, YAHOO, ITUNES, TEAMSPEAK, WEBEX-MEETING, CISCO IP CAMERA, STEAM, MESSENGER VOIP, NAPSTER, PANDO, RTMP, WINDOWS UPDATE, WINNY, RTMPE, YAHOO, MANOLITO, POCO, WEBTHUNDER, MESSENGER VOIP ENCRYPTED, BITTORRENT, GOOGLETALK-VOICE OVER SIP, SSDP, MAPLESTORY, PPLIVE, ENCRYPTED EMULE, GOOGLETALK-FT, BABELGUM, RADIUS, TOMATOPANG, ICQ, MS-WBT, STUN-NAT, PPSTREAM, HTTP TUNNEL, SONGSARI, FRING VOIP, NETWORKING-GNUTELLA, LIVEMEETING, RTMP, TEREDO IPV6, GURUGURU, WASTE, YAHOO-VOIP-OVER-SIP, GMAIL TUNNELED, AYIYA IPV6, SORIBADA, KURO, SOCKS, VIBER TUNNELED, 6RD IPV6, MSN MESSENGER, GRIDFTP, DHT TUNNELED, VOIP, ISATAP IPV6, SLING, GMAIL, XMPP-CLIENT, MEGAVIDEO TUNNELED, STUN, BAIDU MOVIE, STUN, GMAIL-CHAT, NETFLIX, GOOGLEEARTH, MMS, SSL, GOOGLETALK-VIDEO, GOOGLETALK-CHAT

62. ?

63. 12.2(15)T, IOS XE 2.5. NBAR. NBAR: (/); top-n

64. 15.2(1)T1, IOS XE 3.3.0S

    Router(config-if)# ip nbar protocol-discovery ?
      ipv4  Enable protocol discovery only for ipv4
      ipv6  Enable protocol discovery only for ipv6

    Router# show ip nbar protocol-discovery interface GigabitEthernet0/1/4 stats packet-count top-n 5
     Last clearing of "show ip nbar protocol-discovery" counters 00:00:34
                          Input                      Output
     Protocol             Packet Count               Packet Count
     -------------------- -------------------------- --------------------------
     guruguru             0                          30
     ipv6-icmp            3                          2
     unknown              0                          3
     Total                3                          35

    MIB; IPv4, IPv6; MIB; (CLI)

65.
    - ifIndex (IF-MIB)
    - cnpdAllStatsProtocolsIndex

    Router# show snmp mib ifmib ifindex
    FastEthernet0/0: Ifindex = 1
    FastEthernet1/0: Ifindex = 2
    Loopback0: Ifindex = 12

    cnpdAllStatsInBytes(5), cnpdAllStatsOutBytes(6), cnpdAllStatsHCInPkt(7), cnpdAllStatsHCOutPkts(8), cnpdAllStatsHCInBytes(9), cnpdAllStatsHCOutBytes(10), cnpdAllStatsInBitRate(11), cnpdAllStatsOutBitRate(12)

    NMS% snmpwalk -c public cnpdAllStatsEntry
    cnpdAllStatsProtocolName.2.1 = STRING: "ftp"
    cnpdAllStatsProtocolName.2.2 = STRING: "http"
    cnpdAllStatsHCInPkt.2.1 = Counter32: 20
    cnpdAllStatsHCInPkt.2.2 = Counter32: 8406
    ...
    cnpdAllStatsHCOutPkts.2.1 = Counter32: 10
    cnpdAllStatsHCOutPkts.2.2 = Counter32: 2830

66. / (5000)

67. SNMP:
    - cnpdSupportedProtocols
    - cnpdAllStats (NBAR)
    - cnpdTopNstats (Top-N)
    - cnpdThresholdhistory
    - cnpdStatus (NBAR)
    - cnpdTopNconfig (top-N)
    - cnpdThresholdconfig
    - cnpdNotificationsconfig
    - cnpdMIBNotifications
    SNMP: http://www.cisco.com/go/mibs
    ftp://ftp.cisco.com/pub/mibs/v2/CISCO-NBAR-PROTOCOL-DISCOVERY-MIB.my

68.

    Router(config)# snmp-server enable traps cnpd

    SystemUpTime; ThresholdRisingEvent, Ifindex.3 Serial0/1; ThresholdFallingEvent; (+); cnpdThresholdHistory; = 1 / (+) = 5 / 33 = Telnet

69. Class-Map Stats Table (cbQosCMstats)

70. CISCO-CLASS-BASED-QOS-MIB, cbQosObjectsTable:

    cbQosPolicyIndex  cbQosObjectsIndex  cbQosConfigIndex  cbQosObjectsType  cbQosParentObjectsIndex
    1055              1055               1040              policymap         0
    1055              1056               1033              classmap          1055
    1055              1058               1037              matchStatement    1056
    1055              1060               1039              matchStatement    1056
71. 2, 4; IP; Flexible NetFlow

72.

    Router(config)# flow exporter my-exporter
    Router(config-flow-exporter)# destination 1.1.1.1
    Router(config)# flow record my-record
    Router(config-flow-record)# match ipv4 destination address
    Router(config-flow-record)# match ipv4 source address
    Router(config-flow-record)# collect counter bytes
    Router(config)# flow monitor my-monitor
    Router(config-flow-monitor)# exporter my-exporter
    Router(config-flow-monitor)# record my-record
    Router(config)# interface s3/0
    Router(config-if)# ip flow monitor my-monitor input

73. IOS XE 3.1.1S, 15.0(1)M

    router(config)# flow record app_record
    router(config-flow-record)# match ipv4 source address
    router(config-flow-record)# match ipv4 destination address
    router(config-flow-record)# match application name

    (Cisco Prime Assurance)

    router# show flow mon cache
    IPV4 SRC ADDR    IPV4 DST ADDR    APP NAME
    ===============  ===============  ===============
    10.0.1.1         10.0.1.2         nbar rtcp
    10.0.1.1         10.0.1.2         nbar ssh
    10.0.1.1         10.0.1.2         nbar telnet
    10.0.1.1         10.0.1.2         NBAR lunar_light

    NBAR = NBAR; Flexible NetFlow.

74. IOS XE 3.4S, 15.2(2)T. DPI Cisco: IOS ISR, IOS-XE ASR1k; IOS; WAAS Express, ...; Cisco. - L4: IANA; - L3: IANA; - L2: Ethertype; - L7: (IANA L7). IETF "IPFIX": http://tools.ietf.org/html/draft-claise-export-application-info-in-ipfix-04, RFC

75.
    - Engine: prot (IANA_L3_STANDARD, ID: 1)
    - Engine: port (IANA_L4_STANDARD, ID: 3)
    - Engine: NBAR (NBAR_CUSTOM, ID: 6)
    - Engine: cisco (CISCO_L7_GLOBAL, ID: 13)

    Router# show ip nbar protocol-id
    Protocol Name    id    type
    ----------------------------------------------
    ftp              21    L4 IANA
    http             80    L4 IANA

    Router# show flow exporter option application table
    Engine: prot (IANA_L3_STANDARD, ID: 1)
    appID  Name  Description
    -----  ----  -----------
    1:8    egp   Exterior Gateway Protocol
    1:47   gre   General Routing Encapsulation

76.

    router(config)# flow record
    router(config-flow-record)# match application name [account-on-resolution]

    Account-On-Resolution: NBAR2; SYN: unknown; SYN-ACK, ACK: unknown; "application name" = "unknown"; GET URL, HTTP 200 OK; FNF:

    Eth0  Unknown  2
    Eth0  HTTP     3
    Eth0  HTTP     1

77. IOS XE 3.4S, IOS future

    router(config)# sampler
    router(config-sampler)# mode {deterministic|random} 1 out-of
    router(config-sampler)# granularity {packet (default) | connection}

    NBAR => 1, 10; FNF

78. IOS XE 3.4S, IOS future

    router(config)# flow monitor
    router(config-flow-monitor)# cache timeout event transaction-end

    FNF: "Transaction End"; FNF

79.

    router(config)# flow record
    router(config-flow-record)# match application name
    router(config-flow-record)# match connection transaction-id
    router(config-flow-record)# collect connection new-connections
    router(config-flow-record)# collect connection sum-duration
    router(config-flow-record)# collect connection initiator
    router(config-flow-record)# collect flow end-reason

    AVC, NBAR (CFT): initiator; new-connections; sum-duration; transaction-id

80.
    router(config)# flow record
    router(config-flow-record)# match interface input
    router(config-flow-record)# match ipv4 source address
    router(config-flow-record)# match ipv4 destination address
    router(config-flow-record)# match application name account-on-resolution
    router(config-flow-record)# collect counter packets
    router(config-flow-record)# collect counter bytes
    router(config)# flow exporter
    router(config-flow-exporter)# destination
    router(config-flow-exporter)# option interface-table
    router(config-flow-exporter)# option application-table
    router(config-flow-exporter)# option application-attributes
    router(config)# flow monitor
    router(config-flow-monitor)# record
    router(config-flow-monitor)# exporter
    router(config-flow-monitor)# cache timeout event transaction-end
    router(config)# interface eth0/0
    router(config-if)# ip flow monitor input

81. 15.2(1)T1, IOS XE 3.3.0S. IPv6 Flexible NetFlow:

    router(config)# flow record app_record
    router(config-flow-record)# match ipv6 source address
    router(config-flow-record)# match ipv6 destination address
    router(config-flow-record)# match application name

    Router# show flow monitor APPIPv6 cache format table
    IPV6 SOURCE ADDRESS                      IPV6 DESTINATION ADDRESS                 APPL NAME
    2A01:E35:8ABF:9510:FA1E:DFFF:FEE1:E789   2A01:E35:8ABF:9510:222:55FF:FEE6:BA98    http

82.

83. Protocol Discovery, Flexible NetFlow; Flexible NetFlow, NetFlow; "show"; 5; MIB; 5 (IP/, /)

84. ?

85. MC/BR; 1: MC/BR (IP-VPN), BR, BR, BR, MC/BR; 2: (IPVPN, DMVPN)

    !
    class-map my-class
     match protocol
     match protocol
    !

86. 15.2(2)T1, XE 3.4.0S. MC/BR; 1: MC/BR (IP-VPN), BR, BR, BR, MC/BR; 2: (IPVPN, DMVPN)

    !
    class-map my-class
     match protocol attribute category email
    !

    "email": outlook, gmail, hotmail, yahoo-mail
87. 15.2(2)T1, IOS XE 3.4S. Attribute values on the slide:
    - category: file-sharing, browsing, net-admin, other, internet-privacy, instant-messaging, email, newsgroup, voice-and-video, business-and-productivity-tools, industrial-protocols, gaming, obsolete, trojan, layer3-over-ip, location-based-services, layer2-non-ip, unassigned
    - sub-category: client-server, other, routing-protocol, tunneling-protocols, network-management, voice-video-chat-collaboration, authentication-services, database, naming-services, terminal, streaming, p2p-networking, p2p-file-transfer, control-and-signaling, inter-process-rpc, remote-access-terminal, network-protocol, commercial-media-distribution, rich-media-http-content, license-manager, epayement, storage, backup-systems, one-click-hosting, unassigned
    - application-group: ftp-group, other, ipsec-group, imap-group, irc-group, kerberos-group, ldap-group, sqlsvr-group, netbios-group, nntp-group, pop3-group, snmp-group, tftp-group, fasttrack-group, gnutella-group, skinny-group, edonkey-emule-group, bittorrent-group, smtp-group, windows-live-messanger-group, yahoo-messenger-group, flash-group, skype-group, corba-group, unassigned
    - p2p-technology / tunnel / encrypted: n n n; y y y

88. IOS XE 3.4S, IOS in future. p2p; QoS "match"; QoS; FnF:

    router(config-flow-exporter)# option application-attributes

89. "" ; Yahoo-Messenger, Yahoo-VoIP-messenger, Yahoo-VoIP-over-SIP: "yahoo-messenger-group". email, gaming, newsgroup, ... routing-protocol, database, streaming, ... P2P-Technology: p2p (ASR1000). Tunnel. Encrypted.

90. http://www.cisco.com/en/US/partner/prod/collateral/ps7045/ps6129/ps6257/ps6135/cisco_insight.html

91. Defaults ("unassigned", "other"):

    Attribute          Default                  Examples
    category           other                    skype, skinny, icq
    sub-category       other                    email, browsing
    application-group  other                    epayment, storage
    Peer-to-peer       p2p-tech-unassigned      yes, no
    Tunnel             tunnel-unassigned        yes, no
    Encrypted          encrypted-unassigned     yes, no

92.
    class-maps:

    router(config-cmap)# match protocol attribute [protocol]
    router(config-cmap)# match protocol attribute category browsing [protocol]

    match protocol:

    router(config-cmap)# match protocol attribute category browsing http

    equivalent to:

    router(config-cmap)# match protocol http
    (config-cmap)# match protocol http

    "class-maps", "match not", MQC; "match protocol":

    router(config-cmap)# match protocol attribute sub-category other

93.

    router# show ip nbar protocol-attribute http
    Protocol Name     : http
    category          : browsing
    sub-category      : other
    application-group : other
    p2p-technology    : p2p-tech-no
    tunnel            : tunnel-no
    encrypted         : encrypted-no

    router# show ip nbar attribute ?
      application-group  application-group attribute
      category           category attribute
      encrypted          Encrypted applications
      p2p-technology     Applications based on p2p-technology
      sub-category       sub-category attribute
      tunnel             Tunnelled applications
      |                  Output modifiers

    router# show ip nbar attribute category gaming
      blizwow      World of Warcraft Gaming Protocol
      bnet         bnet
      directplay   DirectPlay
      directplay8  DirectPlay8
      doom         doom Id Software
      ...          ...

94. NBAR: HTTP, RTP, Citrix. QoS HTTP:

    Router(config-cmap)# match protocol http ?
      content-encoding  Encoding mechanism used to package entity body
      from              E-mail of human controlling the user-agent
      host              Host name of Origin Server containing resource
      location          Exact location of resource from request
      mime              Content-Type of entity body
      referer           Address the resource request was obtained from
      server            Software used by Origin Server handling request
      url               Uniform Resource Locator path
      user-agent        Software used by agent sending the request

    Flexible NetFlow

95.
    Protocol        Sub-classification
    Citrix          ica-tag, app
    Edonkey         text-chat, file-transfer, search-file-name
    FastTrack       file-transfer
    Gmail           file-transfer
    Gnutella        file-transfer
    Kazaa2          file-transfer
    RTP             audio, video, payload-type
    Webex-meeting   audio, video, payload-type

    Citrix: http://www.cisco.com/en/US/docs/ios/qos/command/reference/qos_m1.html#wp1037938
    Fasttrack: http://www.cisco.com/en/US/docs/ios/qos/command/reference/qos_m1.html#wp1038015
    Gnutella: http://www.cisco.com/en/US/docs/ios/qos/command/reference/qos_m1.html#wp1038081
    RTP: http://www.cisco.com/en/US/docs/ios/qos/command/reference/qos_m1.html#wp1038481
    HTTP: http://www.cisco.com/en/US/docs/ios/qos/command/reference/qos_m1.html#wp1058795

96. RTP payload types:

    G.711          0, 8
    G.721          2
    G.722          9
    G.723          4
    G.728          15
    G.729          18
    H.261          31
    MPEG-1 (A/V)   14, 32
    MPEG-2 (A/V)   33
    (dynamic)      96-127

    IP; RTP

    Router(config)# match protocol rtp ?
      audio         match voice packets
      payload-type  match an explicit PT (Payload Type)
      video         match video packets

97. (RTP) RFC 1889; RTP RFC 1890

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |V=2|P|X|  CC   |M|     PT      |       sequence number         |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                           timestamp                           |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |           synchronization source (SSRC) identifier            |
    +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    |            contributing source (CSRC) identifiers             |
    |                             ....                              |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

98. 15.2(1)T (1st: Q1 CY12). WebEx client:

    Router(config-cmap)# match application webex-meeting version X

    10.1.1.2; QoS

99.

100. TCP/UDP? ? ? IANA! Greedy +? (*)

101. (word-cloud slide; legible terms: QoS, IPS, ACL, Flexible)
(word cloud, continued: NetFlow, QoS)

102. 15.2(1)T, XE 3.4.0S. IOS; IOS; PDLM

103.

    config# ip nbar protocol-pack protocol pack file [force]
    ip nbar protocol-pack harddisk:protocolPackFile
    no version
    no ip nbar protocol-pack harddisk:protocolPackFile [force]
    ip nbar protocol-pack harddisk:protocolPackFile

104. force: 1. IOS; 2. Force. force

105.

    router# show ip nbar protocol-pack active | protocol pack file [detail]

    detail; detail

106. IPv6; IPv6, IPv4 (v6 over v4): Teredo, isatap, 6to4, 6rd; IPv4, IPv6; v6 over v4; IPv4; Modular QoS: v4, v6; v4, v6; v6 over v4; IPv4

107. 15.2(2)T1, XE 3.5S

    Router(config)# ip nbar classification tunneled-traffic ipv6inip | teredo

    - ipv6inip: IPv6, 41, IPv4
    - teredo: IPv6, teredo, IPv4; NBAR

108.

109. ASR1000, ESP40/RP2, 1500. (PD): +/-20%; PD + QoS: +/-25%; PD + QoS: +/-26%; PD + QoS + FNF: +/-26%. ASR1000 ESP:

    ESP5    5    0.75   2.5
    ESP10   10   3.5    1.65   150   5
    ESP20   20   5      3.5    200   10
    ESP40   20   5      3.5    200   10

    NBAR2: RP, ESP; ISRG2; ESP

110.

    Router# show ip nbar resources flow
    NBAR flow statistics
      Maximum no of sessions allowed : 1000000
      Maximum memory usage allowed   : 367001 KBytes
      Active sessions                : 0
      Active memory usage            : 43712 KBytes
      Peak session                   : 1223
      Peak memory usage              : 43712 KBytes

    Router(config)# ip nbar resources flow max-session <number of sessions>
    Router(config)# ip nbar resources protocol max-session <link age in multiple of system link age (secs.)>

111.
    Router# show ip nbar resources
    NBAR memory usage for tracking Stateful sessions
      System link age      : 30 secs
      Initial memory       : 1160 KBytes
      Max initial memory   : 2320 KBytes
      Memory expansion     : 116 KBytes
      Max memory expansion : 116 KBytes
      Memory in use        : 1160 KBytes
      Max memory allowed   : 4640 KBytes
      Active links         : 0
      Total links          : 10000
      Flow Object in Use   : 0

    Router(config)# ip nbar resources flow max-session <define max allowed session>
    Router(config)# ip nbar resources system <System link age (in seconds)> <initial memory (in Kbytes)> <amount of memory to expand by (in kBytes)>
    Router(config)# ip nbar resources protocol <Link age in multiples of system link age (secs.)>

112. % NBAR ...

    Router# show ip nbar protocol-discovery top-n 5
     Serial0/0
                          Input                      Output
     Protocol             Packet Count               Packet Count
                          Byte Count                 Byte Count
                          5 minute bit rate (bps)    5 minute bit rate (bps)
     -------------------- -------------------------- --------------------------
     ...                  ...                        ...
     unknown              205                        204
                          14976                      10404
                          0                          0
     Total                41304                      40944
                          2649809                    2619839
                          3000                       3000

    NBAR recognized (%) = [(total - unknown) * 100] / [total]

    http://www.cisco.com/go/easy
    http://forums.cisco.com/eforum/servlet/EEM?page=eem&fn=script&scriptId=2101

113.

    Router# debug ip nbar unclassified-port-stats
    Router# show ip nbar unclassified-port-stats
    Port     Proto    # of Packets
    -------  -------  ------------
    6346     tcp      347679
    27005    udp      55043

    Debug IP NBAR!

114.

    Router# clear ip nbar
    Clear all NBAR Protocol Discovery statistics? [yes]:
    Cleared NBAR Protocol Discovery statistics on all interfaces.
    NBAR packet capture is not enabled.
    NBAR state-graph tracing is not enabled
    Port Statistics for unclassified packets is not turned on.
    Router# clear ip nbar protocol-discovery interface fast ethernet 0
    Clearing NBAR Protocol Discovery statistics on FastEthernet0. Proceed? [yes]:
    Router#

115. ?
NBAR; HTTP, HTTP; 7; Cisco

116. DPI/NBAR2

117. IP; MPLS (HTTP); IPSec, IPSec (v6, v4). SSL/TLS. skype, gtalk; IP; Out-of-order

118. NBAR. NBAR Unknown. NBAR: PDLM; RP; FP. ip nbar resources flow; RP

119. (DVTI); Fast Etherchannel; IPv6; (MLPPP), Multilink Frame Relay; (MPLS); Overlay Transport Virtualization (OTV); VRF-Aware Service Infrastructure (VASI); IPSec GETVPN. NBAR; NBAR (ISSU); 32

120. (CEF); Fast EtherChannel; NBAR, IPSec; IPSec GETVPN. NBAR

121.

122.

    class-map match-all business-critical
     match protocol citrix
     match access-group 101
    class-map match-any browsing
     match protocol attribute category browsing
    class-map match-any internal-browsing
     match protocol http url *myserver.com*
    policy-map internal-browsing-policy
     class internal-browsing
      bandwidth remaining percent 60
    policy-map my-network-policy
     class business-critical
      priority
      police cir percent 50
     class browsing
      bandwidth remaining percent 30
      service-policy internal-browsing-policy
    interface eth0/0
     service-policy output my-network-policy

    (slide callouts: 50%; 30% (= 15%); 60%; 70% (= 35%))

123. 15.2(1)T1, IOS XE 3.3.0S. IPv4, IPv6; MC/BR; IPv6 Flexible NetFlow. 1: MC/BR (IP-VPN), BR, BR, BR, MC/BR; 2:

    interface Gi1/1
     ip nbar protocol-discovery [ipv4|ipv6]
    flow record app_record
     match ipv6 source address
     match ipv6 destination address
     match application name
    (IPVPN, DMVPN)

    show flow monitor APPIPv6 cache format table
    IPV6 SOURCE ADDRESS                      IPV6 DESTINATION ADDRESS                 APPL NAME
    2A01:E35:8ABF:9510:FA1E:DFFF:FEE1:E789   2A01:E35:8ABF:9510:222:55FF:FEE6:BA98    http

124. MC/BR v4, v6. 1: MC/BR (IPVPN), BR IPv6, BR, BR, MC/BR IPv4; 2: (IPVPN, DMVPN), BR, MC/BR

    class-map my-class
     match protocol ssh

125. 15.2(2)T1, IOS XE 3.5.0S. IPv6, IPv4 (ISATAP, Teredo, 6to4, ...). MC/BR; IPv6, IPv4; NBAR ISATAP. 1: MC/BR IPv6, IPv4 (IPVPN), ISATAP, BR IPv6, BR, BR, MC/BR; 2: (IPVPN, DMVPN), IPv6, NBAR HTTP, BR, MC/BR

    interface Gi1/1
     ip nbar classification tunneled-traffic ?
       ipv6inip  Tunnel type ISATAP, 6to4 and 6RD
       teredo    Tunnel type TEREDO

126.

    router(config)# class-map match-any MyVirusMap
    router(config-cmap)# match protocol http url *default.ida*
    router(config-cmap)# match protocol http url *cmd.exe*
    router(config-cmap)# match protocol http url *root.exe*
    router(config)# policy-map MyVirusPolicy
    router(config-pmap)# class MyVirusMap
    router(config-pmap-c)# set dscp 1
    router(config-pmap-c)# police 1000000 31250 31250 conform-action drop exceed-action drop violate-action drop
    router(config)# interface serial 0/0
    router(config-if)# service-policy input MyVirusPolicy

127.
    Router# show policy-map interface serial 0/0
     Serial0/0
      Service-policy input: MyVirusPolicy
        Class-map: MyVirusMap (match-any)
          5 packets, 300 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: protocol http url *default.ida*
            5 packets, 300 bytes
            5 minute rate 0 bps
          Match: protocol http url *cmd.exe*
            0 packets, 0 bytes
            5 minute rate 0 bps
          Match: protocol http url *root.exe*
            0 packets, 0 bytes
            5 minute rate 0 bps
          police:
            1000000 bps, 31250 limit, 31250 extended limit
            conformed 5 packets, 300 bytes; action: drop
            exceeded 0 packets, 0 bytes; action: drop
            violated 0 packets, 0 bytes; action: drop
            conformed 0 bps, exceed 0 bps, violate 0 bps
        Class-map: class-default (match-any)
          5 packets, 300 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: any

128.

129.

130. NetFlow; SourceForge; v5, v9; v5; v5; ACL; tcpdump; Google Code

131. Lancope

132.

133. ? ? ?