dtnbarad(network-based application recognition)
TRANSCRIPT
-
8/2/2019 Dtnbarad(Network-Based Application Recognition)
1/54
Corporate Headquarters:
Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA
2005 Cisco Systems, Inc. All rights reserved.
Network-Based Application Recognition andDistributed Network-Based ApplicationRecognition
This document provides information for the Network-Based Application Recognition (NBAR) and the
Distributed Network-Based Application Recognition (dNBAR) features. This document contains all of
the updates made to the NBAR and dNBAR features.
Before proceeding, it is important to note that the dNBAR feature, which introduced NBAR on the Cisco
7500 with a Versatile Interface Processor (VIP) and the Catalyst 6000 family switch with a FlexWAN
module, is identical in implementation to NBAR. Therefore, unless otherwise noted, the term NBAR is
used throughout this document to describe both the NBAR and dNBAR feature. The term dNBAR is used
only when appropriate.
This document includes information on the benefits of NBAR, supported platforms, restrictions,
definitions, and revised command syntax.
History for the NBAR and dNBAR Features1
Cisco IOS Release Modification
12.0(5)XE2 This feature was introduced. The first implementation of the NBAR
feature was available on Cisco 7100 and Cisco 7200 series routers.
12.1(1)E Subport classification of HTTP traffic by host name for NBAR was
introduced. The variable-field-name value options were also added to the
match protocol (NBAR) command.
12.1(5)T This feature was integrated into Cisco IOS Release 12.1(5) T.
12.1(6)E
12.2(4)T3
The dNBAR feature, which introduced NBAR functionality on the Cisco
7500 series router with a VIP and the Catalyst 6000 family switch with a
FlexWAN module, was introduced.
12.2(14)S NBAR and dNBAR were introduced in Cisco IOS Release 12.2 S. The
12.2 S version of NBAR includes everything available on the 12.1 E and12.2 T implementations of NBAR with the exception of platform support
for platforms not supported by 12.2 S.
12.2(15)T The Protocol Discovery MIB was introduced.
-
8/2/2019 Dtnbarad(Network-Based Application Recognition)
2/54
Network-Based Application Recognition and Distributed Network-Based Application Recognition
Content
2
Cisco IOS Release 12.4(4) T
Content Prerequisites for NBAR, page 3
Feature Overview, page 4
How to Configure NBAR, page 23
Monitoring and Maintaining NBAR, page 30
Configuration Examples, page 30
Technical Assistance, page 34
Command Reference, page 34
Glossary, page 53
12.3(4)T NBAR PDLM Versioning was introduced. This feature introduced
versioning of PDLM protocols and the show ip nbar version command.
See the IP NBAR PDLM Module Versioning section on page 16 foradditional information regarding this feature.
The NBAR User-Defined Custom Application Classification feature was
introduced. See the Classification of Custom Applications section on
page 13 for additional information on the enhancements to the custom
protocol that were introduced as part of this feature.
The NBAR Extended Inspection for HTTP Traffic feature was introduced.
This feature allows NBAR to scan TCP ports that are not well-known and
identify HTTP traffic traversing these ports.
12.3(7)T Restrictions on the number of bytes of payload that could be inspected by
NBAR were removed. NBAR can now inspect the full packet payload.
12.3(11)T The ability to classify traffic using HTTP header fields was introduced.
The c-header-field and s-header-field options were added to the matchprotocol http command.
12.4(1) The variable keyword, thefield-name argument, and the field-length
arguments were added to the ip nbar custom command. This new
keyword and additional arguments allow sub-classification of custom
traffic in NBAR.
12.4(4)T Support was added for Direct Connect and Skype protocols.
1. This feature history table only contains enhancements to the overall NBAR feature. It does not include the introduction of
new NBAR-supported protocols or the introduction of NBAR on new platforms. For information relating to when protocols
were introduced on NBAR, see the Supported Protocols section on page 16. For information about when NBAR was
introduced on a platform, see the Access Cisco Feature Navigator at http://www.cisco.com/go/f.
Finding Support Information for Platforms and Cisco IOS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image
support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on
Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at
the login dialog box and follow the instructions that appear.
History for the NBAR and dNBAR Features1 (continued)
Cisco IOS Release Modification
http://www.cisco.com/go/fnhttp://www.cisco.com/go/fnhttp://www.cisco.com/go/fnhttp://www.cisco.com/go/fn -
8/2/2019 Dtnbarad(Network-Based Application Recognition)
3/54
Network-Based Application Recognition and Distributed Network-Based Application Recognition
Prerequisites for NBAR
3
Cisco IOS Release 12.4(4) T
Appendix, page 53
Prerequisites for NBAR
CEF
You must enable Cisco Express Forwarding (CEF) before you configure NBAR. For more information
on CEF, refer to the Cisco IOS Release 12.2 Cisco IOS Switching Services Configuration Guide.
RestrictionsNBAR is currently not supported with Stateful Switchover (SSO). This applies to the Catalyst 6500,
Cisco 7600 and Cisco 7500.
Also, the NBAR feature does not support the following:
More than 24 concurrent URLs, hosts, or MIME type matches.
Matching beyond the first 400 bytes in a packet payload in Cisco IOS releases before Cisco IOS
Release 12.3(7)T. In Cisco IOS Release 12.3(7)T, this restriction was removed and NBAR now
supports full payload inspection. The only exception is that NBAR can only inspect custom protocol
traffic for 255 bytes into the payload.
Non-IP traffic.
MPLS-labelled packets. NBAR only classifies IP packets. You can, however, use NBAR to classify
IP traffic before the traffic is handed over to MPLS. Use the Modular QoS CLI (MQC) to set the IP
DSCP field on the NBAR-classified packets and make MPLS map the DSCP setting to the MPLS
EXP setting inside the MPLS header.
Multicast and other non-CEF switching modes.
Fragmented packets. Pipelined persistent HTTP requests.
URL/host/MIME classification with secure HTTP.
Asymmetric flows with stateful protocols.
Packets originating from or destined to the router running NBAR.
NBAR is not supported on the following logical interfaces:
For VLAN setups, NBAR only works on interfaces setup as VLAN 1. NBAR does not work with
any other VLAN number.
Fast EtherChannel.
Interfaces where tunneling or encryption is used.
NBAR was not supported on Dialer interfaces until Cisco IOS Release 12.2(4)T.
Note NBAR cannot be used to classify output traffic on a WAN link where tunneling or encryption is used.
Therefore, NBAR should be configured on other interfaces on the router (such as a LAN link) to perform
input classification before the traffic is switched to the WAN link for output.
However, NBAR Protocol Discovery is supported on interfaces where tunneling or encryption is used.
-
8/2/2019 Dtnbarad(Network-Based Application Recognition)
4/54
Network-Based Application Recognition and Distributed Network-Based Application Recognition
Information About NBAR
4
Cisco IOS Release 12.4(4) T
You can enable Protocol Discovery directly on the tunnel or on the interface where encryption is
performed to gather key statistics on the various applications that are traversing the interface. The input
statistics also show the total number of encrypted/tunneled packets received in addition to the
per-protocol breakdowns.
In order to run Distributed NBAR on a Cisco 7500 series router, you must be using a processor that has
64 MB of DRAM or more. At the time of this publication, the following processors met this requirement:
VIP2-50, VIP4-50, VIP4-80, and VIP6-80
GEIP and GEIP+
SRPIP
Information About NBARThe following sections provide information about NBAR.
Feature Overview
The purpose of IP Quality of Service (QoS) is to provide appropriate network resources (bandwidth,
delay, jitter, and packet loss) to applications. QoS maximizes the return on investments on network
infrastructure by ensuring that mission critical applications get the required performance and noncritical
applications do not hamper the performance of critical applications.
IP QoS can be deployed by defining classes or categories of applications. These classes are defined by
using various classification techniques available in Cisco IOS software. After these classes are defined
and attached to an interface, the desired QoS features, such as Marking, Congestion Management,
Congestion Avoidance, Link Efficiency mechanisms, or Policing and Shaping can then be applied to the
classified traffic to provide the appropriate network resources amongst the defined classes.
Classification, therefore, is an important first step in configuring QoS in a network infrastructure.
NBAR is a classification engine that recognizes a wide variety of applications, including web-based and
other difficult-to-classify protocols that utilize dynamic TCP/UDP port assignments. When an
application is recognized and classified by NBAR, a network can invoke services for that specific
application. NBAR ensures that network bandwidth is used efficiently by classifying packets and then
applying QoS to the classified traffic. Some examples of class-based QoS features that can be used on
traffic after the traffic is classified by NBAR include:
Class-Based Marking (the set command)
Class-Based Weighted Fair Queueing (the bandwidth and queue-limit commands)
Low Latency Queueing (the priority command)
Traffic Policing (the police command)
Traffic Shaping (the shape command)
Note The NBAR feature is used for classifying traffic by protocol. The other class-based QoS features
determine how the classified traffic is forwarded and are documented separately from NBAR.
Furthermore, NBAR is not the only method of classifying network traffic so that QoS features can be
applied to classified traffic.
-
8/2/2019 Dtnbarad(Network-Based Application Recognition)
5/54
Network-Based Application Recognition and Distributed Network-Based Application Recognition
Information About NBAR
5
Cisco IOS Release 12.4(4) T
For information on the class-based features that can be used to forward NBAR-classified traffic, see the
individual feature modules for the particular class-based feature as well as the Cisco IOS Quality of
Service Solutions Guide.
Many of the non-NBAR classification options for QoS are documented in the Modular Quality of
Service Command-Line Interface section of the Cisco IOS Quality of Service Solutions Guide. These
commands are configured using the match command in class map configuration mode.
NBAR introduces several new classification features that identify applications and protocols from
Layer 4 through Layer 7:
Statically assigned TCP and UDP port numbers.
Non-UDP and non-TCP IP protocols.
Dynamically assigned TCP and UDP port numbers. Classification of such applications requires
stateful inspection; that is, the ability to discover the data connections to be classified by parsing the
connections where the port assignments are made.
Sub-port classification or classification based on deep packet inspection; that is, classification by
looking deeper into the packet.
NBAR can classify static port protocols. Although access control lists (ACLs) can also be used for this
purpose, NBAR is easier to configure and can provide classification statistics that are not available when
using ACLs.
NBAR includes a Protocol Discovery feature that provides an easy way to discover application protocols
that are transversing an interface. The Protocol Discovery feature discovers any protocol traffic
supported by NBAR. Protocol Discovery maintains the following per-protocol statistics for enabled
interfaces: total number of input and output packets and bytes, and input and output bit rates. The
Protocol Discovery feature captures key statistics associated with each protocol in a network that can be
used to define traffic classes and QoS policies for each traffic class.
BenefitsAbility to Identify and Classify Network Traffic by Protocol
Identifying and classifying network traffic is an important first step in implementing QoS. A network
administrator can more effectively implement QoS in a networking environment after identifying the
amount and the variety of applications and protocols running on a network.
NBAR gives network administrators the ability to see the variety of protocols and the amount of traffic
generated by each protocol. After gathering this information, NBAR allows users to implement classes
of traffic. These classes of traffic can then be used to provide different levels of service for network
traffic, therefore allowing better network management by providing the right level of network resources
for network traffic.
Configuring NBAR in a Network
This section provides information on several topics that could be useful to individuals configuring
NBAR in their networks. The following topics are covered in this section:
Catalyst 6000 Family Switches Without FlexWAN Modules Application Notes, page 6
Packet Description Language Module, page 8
Classification of HTTP Traffic, page 8
-
8/2/2019 Dtnbarad(Network-Based Application Recognition)
6/54
Network-Based Application Recognition and Distributed Network-Based Application Recognition
Information About NBAR
6
Cisco IOS Release 12.4(4) T
Classification of Citrix ICA Traffic, page 10
RTP Payload Type Classification, page 12
Classification of Custom Applications, page 13
Classification of Peer-to-Peer File-Sharing Applications, page 14
Classification of Streaming Protocols, page 16
IP NBAR PDLM Module Versioning, page 16
Supported Protocols, page 16
Catalyst 6000 Family Switches Without FlexWAN Modules Application Notes
When NBAR is enabled on a Catalyst 6000 without a FlexWAN module interface, all traffic flows
entering or leaving the NBAR-enabled interface will be processed in software on the Multilayer Switch
Feature Card 2 (MSFC2).
The following other restrictions should also be noted when running NBAR:
NBAR can only be implemented on an MSFC2 with Supervisor Engine 1 or Supervisor Engine 2.
NBAR Protocol Discovery or QoS service policies using NBAR to match protocols cannot co-exist
on an interface that contains Catalyst 6000-specific QoS actions. Refer to the Catalyst 6000 QoS
Guide for Catalyst 6000-specific QoS actions.
Table 1 provides configuration results when NBAR is added to an interface. The results vary depending
on the current configuration of the policy map on the interface.
Table 1 NBAR Behavior Descriptions
Current Policy Map State Action Result
At least one service policy with
platform-specific QoS action in the
policy map is attached to interface.
Enable Protocol
Discovery on the
interface.
Protocol Discovery is
rejected.
No service policies on the interface have
NBAR or a platform-specific QoS action
in the policy map.
Enable Protocol
Discovery on the
interface.
Protocol Discovery is
accepted, but the service
policy is disabled from the
interface.
A service policy on the interface
contains match protocol NBAR
commands.
Enable Protocol
Discovery on the
interface.
Protocol Discovery is
accepted.
No policy map is on the interface. Enable Protocol
Discovery on the
interface.
The command is accepted.
Traffic is processed on the
MSFC2 once the command
is accepted.
No policy map is on the interface. Disable Protocol
Discovery.
The command is accepted.
Traffic is no longer
processed on the MSFC2.
No service policies on the interface have
platform-specific QoS actions or match
protocol NBAR commands.
Disable Protocol
Discovery.
Protocol Discovery is
disabled. The service policy
is removed from the
interface. The service policy
can be reattached.
-
8/2/2019 Dtnbarad(Network-Based Application Recognition)
7/54
-
8/2/2019 Dtnbarad(Network-Based Application Recognition)
8/54
Network-Based Application Recognition and Distributed Network-Based Application Recognition
Information About NBAR
8
Cisco IOS Release 12.4(4) T
Packet Description Language Module
An external Packet Description Language Module (PDLM) can be loaded at run time to extend the
NBAR list of recognized protocols. PDLMs can also be used to enhance an existing protocol recognition
capability. PDLMs allow NBAR to recognize new protocols without requiring a new Cisco IOS image
or a router reload.
New PDLMs will only be released by Cisco and can be loaded from Flash memory. Contact your local
Cisco representative to request additions or changes to the set of protocols classified by NBAR.
To view a list of currently available PDLMs or to download a PDLM, go to the following URL:
http://www.cisco.com/cgi-bin/tablebuild.pl/pdlm
Classification of HTTP Traffic
This section covers the following topics:
Classification of HTTP Traffic by URL, Host, or MIME, page 8
Classification of HTTP Traffic Using the HTTP Header Fields, page 9
Combining Classification of HTTP Headers and URL, Host, or MIME Type to Identify HTTP
Traffic, page 10
Classification of HTTP Traffic by URL, Host, or MIME
NBAR can classify application traffic by looking beyond the TCP/UDP port numbers of a packet. This
is subport classification. NBAR looks into the TCP/UDP payload itself and classifies packets on content
within the payload such as transaction identifier, message type, or other similar data.
Classification of HTTP by URL, host, or Multipurpose Internet Mail Extension (MIME) type is an
example of subport classification. NBAR classifies HTTP traffic by text within the URL or host fields
of a request by using regular expression matching. HTTP URL matching in NBAR supports most HTTP
request methods such as GET, PUT, HEAD, POST, DELETE, and TRACE. NBAR uses the UNIX
filename specification as the basis for the URL or host specification format. The NBAR engine then
converts the specified match string into a regular expression.
NBAR recognizes HTTP packets containing the URL and classifies all packets that are sent to the source
of the HTTP request. Figure 1 illustrates a network topology with NBAR in which Router Y is the
NBAR-enabled router.
Figure 1 Network Topology with NBAR
When specifying a URL for classification, include only the portion of the URL following the
www.hostname.domain in the match statement. For example, for the URL
www.cisco.com/latest/whatsnew.html, include only /latest /whatsnew.html.
Router X Router YHTTP server
HTTP clients
HTTP get request
HTTP get response
(classified)
2
9056
http://www.cisco.com/cgi-bin/tablebuild.pl/pdlmhttp://www.cisco.com/cgi-bin/tablebuild.pl/pdlm -
8/2/2019 Dtnbarad(Network-Based Application Recognition)
9/54
Network-Based Application Recognition and Distributed Network-Based Application Recognition
Information About NBAR
9
Cisco IOS Release 12.4(4) T
Host specification is identical to URL specification. NBAR performs a regular expression match on the
host field contents inside an HTTP packet and classifies all packets from that host. For example, for the
URL www.cisco.com/latest/whatsnew.html, include only www.cisco.com.
For MIME type matching, the MIME type can contain any user-specified text string. A list of the Internet
Assigned Numbers Authority (IANA)-supported MIME types can be found at:
ftp://ftp.isi.edu/in-notes/iana/assignments/media-types/media-types
In MIME type matching, NBAR classifies the packet containing the MIME type and all subsequent
packets, which are sent to the source of the HTTP request.
NBAR supports URL and host classification in the presence of persistent HTTP. NBAR does not classify
packets that are part of a pipelined request. With pipelined requests, multiple requests are pipelined to
the server before previous requests are serviced. Pipelined requests are a less commonly used type of
persistent HTTP request.
In Cisco IOS Release 12.3(4)T, the NBAR Extended Inspection for HTTP Traffic feature was introduced.
This feature allows NBAR to scan TCP ports that are not well-known and identify HTTP traffic
traversing these ports. HTTP traffic classifications are no longer restrained to the well-known and
defined TCP ports.
Classification of HTTP Traffic Using the HTTP Header Fields
In Cisco IOS Release 12.3(11)T, NBAR introduced expanded ability for users to classify HTTP traffic
using information in the HTTP header fields.
HTTP works using a client-server model: HTTP clients open connections by sending a request message
to an HTTP server. The HTTP server then returns a response message back to the HTTP client (this
response message is typically the resource requested in the request message from the HTTP client). After
delivering the response, the HTTP server closes the connection and the transaction is complete.
HTTP header fields are used to provide information about HTTP request and response messages. HTTP
has numerous header fields. For additional information on HTTP headers, see section 14 of RFC 2616.
This document can be read at the following URL:
http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html
NBAR is able to classify the following HTTP header fields:
For request messages (client to server), the following HTTP header fields can be identified using
NBAR:
User-Agent
Referer
From
For response messages (server to client), the following header fields can be identified using NBAR
Server
Location Content-Base
Content-Encoding
Within NBAR, the match protocol http c-header-field command is used to specify that NBAR identify
request messages (the c in the c-header-field portion of the command is for client). The match
protocol http s-header-field command is used to specify response messages (the s in the
s-header-field portion of the command is for server).
http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.htmlhttp://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html -
8/2/2019 Dtnbarad(Network-Based Application Recognition)
10/54
Network-Based Application Recognition and Distributed Network-Based Application Recognition
Information About NBAR
10
Cisco IOS Release 12.4(4) T
Examples
In the following example, any request message that contains [email protected] in the User-Agent,
Referer, or From fields will be classified by NBAR. Typically, a term with a format similar to
[email protected] would be found in the From header field of the HTTP request message:
match protocol http c-header-field *[email protected]*
In the following example, any request message that contains http://www.cisco.com/routers in theUser-Agent, Referer, or From fields will be classified by NBAR. Typically, a term with a format s imilar
to http://www.cisco.com/routers would be found in the Referer header field of the HTTP request
message:
match protocol http c-header-field *http://www.cisco.com/routers*
In the following example, any request message that contains CERN-LineMode/2.15 in the
User-Agent, Referer, or From header fields will be classified by NBAR. Typically, a term with a format
similar to CERN-LineMode/2.15 would be found in the User-Agent header field of the HTTP request
message:
match protocol http c-header-field *CERN-LineMode/2.15*
In the following example, any response message that contains CERN/3.0 in the Content-Base,
Content-Encoding, Location, or Server header fields will be classified by NBAR. Typically, a term with
a format similar to CERN/3.0 would be found in the Server header field of the response message:
match protocol http s-header-field *CERN/3.0*
In the following example, any response message that contains http://www.cisco.com/routers in the
Content-Base, Content-Encoding, Location, or Server header fields will be classified by NBAR.
Typically, a term with a format similar to http://www.cisco.com/routers would be found in the
Content-Base or Location header field of the response message:
match protocol http s-header-field *http://www.cisco.com/routers*
In the following example, any response message that contains gzip in the Content-Base,
Content-Encoding, Location, or Server header fields will be classified by NBAR. Typically, the term
gzip would be found in the Content-Encoding header field of the response message:
match protocol http s-header-field *gzip*
Combining Classification of HTTP Headers and URL, Host, or MIME Type to Identify HTTP Traffic
It is important to note that combinations of URL, Host, MIME type, and HTTP headers can be combined
during NBAR configuration. These combinations provide customers with more flexibility to classify
specific HTTP traffic based on their network requirements.
Examples
In the following example, HTTP header fields are combined with a URL to classify traffic. In this
example, traffic with a Server field of CERN-LineMode/3.0 and a User-Agent field of CERN/3.0,
along with URL www.cisco.com, will be classified using NBAR:
class-map match-all c-http
match protocol http c-header-field *CERN-LineMode/3.0*
match protocol http s-header-field *CERN/3.0*
match protocol http url *www.cisco.com*
Classification of Citrix ICA Traffic
NBAR can classify Citrix Independent Computing Architecture (ICA) traffic and perform subport
classification of Citrix traffic based on the published application name or ICA tag number.
-
8/2/2019 Dtnbarad(Network-Based Application Recognition)
11/54
Network-Based Application Recognition and Distributed Network-Based Application Recognition
Information About NBAR
11
Cisco IOS Release 12.4(4) T
Classification of Citrix ICA Traffic by Published Application Name
NBAR can monitor Citrix ICA client requests for a published application destined to a Citrix ICA Master
browser. After the client requests the published application, the Citrix ICA Master browser directs the
client to the server with the most available memory. The Citrix ICA client then connects to this Citrix
ICA server for the application.
Note For Citrix to monitor and classify traffic by the published application name, Server Browser
Mode on the Master browser must be used.
In Server Browser Mode, NBAR statefully tracks and monitors traffic, and performs a regular expression
search on the packet contents for the published application name specified by the match protocol citrix
command. The published application name is specified by using the app keyword and the
application-name-string argument of the match protocol citrix command. (For more information, see
the match protocol citrix command in the Command Reference section of this document.)
The Citrix ICA session triggered to carry the specified application is cached and traffic is classified
appropriately for the published application name.
Citrix ICA Client Modes
Citrix ICA clients can be configured in various modes. NBAR cannot distinguish among Citrix
applications in all modes of operation. Therefore, network administrators might need to collaborate with
Citrix administrators to ensure that NBAR properly classifies Citrix traffic.
A Citrix administrator can configure Citrix to publish Citrix applications individually or as the entire
desktop. In the Published Desktop mode of operation, all applications within the published desktop of a
client use the same TCP session. Therefore, differentiation among applications is impossible, and NBAR
can only be used to classify Citrix applications as aggregates (by looking at port 1494).
The Published Application mode for Citrix ICA clients is recommended when you use NBAR. In
Published Application mode, a Citrix administrator can configure a Citrix client in either seamless or
nonseamless (windows) modes of operation. In nonseamless mode, each Citrix application uses a
separate TCP connection, and NBAR can be used to provide interapplication differentiation based on thename of the published application.
Seamless mode clients can operate in one of two submodes: session sharing or nonsession sharing. In
seamless session sharing mode, all clients share the same TCP connection, and NBAR cannot
differentiate among applications. Seamless sharing mode is enabled by default on some software
releases.
In seamless nonsession sharing mode, each application for each particular client uses a separate TCP
connection. NBAR can provide interapplication differentiation in seamless nonsession sharing mode.
Session sharing can be turned off using the following steps:
Step 1 At the command prompt of the Citrix server, open the registry editor by entering the regedit command
Step 2 Create the following registry entry (which overrides session sharing):
[HKLM]\SYSTEM\CurrentControlSet\Control\Citrix\WFSHELL\TWI
Value name: "SeamlessFlags", type DWORD, possible value0 or 1
Setting this registry value to 1 overrides session sharing. Note that this flag is SERVER GLOBAL.
-
8/2/2019 Dtnbarad(Network-Based Application Recognition)
12/54
Network-Based Application Recognition and Distributed Network-Based Application Recognition
Information About NBAR
12
Cisco IOS Release 12.4(4) T
Note NBAR operates properly in Citrix ICA secure mode. Pipelined Citrix ICA client requests are not
supported.
Classification of Citrix ICA Traffic by ICA Tag Number
Citrix uses one TCP session each time an application is opened. In the TCP session, a variety of Citrix
traffic may be intermingled in the same session. For example, print traffic may be intermingled with
interactive traffic, causing interruption and delay for a particular application. Most people would prefer
that printing be handled as a background process and not have printing interfere with the processing of
higher-priority traffic.
To accommodate this preference, the Citrix ICA protocol includes the ability to identify Citrix ICA
traffic based on the ICA tag number of the packet. The ability to identify, tag, and prioritize Citrix ICA
traffic is referred to as ICA Priority Packet Tagging. With ICA Priority Packet Tagging, Citrix ICA traffic
is categorized as high, medium, low, and background, depending on the ICA tag of the packet.
When ICA traffic priority tag numbers are used, and the priority of the traffic is determined, QoS features
can then be implemented to determine how the t raffic will be handled. For example, QoS traffic policing
can be configured to transmit or drop packets with a specific priority.
Citrix ICA Packet Tagging
The Citrix ICA tag is included in the first two bytes of the Citrix ICA packet, after the initial negotiations
are completed between Citrix client and server. These bytes are not compressed or encrypted.
The first two bytes of the packet (byte 1 and byte 2) contain the byte count and the ICA priority tag
number. Byte1 contains the low-order byte count, and the first two bits of byte 2 contain the priority tags.
The other six bits contain the high-order byte count.
The ICA priority tag value can be a number from 0 to 3. The number indicates the packet priority, with 0
being the highest priority and 3 being the lowest priority.
To prioritize Citrix traffic by the ICA tag number of the packet, you specify the tag number using the
ica-tag keyword and the ica-tag-value argument of the match protocol citrix command. For moreinformation about the match protocol citrix command, see the Command Reference section of this
document.
RTP Payload Type Classification
RTP is a packet format for multimedia data streams. It can be used for media-on-demand as well as
interactive services such as Internet telephony. RTP consists of a data and a control part. The control part
is called Real-time Transport Control Protocol (RTCP). RTCP is a separate protocol that is supported by
NBAR. It is important to note that the NBAR RTP Payload Type Classification feature does not identify
RTCP packets, and that RTCP packets run on odd numbered ports while RTP packets run on
even-numbered ports.
The data part of RTP is a thin protocol providing support for applications with real-time properties suchas continuous media (such as audio and video), which includes timing reconstruction, loss detection, and
security and content identification. RTP is discussed in RFC 1889 and RFC 1890.
The RTP payload type is the data transported by RTP in a packet, for example audio samples or
compressed video data.
-
8/2/2019 Dtnbarad(Network-Based Application Recognition)
13/54
Network-Based Application Recognition and Distributed Network-Based Application Recognition
Information About NBAR
13
Cisco IOS Release 12.4(4) T
NBAR RTP Payload Type Classification not only allows one to statefully identify real-time audio and
video traffic, but it also can differentiate on the basis of audio and video CODECs to provide more
granular Quality of Service. The RTP Payload Type Classification feature, therefore, looks deep into the
RTP header to classify RTP packets.
NBAR RTP Payload Type Classification was first introduced in Cisco IOS Release 12.2(8)T and is also
available in Cisco IOS Release 12.1(11b)E.
Classification of Custom Applications
The custom protocol supports static port-based protocols and applications that are not currently
supported in NBAR. This functionality allows mapping of static TCP and UDP port numbers to custom
protocol within NBAR.
The initial custom NBAR application had the following features that were later enhanced in Cisco IOS
Release 12.3(4)T:
The custom protocol had to be named custom-xx, with xx being a number.
10 custom applications can be assigned using NBAR, and each customer application can have up to
16 TCP and 16 UDP ports each mapped to the individual custom protocol. The real-time statisticsof each custom protocol can be monitored using Protocol Discovery.
In Cisco IOS Release 12.3(4)T, the User-Defined Custom Application Classification feature was
introduced and the following enhancements to custom protocols were introduced:
The ability to inspect the payload for certain matching string patterns at a specific offset.
The ability to allow users to define the names of their custom protocol applications. The user-named
protocol can then be used by Protocol Discovery, the Protocol Discovery MIB, match protocol, or
ip nbar port-map as an NBAR-supported protocol.
The ability to allow NBAR inspection for custom protocols to be specified by direction of traffic
(traffic heading toward a source or destination rather than defaulting to traffic in both directions) if
desired by user.
Provides CLI support that allows a user configuring a custom application to specify a range of portsrather than have to enter each port individually.
For additional information on the enhancements to custom protocols introduced in Cisco IOS
Release 12.3(4)T, see the ip nbar custom command in the Command Reference section of this
document.
Beginning in Cisco IOS Release 12.4(1), the variable keyword, thefield-name argument, and the
field-length argument were added to the ip nbar custom command. This additional keyword and two
additional arguments allow for NBAR classification and identification on a specific value within a
custom payload. After creating a variable when creating a custom protocol, you can use the match
protocol commandto classify traffic based on a specific value in the custom protocol. For more
information about the ip nbar custom command, see the Command Reference section of this
document. For more information about the match protocol command, see the Cisco IOS Quality of
Service Solutions Command Reference.
Pre-12.3(4)T Custom Application Example
In the following example, a gaming application that runs on TCP port 8877 needs to be classified using
NBAR. You can use custom-01 to map TCP port 8877 by entering the following command:
Router(config)# ip nbar port-map custom-01 tcp 8877
http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cr/hqos_r/index.htmhttp://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cr/hqos_r/index.htmhttp://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cr/hqos_r/index.htmhttp://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cr/hqos_r/index.htm -
8/2/2019 Dtnbarad(Network-Based Application Recognition)
14/54
Network-Based Application Recognition and Distributed Network-Based Application Recognition
Information About NBAR
14
Cisco IOS Release 12.4(4) T
It is important to note that this configuration is also supported on Cisco IOS releases later than Release
12.3(4)T but is required on all prior releases.
12.3(4)T and Later Custom Application Examples
In the following example, the custom protocol app_sales1 will identify TCP packets with a source port
of 4567 and contain the term SALES in the fifth byte of the payload:
ip nbar custom app_sales1 5 ascii SALES source tcp 4567
In the following example, the custom protocol virus_home will identify UDP packets with a destination
port of 3000 and contain 0x56 in the seventh byte of the payload:
ip nbar custom virus_home 7 hex 0x56 dest udp 3000
In the following example, custom protocol media_new will identify TCP packets with a destination or
source port of 4500 and that have a value of 90 at the sixth byte of the payload:
ip nbar custom media_new 6 decimal 90 tcp 4500
In the following example, custom protocol msn1 will look for TCP packets with a destination or source
port of 6700:ip nbar custom msn1 tcp 6700
In the following example, custom protocol mail_x will look for UDP packets with a destination port of
8202:
ip nbar custom mail_x destination udp 8202
In the following example, custom protocol mail_y will look for UDP packets with destination ports
between 3000 and 4000 including 3000 and 4000 as well as port 5500:
ip nbar custom mail_y destination udp range 3000 4000 5500
In the following example, the variable keyword is used while creating a custom protocol, and class maps
are configured to classify different values within the variable field into different traffic classes.
Specifically, in the example below, variable scid values 0x15, 0x21, and 0x27 will be classified into class
map active-craft while scid values 0x11, 0x22, and 0x25 will be classified into class map passive-craft.
ip nbar custom ftdd field scid 125 variable 1 tcp range 5001 5005
class-map active-craft
match protocol ftdd scid 0x15
match protocol ftdd scid 0x21match protocol ftdd scid 0x27
class-map passive-craftmatch protocol ftdd scid 0x11
match protocol ftdd scid 0x22
match protocol ftdd scid 0x25
Classification of Peer-to-Peer File-Sharing Applications
Gnutella and FastTrack are examples of peer-to-peer file-sharing protocols that became classifiable
using NBAR in Cisco IOS Release 12.1(12c)E. The following is a complete list of peer-to-peer
file-sharing applications that use these protocols and are supported by NBAR.
Applications that use the Gnutella protocol:
-
8/2/2019 Dtnbarad(Network-Based Application Recognition)
15/54
Network-Based Application Recognition and Distributed Network-Based Application Recognition
Information About NBAR
15
Cisco IOS Release 12.4(4) T
Bearshare
Gnewtellium
Gnucleus
Gtk-Gnutella
Limewire
Mutella
Phex
Qtella
Swapper
Xolo
Applications that use RTSP:
Real Player
Quicktime
Kazaa, eDonkey, eMule, FastTrack, Grokster, JTella, Morpheus, WinMX, XCache, and Direct Connect
are other peer-to-peer file-sharing applications supported by NBAR.
The match protocol gnutella file-transferregular-expression and match protocol fasttrack
file-transferregular-expression commands are used to enable Gnutella and FastTrack classification in
a traffic class. The regular-expression variable can be expressed as * to indicate that all FastTrack or
Gnutella traffic be classified by a traffic class.
In the following example, all FastTrack traffic is classified into class map nbar:
class-map match-all nbar
match protocol fasttrack file-transfer "*"
Similarly, all Gnutella traffic is classified into class map nbar in this example:
class-map match-all nbar
match protocol gnutella file-transfer "*"
Wildcard characters in a regular expression can also be used to identify specified Gnutella and FastTrack
traffic. These regular expression matches can be used to match based on a filename extension or on a
particular string in a filename.
In the following example, all Gnutella files that have the .mpeg extension will be classified into class
map nbar.
class-map match-all nbar
match protocol gnutella file-transfer "*.mpeg"
In the following example, only Gnutella traffic that contains the characters cisco is classified:
class-map match-all nbar
match protocol gnutella file-transfer *cisco*
The same examples can be used for FastTrack traffic:
class-map match-all nbar
match protocol fasttrack file-transfer "*.mpeg"
or
-
8/2/2019 Dtnbarad(Network-Based Application Recognition)
16/54
Network-Based Application Recognition and Distributed Network-Based Application Recognition
Information About NBAR
16
Cisco IOS Release 12.4(4) T
class-map match-all nbarmatch protocol fasttrack file-transfer *cisco*
Classification of Streaming Protocols
In Cisco IOS Release 12.3(7)T, NBAR introduced support for RTSP, which is the protocol used for the
following applications that use streaming audio:
RealAudio (RealSystems G2)
Apple QuickTime
Windows Media Services
IP NBAR PDLM Module Versioning
A Packet Description Language Module (PDLM) is used to add a new protocol to the list of supported
NBAR protocols. Before downloading PDLMs, users should understand some of the interdependencies
between the versioning of NBAR in the Cisco IOS code and the PDLM file itself. The following
definitions help define some of the aspects of NBAR and PDLM versioning and the interdependenciesrequired between the two before a new protocol can be supported in NBAR via a PDLM download.
The following version numbers are kept by the Cisco IOS software:
NBAR Software VersionThe version of NBAR software running on the current version of
Cisco IOS.
Resident Module VersionThe version of the NBAR-supported PDLM protocol. The Resident
Module Version must be less than the NBAR PDLM Interdependency Version of the PDLM for a
PDLM file to be downloaded from cisco.com and accepted within NBAR in the Cisco IOS software.
The following version number is kept by the PDLM:
NBAR Software VersionThe minimum version of the NBAR software required to load this
PDLM.
For additional information on IP NBAR PDLM Module Versioning, see the show ip nbar version
command in the Command Reference of this document.
Supported Protocols
The easiest method of seeing which protocols can be classified using NBAR on your Cisco IOS release
is to enter the match protocol ? and to view the options that appear. Not all protocols listed in this
section are supported for NBAR on all Cisco IOS releases.
Before reviewing the list of protocols that are supported in your Cisco IOS release, it is also important
to note that support for some protocols can be added to NBAR using PDLMs. For information on PDLMs
and seeing which protocols can be added using PDLMs, see the Downloading PDLMs section on
page 28. Note that protocols introduced via PDLM are eventually added to the Cisco IOS at some pointand may already be available in your Cisco IOS release.
Table 2 lists all of the NBAR-supported protocols available in Cisco IOS. The table also provides
information about the protocol type, well-known port numbers, the syntax for entering the protocol in
NBAR, and the Cisco IOS release where the protocol was initially supported.
-
8/2/2019 Dtnbarad(Network-Based Application Recognition)
17/54
Network-Based Application Recognition and Distributed Network-Based Application Recognition
Information About NBAR
17
Cisco IOS Release 12.4(4) T
Note Many peer-to-peer file sharing applications arent listed in this table but can be classified using
FastTrack or Gnutella. See the Classification of Peer-to-Peer File-Sharing Applications section on
page 14 for additional information.
Note RTSP can be used to classify various types of applications that use streaming audio. See the
Classification of Streaming Protocols section on page 16 for additional information.
Table 2 NBAR-Supported Protocols
Protocol Category TypeWell-KnownPort Number Description Syntax
Cisco IOSRelease1
Citrix ICA Enterprise
Application
TCP/
UDP
Stateful
Protocol
Citrix ICA traffic
by application
name
citrix
citrix app
12.1(2)E
12.1(5)T
PCAnywhere Enterprise
Application
TCP 5631, 65301 Symantic
pcAnywhere
pcanywhere 12.0(5)XE2
12.1(1)E
12.1(5)T
PCAnywhere Enterprise
Application
UDP 22, 5632 Symantic
pcAnywhere
pcanywhere 12.0(5)XE2
12.1(1)E
12.1(5)T
Novadigm Enterprise
Application
TCP/
UDP
3460- 3465 Novadigm
Enterprise
Desktop Manager
(EDM)
novadigm 12.1(2)E
12.1(5)T
SAP Enterprise
Application
TCP 3300-3315
(sap-pgm.
pdlm)
3200-3215
(sap-app.
pdlm)
3600-3615
(sap-msg.
pdlm)
Application server
to application
server traffic
(sap-pgm.pdlm)
Client to
application server
traffic
(sap-app.pdlm)
Client to message
server traffic
(sap-msg.pdlm)
sap 12.3
12.3 T
12.2 T
12.1 E
BGP RoutingProtocol
TCP/UDP
179 Border GatewayProtocol
bgp 12.0(5)XE212.1(1)E
12.1(5)T
EGP Routing
Protocol
IP 8 Exterior Gateway
Protocol
egp 12.0(5)XE2
12.1(1)E
12.1(5)T
-
8/2/2019 Dtnbarad(Network-Based Application Recognition)
18/54
Network-Based Application Recognition and Distributed Network-Based Application Recognition
Information About NBAR
18
Cisco IOS Release 12.4(4) T
EIGRP Routing
Protocol
IP 88 Enhanced Interior
Gateway RoutingProtocol
eigrp 12.0(5)XE2
12.1(1)E12.1(5)T
OSPF Routing
Protocol
TCP Stateful
Protocol
Open Shortest
Path First
ospf 12.3(8)T
RIP Routing
Protocol
UDP 520 Routing
Information
Protocol
rip 12.0(5)XE2
12.1(1)E
12.1(5)T
SQL*NET Database TCP/
UDP
Stateful
Protocol
SQL*NET for
Oracle
sqlnet 12.0(5)XE2
12.1(1)E
12.1(5)T
MS-
SQLServer
Database TCP 1433 Microsoft SQL
Server Desktop
Videoconferenc-
ing
sqlserver 12.0(5)XE2
12.1(1)E
12.1(5)T
GRE Security and
Tunneling
IP 47 Generic Routing
Encapsulation
gre 12.0(5)XE2
12.1(1)E
12.1(5)T
IPINIP Security and
Tunneling
IP 4 IP in IP ipinip 12.0(5)XE2
12.1(1)E
12.1(5)T
IPSec Security and
Tunneling
IP 50, 51 IP Encapsulating
Security
Payload/Authentic
ation Header
ipsec 12.0(5)XE2
12.1(1)E
12.1(5)T
L2TP Security and
Tunneling
UDP 1701 L2F/L2TP tunnel l2tp 12.0(5)XE2
12.1(1)E
12.1(5)T
MS-PPTP Security and
Tunneling
TCP 1723 Microsoft
Point-to-Point
Tunneling
Protocol for VPN
pptp 12.0(5)XE2
12.1(1)E
12.1(5)T
SFTP Security and
Tunneling
TCP 990 Secure FTP secure-ftp 12.0(5)XE2
12.1(1)E
12.1(5)T
SHTTP Security and
Tunneling
TCP 443 Secure HTTP secure-http 12.0(5)XE2
12.1(1)E
12.1(5)T
SIMAP Security and
Tunneling
TCP/
UDP
585, 993 Secure IMAP secure-imap 12.0(5)XE2
12.1(1)E
12.1(5)T
Table 2 NBAR-Supported Protocols (continued)
Protocol Category TypeWell-KnownPort Number Description Syntax
Cisco IOSRelease1
-
8/2/2019 Dtnbarad(Network-Based Application Recognition)
19/54
Network-Based Application Recognition and Distributed Network-Based Application Recognition
Information About NBAR
19
Cisco IOS Release 12.4(4) T
SIRC Security and
Tunneling
TCP/
UDP
994 Secure IRC secure-irc 12.0(5)XE2
12.1(1)E12.1(5)T
SLDAP Security and
Tunneling
TCP/
UDP
636 Secure LDAP secure-ldap 12.0(5)XE2
12.1(1)E
12.1(5)T
SNNTP Security and
Tunneling
TCP/
UDP
563 Secure NNTP secure-nntp 12.0(5)XE2
12.1(1)E
12.1(5)T
SPOP3 Security and
Tunneling
TCP/
UDP
995 Secure POP3 secure-pop3 12.0(5)XE2
12.1(1)E
12.1(5)T
STELNET Security and
Tunneling
TCP 992 Secure Telnet secure-telnet 12.0(5)XE2
12.1(1)E
12.1(5)T
SOCKS Security and
Tunneling
TCP 1080 Firewall security
protocol
socks 12.0(5)XE2
12.1(1)E
12.1(5)T
SSH Security and
Tunneling
TCP 22 Secured Shell ssh 12.0(5)XE2
12.1(1)E
12.1(5)T
ICMP Network
Manage-
ment
IP 1 Internet Control
Message Protocol
icmp 12.0(5)XE2
12.1(1)E
12.1(5)T
SNMP Network
Manage-
ment
TCP/
UDP
161, 162 Simple Network
Management
Protocol
snmp 12.0(5)XE2
12.1(1)E
12.1(5)T
Syslog Network
Manage-
ment
UDP 514 System Logging
Utility
syslog 12.0(5)XE2
12.1(1)E
12.1(5)T
IMAP Network
Mail
Services
TCP/
UDP
143, 220 Internet Message
Access Protocol
imap 12.0(5)XE2
12.1(1)E
12.1(5)T
POP3 Network Mail
Services
TCP/UDP
110 Post OfficeProtocol
pop3 12.0(5)XE212.1(1)E
12.1(5)T
Exchange Network
Mail
Services
TCP MS-RPC for
Exchange
exchange TCP 12.0(5)XE2
12.1(1)E
12.1(5)T
Table 2 NBAR-Supported Protocols (continued)
Protocol Category TypeWell-KnownPort Number Description Syntax
Cisco IOSRelease1
-
8/2/2019 Dtnbarad(Network-Based Application Recognition)
20/54
Network-Based Application Recognition and Distributed Network-Based Application Recognition
Information About NBAR
20
Cisco IOS Release 12.4(4) T
Notes Network
MailServices
TCP/
UDP
1352 Lotus Notes notes 12.0(5)XE2
12.1(1)E12.1(5)T
SMTP Network
Mail
Services
TCP 25 Simple Mail
Transfer Protocol
smtp 12.0(5)XE2
12.1(1)E
12.1(5)T
DHCP/
BOOTP
Directory UDP 67, 68 Dynamic Host
Configuration
Protocol/
Bootstrap
Protocol
dhcp 12.0(5)XE2
12.1(1)E
12.1(5)T
Finger Directory TCP 79 Finger user
informationprotocol
finger 12.0(5)XE2
12.1(1)E12.1(5)T
DNS Directory TCP/
UDP
53 Domain Name
System
dns 12.0(5)XE2
12.1(1)E
12.1(5)T
Kerberos Directory TCP/
UDP
88, 749 Kerberos Network
Authentication
Service
kerberos 12.0(5)XE2
12.1(1)E
12.1(5)T
LDAP Directory TCP/
UDP
389 Lightweight
Directory Access
Protocol
ldap 12.0(5)XE2
12.1(1)E
12.1(5)T
CU-SeeMe Streaming
Media
TCP/
UDP
7648, 7649 Desktop video
conferencing
cuseeme 12.0(5)XE2
12.1(1)E
12.1(5)T
CU-SeeMe Streaming
Media
UDP 24032 Desktop video
conferencing
cuseeme 12.0(5)XE2
12.1(1)E
12.1(5)T
Netshow Streaming
Media
TCP/
UDP
Stateful
Protocol
Microsoft
Netshow
netshow 12.0(5)XE2
12.1(1)E
12.1(5)T
RealAudio Streaming
Media
TCP/
UDP
Stateful
Protocol
RealAudio
Streaming
Protocol
realaudio 12.0(5)XE2
12.1(1)E
12.1(5)T
StreamWorks Streaming
Media
UDP Stateful
Protocol
Xing Technology
Stream Works
audio and video
streamwork 12.0(5)XE2
12.1(1)E
12.1(5)T
VDOLive Streaming
Media
TCP/
UDP
Stateful
Protocol
VDOLive
Streaming Video
vdolive 12.0(5)XE2
12.1(1)E
12.1(5)T
Table 2 NBAR-Supported Protocols (continued)
Protocol Category TypeWell-KnownPort Number Description Syntax
Cisco IOSRelease1
-
8/2/2019 Dtnbarad(Network-Based Application Recognition)
21/54
Network-Based Application Recognition and Distributed Network-Based Application Recognition
Information About NBAR
21
Cisco IOS Release 12.4(4) T
RTSP Streaming
Media/Multimedia
TCP/
UDP
Stateful
Protocol
Real-time
StreamingProtocol
rtsp 12.3(11)T
MGCP Streaming
Media/
Multimedia
TCP/
UDP
2427, 2428,
2727
Media Gateway
Control Protocol
mgcp 12.3(7)T
FTP Internet TCP Stateful
Protocol
File Transfer
Protocol
ftp 12.0(5)XE2
12.1(1)E
12.1(5)T
Gopher Internet TCP/
UDP
70 Internet Gopher
Protocol
gopher 12.0(5)XE2
12.1(1)E
12.1(5)T
HTTP Internet TCP 802 Hypertext
Transfer Protocol
http 12.0(5)XE2
12.1(1)E
12.1(5)T
IRC Internet TCP/
UDP
194 Internet Relay
Chat
irc 12.0(5)XE2
12.1(1)E
12.1(5)T
Telnet Internet TCP 23 Telnet Protocol telnet 12.0(5)XE2
12.1(1)E
12.1(5)T
TFTP Internet UDP Stateful
Protocol
Trivial File
Transfer Protocol
tftp 12.0(5)XE2
12.1(1)E
12.1(5)T
NNTP Internet TCP/
UDP
119 Network News
Transfer Protocol
nntp 12.0(5)XE2
12.1(1)E
12.1(5)T
RSVP Signaling UDP 1698, 1699 Resource
Reservation
Protocol
rsvp 12.0(5)XE2
12.1(1)E
12.1(5)T
NFS RPC TCP/
UDP
2049 Network File
System
nfs 12.0(5)XE2
12.1(1)E
12.1(5)T
Sunrpc RPC TCP/ UDP
StatefulProtocol
Sun RemoteProcedure Call
sunrpc 12.0(5)XE212.1(1)E
12.1(5)T
NetBIOS nonIP and
LAN/
Legacy
TCP/
UDP
137, 138,
139
NetBIOS over IP
(MS Windows)
netbios 12.0(5)XE2
12.1(1)E
12.1(5)T
Table 2 NBAR-Supported Protocols (continued)
Protocol Category TypeWell-KnownPort Number Description Syntax
Cisco IOSRelease1
-
8/2/2019 Dtnbarad(Network-Based Application Recognition)
22/54
Network-Based Application Recognition and Distributed Network-Based Application Recognition
Information About NBAR
22
Cisco IOS Release 12.4(4) T
NTP Misc. TCP/
UDP
123 Network Time
Protocol
ntp 12.0(5)XE2
12.1(1)E12.1(5)T
Printer Misc. TCP/
UDP
515 Printer printer 12.1(2)E
12.1(5)T
X Windows Misc. TCP 60006003 X11, X Windows xwindows 12.0(5)XE2
12.1(1)E
12.1(5)T
r-commands Misc. TCP Stateful
Protocol
rsh, rlogin, rexec rcmd 12.0(5)XE2
12.1(1)E
12.1(5)T
H.323 Voice TCP Stateful
Protocol
H.323
Teleconferencing
protocol
h323 12.3.(7)T
RTCP Voice TCP/
UDP
Stateful
Protocol
Real-time Control
Protocol
rtcp 12.1E
12.2T
12.3
12.3T
12.3(7)T
RTP Voice TCP/
UDP
Stateful
Protocol
Real-Time
Transport Protocol
Payload
Classification
rtp 12.2(8)T
SIP Voice TCP/
UPD
5060 Session Initiation
Protocol
sip 12.3(7)T
SCCP/
Skinny
Voice TCP 2000, 2001,
2002
Skinny Client
Control Protocol
skinny 12.3(7)T
Skype Voice TCP/
UPD
Stateful
Protocol
peer-to-peer VoIP
client software
Note Cisco
currently
supports
Skype
version 1
only.
skype 12.4(4)T
BitTorrent Peer-to-Peer
file sharing
applications
TCP Stateful
Protocol, or
68816889
BitTorrent file
transfer traffic
bittorrent 12.4(2)T
Direct
Connect
Peer-to-Peer
file sharing
applications
TCP/
UDP
411 Direct Connect
file transfer traffic
directconnect 12.4(4)T
Table 2 NBAR-Supported Protocols (continued)
Protocol Category TypeWell-KnownPort Number Description Syntax
Cisco IOSRelease1
-
8/2/2019 Dtnbarad(Network-Based Application Recognition)
23/54
Network-Based Application Recognition and Distributed Network-Based Application Recognition
How to Configure NBAR
23
Cisco IOS Release 12.4(4) T
Memory Management
NBAR uses approximately 150 bytes of DRAM for each flow that requires stateful inspection. (See
Table 2 for a list of stateful protocols supported by NBAR that require stateful inspection.) When NBAR
is configured, it allocates 1 MB of DRAM to support up to 5000 concurrent flows. NBAR checks to see
if it needs more memory to handle addi tional concurrent stateful flows. If such a need is detected, NBAR
expands its memory usage in increments of 200 Kb to 400 Kb.
How to Configure NBARThe NBAR feature has two components: one component monitors applications traversing a network, and
the other classifies traffic by protocol.
In order to monitor applications traversing a network, Protocol Discovery needs to be enabled.
eDonkey/
eMule
Peer-to-Peer
file sharingapplications
TCP 4662 eDonkey file
sharingapplication
eMule traffic is
also classified as
eDonkey traffic in
NBAR
edonkey 12.3(11)T
FastTrack Peer-to-Peer
file sharing
applications
N/A Stateful
Protocol
FastTrack fasttrack 12.1(12c)E
Gnutella Peer-to-Peer
file sharing
applications
TCP Stateful
Protocol
Gnutella gnutella 12.1(12c)E
KaZaA Peer-to-Peer
file sharing
applications
TCP/
UPD
Stateful
Protocol
KaZaA
Note that earlier
KaZaA version 1
traffic can be
classified using
FastTrack.
kazaa2 12.2(8)T
WinMX Peer-to-Peer
file sharing
applications
TCP 6699 WinMX traffic winmx 12.3(7)T
1. Indicates the Cisco IOS maintenance release that first supported the protocol. This table is updated when a protocol is added
to a new Cisco IOS release train.
2. In Release 12.3(4)T, the NBAR Extended Inspection for Hypertext Transfer Protocol (HTTP) Traffic feature was introduced
This feature allows NBAR to scan TCP ports that are not well-known and that identify HTTP traffic traversing these ports.
Table 2 NBAR-Supported Protocols (continued)
Protocol Category TypeWell-KnownPort Number Description Syntax
Cisco IOSRelease1
-
8/2/2019 Dtnbarad(Network-Based Application Recognition)
24/54
Network-Based Application Recognition and Distributed Network-Based Application Recognition
How to Configure NBAR
24
Cisco IOS Release 12.4(4) T
The ability to classify traffic by protocol using NBAR and then applying QoS to the classified traffic is
configured by using the Modular QoS CLI.
The Modular QoS CLI structure allows users to create traffic policies and attach these policies to
interfaces. A traffic policy contains a traffic class and one or more QoS features. A traffic class is used
to classify traffic, while the QoS features in the traffic policy determine how to treat the classified traffic.
Modular QoS CLI configuration includes the following three steps:
Step 1 Define a traffic class with the class-map command.
Step 2 Create a traffic policy by associating the traffic class with one or more QoS features (using the
policy-map command).
Step 3 Attach the traffic policy to the interface with the service-policy command.
NBAR traffic classification occurs as part of the traffic class configuration.
For additional information on the Modular Quality of Service Command-Line Interface, see the
Configuring the Modular Quality of Service Command-Line Interface section of the Cisco IOSQuality of Service Solution Guide on Cisco.com.
This section contains the following procedures:
Enabling Protocol Discovery, page 24 (optional)
Configuring a Traffic Class, page 25 (required)
Configuring a Traffic Policy, page 26 (required)
Attaching a Traffic Policy to an Interface, page 27 (required)
Downloading PDLMs, page 28 (optional)
Enabling Protocol DiscoveryEnable protocol discovery to monitor selected protocols on an interface. Use the ip nbar
protocol-discovery command in order to enable monitoring of applications on a particular interface
SUMMARY STEPS
1. enable
2. configure terminal
3. interface
4. ip nbar protocol-discovery
-
8/2/2019 Dtnbarad(Network-Based Application Recognition)
25/54
Network-Based Application Recognition and Distributed Network-Based Application Recognition
How to Configure NBAR
25
Cisco IOS Release 12.4(4) T
DETAILED STEPS
Configuring a Traffic Class
Configure the interface to define a traffic class and the match criteria that will be used to classify network
traffic when attached to an interface. When using NBAR to classify traffic, the match protocol
command will be entered in class map configuration mode. Use the class-map configuration command
to configure the interface.
SUMMARY STEPS
1. enable
2. configure terminal
3. class-map[match-all | match-any] class-name
4. match protocolprotocol-name
Command or Action Purpose
Step 1 Router> enable
Example:Router> enable
Enables privileged EXEC mode.
Enter your password if prompted
Step 2 Router# configure terminal
Example:Router> enable
Enters global configuration mode.
Step 3 Router(config)# interfaceinterface-name
Example:Router# configure terminal
Specifies the interface to configure and enters interface
configuration mode.
Step 4 Router(config-if)# ip nbar protocol-discovery
Example:Router# ip nbar protocol-discovery
Enables monitoring by application on a particular
interface.
-
8/2/2019 Dtnbarad(Network-Based Application Recognition)
26/54
Network-Based Application Recognition and Distributed Network-Based Application Recognition
How to Configure NBAR
26
Cisco IOS Release 12.4(4) T
DETAILED STEPSS
Configuring a Traffic Policy
Use the policy-map configurationcommand to specify the QoS policies, such as Traffic Policing, TrafficShaping, Low Latency Queueing, Class-Based Marking, Class-Based Weighted Fair Queueing or others,
to apply to traffic classes defined by a traffic class. A traffic policy does not classify and forward traffic
until being attached to an interface.
SUMMARY STEPS
SUMMARY STEPS
1. enable
2. configure terminal
3. policy-map policy-map-name
4. class {class-name | class-default}
5. bandwidth {bandwidth-kbps | remaining percentpercentage | percentpercentage}
6. end
Note Note The bandwidth command configures the QoS feature class-based weighted fair queuin (CBWFQ).
CBWFQ is just an example of a QoS feature that can be configured. Use the appropriate command for
the QoS feature you want to use.
Command or Action Purpose
Step 1 Router> enable
Example:Router> enable
Enables privileged EXEC mode.
Enter your password if prompted
Step 2 Router# configure terminal
Example:Router# configure terminal
Enters global configuration mode.
Step 3 Router(config)# class-map[match-all | match-any]class-name
Example:Router(config)# class-map[match-all | match-any]
ex-name
Specifies the user-defined name of the traffic class.
The match-all option specifies that all match
criteria in the class map must be matched.
The match-any option specifies that one or more
match criteria must match.
Step 4 Router(config-cmap)#match protocolprotocol-name
Example:Router(config-cmap)# match protocol ip
Specifies a protocol supported by NBAR as a matching
criteria.
-
8/2/2019 Dtnbarad(Network-Based Application Recognition)
27/54
Network-Based Application Recognition and Distributed Network-Based Application Recognition
How to Configure NBAR
27
Cisco IOS Release 12.4(4) T
DETAILED STEPS
For additional information on policy map options in the Modular Quality of Service Command-Line
Interface, see theModular Quality of Service Command-Line Interfacedocument on Cisco.com.
Attaching a Traffic Policy to an Interface
A traffic policy is not active until it has been attached to an interface. Perform this task to attach a traffic
policy to an interface and to specify the direction in which the policy should be applied (on either packetscoming into the interface or packets leaving the interface).
SUMMARY STEPS
1. enable
2. configure terminal
3. interface interface-name
Command or Action Purpose
Step 1 Router> enable
Example:Router> enable
Enables privileged EXEC mode.
Enter your password if prompted
Step 2 Router# configure terminal
Example:Router# configure terminal
Enters global configuration mode.
Step 3 Router(config)#policy-map policy-name
Example:Router(config)# policy-map ex-name
User-specified policy map name.
Step 4 Router(config-pmap)# class class-name
Example:Router(config-pmap)# class ex-name
Specifies the name of a previously defined class map.
Step 5 bandwidth {bandwidth-kbps | remaining percentpercentage |percent percentage}
Example:Router(config-pmap-c)# bandwidth percent 50
(Optional) Specifies or modifies the bandwidth
allocated for a class belonging to a policy map.
Enter the amount of bandwidth as a number of kbps,
a relative percentage of bandwidth, or an absolute
amount of bandwidth.
Note The bandwidth command configures the QoS
feature class-based weighted fair queuing
(CBWFQ). CBWFQ is just an example of a QoSfeature that can be configured. Use the
appropriate command for the QoS feature you
want to use.
-
8/2/2019 Dtnbarad(Network-Based Application Recognition)
28/54
Network-Based Application Recognition and Distributed Network-Based Application Recognition
How to Configure NBAR
28
Cisco IOS Release 12.4(4) T
4. service-policy outputpolicy-map-name
5. service policy inputpolicy-map-name
DETAILED STEPS
.
Use the no service-policy [input| output]policy-map-name command to detach a policy map from an
interface.
Downloading PDLMs
PDLMs are separate files that are used to add support for a protocol in NBAR that is currently notavailable as part of the Cisco IOS software. PDLMs do have minimum IOS release and other restrictions
that should be considered before being downloaded. The PDLM readmes provide information regarding
restrictions for the specific PDLM and other information helpful for installing that particular PDLM.
Before loading PDLMs, note that protocols introduced via PDLM are added to a future Cisco IOS
release. Therefore, support for the protocol you would like to add via PDLM may already be in your
Cisco IOS release. To check the protocols supported by NBAR in your Cisco IOS release, enter the
match protocol ? command and view the options that appear.
Command or Action Purpose
Step 1 Router> enable
Example:Router> enable
Enables privileged EXEC mode.
Enter your password if prompted
Step 2 Router# configure terminal
Example:Router# configure terminal
Enters global configuration mode.
Step 3 Router(config)# interfaceinterface-name
Example:Router(config)# interface ex-name
Specifies the interface to configure and enter theinterface configuration mode.
Step 4 Router(config-if)# service-policy outputpolicy-map-name
Example:Router(config-if)# service-policy output
ex-map-name
Attaches the previously configured traffic policy in the
outbound direction of the interface. When this
command is entered, all traffic leaving the interface
will be classified and forwarded based on the traffic
policy configuration.
Step 5 Router(config-if)# service-policy input
policy-map-name
Example:Router(config-if)# service-policy input
ex-map-name
Attaches the previously configured traffic policy in the
input direction of the interface. When this command isentered, all traffic entering the interface will be
classified and forwarded based on the traffic policy
configuration.
-
8/2/2019 Dtnbarad(Network-Based Application Recognition)
29/54
Network-Based Application Recognition and Distributed Network-Based Application Recognition
How to Configure NBAR
29
Cisco IOS Release 12.4(4) T
To download a PDLM, view a list of currently available PDLMs, or to view the readme files for each
PDLM, go to the following URL (Cisco login required):
http://www.cisco.com/cgi-bin/tablebuild.pl/pdlm
The PDLM readmes at this site explain how to download the PDLM onto your Cisco IOS release. For
all PDLM downloads, the ip nbar pdlm command needs to be entered to complete the addition of the
protocol to your Cisco IOS release. To complete the PDLM download process, enter the followingcommand:
Verifying the Configuration
Use the show policy-mapinterface-spec [input | output]class class-name command to display the
configuration of a policy map and its associated class maps. Forms of this command are listed below.
SUMMARY STEPS
1. enable
2. show class-map [class-map-name]
3. show policy-map [policy-map]
4. show policy-map interface interface-name [vc [vpi/] vci] [dlci dlci] [input | output]
5. show ip nbar port-map [protocol-name]
DETAILED STEPS
Command or Action Purpose
Router(config)# ip nbar pdlmpdlm-name Specifies the PDLM used to extend or enhance the
NBAR list of protocols.
Command or Action Purpose
Step 1 enable
Example:
Router> enable
Enables privileged EXEC mode.
Enter your password if prompted.Router# show
class-map
Step 2 Router# show class-map class-name
Example:
Router> show class-mapex-name
(Optional) Displays all class maps and their matching
criteria.
(Optional) Enter the name of a specific class map.
Step 3 Router# show policy-map
Example:
Router> show policy-map
(Optional) Displays the configuration of all classes for a
specified service policy map or all classes for all existing
policy maps;
(Optional) Enter the name of specific policy map.
http://www.cisco.com/cgi-bin/tablebuild.pl/pdlm -
8/2/2019 Dtnbarad(Network-Based Application Recognition)
30/54
Network-Based Application Recognition and Distributed Network-Based Application Recognition
Monitoring and Maintaining NBAR
30
Cisco IOS Release 12.4(4) T
Troubleshooting Tips
In order for the NBAR feature to function, you must enable Cisco Express Forwarding (CEF) on the
router prior to configuring the NBAR feature.
Some error messages use the term heuristic to refer to a set of NBAR-supported protocols, and
some error message documentation recommends actions to these heuristic protocols.
RTP is the only currently available heuristic protocol. If the error message or the error message
documentation recommends an action to a heuristic protocol, take the recommended action on RTP.
Monitoring and Maintaining NBARNBAR can determine which protocols and applications are currently running on a network. NBAR
includes the Protocol Discovery feature that provides an easy way of discovering application protocols
operating on an interface so that appropriate QoS policies can be developed and applied. With Protocol
Discovery, you can discover any protocol traffic supported by NBAR and obtain statistics associated
with that protocol. Perform this task to monitor and maintain the NBAR feature.
Configuration ExamplesThis section provides the following configuration examples:
Configuring a Traffic Policy with NBAR, page 31
Adding a PDLM, page 31
Step 4 show policy-map interface interface-name
Example:Router> show policy-map interfaceex-interface
(Optional) Displays the packet and class statistics for all
policy maps on the specified interface.
Enter the interface name.
Step 5 show ip nbar port-map [protocol-name]
Example:Router# show ip nbar port-map ip
(Optional) Displays the current protocol-to-port
mappings in use by NBAR.
(Optional) Enter a specific protocol name.
Command or Action Purpose
Command or Action Purpose
Step 1 Router# show ip nbar port-map [protocol-name] Displays the TCP/UDP port numbers used by NBAR to
classify a given protocol.
Step 2 Router# show ip nbar protocol-discovery Displays the statistics for all interfaces on which
Protocol Discovery is enabled.
-
8/2/2019 Dtnbarad(Network-Based Application Recognition)
31/54
Network-Based Application Recognition and Distributed Network-Based Application Recognition
Additional References
31
Cisco IOS Release 12.4(4) T
Configuring a Traffic Policy with NBAR
In the following example, all SQL*Net traffic leaving fastethernet interface 0/1 is marked with the IP
precedence value of 4. In the example, NBAR is used to identify SQL*Net traffic, while the treatment
of SQL*Net traffic (in this case, it is forwarded with the IP precedence bit set as 4) is determined by the
traffic policy configuration (the set ip precedence 4 command in policy-map class configuration mode)Router(config)# class-mapsqlnettrafficRouter(config-cmap)#match protocol sqlnet
Router(config)#policy-map sqlsetipprec1
Router(config-pmap)# class sqlnettrafficRouter(config-pmap-c)# set ip precedence 4
Router(config)# interface fastethernet 0/1
Router(config-if)# service-policy output sqlsetipprec1
Adding a PDLM
In the following example, the FastTrack PDLM, which has already been downloaded to the Flash drive,is added as an NBAR-supported protocol:
Router(config)# ip nbar pdlm flash://fasttrack.pdlm
Additional ReferencesThe following sections provide references related to NBAR.
-
8/2/2019 Dtnbarad(Network-Based Application Recognition)
32/54
Network-Based Application Recognition and Distributed Network-Based Application Recognition
Additional References
32
Cisco IOS Release 12.4(4) T
Related Documents
Standards
MIBs
Related Topic Document Title
Access control lists (ACLs) Access Control Lists: Overview and Guidelines
Traffic Policing (the police command) Cisco IOS Quality of Service Solutions Command Reference,Release 12.4
Traffic Shaping (the shape command) Cisco IOS Quality of Service Solutions Command Reference,
Release 12.4
Class-Based Weighted Fair Queueing (the bandwidth and
queue-limit commands)
Cisco IOS Quality of Service Solutions Command Reference,
Release 12.4
Class-Based Marking (the set commands) Cisco IOS Quality of Service Solutions Command Reference,
Release 12.4
Low Latency Queueing (the priority command) Cisco IOS Quality of Service Solutions Command Reference,
Release 12.4
Modular Quality of Service Command-Line Interface (CLI)
(MQC)
Cisco IOS Quality of Service Solutions Configuration Guide,
Release 12.4
Standard Title
ISO 0009 File Transfer Protocol (FTP)
ISO 0013 Domain Names - Concepts and Facilities
ISO 0033 The TFTP Protocol (Revision 2)
ISO 0034 Routing Information Protocol
ISO 0053 Post Office Protocol - Version 3
ISO 0056 RIP Version 2
MIB MIBs Link
CISCO-NBAR-PROTOCOL-DISCOVERY MIB For information on the
CISCO-NBAR-PROTOCOL-DISCOVERY MIB, see the
Network-Based Application Recognition Management
Information Base document.
To locate and download MIBs for selected platforms, CiscoIOS releases, and feature sets, use Cisco MIB Locator found
at the following URL:
http://www.cisco.com/go/mibs
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scfacls.htmhttp://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cr/hqos_r/qos_s1h.htm#wp1085303http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cr/hqos_r/qos_s1h.htm#wp1085303http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cr/hqos_r/qos_s1h.htm#wp1079641http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cr/hqos_r/qos_s1h.htm#wp1079641http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cr/hqos_r/qos_o1h.htm#wp1076758http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cr/hqos_r/qos_o1h.htm#wp1076758http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cr/hqos_r/qos_o1h.htm#wp1076758http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cr/hqos_r/qos_s1h.htm#wp1079641http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cr/hqos_r/qos_s1h.htm#wp1085303http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scfacls.htm -
8/2/2019 Dtnbarad(Network-Based Application Recognition)
33/54
Network-Based Application Recognition and Distributed Network-Based Application Recognition
Additional References
33
Cisco IOS Release 12.4(4) T
RFCs
RFC Title
RFC 742 NAME/FINGER Protocol
RFC 759 Internet Message ProtocolRFC 792 Internet Control Message Protocol
RFC 793 Transmission Control Protocol
RFC 821 Simple Mail Transfer Protocol
RFC 827 Exterior Gateway Protocol
RFC 854 Telnet Protocol Specification
RFC 888 STUB Exterior Gateway Protocol
RFC 904 Exterior Gateway Protocol formal specification
RFC 951 Bootstrap Protocol
RFC 959 File Transfer Protocol
RFC 977 Network News Transfer Protocol
RFC 1001 Protocol Standard for a NetBIOS Service on a TCP/UDP
Transport: Concepts and Methods
RFC 1002 Protocol Standard for a NetBIOS Service on a TCP/UDP
Transport: Detailed Specifications
RFC 1057 RPC: Remote Procedure Call
RFC 1094 NFS: Network File System Protocol Specification
RFC 1112 Host Extensions for IP Multicasting
RFC 1157 Simple Network Management Protocol
RFC 1282 BSD Rlogin
RFC 1288 The Finger User Information Protocol
RFC 1305 Network Time Protocol
RFC 1350 The TFTP Protocol (Revision 2)
RFC 1436 The Internet Gopher Protocol
RFC 1459 Internet Relay Chat Protocol
RFC 1510 The Kerberos Network Authentication Service
RFC 1542 Clarifications and Extensions for the Bootstrap Protocol
RFC 1579 Firewall-Friendly FTP
RFC 1583 OSPF Version 2
RFC 1657 Definitions of Managed Objects for the Fourth Version of the
Border Gateway Protocol
RFC 1701 Generic Routing Encapsulation
RFC 1730 Internet Message Access Protocol - Version 4
RFC 1771 A Border Gateway Protocol 4 (BGP-4)
RFC 1777 Lightweight Directory Access Protocol
-
8/2/2019 Dtnbarad(Network-Based Application Recognition)
34/54
Network-Based Application Recognition and Distributed Network-Based Application Recognition
Command Reference
34
Cisco IOS Release 12.4(4) T
Technical Assistance
Command ReferenceThis section documents modified commands only.
ip nbar custom
match protocol (NBAR)
RFC 1831 RPC: Remote Procedure Call Protocol Specification Version
2
RFC 1889 A Transport Protocol for Real-Time Applications
RFC 1890 RTP Profile for Audio and Video Conferences with MinimalControl
RFC 1928 SOCKS Protocol Version 5
RFC 1939 Post Office Protocol - Version 3
RFC 1945 Hypertext Transfer Protocol -- HTTP/1.0
RFC 1964 The Kerberos Version 5 GSS-API Mechanism
RFC 2060 Internet Message Access Protocol - Version 4rev1
RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1
RFC 2131 Dynamic Host Configuration Protocol
RFC 2205 Resource ReSerVation Protocol (RSVP) -- Version 1
Functional Specification
RFC 2236 Internet Group Management Protocol, Version 2
RFC 2251 Lightweight Directory Access Protocol (v3)
RFC 2252 Lightweight Directory Access Protocol (v3): Attribute Syntax
Definitions
RFC 2253 Lightweight Directory Access Protocol (v3): UTF-8 String
Representation of Distinguished Names
RFC 2326 Real Time Streaming Protocol (RTSP)
RFC 2401 Security Architecture for the Internet Protocol
RFC 2406 IP Encapsulating Security Payload
RFC 2453 RIP Version 2
RFC 2616 Hypertext Transfer Protocol -- HTTP/1.1
Description Link
The Cisco Technical Support website contains thousands of
pages of searchable technical content, including links to
products, technologies, solutions, technical tips, and tools.
Registered Cisco.com users can log in from this page to
access even more content.
http://www.cisco.com/techsupport
RFC Title
-
8/2/2019 Dtnbarad(Network-Based Application Recognition)
35/54
Network-Based Application Recognition and Distributed Network-Based Application Recognition
Command Reference
35
Cisco IOS Release 12.4(4) T
match protocol citrix
match protocol http
-
8/2/2019 Dtnbarad(Network-Based Application Recognition)
36/54
Network-Based Application Recognition and Distributed Network-Based Application Recognition
ip nbar custom
36
Cisco IOS Release 12.4(4) T
ip nbar customTo extend the capability of network-based application recognition (NBAR) Protocol Discovery to
classify and monitor additional static port applications or to allow NBAR to classify nonsupported static
port traffic, use the ip nbar custom command in global configuration mode. To disable NBAR from
classifying and monitoring addtional static port application or classifying nonsupported static porttraffic, use the no form of this command.
ip nbar custom name [offset[format value]][variable field-name field-length]
[source|destination] [tcp|udp] [range start end| port-number]
no ip nbar custom name [offset[format value]][variable field-name field-length]
[source|destination] [tcp|udp] [range start end| port-number]
Syntax Description name The name given to the custom protocol. This name is reflected whereverthe name is used, including NBAR Protocol Discovery, the match
protocol command, the ip nbar port-map command, and the NBAR
Protocol Discovery MIB.
The name must be no longer than 24 characters and can only contain
uppercase and lowercase letters, digits, and the underscore (_) character.
offset (Optional) A digit representing the byte location for payload inspection.
The offset function is based on the beginning of the payload directly
after the TCP or User Datagram Protocol (UDP) header.
format value (Optional) Defines the format of the value and the length of the value
that is being inspected in the packet payload. Current format options are
ascii, hex, and decimal. The length of the value is dependent on the
chosenformat. The length restrictions for each format are listed below:
asciiUp to 16 characters can be searched. Regular expressions are
not supported.
hexUp to 4 bytes.
decimalUp to 4 bytes.
variablefield-name
field-length
(Optional) When the variable keyword is entered, a specific portion of
the custom protocol can be treated as an NBAR-supported protocol (for
example, a specific portion of the custom protocol can be tracked using
class-map statistics and can be matched using the class-map command).