Using NBAR Classification
Problem
You wish to use the Network Based Application Recognition (NBAR) feature to identify and classify traffic at the application layer.
Solution
The NBAR feature is used to identify traffic within a class-map. You can then use the class-map in a policy-map to define how the router should handle each application data stream:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#ip cef
Router1(config)#class-map INTERACTIVE
Router1(config-cmap)#match protocol citrix
Router1(config-cmap)#match protocol telnet
Router1(config-cmap)#exit
Router1(config)#policy-map QoSPolicy
Router1(config-pmap)#class INTERACTIVE
Router1(config-pmap-c)#bandwidth percent 50
Router1(config-pmap-c)#set dscp ef
Router1(config-pmap-c)#exit
Router1(config-pmap)#class class-default
Router1(config-pmap-c)#bandwidth percent 20
Router1(config-pmap-c)#random-detect dscp-based
Router1(config-pmap-c)#exit
Router1(config-pmap)#exit
Router1(config)#interface FastEthernet0/0
Router1(config-fi)#service-policy inbound QoSPolicy
Router1(config-if)#exit
Router1(config)#end
Router1#
Cisco also offers the ability to download specialized Packet Description Language Module (PDLM) files onto the router's flash device, and then activate them for use with NBAR classification:
Router1#show flash
System flash directory:
File Length Name/status
1 23169076 c2600-ipvoice-mz.124-10.bin
2 3100 bittorrent.pdlm
[23172304 bytes used, 9857836 available, 33030140 total]
32768K bytes of processor board System flash (Read/Write)
Router1#Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#ip nbar pdlm flash://bittorrent.pdlm
Router1(config)#class-map BITTORRENT
Router1(config-cmap)#match protocol bittorrent
Router1(config-cmap)#exit
Router1(config)#end
Router1#
And you can also use NBAR to automatically profile the protocols on a particular interface:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#interface FastEthernet0/0
Router1(config-if)#ip nbar protocol-discovery
Router1(config-if)#exit
Router1(config)#end
Router1#
Discussion
Network Based Application Recognition (NBAR) is an extremely useful feature that first became available in IOS Version 12.0(5)XE2, and more generally in 12.1(5)T. Cisco continues to add new protocols to NBAR, allowing you to categorize more and more different traffic streams on your network. The one caveat to using NBAR is that it can introduce a heavy additional load on your router's CPU. We recommend monitoring the CPU utilization after implementing any NBAR-based filtering, at least until you are confident that the router is not straining under the additional load.
The basic syntax is to set up a class-map, and then use the match protocol command with the appropriate keyword:
Router1(config)#class-map INTERACTIVE
Router1(config-cmap)#match protocol citrix
Router1(config-cmap)#match protocol telnet
We used Citrix as an example protocol in this recipe because it is a classic example of the need for the NBAR feature. This is a proprietary protocol that is used in thin-client architectures. The end user's workstation is just a terminal that displays graphical information from the screen of a centrally located computer running a virtual desktop for the user. The protocol transmits graphical information and keystrokes. Because it is an interactive application, it needs to be given high priority through the network. However, it is notoriously difficult to reliably identify from Layer 3 and 4 information:
As the example shows, you can then use this class in a policy-map:
Router1(config)#policy-map QoSPolicy
Router1(config-pmap)#class INTERACTIVE
Router1(config-pmap-c)#bandwidth percent 50
Router1(config-pmap-c)#set dscp ef
Router1(config-pmap-c)#exit
NBAR classifies applications at the application layer, allowing you to differentiate between different streams of traffic that may actually use the same UDP or TCP port numbers, as well as streams of traffic that may use a variety of ports or even arbitrary port numbers.
Here is a list of supported protocols as of IOS Version 12.4(10):
Router1(config-cmap)#match protocol ?
arp IP ARP
bgp Border Gateway Protocol
bridge Bridging
cdp Cisco Discovery Protocol
citrix Citrix Systems ICA protocol
clns ISO CLNS
clns_es ISO CLNS End System
clns_is ISO CLNS Intermediate System
cmns ISO CMNS
compressedtcp Compressed TCP (VJ)
cuseeme CU-SeeMe desktop video conference
dhcp Dynamic Host Configuration
dns Domain Name Server lookup
edonkey eDonkey
egp Exterior Gateway Protocol
eigrp Enhanced Interior Gateway Routing Protocol
exchange MS-RPC for Exchange
fasttrack FastTrack Traffic - KaZaA, Morpheus, Grokster...
finger Finger
ftp File Transfer Protocol
gnutella Gnutella Version2 Traffic - BearShare, Shareeza, Morpheus ...
gopher Gopher
gre Generic Routing Encapsulation
h323 H323 Protocol
http World Wide Web traffic
icmp Internet Control Message
imap Internet Message Access Protocol
ip IP
ipinip IP in IP (encapsulation)
ipsec IP Security Protocol (ESP/AH)
irc Internet Relay Chat
kazaa2 Kazaa Version 2
kerberos Kerberos
l2tp L2F/L2TP tunnel
ldap Lightweight Directory Access Protocol
llc2 llc2
mgcp Media Gateway Control Protocol
napster Napster Traffic
netbios NetBIOS
netshow Microsoft Netshow
nfs Network File System
nntp Network News Transfer Protocol
notes Lotus Notes(R)
novadigm Novadigm EDM
ntp Network Time Protocol
ospf Open Shortest Path First
pad PAD links
pcanywhere Symantec pcANYWHERE
pop3 Post Office Protocol
pppoe PPP over Ethernet
pptp Point-to-Point Tunneling Protocol
printer print spooler/lpd
rcmd BSD r-commands (rsh, rlogin, rexec)
rip Routing Information Protocol
rsrb Remote Source-Route Bridging
rsvp Resource Reservation Protocol
rtcp Real Time Control Protocol
rtp Real Time Protocol
rtsp Real Time Streaming Protocol
secure-ftp FTP over TLS/SSL
secure-http Secured HTTP
secure-imap Internet Message Access Protocol over TLS/SSL
secure-irc Internet Relay Chat over TLS/SSL
secure-ldap Lightweight Directory Access Protocol over TLS/SSL
secure-nntp Network News Transfer Protocol over TLS/SSL
secure-pop3 Post Office Protocol over TLS/SSL
secure-telnet Telnet over TLS/SSL
sip Session Initiation Protocol
skinny Skinny Protocol
smtp Simple Mail Transfer Protocol
snapshot Snapshot routing support
snmp Simple Network Management Protocol
socks SOCKS
sqlnet SQL*NET for Oracle
sqlserver MS SQL Server
ssh Secured Shell
streamwork Xing Technology StreamWorks player
sunrpc Sun RPC
syslog System Logging Utility
telnet Telnet
tftp Trivial File Transfer Protocol
vdolive VDOLive streaming video
vofr voice over Frame Relay packets
winmx WinMx file-sharing application
xwindows X-Windows remote access
Router1(config-cmap)#
You can obtain and install new PDLM files from Cisco. In the example, we have downloaded a new PDLM file that can identify the BitTorrent protocol. Once we put this file on the router's Flash device, we need to tell NBAR to load the file to make it available:
Router1(config)#ip nbar pdlm flash://bittorrent.pdlm
In the past, Cisco has also made PDLM files available to help network administrators to use NBAR to help to identify hostile applications such as viruses and worms.
We are not aware of PDLM files originating from sources other than Cisco, but we strongly recommend that you use only files that you obtain directly from Cisco. Otherwise, you could potentially open your network to serious security vulnerabilities.
We note in passing that Cisco has also added the option to manually create your own NBAR rules using the ip nbar custom command. This feature should allow you to, for example, define a new protocol by specifying TCP or UDP port numbers, as well as any special rules that look for identifiable content at a particular bit offset in the packet payload. However, the syntax for this feature is confusing, and the parser is apparently unstable in some IOS versions, so we don't currently recommend using it.
The last feature discussed in the Solution section of this recipe is the NBAR Protocol-Discovery feature. This is a useful tool for figuring out what is going through your network, particularly if you are trying to define a QoS strategy. You can use the show ip nbar protocol-discovery command to get detailed statistics on the utilization for every type of protocol that NBAR understands. However, NBAR now supports so many protocols that this complete list is often not very useful for spotting trends. Instead, we suggest using the top-n keyword with a relatively small argument number, such as 5, or at most 10. This will allow you to immediately see statistics for the top protocols for each interface on which you enabled the feature:
Router1#show ip nbar protocol-discovery top-n 5
FastEthernet0/0
Input Output
----- ------
Protocol Packet Count Packet Count
Byte Count Byte Count
5min Bit Rate (bps) 5min Bit Rate (bps)
5min Max Bit Rate (bps) 5min Max Bit Rate (bps)
------------------------ ------------------------ ------------------------
icmp 220 110
25080 12540
0 0
4000 3000
http 55 104
3763 60019
0 0
1000 4000
telnet 130 71
19212 4269
0 0
3000 1000
eigrp 90 45
6660 3330
0 0
0 0
secure-http 4 4
248 216
0 0
0 0
unknown 2 2
122 112
0 0
0 0
Total 501 336
55085 80486
0 0
8000 8000
Router1#