Using NBAR for Classifying Traffic

There are several ways to identify traffic so that it can be classified. Access
lists are commonly used to identify application data, but Cisco has an IOS-based
tool that provides more granularity and goes beyond static port
numbers. Network-Based Application Recognition (NBAR) is an IOS protocol
discovery and classification mechanism. It monitors the traffic going in
and out of an interface, identifies it by protocol, port number, or payload
contents (it inspects up to 400 bytes of payload), and provides per-protocol
traffic statistics. NBAR recognizes common applications, even those that use
dynamic ports. For instance, the Real-time Transport Protocol (RTP) carries
voice and video traffic and uses dynamic port numbers within a large range. An
access list can match traffic within that range of port numbers, but it matches
anything sent to those ports; NBAR instead parses the RTP header and can match
on the following characteristics:
■ Audio traffic (payload types 0–23)
■ Video traffic (payload types 24–33)
■ A specific payload type value
Because payload matching depends on readable content, it does not help with
encrypted payloads, and a port-only match can still be defeated by an
application that moves to a non-standard port.
Note
NBAR does not identify RTP control traffic (RTCP), just RTP bearer (media) traffic.
You can additionally configure NBAR to recognize custom applications. Cisco
also provides downloadable Packet Description Language Modules (PDLM) that
add recognition of further applications without an IOS upgrade.
CEF must be enabled (globally, with the ip cef command) before NBAR is used.
To enable NBAR protocol discovery on an interface and then view the traffic
it discovers, use the commands:
Router(config-if)#ip nbar protocol-discovery
Router#show ip nbar protocol-discovery
You can download new PDLMs from the Cisco web site:
http://www.cisco.com/cgi-bin/tablebuild.pl/pdlm. You must be a registered
user. After the file is downloaded, either save it in the router’s flash or
place it on a TFTP server reachable by the router. Instruct the router to
load the PDLM with the following command:
Router(config)#ip nbar pdlm pdlm_name
The name is in URL format and points the router either to the file in flash
or to the TFTP server. For example, ip nbar pdlm flash://bittorrent.pdlm
loads the BitTorrent PDLM from flash memory.
Sometimes users run protocols on different ports than NBAR expects. To tell
NBAR to look for a protocol on additional ports, and then to verify your
configuration, use the commands:
Router(config)#ip nbar port-map protocol [tcp | udp] port
Router#show ip nbar port-map
The ports you list replace the protocol's current port list, so include the
well-known port as well if you still want it recognized there; show ip nbar
port-map shows the list actually in effect.
To use NBAR for classifying traffic with the MQC, follow these steps:
Step 1. Enable NBAR on all appropriate interfaces.
Step 2. Create a class map that matches against one or more of the
NBAR protocols, using the match protocol option. Repeat this
step for each class desired.
Step 3. Create a policy map that references those class maps and assigns
the desired service (such as a marking or queuing action) to each.
Step 4. Apply the policy to an interface.
Example 4-1 shows NBAR enabled on a GigabitEthernet interface, and class maps
created to match three types of traffic discovered by NBAR: RTP audio, any web
traffic that has the string “ccnp” in its URL, and eDonkey. A policy map marks
each class with a DSCP value, and the policy is applied inbound on the LAN
interface, so marking happens as traffic enters the network.
Example 4-1 Using NBAR with the MQC
Router(config)#int gi 0/0
Router(config-if)#ip nbar protocol-discovery
!
! Classes: RTP audio (payload types 0-23), HTTP with "ccnp" anywhere in the URL, eDonkey
Router(config)#class-map VOIP
Router(config-cmap)#match protocol rtp audio
Router(config-cmap)#!
Router(config-cmap)#class-map Exams
Router(config-cmap)#match protocol http url "*ccnp*"
Router(config-cmap)#!
Router(config-cmap)#class-map eDonkey
Router(config-cmap)#match protocol edonkey
!
! Mark each class; unmatched traffic falls into class-default and is left unchanged
Router(config)#policy-map NBAR
Router(config-pmap)#class VOIP
Router(config-pmap-c)#set ip dscp ef
Router(config-pmap-c)#class Exams
Router(config-pmap-c)#set ip dscp 31
Router(config-pmap-c)#class eDonkey
Router(config-pmap-c)#set ip dscp 13
!
Router(config)#int gi 0/0
Router(config-if)#service-policy input NBAR
This policy uses NBAR to identify the traffic and marks it with DSCP values.
Classification and marking need to happen only once, at the trust boundary;
every other device in the network can then act on the DSCP markings. That is
also why the marks must be set, or reset, where traffic enters the network: a
host can write any DSCP it likes into its own packets and would otherwise be
trusted downstream. Applying the policy inbound on the LAN interface, as here,
does that for the matched classes, while unmatched traffic keeps whatever
marking it arrived with unless class-default resets it. The next step is to
configure how this classified and marked traffic is treated, as shown in the
section on LLQ and CBWFQ.
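To see what the match and mark decisions of Example 4-1 amount to at the packet level, here is an added model of them in plain Python. It is not IOS code and not Cisco's NBAR implementation; it imitates what the two class maps match protocol rtp audio and match protocol http url "*ccnp*" decide and the DSCP values the policy map writes. The packet representation (a dict with L4 protocol, destination port and payload), the RTP check (a version-2 header on any UDP port) and the HTTP check (a well-formed request line) are assumptions of the example, and the sample packets are constructed. The eDonkey signature is not described on the page, so that class is left out.

```python
"""Offline model of the matching and marking done by Example 4-1 (added example,
not IOS code and not Cisco's NBAR). Assumptions: packets are dicts with an L4
protocol, destination port and payload; RTP is recognised by a v2 header on any
UDP port; HTTP by a request line. eDonkey is omitted (no signature on the page)."""
import struct

DSCP_EF = 46  # Expedited Forwarding code point, what 'set ip dscp ef' writes
# Class name -> DSCP, as in the policy map of Example 4-1 (eDonkey left out)
POLICY = {"VOIP": DSCP_EF, "Exams": 31}


def rtp_payload_type(payload):
    """Return the payload type if payload starts with an RTP v2 header, else None."""
    if len(payload) < 12:  # the fixed RTP header is 12 bytes
        return None
    if payload[0] >> 6 != 2:  # RTP version field must be 2
        return None
    return payload[1] & 0x7F  # low 7 bits; bit 7 is the marker bit


def http_url(payload):
    """Return the request-target of an HTTP request line, or None if not HTTP."""
    request_line = payload.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    return parts[1]


def classify(pkt):
    """Mirror the class maps: 'rtp audio' on any UDP port, HTTP URL containing ccnp."""
    if pkt["proto"] == "udp":
        pt = rtp_payload_type(pkt["payload"])
        if pt is not None and 0 <= pt <= 23:  # audio payload types per the page
            return "VOIP"
    elif pkt["proto"] == "tcp":
        url = http_url(pkt["payload"])
        if url is not None and b"ccnp" in url.lower():  # url "*ccnp*"
            return "Exams"
    return "class-default"


def tos_byte(dscp):
    """DSCP occupies the upper six bits of the IP TOS byte; ECN bits stay zero."""
    return (dscp & 0x3F) << 2


def mark(pkt):
    """Classify a packet and return (class, dscp, tos_byte) as the policy would set them."""
    cls = classify(pkt)
    dscp = POLICY.get(cls)  # None: class-default, the policy leaves the mark alone
    return cls, dscp, None if dscp is None else tos_byte(dscp)


def rtp_packet(payload_type, seq=1, ts=0, ssrc=0x12345678):
    """Build a minimal 12-byte RTP v2 header (constructed test data, no media)."""
    return struct.pack("!BBHII", 0x80, payload_type & 0x7F, seq, ts, ssrc)


# Constructed sample packets; the UDP ports are arbitrary values in a typical RTP range.
SAMPLES = [
    {"name": "G.711 audio, PT 0", "proto": "udp", "dport": 18432, "payload": rtp_packet(0)},
    {"name": "JPEG video, PT 26", "proto": "udp", "dport": 18434, "payload": rtp_packet(26)},
    {"name": "not RTP, same port", "proto": "udp", "dport": 18432, "payload": b"\x00" * 12},
    {"name": "exam web page", "proto": "tcp", "dport": 80,
     "payload": b"GET /ccnp/ont HTTP/1.1\r\nHost: www.example.test\r\n\r\n"},
    {"name": "other web page", "proto": "tcp", "dport": 80,
     "payload": b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"},
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        cls, dscp, tos = mark(pkt)
        shown = "unchanged" if dscp is None else f"dscp={dscp} tos=0x{tos:02x}"
        print(f"{pkt['name']:<20} {pkt['proto']}/{pkt['dport']:<5} -> {cls:<14} {shown}")
```

The "not RTP, same port" packet is the one an access list on the RTP port range would have matched and this header check does not, and the PT 26 packet stays in class-default because the policy only matched rtp audio, not rtp video.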
For more detailed information on NBAR, including a list of applications it
currently is able to recognize, see
http://www.cisco.com/en/US/products/ps6616/products_qanda_item09186a00800a3ded.shtml