Using NBAR Classification
Problem
You wish to use the Network Based Application Recognition (NBAR) feature to identify and classify traffic at the application layer.
Solution
The NBAR feature is used to identify traffic within a class-map. You can then use the class-map in a policy-map to define how the router should handle each application data stream:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#ip cef
Router1(config)#class-map INTERACTIVE
Router1(config-cmap)#match protocol citrix
Router1(config-cmap)#match protocol telnet
Router1(config-cmap)#exit
Router1(config)#policy-map QoSPolicy
Router1(config-pmap)#class INTERACTIVE
Router1(config-pmap-c)#bandwidth percent 50
Router1(config-pmap-c)#set dscp ef
Router1(config-pmap-c)#exit
Router1(config-pmap)#class class-default
Router1(config-pmap-c)#bandwidth percent 20
Router1(config-pmap-c)#random-detect dscp-based
Router1(config-pmap-c)#exit
Router1(config-pmap)#exit
Router1(config)#interface FastEthernet0/0
Router1(config-if)#service-policy output QoSPolicy
Router1(config-if)#exit
Router1(config)#end
Router1#
Cisco also offers the ability to download specialized Packet Description Language Module (PDLM) files onto the router's flash device, and then activate them for use with NBAR classification:
Router1#show flash
System flash directory:
File  Length    Name/status
  1   23169076  c2600-ipvoice-mz.124-10.bin
  2   3100      bittorrent.pdlm
[23172304 bytes used, 9857836 available, 33030140 total]
32768K bytes of processor board System flash (Read/Write)
Router1#
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#ip nbar pdlm flash://bittorrent.pdlm
Router1(config)#class-map BITTORRENT
Router1(config-cmap)#match protocol bittorrent
Router1(config-cmap)#exit
Router1(config)#end
Router1#
And you can also use NBAR to automatically profile the protocols on a particular interface:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#interface FastEthernet0/0
Router1(config-if)#ip nbar protocol-discovery
Router1(config-if)#exit
Router1(config)#end
Router1#
Discussion
Network Based Application Recognition (NBAR) is an extremely useful feature that first became available in IOS Version 12.0(5)XE2, and more generally in 12.1(5)T. Cisco continues to add new protocols to NBAR, allowing you to categorize more and more different traffic streams on your network. The one caveat to using NBAR is that it can introduce a heavy additional load on your router's CPU. We recommend monitoring the CPU utilization after implementing any NBAR-based filtering, at least until you are confident that the router is not straining under the additional load.
The basic syntax is to set up a class-map, and then use the match protocol command with the appropriate keyword:
Router1(config)#class-map INTERACTIVE
Router1(config-cmap)#match protocol citrix
Router1(config-cmap)#match protocol telnet
We used Citrix as an example protocol in this recipe because it is a classic example of the need for the NBAR feature. Citrix ICA is a proprietary protocol used in thin-client architectures: the end user's workstation is just a terminal that displays the screen of a centrally located computer running a virtual desktop for the user, and the protocol carries graphical updates in one direction and keystrokes in the other. Because it is an interactive application, it needs high priority through the network. However, it is notoriously difficult to identify reliably from Layer 3 and Layer 4 information alone.
As the example shows, you can then use this class in a policy-map:
Router1(config)#policy-map QoSPolicy
Router1(config-pmap)#class INTERACTIVE
Router1(config-pmap-c)#bandwidth percent 50
Router1(config-pmap-c)#set dscp ef
Router1(config-pmap-c)#exit
NBAR classifies applications at the application layer, allowing you to differentiate between different streams of traffic that may actually use the same UDP or TCP port numbers, as well as streams of traffic that may use a variety of ports or even arbitrary port numbers.
Here is a list of supported protocols as of IOS Version 12.4(10):
Router1(config-cmap)#match protocol ?
  arp            IP ARP
  bgp            Border Gateway Protocol
  bridge         Bridging
  cdp            Cisco Discovery Protocol
  citrix         Citrix Systems ICA protocol
  clns           ISO CLNS
  clns_es        ISO CLNS End System
  clns_is        ISO CLNS Intermediate System
  cmns           ISO CMNS
  compressedtcp  Compressed TCP (VJ)
  cuseeme        CU-SeeMe desktop video conference
  dhcp           Dynamic Host Configuration
  dns            Domain Name Server lookup
  edonkey        eDonkey
  egp            Exterior Gateway Protocol
  eigrp          Enhanced Interior Gateway Routing Protocol
  exchange       MS-RPC for Exchange
  fasttrack      FastTrack Traffic - KaZaA, Morpheus, Grokster...
  finger         Finger
  ftp            File Transfer Protocol
  gnutella       Gnutella Version2 Traffic - BearShare, Shareeza, Morpheus ...
  gopher         Gopher
  gre            Generic Routing Encapsulation
  h323           H323 Protocol
  http           World Wide Web traffic
  icmp           Internet Control Message
  imap           Internet Message Access Protocol
  ip             IP
  ipinip         IP in IP (encapsulation)
  ipsec          IP Security Protocol (ESP/AH)
  irc            Internet Relay Chat
  kazaa2         Kazaa Version 2
  kerberos       Kerberos
  l2tp           L2F/L2TP tunnel
  ldap           Lightweight Directory Access Protocol
  llc2           llc2
  mgcp           Media Gateway Control Protocol
  napster        Napster Traffic
  netbios        NetBIOS
  netshow        Microsoft Netshow
  nfs            Network File System
  nntp           Network News Transfer Protocol
  notes          Lotus Notes(R)
  novadigm       Novadigm EDM
  ntp            Network Time Protocol
  ospf           Open Shortest Path First
  pad            PAD links
  pcanywhere     Symantec pcANYWHERE
  pop3           Post Office Protocol
  pppoe          PPP over Ethernet
  pptp           Point-to-Point Tunneling Protocol
  printer        print spooler/lpd
  rcmd           BSD r-commands (rsh, rlogin, rexec)
  rip            Routing Information Protocol
  rsrb           Remote Source-Route Bridging
  rsvp           Resource Reservation Protocol
  rtcp           Real Time Control Protocol
  rtp            Real Time Protocol
  rtsp           Real Time Streaming Protocol
  secure-ftp     FTP over TLS/SSL
  secure-http    Secured HTTP
  secure-imap    Internet Message Access Protocol over TLS/SSL
  secure-irc     Internet Relay Chat over TLS/SSL
  secure-ldap    Lightweight Directory Access Protocol over TLS/SSL
  secure-nntp    Network News Transfer Protocol over TLS/SSL
  secure-pop3    Post Office Protocol over TLS/SSL
  secure-telnet  Telnet over TLS/SSL
  sip            Session Initiation Protocol
  skinny         Skinny Protocol
  smtp           Simple Mail Transfer Protocol
  snapshot       Snapshot routing support
  snmp           Simple Network Management Protocol
  socks          SOCKS
  sqlnet         SQL*NET for Oracle
  sqlserver      MS SQL Server
  ssh            Secured Shell
  streamwork     Xing Technology StreamWorks player
  sunrpc         Sun RPC
  syslog         System Logging Utility
  telnet         Telnet
  tftp           Trivial File Transfer Protocol
  vdolive        VDOLive streaming video
  vofr           voice over Frame Relay packets
  winmx          WinMx file-sharing application
  xwindows       X-Windows remote access
Router1(config-cmap)#
You can obtain and install new PDLM files from Cisco. In the example, we have downloaded a new PDLM file that can identify the BitTorrent protocol. Once we put this file on the router's Flash device, we need to tell NBAR to load the file to make it available:
Router1(config)#ip nbar pdlm flash://bittorrent.pdlm
In the past, Cisco has also made PDLM files available so that network administrators can use NBAR to identify hostile applications such as viruses and worms.
We are not aware of PDLM files originating from sources other than Cisco, but we strongly recommend that you use only files that you obtain directly from Cisco. Otherwise, you could potentially open your network to serious security vulnerabilities.
We note in passing that Cisco has also added the option to manually create your own NBAR rules using the ip nbar custom command. This feature should allow you to, for example, define a new protocol by specifying TCP or UDP port numbers, as well as any special rules that look for identifiable content at a particular bit offset in the packet payload. However, the syntax for this feature is confusing, and the parser is apparently unstable in some IOS versions, so we don't currently recommend using it.
The last feature discussed in the Solution section of this recipe is the NBAR Protocol-Discovery feature. This is a useful tool for figuring out what is going through your network, particularly if you are trying to define a QoS strategy. You can use the show ip nbar protocol-discovery command to get detailed statistics on the utilization for every type of protocol that NBAR understands. However, NBAR now supports so many protocols that this complete list is often not very useful for spotting trends. Instead, we suggest using the top-n keyword with a relatively small argument number, such as 5, or at most 10. This will allow you to immediately see statistics for the top protocols for each interface on which you enabled the feature:
Router1#show ip nbar protocol-discovery top-n 5

 FastEthernet0/0
                            Input                    Output
                            -----                    ------
   Protocol                 Packet Count             Packet Count
                            Byte Count               Byte Count
                            5min Bit Rate (bps)      5min Bit Rate (bps)
                            5min Max Bit Rate (bps)  5min Max Bit Rate (bps)
   ------------------------ ------------------------ ------------------------
   icmp                     220                      110
                            25080                    12540
                            0                        0
                            4000                     3000
   http                     55                       104
                            3763                     60019
                            0                        0
                            1000                     4000
   telnet                   130                      71
                            19212                    4269
                            0                        0
                            3000                     1000
   eigrp                    90                       45
                            6660                     3330
                            0                        0
                            0                        0
   secure-http              4                        4
                            248                      216
                            0                        0
                            0                        0
   unknown                  2                        2
                            122                      112
                            0                        0
                            0                        0
   Total                    501                      336
                            55085                    80486
                            0                        0
                            8000                     8000
Router1#
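To trend that output over time rather than eyeball it, you need the numbers in a structured form. The following script is an added example, not part of the book or of IOS: it parses the four-row-per-protocol layout that show ip nbar protocol-discovery prints and works out each protocol's share of the interface's bytes against the Total row, so the remainder (everything top-n hid, including unknown) is visible too. The sample text is a constructed excerpt that keeps only the icmp, http and Total rows from the output above.

```python
import re
# Constructed excerpt of "show ip nbar protocol-discovery top-n 5" in the layout
# IOS prints; the icmp, http and Total rows are the values from the recipe's output.
SAMPLE = """\
 FastEthernet0/0
                            Input                    Output
                            -----                    ------
   Protocol                 Packet Count             Packet Count
                            Byte Count               Byte Count
                            5min Bit Rate (bps)      5min Bit Rate (bps)
                            5min Max Bit Rate (bps)  5min Max Bit Rate (bps)
   ------------------------ ------------------------ ------------------------
   icmp                     220                      110
                            25080                    12540
                            0                        0
                            4000                     3000
   http                     55                       104
                            3763                     60019
                            0                        0
                            1000                     4000
   Total                    501                      336
                            55085                    80486
                            0                        0
                            8000                     8000
"""
FIELDS = ("packets", "bytes", "bps", "max_bps")   # the four rows per protocol
PROTO_RE = re.compile(r"^\s*([A-Za-z][\w.-]*)\s+(\d+)\s+(\d+)\s*$")
CONT_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s*$")

def parse_protocol_discovery(text):
    """Return {interface: {protocol: {field: (input, output)}}}."""
    stats, iface, proto, row = {}, None, None, len(FIELDS)
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) == 1 and tokens[0][0].isalpha() and tokens[0][-1] != "#":
            iface, proto, stats[tokens[0]] = tokens[0], None, {}   # interface header line
        elif iface and (m := PROTO_RE.match(line)):   # protocol name + packet counts
            proto, row = m.group(1), 1
            stats[iface][proto] = {FIELDS[0]: (int(m.group(2)), int(m.group(3)))}
        elif proto and row < len(FIELDS) and (m := CONT_RE.match(line)):
            stats[iface][proto][FIELDS[row]] = (int(m.group(1)), int(m.group(2)))
            row += 1
    return stats

def byte_share(iface_stats):
    """Percent of all bytes (in + out) per protocol; 'other' is what top-n left out."""
    total = sum(iface_stats["Total"]["bytes"])
    share = {p: round(100 * sum(v["bytes"]) / total, 1) for p, v in iface_stats.items() if p != "Total"}
    share["other"] = round(100 - sum(share.values()), 1)
    return share
```

Feed it the saved output of the command for each interface and log the share dictionary on every run; a growing "other" or unknown share is the signal that the top-n view is hiding traffic worth a closer look.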