10-2 Network-Based Application Recognition (NBAR)
-
NBAR can be used to recognize applications within network traffic and classify them into classes.
-
NBAR classes can be used by the Modular QoS CLI to assign QoS policies to the applications.
-
Applications with both dynamic and static TCP/UDP port assignments can be recognized.
-
HTTP traffic can be classified by host name , URL, or MIME type.
-
NBAR uses an extensible Packet Description Language (PDL) to describe application traffic. PDL Modules (PDLMs) can be loaded into Flash memory at run time to add additional protocol discovery capabilities.
-
NBAR requires the use of Cisco Express Forwarding (CEF) on the router. NBAR must have access to the UDP and TCP port numbers in the packets of application data. Therefore, NBAR cannot be used on interfaces in which encryption or tunnels are in use.
NOTE
NBAR allocates 1 MB of DRAM memory to handle up to 5000 concurrent traffic flows. If more memory is needed later, it is allocated in increments of 200 to 400 KB. Each flow uses about 150 bytes of memory.
Configuration
-
Define a traffic class name for identified traffic:
(global) class-map [ match-all match-any ] class-name
NBAR matches all or any of a given set of protocols as part of a traffic class named class-name (an arbitrary text string).
-
Identify one or more protocols to include in the class:
(class-map) match protocol protocol-name
The protocol-name is the name of a recognizable protocol. These are listed in Table 10-3.
For the http keyword, an additional url url-string, host host-string, or mime mime-string must be added. The url-string is the URL without the http://hostname.domain portion. The host-string is just the host name portion (www.cisco.com, for example). You can use special characters as wildcards within the strings: * (matches zero or more characters), ? (matches a character), (matches one of a choice of characters), ( ) (matches one of a choice of characters in a range, as in www.name.(comorg)), and [ ] (matches any of the characters in a range, as in [09] for any digit).
The mime-string specifies a MIME type using an arbitrary text string. Valid MIME types are listed in the document http://www.isi.edu/in-notes/iana/assignments/media-types/media-types.
For the citrix protocol, an additional [ app application ] can be added to specify the name of an application (a text string).
Table 10-3. Possible protocol-name Values
| Protocol | protocol-name Value | Type | Well-Known Port Number | Description |
|---|---|---|---|---|
| EGP | egp | IP | 8 | Exterior Gateway Protocol |
| GRE | gre | IP | 47 | Generic Routing Encapsulation |
| ICMP | icmp | IP | 1 | Internet Control Message Protocol |
| IPINIP | ipinip | IP | 4 | IP-in-IP |
| IPSec | ipsec | IP | 50, 51 | IP Encapsulating Security Payload/Authentication Header |
| EIGRP | eigrp | IP | 88 | Enhanced Interior Gateway Routing Protocol |
| BGP | bgp | TCP/UDP | 179 | Border Gateway Protocol |
| CU-SeeMe | cuseeme | TCP/UDP | 7648, 7649 | Desktop videoconfer-encing |
| UDP | 24032 | Desktop videoconfer-encing | ||
| DHCP/Bootp | dhcp | UDP | 67, 68 | Dynamic Host Configuration Protocol/Bootstrap Protocol |
| DNS | dns | TCP/UDP | 53 | Domain Name System |
| Exchange | exchange | TCP | stateful | MS-RPC for Exchange |
| Finger | finger | TCP | 79 | Finger user information protocol |
| FTP | ftp | TCP | stateful | File Transfer Protocol |
| Gopher | gopher | TCP/UDP | 70 | Internet Gopher Protocol |
| HTTP | http | TCP | 80 | Hypertext Transfer Protocol |
| TCP | stateful | HTTP with URL, MIME, or Host classification | ||
| HTTPS | secure-http | TCP | 443 | Secured HTTP |
| IMAP | imap | TCP/UDP | 143, 220 | Internet Message Access Protocol |
| IRC | Irc | TCP/UDP | 194 | Internet Relay Chat |
| Kerberos | kerberos | TCP/UDP | 88, 749 | Kerberos Network Authentication Service |
| L2TP | l2tp | UDP | 1701 | L2F/L2TP tunnel |
| LDAP | ldap | TCP/UDP | 389 | Lightweight Directory Access Protocol |
| MS-PPTP | pptp | TCP | 1723 | Microsoft Point-to-Point Tunneling Protocol for VPN |
| MS-SQLserver | sqlserver | TCP | 1433 | Microsoft SQL Server Desktop Videoconfer-encing |
| NetBIOS | Netbios | TCP | 137, 139 | NetBIOS over IP (Microsoft Windows ) |
| UDP | 137, 138 | NetBIOS over IP (Microsoft Windows) | ||
| Netshow | Netshow | TCP/UDP | stateful | Microsoft Netshow |
| NFS | Nfs | TCP/UDP | 2049 | Network File System |
| NNTP | nntp | TCP/UDP | 119 | Network News Transfer Protocol |
| Notes | notes | TCP/UDP | 1352 | Lotus Notes |
| Novadigm | novadigm | TCP/UDP | 3460-3465 | Novadigm Enterprise Desktop Manager (EDM) |
| NTP | ntp | TCP/UDP | 123 | Network Time Protocol |
| PCAnywhere | pcanywhere | TCP | 5631, 65301 | Symantec PCAnywhere |
| UDP | 22, 5632 | Symantec PCAnywhere | ||
| POP3 | pop3 | TCP/UDP | 110 | Post Office Protocol |
| Printer | printer | TCP/UDP | 515 | Printer |
| r-commands | rcmd | TCP | stateful | rsh, rlogin, rexec |
| Realaudio | realaudio | TCP/UDP | stateful | RealAudio Streaming Protocol |
| RIP | rip | UDP | 520 | Routing Information Protocol |
| RSVP | rsvp | UDP | 1698, 1699 | Resource Reservation Protocol |
| SFTP | secure-ftp | TCP | 990 | Secure FTP |
| SHTTP | secure-http | TCP | 443 | Secure HTTP |
| SIMAP | secure-imap | TCP/UDP | 585, 993 | Secure IMAP |
| SIRC | secure-irc | TCP/UDP | 994 | Secure IRC |
| SLDAP | secure-ldap | TCP/UDP | 636 | Secure LDAP |
| SNNTP | secure-nntp | TCP/UDP | 563 | Secure NNTP |
| SMTP | smtp | TCP | 25 | Simple Mail Transfer Protocol |
| SNMP | snmp | TCP/UDP | 161, 162 | Simple Network Management Protocol |
| SOCKS | socks | TCP | 1080 | Firewall security protocol |
| SPOP3 | secure-pop3 | TCP/UDP | 995 | Secure POP3 |
| SQL*NET | sqlnet | TCP/UDP | stateful | SQL*NET for Oracle |
| SSH | ssh | TCP | 22 | Secured Shell |
| STELNET | secure-telnet | TCP | 992 | Secure Telnet |
| StreamWorks | streamwork | UDP | stateful | Xing Technology StreamWorks audio and video |
| SunRPC | sunrpc | TCP/UDP | stateful | Sun Remote Procedure Call |
| Syslog | syslog | UDP | 514 | System Logging Utility |
| Telnet | telnet | TCP | 23 | Telnet Protocol |
| TFTP | tftp | UDP | stateful | Trivial File Transfer Protocol |
| VDOLive | vdolive | TCP/UDP | stateful | VDOLive Streaming Video |
| X Windows | xwindows | TCP | 6000-6003 | X11, X Windows |
-
(Optional) Enable protocol statistics gathering on an interface:
(interface) ip nbar protocol-discoveryNBAR gathers statistics about the protocols being used on an interface, based on its PDLM database of protocols. To see the results of protocol discovery, you can use the show ip nbar protocol-discovery command.
-
Use the class map to assign QoS policies.
The Modular QoS CLI is used to group class maps into policy maps ( policy- map ) and assign policies to an interface ( service-policy ). See Section 10-1 for further information.
To add additional protocol recognition to NBAR, use the following commands:
-
Reference a PDLM file in Flash memory:
(global) ip nbar pdlm pdlm-file
The PDLM file is obtained from Cisco and downloaded into the router's Flash memory.
-
Change an application's port number:
(global) ip nbar port-map protocol-name { tcp udp } port
If you know that an application is using a port number other than the well-known port known by NBAR, you can change NBAR's behavior. For the protocol named protocol-name, specify TCP or UDP and the new port number. If the application uses more than one static port number, you can give up to 16 different port numbers in a string. To view NBAR's current protocol-to-port mappings, use the show ip nbar port-map command.
-
NBAR Example
NBAR is used to classify traffic into two classesone for SMTP, POP3, and Lotus Notes traffic, and another for IRC Chat and PCAnywhere traffic. These classes can then be used by other QoS functions.
class-map match-all class1 match protocol smtp match protocol pop3 match protocol notes class-map match-all class2 match protocol irc match protocol pcanywhere
NBAR can also be used to classify traffic that is associated with recent Internet worms. In the following example, NBAR is configured to identify specific text strings in the URLs of HTTP GET commands. The Code Red worm uses HTTP GET requests for filenames ending with an .ida extension. These requests are identified by class map code-red (using NBAR). Policy map quench-code-red is applied to inbound traffic on interface ethernet 1/0. The policy map uses class map code-red to identify the suspect traffic and a traffic policer to govern the rate of Code Red traffic. Notice that the policer is configured to drop both conforming and exceeding traffic such that all matching traffic is dropped. (The bandwidth and burst values are then meaningless.)
You could also mark the matching packets with a DSCP value that is rarely used, such as DSCP 1. The goal here is to mark the packets with some method so that they can be matched later by an access list, a route map, or a policy map.
class-map match-all code-red match protocol http url "*.ida" policy-map quench-code-red class code-red police 256000 64000 64000 conform-action drop exceed-action drop interface ethernet 1/0 service-policy input quench-code-red
![Cisco Field Manual[c] Router Configuration](/icons/blank_book.jpg "Cisco Field Manual[c] Router Configuration"){kind=icon}
EAN: N/A
Pages: 185