Using NBAR Classification

Problem

You wish to use the Network Based Application Recognition (NBAR) feature to identify and classify traffic at the application layer.

Solution

The NBAR feature is used to identify traffic within a class-map. You can then use the class-map in a policy-map to define how the router should handle each application data stream:

Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#ip cef
Router1(config)#class-map INTERACTIVE
Router1(config-cmap)#match protocol citrix
Router1(config-cmap)#match protocol telnet
Router1(config-cmap)#exit
Router1(config)#policy-map QoSPolicy
Router1(config-pmap)#class INTERACTIVE
Router1(config-pmap-c)#bandwidth percent 50
Router1(config-pmap-c)#set dscp ef
Router1(config-pmap-c)#exit
Router1(config-pmap)#class class-default
Router1(config-pmap-c)#bandwidth percent 20
Router1(config-pmap-c)#random-detect dscp-based
Router1(config-pmap-c)#exit
Router1(config-pmap)#exit
Router1(config)#interface FastEthernet0/0
Router1(config-fi)#service-policy inbound QoSPolicy
Router1(config-if)#exit
Router1(config)#end
Router1#

Cisco also offers the ability to download specialized Packet Description Language Module (PDLM) files onto the router's flash device, and then activate them for use with NBAR classification:

Router1#show flash

System flash directory:
File Length Name/status
 1 23169076 c2600-ipvoice-mz.124-10.bin
 2 3100 bittorrent.pdlm
[23172304 bytes used, 9857836 available, 33030140 total]
32768K bytes of processor board System flash (Read/Write)

Router1#Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#ip nbar pdlm flash://bittorrent.pdlm
Router1(config)#class-map BITTORRENT
Router1(config-cmap)#match protocol bittorrent
Router1(config-cmap)#exit
Router1(config)#end
Router1#

And you can also use NBAR to automatically profile the protocols on a particular interface:

Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#interface FastEthernet0/0
Router1(config-if)#ip nbar protocol-discovery
Router1(config-if)#exit
Router1(config)#end
Router1#

 

Discussion

Network Based Application Recognition (NBAR) is an extremely useful feature that first became available in IOS Version 12.0(5)XE2, and more generally in 12.1(5)T. Cisco continues to add new protocols to NBAR, allowing you to categorize more and more different traffic streams on your network. The one caveat to using NBAR is that it can introduce a heavy additional load on your router's CPU. We recommend monitoring the CPU utilization after implementing any NBAR-based filtering, at least until you are confident that the router is not straining under the additional load.

The basic syntax is to set up a class-map, and then use the match protocol command with the appropriate keyword:

Router1(config)#class-map INTERACTIVE
Router1(config-cmap)#match protocol citrix
Router1(config-cmap)#match protocol telnet

We used Citrix as an example protocol in this recipe because it is a classic example of the need for the NBAR feature. This is a proprietary protocol that is used in thin-client architectures. The end user's workstation is just a terminal that displays graphical information from the screen of a centrally located computer running a virtual desktop for the user. The protocol transmits graphical information and keystrokes. Because it is an interactive application, it needs to be given high priority through the network. However, it is notoriously difficult to reliably identify from Layer 3 and 4 information:

As the example shows, you can then use this class in a policy-map:

Router1(config)#policy-map QoSPolicy
Router1(config-pmap)#class INTERACTIVE
Router1(config-pmap-c)#bandwidth percent 50
Router1(config-pmap-c)#set dscp ef
Router1(config-pmap-c)#exit

NBAR classifies applications at the application layer, allowing you to differentiate between different streams of traffic that may actually use the same UDP or TCP port numbers, as well as streams of traffic that may use a variety of ports or even arbitrary port numbers.

Here is a list of supported protocols as of IOS Version 12.4(10):

Router1(config-cmap)#match protocol ?
 arp IP ARP
 bgp Border Gateway Protocol
 bridge Bridging
 cdp Cisco Discovery Protocol
 citrix Citrix Systems ICA protocol
 clns ISO CLNS
 clns_es ISO CLNS End System
 clns_is ISO CLNS Intermediate System
 cmns ISO CMNS
 compressedtcp Compressed TCP (VJ)
 cuseeme CU-SeeMe desktop video conference
 dhcp Dynamic Host Configuration
 dns Domain Name Server lookup
 edonkey eDonkey
 egp Exterior Gateway Protocol
 eigrp Enhanced Interior Gateway Routing Protocol
 exchange MS-RPC for Exchange
 fasttrack FastTrack Traffic - KaZaA, Morpheus, Grokster...
 finger Finger
 ftp File Transfer Protocol
 gnutella Gnutella Version2 Traffic - BearShare, Shareeza, Morpheus ...
 gopher Gopher
 gre Generic Routing Encapsulation
 h323 H323 Protocol
 http World Wide Web traffic
 icmp Internet Control Message
 imap Internet Message Access Protocol
 ip IP
 ipinip IP in IP (encapsulation)
 ipsec IP Security Protocol (ESP/AH)
 irc Internet Relay Chat
 kazaa2 Kazaa Version 2
 kerberos Kerberos
 l2tp L2F/L2TP tunnel
 ldap Lightweight Directory Access Protocol
 llc2 llc2
 mgcp Media Gateway Control Protocol
 napster Napster Traffic
 netbios NetBIOS
 netshow Microsoft Netshow
 nfs Network File System
 nntp Network News Transfer Protocol
 notes Lotus Notes(R)
 novadigm Novadigm EDM
 ntp Network Time Protocol
 ospf Open Shortest Path First
 pad PAD links
 pcanywhere Symantec pcANYWHERE
 pop3 Post Office Protocol
 pppoe PPP over Ethernet
 pptp Point-to-Point Tunneling Protocol
 printer print spooler/lpd
 rcmd BSD r-commands (rsh, rlogin, rexec)
 rip Routing Information Protocol
 rsrb Remote Source-Route Bridging
 rsvp Resource Reservation Protocol
 rtcp Real Time Control Protocol
 rtp Real Time Protocol
 rtsp Real Time Streaming Protocol
 secure-ftp FTP over TLS/SSL
 secure-http Secured HTTP
 secure-imap Internet Message Access Protocol over TLS/SSL
 secure-irc Internet Relay Chat over TLS/SSL
 secure-ldap Lightweight Directory Access Protocol over TLS/SSL
 secure-nntp Network News Transfer Protocol over TLS/SSL
 secure-pop3 Post Office Protocol over TLS/SSL
 secure-telnet Telnet over TLS/SSL
 sip Session Initiation Protocol
 skinny Skinny Protocol
 smtp Simple Mail Transfer Protocol
 snapshot Snapshot routing support
 snmp Simple Network Management Protocol
 socks SOCKS
 sqlnet SQL*NET for Oracle
 sqlserver MS SQL Server
 ssh Secured Shell
 streamwork Xing Technology StreamWorks player
 sunrpc Sun RPC
 syslog System Logging Utility
 telnet Telnet
 tftp Trivial File Transfer Protocol
 vdolive VDOLive streaming video
 vofr voice over Frame Relay packets
 winmx WinMx file-sharing application
 xwindows X-Windows remote access

Router1(config-cmap)#

You can obtain and install new PDLM files from Cisco. In the example, we have downloaded a new PDLM file that can identify the BitTorrent protocol. Once we put this file on the router's Flash device, we need to tell NBAR to load the file to make it available:

Router1(config)#ip nbar pdlm flash://bittorrent.pdlm

In the past, Cisco has also made PDLM files available to help network administrators to use NBAR to help to identify hostile applications such as viruses and worms.

We are not aware of PDLM files originating from sources other than Cisco, but we strongly recommend that you use only files that you obtain directly from Cisco. Otherwise, you could potentially open your network to serious security vulnerabilities.

We note in passing that Cisco has also added the option to manually create your own NBAR rules using the ip nbar custom command. This feature should allow you to, for example, define a new protocol by specifying TCP or UDP port numbers, as well as any special rules that look for identifiable content at a particular bit offset in the packet payload. However, the syntax for this feature is confusing, and the parser is apparently unstable in some IOS versions, so we don't currently recommend using it.

The last feature discussed in the Solution section of this recipe is the NBAR Protocol-Discovery feature. This is a useful tool for figuring out what is going through your network, particularly if you are trying to define a QoS strategy. You can use the show ip nbar protocol-discovery command to get detailed statistics on the utilization for every type of protocol that NBAR understands. However, NBAR now supports so many protocols that this complete list is often not very useful for spotting trends. Instead, we suggest using the top-n keyword with a relatively small argument number, such as 5, or at most 10. This will allow you to immediately see statistics for the top protocols for each interface on which you enabled the feature:

Router1#show ip nbar protocol-discovery top-n 5

 FastEthernet0/0 
 Input Output 
 ----- ------ 
 Protocol Packet Count Packet Count 
 Byte Count Byte Count 
 5min Bit Rate (bps) 5min Bit Rate (bps) 
 5min Max Bit Rate (bps) 5min Max Bit Rate (bps) 
 ------------------------ ------------------------ ------------------------
 icmp 220 110 
 25080 12540 
 0 0 
 4000 3000 
 http 55 104 
 3763 60019 
 0 0 
 1000 4000 
 telnet 130 71 
 19212 4269 
 0 0 
 3000 1000 
 eigrp 90 45 
 6660 3330 
 0 0 
 0 0 
 secure-http 4 4 
 248 216 
 0 0 
 0 0 
 unknown 2 2 
 122 112 
 0 0 
 0 0 
 Total 501 336 
 55085 80486 
 0 0 
 8000 8000 
Router1#


Router Configuration and File Management

Router Management

User Access and Privilege Levels

TACACS+

IP Routing

RIP

EIGRP

OSPF

BGP

Frame Relay

Handling Queuing and Congestion

Tunnels and VPNs

Dial Backup

NTP and Time

DLSw

Router Interfaces and Media

Simple Network Management Protocol

Logging

Access-Lists

DHCP

NAT

First Hop Redundancy Protocols

IP Multicast

IP Mobility

IPv6

MPLS

Security

Appendix 1. External Software Packages

Appendix 2. IP Precedence, TOS, and DSCP Classifications

Index



Cisco IOS Cookbook
Cisco IOS Cookbook (Cookbooks (OReilly))
ISBN: 0596527225
EAN: 2147483647
Year: 2004
Pages: 505

Flylib.com © 2008-2020.
If you may any questions please contact us: flylib@qtcs.net