Configuring and using NBAR


As I begin preparing for my QoS exam, I’ve started playing around with different QoS configurations. One that I found particularly interesting is Network Based Application Recognition (NBAR). NBAR is a feature on Cisco routers that lets you determine what type of traffic is passing through a particular interface. The router opens the packet and inspects layers 4 and up to make this determination. Take a look at what the router can detect:

Cisco1841(config-cmap)#match protocol ?
  arp            IP ARP
  bgp            Border Gateway Protocol
  bittorrent     bittorrent
  bridge         Bridging
  cdp            Cisco Discovery Protocol
  citrix         Citrix Systems Metaframe 3.0
  clns           ISO CLNS
  clns_es        ISO CLNS End System
  clns_is        ISO CLNS Intermediate System
  cmns           ISO CMNS
  compressedtcp  Compressed TCP (VJ)
  cuseeme        CU-SeeMe desktop video conference
  dhcp           Dynamic Host Configuration
  directconnect  Direct Connect Version 2.0
  dns            Domain Name Server lookup
  edonkey        eDonkey
  egp            Exterior Gateway Protocol
  eigrp          Enhanced Interior Gateway Routing Protocol
  exchange       MS-RPC for Exchange
  fasttrack      FastTrack Traffic – KaZaA, Morpheus, Grokster…
  finger         Finger
  ftp            File Transfer Protocol
  gnutella       Gnutella Version2 Traffic – BearShare, Shareeza, Morpheus …
  gopher         Gopher
  gre            Generic Routing Encapsulation
  h323           H323 Protocol
  http           World Wide Web traffic
  icmp           Internet Control Message
  imap           Internet Message Access Protocol
  ip             IP
  ipinip         IP in IP (encapsulation)
  ipsec          IP Security Protocol (ESP/AH)
  ipv6           IPV6
  irc            Internet Relay Chat
  kazaa2         Kazaa Version 2
  kerberos       Kerberos
  l2tp           L2F/L2TP tunnel
  ldap           Lightweight Directory Access Protocol
  llc2           llc2
  mgcp           Media Gateway Control Protocol
  netbios        NetBIOS
  netshow        Microsoft Netshow
  nfs            Network File System
  nntp           Network News Transfer Protocol
  notes          Lotus Notes(R)
  novadigm       Novadigm EDM
  ntp            Network Time Protocol
  ospf           Open Shortest Path First
  pad            PAD links
  pcanywhere     Symantec pcANYWHERE
  pop3           Post Office Protocol
  pppoe          PPP over Ethernet
  pptp           Point-to-Point Tunneling Protocol
  printer        print spooler/lpd
  rcmd           BSD r-commands (rsh, rlogin, rexec)
  rip            Routing Information Protocol
  rsrb           Remote Source-Route Bridging
  rsvp           Resource Reservation Protocol
  rtcp           Real Time Control Protocol
  rtp            Real Time Protocol
  rtsp           Real Time Streaming Protocol
  secure-ftp     FTP over TLS/SSL
  secure-http    Secured HTTP
  secure-imap    Internet Message Access Protocol over TLS/SSL
  secure-irc     Internet Relay Chat over TLS/SSL
  secure-ldap    Lightweight Directory Access Protocol over TLS/SSL
  secure-nntp    Network News Transfer Protocol over TLS/SSL
  secure-pop3    Post Office Protocol over TLS/SSL
  secure-telnet  Telnet over TLS/SSL
  sip            Session Initiation Protocol
  skinny         Skinny Protocol
  skype          Skype Peer-to-Peer Internet Telephony Protocol
  smtp           Simple Mail Transfer Protocol
  snapshot       Snapshot routing support
  snmp           Simple Network Management Protocol
  socks          SOCKS
  sqlnet         SQL*NET for Oracle
  sqlserver      MS SQL Server
  ssh            Secured Shell
  streamwork     Xing Technology StreamWorks player
  sunrpc         Sun RPC
  syslog         System Logging Utility
  telnet         Telnet
  tftp           Trivial File Transfer Protocol
  vdolive        VDOLive streaming video
  vofr           voice over Frame Relay packets
  winmx          WinMx file-sharing application
  xwindows       X-Windows remote access

As you can see, there are quite a few different types of traffic that a router can detect. If traffic does not match one of the predefined types, it falls into the unknown type. If this happens, a custom type can be created to match the specific traffic. I’ll run through a quick example of how to use NBAR in conjunction with QoS policies on a standard router.

Using NBAR to classify Voice Traffic
One of the most popular types of traffic to apply QoS policy to is voice traffic. Most voice traffic uses RTP (Real Time Transport Protocol). Luckily, that’s one of the traffic types that NBAR can detect. Let’s take a look at how to classify traffic using NBAR and how to apply a specific policy to the RTP traffic using Cisco MQC.

Verify that NBAR is detecting your traffic
The first thing we should do is make sure that NBAR is working as we expect. To enable NBAR, you simply enable it on the interface you’d like it to inspect.

Cisco1841(config)#int vlan 1
Cisco1841(config-if)#ip nbar protocol-discovery

Once this is done, we can check NBAR to see if it’s detecting our traffic.

Cisco1841#show ip nbar protocol-discovery stats bit-rate top-n 10


Last clearing of "show ip nbar protocol-discovery" counters 01:55:36

                            Input                    Output
                            -----                    ------
   Protocol                 5min Bit Rate (bps)      5min Bit Rate (bps)
   ------------------------ ------------------------ ------------------------
   dns                      1000                     3000
   http                     1000                     0
   netbios                  1000                     0
   rtp                      1000                     0
   secure-http              0                        0
   ldap                     0                        0
   custom-01                0                        0
   sip                      0                        0
   bgp                      0                        0
   bittorrent               0                        0
   unknown                  1000                     0
   Total                    4000                     3000

As you can see from the output, it looks like NBAR is detecting some RTP traffic as well as some traffic associated with a standard host browsing the web.
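A way to review this output in bulk rather than by eye, as an added example that is not part of the original post: the script parses the bit-rate table, lists the protocols that are actually carrying traffic, and reports how much of the input rate NBAR could not classify. The sample table is the one shown above; the peer-to-peer watch list and the function names are assumptions made for the example.

```python
import re

# Table copied from the page's "show ip nbar protocol-discovery" run (spacing normalized).
SAMPLE = """\
   Protocol                 5min Bit Rate (bps)      5min Bit Rate (bps)
   ------------------------ ------------------------ ------------------------
   dns                      1000                     3000
   http                     1000                     0
   netbios                  1000                     0
   rtp                      1000                     0
   secure-http              0                        0
   ldap                     0                        0
   custom-01                0                        0
   sip                      0                        0
   bgp                      0                        0
   bittorrent               0                        0
   unknown                  1000                     0
   Total                    4000                     3000
"""

# Peer-to-peer names from the "match protocol ?" list; the watch list itself is an assumption.
P2P = {"bittorrent", "directconnect", "edonkey", "fasttrack", "gnutella", "kazaa2", "winmx"}
ROW = re.compile(r"^\s*([A-Za-z][\w-]*)\s+(\d+)\s+(\d+)\s*$")

def parse_discovery(text):
    """Return ({protocol: (in_bps, out_bps)}, (total_in, total_out))."""
    rates, total = {}, None
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue                      # banner, column headers, rulers
        name, rx, tx = m.group(1).lower(), int(m.group(2)), int(m.group(3))
        if name == "total":
            total = (rx, tx)
        else:
            rates[name] = (rx, tx)
    if total is None:
        raise ValueError("no Total row: output is truncated or not a bit-rate table")
    return rates, total

def summarize(text, watch=P2P):
    """List active protocols, watched ones among them, and the unclassified input share."""
    rates, (total_in, _) = parse_discovery(text)
    active = sorted(p for p, (rx, tx) in rates.items() if rx or tx)
    unknown_in = rates.get("unknown", (0, 0))[0]
    return {
        "active": active,
        "watched_active": [p for p in active if p in watch],
        "unknown_input_share": unknown_in / total_in if total_in else 0.0,
    }

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A persistently high unknown share is the signal that a custom NBAR type is needed before class maps built on `match protocol` can be relied on.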

Configure a Class Map to match the RTP traffic
Now that we know we can detect RTP, let’s create a class map in order to classify the traffic.

Cisco1841#config t
Enter configuration commands, one per line.  End with CNTL/Z.
Cisco1841(config)#class-map RTP_TRAFFIC
Cisco1841(config-cmap)#match protocol rtp

Then we can verify the class map creation…

Cisco1841#show class-map

Class Map match-all test (id 1)
   Match none

Class Map match-any class-default (id 0)
   Match any

Class Map match-all RTP_TRAFFIC (id 2)
   Match protocol rtp


Configure a Policy Map for RTP traffic
The class map allows us to classify the RTP traffic; now we need a policy map to tell the router what to do with it. As an example, let’s say that the VoIP phone in this instance isn’t tagging the DSCP value the way we want it to. A quick packet capture shows that the DSCP value in the IP header is coming through as ‘cs1’ when we want it to be ‘ef’.


So the first step is to create the policy map.

Cisco1841#config t
Enter configuration commands, one per line.  End with CNTL/Z.
Cisco1841(config)#policy-map RTP_Policy
Cisco1841(config-pmap)#class RTP_TRAFFIC
Cisco1841(config-pmap-c)#set dscp ef

So what we have done here is create a policy named ‘RTP_Policy’ that looks for traffic that matches the ‘RTP_TRAFFIC’ class and sets the DSCP value to ‘ef’. The last step is to apply this to an interface. Since the phone hangs off the HWIC-4ESW, we’ll apply it to the VLAN interface.

Cisco1841#config t
Enter configuration commands, one per line.  End with CNTL/Z.
Cisco1841(config)#int vlan 1
Cisco1841(config-if)#service-policy input RTP_Policy

That’s it! Now let’s do another packet capture and see what the DSCP value looks like for the RTP traffic.


Brilliant! As you can see, the voice traffic now has the ‘ef’ DSCP value. We can also check the router to see the policy matches that were made on the interface itself.

Cisco1841#show policy-map interface vlan1

  Service-policy input: RTP_Policy

    Class-map: RTP_TRAFFIC (match-all)
      224 packets, 48832 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol rtp
      QoS Set
        dscp ef
          Packets marked 224

    Class-map: class-default (match-any)
      15552 packets, 17294321 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any

As you can see, the router has ‘marked’ 224 packets with the DSCP value we specified. This is just a small example of what can be done with NBAR and QoS as a whole. More to come soon!
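What the two packet captures compare, and what `set dscp ef` does to each matched packet, as an added example that is not part of the original post: DSCP is the top six bits of the second byte of the IPv4 header, so re-marking means rewriting that byte and recomputing the header checksum. The header bytes, addresses and function names below are constructed for the example.

```python
import struct

DSCP_NAMES = {0: "default", 8: "cs1", 46: "ef"}   # only the values the page mentions

def checksum(header):
    """IPv4 header checksum: one's-complement sum of the 16-bit words."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def make_header(dscp, src, dst, payload_len=172):
    """Build a constructed 20-byte IPv4 header carrying UDP (protocol 17)."""
    addr = lambda a: bytes(int(o) for o in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20 + payload_len,
                      0, 0, 64, 17, 0, addr(src), addr(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def read_dscp(header):
    """Return (numeric DSCP, name) from an IPv4 header."""
    if len(header) < 20 or header[0] >> 4 != 4 or (header[0] & 0x0F) < 5:
        raise ValueError("not an IPv4 header")
    dscp = header[1] >> 2                 # low 2 bits of this byte are ECN
    return dscp, DSCP_NAMES.get(dscp, f"dscp-{dscp}")

def header_valid(header):
    """A header with a correct checksum sums to zero."""
    return checksum(header[:(header[0] & 0x0F) * 4]) == 0

def remark(header, dscp):
    """Rewrite DSCP the way a marking policy does: keep ECN, fix the checksum."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit value")
    ihl = (header[0] & 0x0F) * 4
    hdr = bytearray(header[:ihl])
    hdr[1] = (dscp << 2) | (hdr[1] & 0x03)
    hdr[10:12] = b"\x00\x00"              # checksum field is zero while summing
    hdr[10:12] = struct.pack("!H", checksum(bytes(hdr)))
    return bytes(hdr) + header[ihl:]

if __name__ == "__main__":
    before = make_header(8, "192.0.2.10", "192.0.2.20")   # phone sends cs1
    after = remark(before, 46)                            # policy sets ef
    print(read_dscp(before), read_dscp(after), header_valid(after))
```

In a capture the same field shows up as a ToS/DS byte of 0x20 for cs1 and 0xb8 for ef.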

2 thoughts on “Configuring and using NBAR”

  1. Topu

    It’s not working.

    Configuration below.

    class-map match-any BLOCKED_SITES
    match protocol http host “**”
    match protocol http host “**”
    policy-map DROP_WEB
    interface FastEthernet0/0
    description Connected to the LAN
    service-policy input DROP_WEB

    OALAN#show running-config interface fa0/1
    Building configuration…

    Current configuration : 221 bytes
    interface FastEthernet0/1
    description OA-LAN
    ip address
    ip nbar protocol-discovery
    ip nat inside
    load-interval 30
    duplex auto
    speed auto
    service-policy input DROP_WEB


    After configuring the above, the user is still able to open the blocked sites. Need support to close the issue.

