As I begin preparing for my QOS exam I’ve started playing around with different QOS configurations. One of them that I found particularly interesting was network based application recognition (NBAR). NBAR is a function on Cisco routers that allows you to determine what type of traffic is passing through a particular interface on a router. The router opens the packet and inspects layers 4 and up to make this determination. Take a look at what the router can detect…
Cisco1841(config-cmap)#match protocol ?
arp IP ARP
bgp Border Gateway Protocol
bittorrent bittorrent
bridge Bridging
cdp Cisco Discovery Protocol
citrix Citrix Systems Metaframe 3.0
clns ISO CLNS
clns_es ISO CLNS End System
clns_is ISO CLNS Intermediate System
cmns ISO CMNS
compressedtcp Compressed TCP (VJ)
cuseeme CU-SeeMe desktop video conference
dhcp Dynamic Host Configuration
directconnect Direct Connect Version 2.0
dns Domain Name Server lookup
edonkey eDonkey
egp Exterior Gateway Protocol
eigrp Enhanced Interior Gateway Routing Protocol
exchange MS-RPC for Exchange
fasttrack FastTrack Traffic – KaZaA, Morpheus, Grokster…
finger Finger
ftp File Transfer Protocol
gnutella Gnutella Version2 Traffic – BearShare, Shareeza, Morpheus …
gopher Gopher
gre Generic Routing Encapsulation
h323 H323 Protocol
http World Wide Web traffic
icmp Internet Control Message
imap Internet Message Access Protocol
ip IP
ipinip IP in IP (encapsulation)
ipsec IP Security Protocol (ESP/AH)
ipv6 IPV6
irc Internet Relay Chat
kazaa2 Kazaa Version 2
kerberos Kerberos
l2tp L2F/L2TP tunnel
ldap Lightweight Directory Access Protocol
llc2 llc2
mgcp Media Gateway Control Protocol
netbios NetBIOS
netshow Microsoft Netshow
nfs Network File System
nntp Network News Transfer Protocol
notes Lotus Notes(R)
novadigm Novadigm EDM
ntp Network Time Protocol
ospf Open Shortest Path First
pad PAD links
pcanywhere Symantec pcANYWHERE
pop3 Post Office Protocol
pppoe PPP over Ethernet
pptp Point-to-Point Tunneling Protocol
printer print spooler/lpd
rcmd BSD r-commands (rsh, rlogin, rexec)
rip Routing Information Protocol
rsrb Remote Source-Route Bridging
rsvp Resource Reservation Protocol
rtcp Real Time Control Protocol
rtp Real Time Protocol
rtsp Real Time Streaming Protocol
secure-ftp FTP over TLS/SSL
secure-http Secured HTTP
secure-imap Internet Message Access Protocol over TLS/SSL
secure-irc Internet Relay Chat over TLS/SSL
secure-ldap Lightweight Directory Access Protocol over TLS/SSL
secure-nntp Network News Transfer Protocol over TLS/SSL
secure-pop3 Post Office Protocol over TLS/SSL
secure-telnet Telnet over TLS/SSL
sip Session Initiation Protocol
skinny Skinny Protocol
skype Skype Peer-to-Peer Internet Telephony Protocol
smtp Simple Mail Transfer Protocol
snapshot Snapshot routing support
snmp Simple Network Management Protocol
socks SOCKS
sqlnet SQL*NET for Oracle
sqlserver MS SQL Server
ssh Secured Shell
streamwork Xing Technology StreamWorks player
sunrpc Sun RPC
syslog System Logging Utility
telnet Telnet
tftp Trivial File Transfer Protocol
vdolive VDOLive streaming video
vofr voice over Frame Relay packets
winmx WinMx file-sharing application
xwindows X-Windows remote access
As you can see, there are quite a few different types of traffic that a router can detect. If traffic does not match one of the predefined types, it falls into the 'unknown' category. If this happens, a custom protocol type can be created to match that specific traffic. I'll run through a quick example of how to use NBAR in conjunction with QOS policies on a standard router.
Using NBAR to classify Voice Traffic
One of the most popular types of traffic to apply QOS policy to is voice traffic. Most voice traffic uses RTP (Real-time Transport Protocol). Luckily, that's one of the traffic types that NBAR can detect. Let's take a look at how to classify traffic using NBAR and how to apply a specific policy to the RTP traffic using Cisco MQC.
Verify that NBAR is detecting your traffic
The first thing we should do is make sure that NBAR is working as we expect. To enable NBAR, you simply enable it on the interface you'd like it to inspect.
Cisco1841(config)#int vlan 1
Cisco1841(config-if)#ip nbar protocol-discovery
Once this is done, we can check NBAR to see if it's detecting our traffic.
Cisco1841#show ip nbar protocol-discovery stats bit-rate top-n 10
Vlan1
Last clearing of "show ip nbar protocol-discovery" counters 01:55:36
                          Input                    Output
                          -----                    ------
Protocol                  5min Bit Rate (bps)      5min Bit Rate (bps)
------------------------  ------------------------ ------------------------
dns                       1000                     3000
http                      1000                     0
netbios                   1000                     0
rtp                       1000                     0
secure-http               0                        0
ldap                      0                        0
custom-01                 0                        0
sip                       0                        0
bgp                       0                        0
bittorrent                0                        0
unknown                   1000                     0
Total                     4000                     3000
Cisco1841#
As you can see from the output, it looks like NBAR is detecting some RTP traffic as well as some traffic associated with a standard host browsing the web.
Configure a Class Map to match the RTP traffic
Now that we know we can detect RTP, let's create a class map in order to classify the traffic.
Cisco1841#config t
Enter configuration commands, one per line. End with CNTL/Z.
Cisco1841(config)#class-map RTP_TRAFFIC
Cisco1841(config-cmap)#match protocol rtp
Cisco1841(config-cmap)#end
Then we can verify the class map creation…
Cisco1841#show class-map
Class Map match-all test (id 1)
Match none
Class Map match-any class-default (id 0)
Match any
Class Map match-all RTP_TRAFFIC (id 2)
Match protocol rtp
Cisco1841#
Configure a Policy Map for RTP traffic
The class map allows us to classify the RTP traffic; now we need a policy map to tell the router what to do with that traffic. As an example, let's say that the VOIP phone in this instance isn't tagging the DSCP value the way we want it to. A quick packet capture shows that the DSCP value in the IP header is coming through as 'cs1' when we want it to be 'ef'.
So the first step is to create the policy map.
Cisco1841#config t
Enter configuration commands, one per line. End with CNTL/Z.
Cisco1841(config)#policy-map RTP_Policy
Cisco1841(config-pmap)#class RTP_TRAFFIC
Cisco1841(config-pmap-c)#set dscp ef
Cisco1841(config-pmap-c)#end
So what we have done here is create a policy named 'RTP_Policy' that looks for traffic matching the 'RTP_TRAFFIC' class and sets its DSCP value to 'ef'. The last step is to apply this to an interface. Since the phone is hung off of the HWIC-4ESW, we'll apply it to the VLAN interface.
Cisco1841#config t
Enter configuration commands, one per line. End with CNTL/Z.
Cisco1841(config)#int vlan 1
Cisco1841(config-if)#service-policy input RTP_Policy
Cisco1841(config-if)#end
That's it! Now let's do another packet capture and see what the DSCP value looks like for the RTP traffic.
Brilliant! As you can see the voice traffic now has the ‘ef’ DSCP value. We can also check the router to see the policy matches that were made on the interface itself.
Cisco1841#show policy-map interface vlan1
Vlan1
Service-policy input: RTP_Policy
Class-map: RTP_TRAFFIC (match-all)
224 packets, 48832 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: protocol rtp
QoS Set
dscp ef
Packets marked 224
Class-map: class-default (match-any)
15552 packets, 17294321 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
As you can see, the router has ‘marked’ 224 packets with the DSCP value we specified. This is just a small example of what can be done with NBAR and QOS as a whole. More to come soon!
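The two verification steps above ("is NBAR seeing RTP?" via show ip nbar protocol-discovery, and "did the policy mark it?" via show policy-map interface) are easy to script once the output is parsed. The following is an added example, not code from the post; both sample outputs are constructed in the post's format, and the parsers assume the column layout shown above.

```python
# Added example (not code from the post): parse the two IOS "show" outputs the
# post uses, so "is NBAR seeing RTP?" and "did the policy mark it?" can be
# scripted. Both samples are constructed in the post's output format.
import re

DISCOVERY_SAMPLE = """\
Protocol                  5min Bit Rate (bps)      5min Bit Rate (bps)
dns                       1000                     3000
http                      1000                     0
rtp                       1000                     0
unknown                   1000                     0
Total                     4000                     3000
"""

POLICY_SAMPLE = """\
    Class-map: RTP_TRAFFIC (match-all)
      224 packets, 48832 bytes
          Packets marked 224
    Class-map: class-default (match-any)
      15552 packets, 17294321 bytes
"""

ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)$")  # protocol, in bps, out bps

def parse_discovery(text):
    """Return {protocol: (input_bps, output_bps)}, dropping the Total row."""
    rates = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m and m.group(1) != "Total":
            rates[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return rates

def unknown_share(rates):
    """Fraction of input bps NBAR could not classify (0.0 if idle)."""
    total = sum(i for i, _ in rates.values())
    return rates.get("unknown", (0, 0))[0] / total if total else 0.0

def parse_policy(text):
    # Return {class: {"packets": n, "marked": n}} from 'show policy-map interface'.
    classes, cur = {}, None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Class-map:"):
            cur = s.split()[1]
            classes[cur] = {"packets": 0, "marked": 0}
        elif cur and s.endswith("bytes"):
            classes[cur]["packets"] = int(s.split()[0])
        elif cur and s.startswith("Packets marked"):
            classes[cur]["marked"] = int(s.split()[-1])
    return classes
```

A class whose packet counter stays at zero after traffic has flowed means the class map is not matching, which is the first thing to check before suspecting the policy action.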
It’s not working.
Configuration below.
class-map match-any BLOCKED_SITES
match protocol http host "*youtube.com*"
match protocol http host "*facebook.com*"
!
policy-map DROP_WEB
class BLOCKED_SITES
drop
!
interface FastEthernet0/0
description Connected to the LAN
service-policy input DROP_WEB
OALAN#show running-config interface fa0/1
Building configuration…
Current configuration : 221 bytes
!
interface FastEthernet0/1
description OA-LAN
ip address 10.10.10.1 255.255.255.240
ip nbar protocol-discovery
ip nat inside
load-interval 30
duplex auto
speed auto
service-policy input DROP_WEB
end
OALAN#
After configuring the above, the user is still able to open the blocked sites. Need support to close the issue.
As a piece of advice, try to capture packets from the router and export them to a pcap file to analyze the inbound traffic. See this URL:
http://www.ciscozine.com/ip-traffic-export-how-to-mirror-traffic-on-a-router/