NBAR Categorization and Attributes

The NBAR Categorization and Attributes feature provides the mechanism to match protocols or applications based on statically assigned attributes such as application-group, category, sub-category, encrypted, and tunnel. Categorizing the protocols and applications into different groups helps with reporting and applying Quality of Service (QoS) policies.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Information About NBAR2 Custom Protocol

NBAR Categorization and Attributes

The NBAR Categorization and Attributes feature provides the mechanism to match protocols or applications based on certain attributes. Categorizing the protocols and applications into different groups will help with reporting and performing group actions, such as applying QoS policies, on them. Attributes are statically assigned to each protocol or application, and they are not dependent on the traffic. The following attributes are available to configure the match criteria using the match protocol attribute command:

  • application-group: The application-group keyword allows the configuration of applications grouped together based on the same networking application as the match criteria. For example, Yahoo-Messenger, Yahoo-VoIP-messenger, and Yahoo-VoIP-over-SIP are grouped together under the yahoo-messenger-group.

  • category: The category keyword allows you to configure applications that are grouped together based on the first level of categorization for each protocol as the match criteria. Similar applications are grouped together under one category. For example, the email category contains all email applications, such as Internet Mail Access Protocol (IMAP), Simple Mail Transfer Protocol (SMTP), Lotus Notes, and so forth.

  • sub-category: The sub-category keyword provides the option to configure applications grouped together based on the second level of categorization for each protocol as the match criteria. For example, clearcase, dbase, rda, mysql and other database applications are grouped under the database group.

  • encrypted: The encrypted keyword provides the option to configure applications grouped together based on whether or not the protocol is an encrypted protocol as the match criteria. Applications are grouped together based on their encrypted or nonencrypted status. Protocols for which NBAR does not provide any value are categorized under the unassigned encrypted group.

  • tunnel: The tunnel keyword provides the option to configure protocols based on whether or not a protocol tunnels the traffic of other protocols, for example, Layer 2 Tunneling Protocol (L2TP). Protocols for which NBAR does not provide any value are categorized under the unassigned tunnel group.

  • p2p-technology: The p2p-technology (peer-to-peer technology) attribute provides the option to indicate whether or not a protocol uses p2p technology.


Note


Attribute-based protocol match configurations do not impact the granularity of classification either in reporting or in the Protocol Discovery information.


You can create custom values for the attributes application-group, category, and sub-category. The custom values enable you to name the attributes based on grouping of protocols. Use the ip nbar attribute application-group custom application-group-name, ip nbar attribute category custom category-name, and ip nbar attribute sub-category custom sub-category-name commands to add custom values for the attributes application-group, category, and sub-category, respectively.

The dynamically created custom attribute values can be used for attribute-map creation when using the ip nbar attribute-map command, and for configuring the match criterion for a class-map when using the match protocol attribute command.

The output from the show ip nbar attribute-custom command displays the number of custom values that can be defined for attributes, and the custom values that are currently defined. The show ip nbar attribute command displays all the attributes including the custom attributes used by NBAR.

To remove the custom values, use the no ip nbar attribute command.

Overview of NBAR2 Custom Protocol

Network-Based Application Recognition (NBAR) supports the use of custom protocols to identify custom applications. Custom protocols support static port-based protocols and applications that NBAR does not support.

For more information about custom protocols, refer to the "Creating a Custom Protocol" module.

How to Configure NBAR2 Custom Protocol

Customizing NBAR Attributes

SUMMARY STEPS

    1.    enable

    2.    configure terminal

    3.    ip nbar attribute-map profile-name

    4.    attribute category category-name

    5.    attribute sub-category sub-category-name

    6.    attribute application-group application-group-name

    7.    attribute tunnel tunnel-info

    8.    attribute encrypted encrypted-info

    9.    attribute p2p-technology p2p-technology-info

    10.    ip nbar attribute-set protocol-name profile-name

    11.    end


DETAILED STEPS
     Command or Action | Purpose
    Step 1 enable


    Example:
    Device> enable
     

    Enables privileged EXEC mode.

    • Enter your password if prompted.

     
    Step 2 configure terminal


    Example:
    Device# configure terminal
     

    Enters global configuration mode.

     
    Step 3 ip nbar attribute-map profile-name


    Example:
    Device(config)# ip nbar attribute-map actdir-attrib
     

    Creates an attribute profile with the name that you specify, and enters the attribute-map configuration mode.

     
    Step 4 attribute category category-name


    Example:
    Device(config-attribute-map)# attribute category net-admin
     

    Adds attribute values from the category attribute to your profile.

     
    Step 5 attribute sub-category sub-category-name


    Example:
    Device(config-attribute-map)# attribute sub-category network-management
     

    Adds attribute values from the sub-category attribute to your profile.

     
    Step 6 attribute application-group application-group-name


    Example:
    Device(config-attribute-map)# attribute application-group other
     

    Adds attribute values from the application-group attribute to your profile.

     
    Step 7 attribute tunnel tunnel-info


    Example:
    Device(config-attribute-map)# attribute tunnel no
     

    Adds attribute values from the tunnel attribute to your profile.

     
    Step 8 attribute encrypted encrypted-info


    Example:
    Device(config-attribute-map)# attribute encrypted no
     

    Adds attribute values from the encrypted attribute to your profile.

     
    Step 9 attribute p2p-technology p2p-technology-info


    Example:
    Device(config-attribute-map)# attribute p2p-technology no
     

    Adds attribute values from the p2p-technology attribute to your profile.

     
    Step 10 ip nbar attribute-set protocol-name profile-name


    Example:
    Device(config-attribute-map)# ip nbar attribute-set active-directory actdir-attrib 
     

    Adds attribute values from the specified profile to the specified protocol.

     
    Step 11 end


    Example:
    Device(config-attribute-map)# end
     

    Returns to privileged EXEC mode.

     

    Configuration Examples for NBAR2 Custom Protocol

    Example: Adding Custom Values for Attributes

    The following example shows how to add custom values for the attributes application-group, category, and sub-category:

    Device> enable
    Device# configure terminal
    Device(config)# ip nbar attribute application-group custom Home_grown_finance_group "our finance tools network traffic"
    Device(config)# ip nbar attribute category custom dc_backup_category "Data center backup traffic"
    Device(config)# ip nbar attribute sub-category custom hr_sub_category "HR custom applications traffic"
    Device(config)# exit
    

    Examples: Viewing the Information About Custom Values for Attributes

    The following sample output from the show ip nbar attribute-custom command displays the number of custom values that can be defined, and the custom values that are currently defined for the attributes:

    Device# show ip nbar attribute-custom
    
                      Name :  category
                      Help :  category attribute
       Custom Groups Limit :  1
     Custom Groups Created :  dc_backup_category
    
                      Name :  sub-category
                      Help :  sub-category attribute
       Custom Groups Limit :  1
     Custom Groups Created :  hr_sub_category
    
                      Name :  application-group
                      Help :  application-group attribute
       Custom Groups Limit :  1
     Custom Groups Created :  Home_grown_finance_group

    The following sample output from the show ip nbar attribute category command displays the details about the Category attribute:

    Device# show ip nbar attribute category
    
          Name :  category
          Help :  category attribute
          Type :  group
        Groups :  newsgroup
               :  instant-messaging
               :  net-admin
               :  trojan
               :  email
               :  file-sharing
               :  industrial-protocols
               :  business-and-productivity-tools
               :  internet-privacy
               :  social-networking
               :  layer3-over-ip
               :  obsolete
               :  streaming
               :  location-based-services
               :  voice-and-video
               :  other
               :  gaming
               :  browsing
               :  dc_backup_category
          Need :  Mandatory
       Default :  other
    
    

    Example: Creating a Profile and Configuring Attributes for the Profile

    The following example shows how to create an attribute profile with attributes configured for the Network News Transfer Protocol (NNTP) protocol:

    Device> enable
    Device# configure terminal
    Device(config)# ip nbar attribute-map nntp-attrib
    Device(config-attribute-map)# attribute category newsgroup
    Device(config-attribute-map)# attribute application-group nntp-group
    Device(config-attribute-map)# attribute tunnel tunnel-no
    Device(config-attribute-map)# attribute encrypted encrypted-yes
    Device(config-attribute-map)# attribute p2p-technology p2p-tech-no
    Device(config-attribute-map)# end
    

    The following example shows how to verify the above configuration:

    Device> enable
    Device# show ip nbar attribute-map nntp-attrib
    Device# Profile Name :  nntp-attrib
                category :  newsgroup
       application-group :  nntp-group
               encrypted :  encrypted-yes
    Device# end
    

    Example: Attaching an Attribute Profile to a Protocol

    The following example shows how to set an attribute profile to the Application Communication Protocol (ACP) protocol:

    Device> enable
    Device# configure terminal
    Device(config)# ip nbar attribute-set acp test-profile
    Device(config)# exit
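
The text above says that custom attribute values can be used as a class-map match criterion with match protocol attribute, but the examples stop at attaching the profile. The following added example is not part of the original Cisco module: it carries the page's custom category, profile name, and protocol through to a QoS class. The class-map name, policy-map name, interface, and bandwidth value are assumptions, and treating ACP as backup traffic is purely illustrative.

```cisco
! Added example, not from the original module.
! DC-BACKUP, WAN-EDGE-OUT, GigabitEthernet0/0/0 and "percent 10" are assumed values.
!
! 1. Define the custom category value (same value as the page's earlier example).
ip nbar attribute category custom dc_backup_category "Data center backup traffic"
!
! 2. Create a profile that carries the custom category.
ip nbar attribute-map test-profile
 attribute category dc_backup_category
!
! 3. Attach the profile to a protocol. From this point NBAR reports the
!    protocol under dc_backup_category instead of its built-in category.
ip nbar attribute-set acp test-profile
!
! 4. Match on the attribute rather than on individual protocol names.
!    Any protocol later given this category is picked up without
!    editing the class-map.
class-map match-any DC-BACKUP
 match protocol attribute category dc_backup_category
!
! 5. Apply a group action (QoS) to everything in the class.
policy-map WAN-EDGE-OUT
 class DC-BACKUP
  bandwidth percent 10
!
interface GigabitEthernet0/0/0
 service-policy output WAN-EDGE-OUT
```

Because attributes are statically assigned and do not depend on the traffic, the class matches whatever NBAR classifies as a protocol carrying that category value. Use show ip nbar attribute-map test-profile and show ip nbar attribute category to confirm the profile and the custom value before attaching the policy.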
    


    Feature Information for NBAR Categorization and Attributes

    The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

    Table 1 Feature Information for NBAR2 Custom Protocol

    Feature Name | Releases | Feature Information
    --- | --- | ---
    NBAR Categorization and Attributes | Cisco IOS XE Release 3.4S | This feature was introduced on Cisco ASR 1000 series Aggregation Services Routers. The following command was introduced or modified: ip nbar custom
    NBAR2 Custom Protocol | Cisco IOS XE Release 3.8S | The NBAR2 Custom Protocol feature configures attribute profiles for protocols, and maps profiles to protocols. The following commands were introduced or modified: ip nbar attribute-map, ip nbar attribute-set.