- Auto Traffic Analysis and Protocol Generation
- Classifying Network Traffic Using NBAR
- Enabling Protocol Discovery
- Configuring NBAR Using the MQC
- DSCP-Based Layer 3 Custom Applications
- MQC Based on Transport Hierarchy
- NBAR Categorization and Attributes
- Reporting Extracted Fields Through Flexible NetFlow
- NBAR Protocol Pack
- NBAR Protocol Pack Auto Update
- NBAR2 Custom Protocol
- NBAR2 Protocol Pack Hitless Upgrade
- NBAR Web-based Custom Protocols
- NBAR2 HTTP-Based Visibility Dashboard
- NBAR Coarse-Grain Classification
- SSL Custom Application
- Fine-Grain NBAR for Selective Applications
- NBAR Custom Applications Based on DNS Name
- NBAR Customized Assistance Based on SSL or HTTP
- Prerequisites for auto-custom
- Limitations of auto-custom
- Background: Auto Traffic Analysis Using NBAR2 Auto-learn
- Auto Generation of Custom Protocols Using auto-custom
- Enabling and Disabling auto-custom
- Configuring the Maximum Number of Auto-generated NBAR Protocols to Create
- Configuring the Time Interval for Re-generating the auto-custom Protocols
- Clearing auto-custom Data
- Disabling DNS-based auto-learn
- Displaying Auto-generated NBAR Protocols Created by auto-custom
- Displaying NBAR Protocol Discovery Information for auto-custom Protocols
Auto Traffic
Analysis and Protocol Generation
NBAR includes an auto-learn feature that analyzes generic and unknown network traffic to determine the most frequently used hosts and ports. Using this data, the auto-custom feature can automatically generate NBAR protocols provisionally to improve identification of traffic
- Prerequisites for auto-custom
- Limitations of auto-custom
- Background: Auto Traffic Analysis Using NBAR2 Auto-learn
- Auto Generation of Custom Protocols Using auto-custom
- Enabling and Disabling auto-custom
- Configuring the Maximum Number of Auto-generated NBAR Protocols to Create
- Configuring the Time Interval for Re-generating the auto-custom Protocols
- Clearing auto-custom Data
- Disabling DNS-based auto-learn
- Displaying Auto-generated NBAR Protocols Created by auto-custom
- Displaying NBAR Protocol Discovery Information for auto-custom Protocols
Prerequisites for auto-custom
The auto-custom feature requires auto-learn to be active.
See NBAR2 auto-learn.
Limitations of auto-custom
Default
The auto-custom feature is disabled by default.
Environments Supported
Background: Auto Traffic Analysis Using NBAR2 Auto-learn
The NBAR2 auto-learn (see NBAR2 Auto-learn) and auto-custom features work together. NBAR2 Auto-learn analyzes traffic classified as generic HTTP/SSL or unknown. For generic HTTP/SSL traffic, it derives hostnames from packet header fields in the traffic and tracks the "top hosts" that occur in generic traffic. For unknown traffic, it identifies server-side ports and tracks the "top ports" and "top sockets" that occur in unknown traffic.
The results produced by auto-learn can be used by the auto-custom feature to automatically create custom NBAR protocols that improve classification of the traffic to improve application visibility for this difficult-to-classify traffic. For example, top hosts provide "candidate" hosts to use in creating custom protocols.
Auto Generation of Custom Protocols Using auto-custom
The auto-custom feature uses the results of auto-learn to improve NBAR classification of generic and unknown network traffic, automatically generating custom NBAR protocols.
Format for Reporting of Traffic Classified by Auto-generated NBAR Protocols
Auto-generated NBAR protocols report traffic according to hostname or port number:
-
For generic traffic, protocols are generated for the most frequently occurring hosts, and are named according to the hostname. For traffic that contains only a host address and not a hostname, where possible, NBAR uses DNS lookup to provide the corresponding hostname.
Examples: abcd.com, efgh.net
-
For unknown traffic, protocols are generated for the most frequently occurring ports, and are named according to the port number or socket (server-side IP + port), and the traffic type: TCP or UDP.
Examples for port: Port_80_TCP, Port_443_UDP
Example for socket: 72.163.4.162:256_TCP
Auto-generation Is Based on Sampling of Traffic Flows
The auto-learn mechanism collects data about generic and unknown traffic by sampling traffic flows for analysis. Not every flow is analyzed. Using sampling rather than analyzing each flow is necessary due to the constraints of hardware resources. The availability of hardware resources for auto-learn analysis depends mostly on the network traffic volume that a device is handling.
For generic traffic, the sampling rate is dynamic, adjusting automatically according to system load. For unknown traffic, the default sampling rate is 128, meaning that the mechanism samples 1 flow for every 128 of unknown traffic. This value can be configured manually.
Because the auto-custom feature relies on data collected by auto-learn, the flow sampling performed by auto-learn can influence the automatic generation of protocols by auto-custom. In most use cases, however, sampling accurately reflects the makeup of network traffic.
Use of Auto-generated NBAR Protocols By Other Features
The NBAR application protocols auto-generated by auto-custom improve network traffic reporting, improving application visibility. However, the auto-generated protocols present at any given time are determined by the makeup of recent network traffic, making them inherently dynamic and impermanent.
Because of this dynamic nature, auto-custom protocols are applicable to some features, but not to others. In general, auto-custom protocols improve application visibility, but do not affect security (firewall) or QoS policies.
Features affected by auto-custom protocols:
Features not affected by auto-custom protocols:
Enabling and Disabling auto-custom
Enables or disables one or both of the auto-custom modes:
1.
configure
terminal
2. [no] ip nbar auto-custom {top-ports | top-hosts}
3.
exit
DETAILED STEPS
Configuring the Maximum Number of Auto-generated NBAR Protocols to Create
Configures the maximum number of protocols automatically generated by auto-custom. The auto-generated protocols present at any given time are determined by the makeup of recent network traffic, making them inherently dynamic and impermanent.
1.
configure
terminal
2.
ip
nbar
auto-custom
{top-hosts |
top-ports}
max-protocols
number
3.
exit
DETAILED STEPS
Configuring the Time Interval for Re-generating the auto-custom Protocols
Configures the time interval at which auto-custom reloads the lists of "top-hosts" for generic traffic and "top-ports" for unknown data. The lists are provided by the auto-learn mechanism. After reloading the lists, the auto-custom mechanism generates a new set of custom protocols based on the data, which reflects the most recent network traffic. Because of this mechanism, the list of auto-custom protocols is dynamic, changing with the makeup of generic and unknown network traffic.
1.
configure
terminal
2.
ip
nbar
auto-custom
{top-hosts |
top-ports}
time-interval
minutes
3.
exit
DETAILED STEPS
Clearing auto-custom Data
1.
configure
terminal
2.
clear
ip
nbar
auto-custom
{top-hosts |
top-ports}
{stats |
restart}
3.
exit
DETAILED STEPS
Disabling DNS-based auto-learn
The NBAR auto-learn feature uses numerous mechanisms to analyze network traffic. One method is DNS-based learning. NBAR learns the network addresses of applications by analyzing DNS query/response traffic. The DNS-based learning mechanism enables NBAR to classify application traffic from the first packet of a flow.
You can enable or disable the DNS-based auto-learn mechanism for application protocols provided in the NBAR Protocol Pack. Disabling the mechanism may be useful if DNS-based learning causes mis-classification of traffic.
1.
configure
terminal
2. [no] ip nbar classification dns learning
DETAILED STEPS
Displaying Auto-generated NBAR Protocols Created by auto-custom
1.
show
ip
nbar
auto-custom
[top-hosts |
top-ports]
DETAILED STEPS
| Command or Action | Purpose |
|---|
# show ip nbar auto-custom Top-hosts: Max number of protocols :10 Interval (min) :30 ---------------------------------------------------------------------------------------------------- | Id | Protocol name | Underlying | Auto-learn value | Age (min) | Status | | | | protocol | | | | ---------------------------------------------------------------------------------------------------- | 1|m.abc-demo.com |http |m.abc-demo.com | 80|Dynamic | | 2|hwcdn.def-demo.com |http |hwcdn.def-demo.com | 80|Dynamic | | 3|ec.def-demo.com |http |ec.def-demo.com | 80|Dynamic | | 4|payroll.demo.com |ssl |payroll.demo.com | 80|Dynamic | | 5|ec-media.demo.com |http |ec-media.demo.com | 50|Dynamic | | 6|TrustedSourceServer_IMQ |ssl |TrustedSourceServer_IMQA01 | 20|Dynamic | | 7|go.microsoft.com |http |go.microsoft.com | 20|Dynamic | | 8|ping.chartbeat.net |http |ping.chartbeat.net | 20|Dynamic | ---------------------------------------------------------------------------------------------------- Top-ports: Max number of protocols :40 Interval (min) :1 -------------------------------------------------------------------------------------------------------- | Id | Protocol name | Auto-learn value | Age (min) | Status | -------------------------------------------------------------------------------------------------------- | 1|Port_256_TCP |Port_256_TCP | 0|Dynamic | | 2|72.163.4.162:256_TCP |72.163.4.162:256_TCP | 0|Dynamic | --------------------------------------------------------------------------------------------------------
Displaying NBAR Protocol Discovery Information for auto-custom Protocols
1.
show
ip
nbar
protocol-discovery
stat
auto-custom
DETAILED STEPS
| Command or Action | Purpose |
|---|
# show ip nbar protocol-discovery stats auto-custom
Ethernet0/0
Last clearing of "show ip nbar protocol-discovery" counters 1d05h
Input Output
----- ------
------------------------ ------------------------ ------------------------
www.abcdef-demo.com 152 0
Total 152 0
Feedback