NBAR Protocol Pack
The NBAR protocol pack provides an easy way to update protocols supported by NBAR without replacing the base IOS image that is already present in the device. A protocol pack is a set of protocols developed and packed together. For more information about loading an NBAR Protocol Pack, see QoS: NBAR Configuration Guide. To view the list of protocols supported in a protocol pack, see NBAR Protocol Library.
- Finding Feature Information
- Prerequisites for the NBAR Protocol Pack
- Restrictions for the NBAR Protocol Pack
- Information About the NBAR Protocol Pack
- How to Load the NBAR Protocol Pack
- Configuration Examples for the NBAR Protocol Pack
- Additional References for NBAR Protocol Pack
- Feature Information for NBAR Protocol Pack
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Prerequisites for the NBAR Protocol Pack
The protocol pack must be copied to your local disk to avoid any errors after rebooting.
Note: It is strongly recommended to load the NBAR protocol pack that is the exact match for the NBAR engine, and also to load the latest rebuild of Cisco software.
Restrictions for the NBAR Protocol Pack
Only one protocol pack is supported per device.
Information About the NBAR Protocol Pack
- Protocol Pack Overview
- SSL Unique-name Sub-classification
- RTP Dynamic Payload Type Sub-classification
- New Categories and Sub-categories for QoS and Reporting in NBAR2 Protocol Pack 9.0.0
Protocol Pack Overview
NBAR protocol packs are software packages that update the NBAR protocol support on a device without replacing the Cisco software on the device. An NBAR protocol pack contains a set of signatures that is supported by NBAR.
Protocol packs provide the following features:
They are easy to load.
They are easy to upgrade to a higher version protocol pack or revert to a lower version protocol pack.
They provide only the required set of protocols.
Cisco provides users with two different protocol packs—the Standard Protocol Pack and the Advanced Protocol Pack—depending on whether they are using an unlicensed or licensed Cisco image.
Cisco provides a specific identity number for the organization (also known as the “publisher”) that creates the protocol packs and uses Cisco tools and processes to create new protocol packs. The organization that creates the protocol pack owns the pack.
Cisco provides the Advanced Protocol Pack as the base protocol pack with a licensed Cisco image on a device. The Advanced Protocol Pack has the complete set of Protocol Description Language (PDL) files available for a release. On the Advanced Protocol Pack, only a PDLM with the NAME field as Advanced Protocol Pack can be loaded.
Cisco provides the Standard Protocol Pack as the base protocol pack with an unlicensed Cisco image on a device. The Standard Protocol Pack has limited features and functionality. Some of the features, such as Category and Attributes, Field Extraction, and Tunneled Classification, are not supported. On the Standard Protocol Pack, only a PDLM with the NAME field as Standard Protocol Pack can be loaded.
To view the list of protocols supported in a protocol pack, see NBAR Protocol Library.
The NBAR taxonomy file contains information such as the common name, description, and underlying protocol for every protocol that is available in the protocol pack. Use the show ip nbar protocol-pack active taxonomy, show ip nbar protocol-pack inactive taxonomy, and show ip nbar protocol-pack loaded taxonomy commands to view the taxonomy file for the active protocol pack, the inactive protocol pack, and all loaded protocol packs, respectively.
The NBAR taxonomy file generally contains information for more than 1000 protocols, and the file size is ~2 MB. It is recommended to redirect the output of the show ip nbar protocol-pack [active | inactive | loaded] taxonomy command to a file by using the redirect output modifier, for example, show ip nbar protocol-pack active taxonomy | redirect harddisk:nbar_taxonomy.xml.
SSL Unique-name Sub-classification
With NBAR2 Protocol Pack 7.0.0, a new sub-classification parameter called 'unique-name' is introduced for Secure Socket Layer (SSL). The unique-name parameter can be used to match SSL sessions of servers that are not known globally, or are not yet supported by NBAR. The unique-name will match the server name indication (SNI) field in the client request if the SNI field exists, or it will match the common name (CN) field in the first certificate of the server's response.
NBAR2 Protocol Pack 7.0.0 also supports SSL sessions that use a session-id rather than a handshake.
Note: The SSL sub-classification parameters have priority over the built-in signatures. Therefore, when a user-defined unique-name matches a known application such as Facebook, the flow will not match the built-in protocol but will match SSL with the configured sub-classification.
Note: As with the other sub-classification features, the classification result (for example, as seen in protocol-discovery) does not change and remains SSL. However, the flows matching the class maps receive the services configured for them, such as QoS and Performance Monitor. To view the detailed matching statistics, refer to the policy map counters.
For more information on SSL, see http://tools.ietf.org/html/rfc6101.
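The unique-name behaviour described above (SNI from the ClientHello if present, otherwise the CN of the server's first certificate, with a configured unique-name taking priority over the built-in signature) modelled in Python. This is an added example, not Cisco code or NBAR internals; the ClientHello is constructed in the block, and classify_ssl, build_client_hello and the builtin_app parameter are names chosen here for illustration.

```python
import struct

def build_client_hello(server_name=None):
    """Construct a minimal TLS ClientHello handshake message (test input, not a capture).

    Layout: type(1) length(3) version(2) random(32) session_id cipher_suites
    compression_methods extensions; the server_name extension has type 0."""
    body = b"\x03\x03" + bytes(32)              # client_version, random
    body += b"\x00"                              # session_id: empty
    body += b"\x00\x02\x13\x01"                  # cipher_suites: one suite
    body += b"\x01\x00"                          # compression_methods: null
    ext = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name
        sni = struct.pack("!H", len(entry)) + entry              # server_name_list
        ext += struct.pack("!HH", 0, len(sni)) + sni
    body += struct.pack("!H", len(ext)) + ext
    return b"\x01" + len(body).to_bytes(3, "big") + body

def extract_sni(hello):
    """Return host_name from the ClientHello's server_name extension, or None if absent."""
    if len(hello) < 43 or hello[0] != 1:
        return None
    pos = 4 + 2 + 32                                           # header, version, random
    pos += 1 + hello[pos]                                      # session_id
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]      # cipher_suites
    pos += 1 + hello[pos]                                      # compression_methods
    if pos + 2 > len(hello):
        return None                                            # no extensions block
    end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
        pos += 4
        if etype == 0:
            p = pos + 2                                        # skip server_name_list length
            while p + 3 <= pos + elen:
                ntype, nlen = hello[p], struct.unpack("!H", hello[p + 1:p + 3])[0]
                if ntype == 0:
                    return hello[p + 3:p + 3 + nlen].decode("ascii")
                p += 3 + nlen
        pos += elen
    return None

def classify_ssl(unique_names, client_hello, first_cert_cn, builtin_app="ssl"):
    """Apply the documented precedence: SNI if present, else the CN of the server's first
    certificate; a configured unique-name wins over the built-in signature (builtin_app)."""
    name = extract_sni(client_hello) or first_cert_cn
    if name in unique_names:
        return ("ssl", name)       # what "match protocol ssl unique-name <name>" would hit
    return (builtin_app, None)     # falls through to the built-in classification
```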
RTP Dynamic Payload Type Sub-classification
With NBAR2 Protocol Pack 7.0.0, the existing sub-classification parameters for Real-time Transport Protocol (RTP) audio and RTP video are enhanced to detect RTP flows that use dynamic payload types (PT). Dynamic PTs are PTs in the dynamic range from 96 to 127 as defined in the RTP RFC, and are selected per session through signaling protocols such as SIP and RTSP. In this protocol pack, only RTP sessions initiated using SIP will match by dynamic payload type.
Note: The RTP audio/video sub-classification parameters are generic in nature and match only generic RTP traffic. More specific classifications such as ms-lync-audio, cisco-jabber-audio, facetime, and cisco-phone do not match as RTP, and therefore do not match the audio/video sub-classification.
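The dynamic payload type mechanism described above, as an added example (not Cisco code): the SDP carried in SIP signaling binds a number in the 96 to 127 range to a media type and codec for one session, and an RTP packet's PT is resolved against the RFC 3551 static table first and the learned per-session map second. The SDP body and RTP headers are constructed here; learn_dynamic_pts, classify_rtp and rtp_packet are names chosen for illustration.

```python
import re

# Static payload types from the RFC 3551 audio/video profile (subset); everything
# in 96..127 is dynamic and only meaningful once signalling has bound it.
STATIC_PT = {0: "audio", 3: "audio", 4: "audio", 8: "audio", 9: "audio", 18: "audio",
             26: "video", 31: "video", 32: "video", 34: "video"}
DYNAMIC_RANGE = range(96, 128)

# Constructed SDP body as carried in a SIP INVITE (not a real capture).
SAMPLE_SDP = """v=0
o=- 1 1 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 49170 RTP/AVP 0 96
a=rtpmap:0 PCMU/8000
a=rtpmap:96 opus/48000/2
m=video 51372 RTP/AVP 97
a=rtpmap:97 H264/90000
"""

def learn_dynamic_pts(sdp):
    """Return {dynamic_pt: (media_type, codec)} negotiated by an SDP body.

    The m= line says which media a PT belongs to; the a=rtpmap line names the codec.
    This is the per-session state a signalling-aware sub-classification relies on."""
    mapping = {}
    for line in sdp.splitlines():
        m_line = re.match(r"m=(audio|video) \d+ RTP/S?AVPF? ([\d ]+)$", line.strip())
        if m_line:
            for pt in map(int, m_line.group(2).split()):
                if pt in DYNAMIC_RANGE:
                    mapping[pt] = (m_line.group(1), None)
            continue
        rtpmap = re.match(r"a=rtpmap:(\d+) ([^/]+)/", line.strip())
        if rtpmap and int(rtpmap.group(1)) in mapping:
            pt = int(rtpmap.group(1))
            mapping[pt] = (mapping[pt][0], rtpmap.group(2))
    return mapping

def rtp_packet(pt, marker=False):
    """Construct a 12-byte RTP header (version 2) carrying payload type pt (test input)."""
    return bytes([0x80, (0x80 if marker else 0) | pt]) + b"\x00\x01\x00\x00\x00\xa0\xde\xad\xbe\xef"

def classify_rtp(packet, dynamic_pts):
    """Return 'audio', 'video' or None for one RTP packet.

    Static PTs resolve from the RFC 3551 table; dynamic PTs resolve only if the
    session's signalling bound them, mirroring the SIP-only behaviour described above."""
    if len(packet) < 12 or packet[0] >> 6 != 2:
        return None                      # not an RTP version 2 header
    pt = packet[1] & 0x7F                # low 7 bits of byte 1; the high bit is the marker
    if pt in STATIC_PT:
        return STATIC_PT[pt]
    if pt in DYNAMIC_RANGE and pt in dynamic_pts:
        return dynamic_pts[pt][0]
    return None
```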
New Categories and Sub-categories for QoS and Reporting in NBAR2 Protocol Pack 9.0.0
NBAR2 Protocol Pack 9.0.0 introduces new categories and sub-categories that make QoS configuration easier and AVC reports more meaningful. As part of this change, the category and sub-category assignments of many protocols have been updated to better reflect their categorization in enterprise networks.
The new categories allow more granularity in reports that are based on Category.
The new sub-categories can be used for generating even more granular reports, and are very useful for implementing QoS policies that follow the Cisco SRND QoS model. The new sub-categories divide applications into business and consumer, as well as by media type, so that it is easy to build an MQC class map that maps a specific sub-category to the desired SRND class of service and applies QoS. For more information about SRND, see http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/QoS_SRND_40/QoSIntro_40.html#wp61104.
It is also easier to customize the QoS definitions without changing the MQC class map: use attribute maps to reassign a specific application to a sub-category other than the one it is assigned by default.
For a complete list of protocols and their mappings, refer to the specific protocols in the protocol book, or use the show ip nbar attribute category or the show ip nbar attribute sub-category command.
Categories and Sub-categories Supported in NBAR2 Protocol Pack 9.0.0
The following is the list of Categories supported in NBAR2 Protocol Pack 9.0.0:
- anonymizers
- backup-and-storage
- browsing
- business-and-productivity-tools
- database
- epayment
- file-sharing
- gaming
- industrial-protocols
- instant-messaging
- internet-security
- inter-process-rpc
- layer3-over-ip
- location-based-services
- net-admin
- newsgroup
- other
- social-networking
- software-updates
- trojan
- voice-and-video
The following is the list of Sub-categories supported in NBAR2 Protocol Pack 9.0.0:
- authentication-services
- backup-systems
- consumer-audio-streaming
- consumer-cloud-storage
- consumer-multimedia-messaging
- consumer-video-streaming
- consumer-web-browsing
- control-and-signaling
- desktop-virtualization
- enterprise-cloud-data-storage
- enterprise-data-center-storage
- enterprise-multimedia-conferencing
- enterprise-realtime-applications
- enterprise-rich-media-content
- enterprise-software-deployment-tools
- enterprise-transactional-applications
- enterprise-video-broadcast
- enterprise-voice-collaboration
- file-transfer
- naming-services
- network-management
- os-updates
- other
- p2p-file-transfer
- p2p-networking
- remote-access-terminal
- routing-protocol
- tunneling-protocols
Note: In this update, some categories and sub-categories that are not in common use have been removed or renamed. Some values have moved from sub-category to category to provide better granularity at the category level. Therefore, existing class-maps that contain matches based on removed or renamed values are automatically removed when the protocol pack is installed, and the command is not replaced. Refer to the list of removed/renamed values below to verify that none of the existing policies is affected by the change.
The following categories are removed in NBAR2 Protocol Pack 9.0.0:
The following sub-categories are removed in NBAR2 Protocol Pack 9.0.0:
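Two tasks from this section worked in Python as an added example (not Cisco tooling): parsing the taxonomy XML that show ip nbar protocol-pack active taxonomy emits, so the pack's category, sub-category, tunnel and encrypted attributes can be queried offline, and checking a running-config's attribute-based class-map matches against that taxonomy before installing a pack, since the note above says matches on removed or renamed values are dropped silently. The taxonomy sample follows the XML shape shown later on this page but is constructed and trimmed; the class-map excerpt is hypothetical, and its "match protocol attribute category|sub-category <value>" form is an assumption of this example (the page itself only shows match protocol ssl).

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the "show ip nbar protocol-pack active taxonomy"
# output on this page, trimmed to the fields this audit reads.
SAMPLE_TAXONOMY = """<?xml version="1.0"?>
<NBAR2-Taxonomy>
  <protocol>
    <name>active-directory</name><enabled>true</enabled>
    <attributes>
      <category>net-admin</category><sub-category>network-management</sub-category>
      <p2p-technology>false</p2p-technology><tunnel>false</tunnel><encrypted>false</encrypted>
    </attributes>
    <underlying-protocols>cifs,ldap,ssl,ms-rpc</underlying-protocols>
  </protocol>
  <protocol>
    <name>activesync</name><enabled>true</enabled>
    <attributes>
      <category>business-and-productivity-tools</category><sub-category>client-server</sub-category>
      <p2p-technology>false</p2p-technology><tunnel>false</tunnel><encrypted>true</encrypted>
    </attributes>
    <underlying-protocols>http</underlying-protocols>
  </protocol>
</NBAR2-Taxonomy>"""

def parse_taxonomy(xml_text):
    """Return {protocol name: attribute dict} for every <protocol> in a taxonomy file."""
    protocols = {}
    for proto in ET.fromstring(xml_text).findall("protocol"):
        attrs = proto.find("attributes")
        protocols[proto.findtext("name")] = {
            "enabled": proto.findtext("enabled") == "true",
            "category": attrs.findtext("category"),
            "sub_category": attrs.findtext("sub-category"),
            "tunnel": attrs.findtext("tunnel") == "true",
            "encrypted": attrs.findtext("encrypted") == "true",
            "p2p": attrs.findtext("p2p-technology") == "true",
            "underlying": proto.findtext("underlying-protocols", "").split(","),
        }
    return protocols

def select(protocols, **wanted):
    """Names of protocols whose attributes equal every keyword given, e.g. select(p, encrypted=True)."""
    return sorted(name for name, attrs in protocols.items()
                  if all(attrs.get(k) == v for k, v in wanted.items()))

# Hypothetical running-config excerpt; the attribute-matching form is assumed here.
SAMPLE_CLASS_MAPS = """class-map match-any mgmt-traffic
 match protocol attribute category net-admin
class-map match-any watch-list
 match protocol attribute sub-category client-server
 match protocol attribute category anonymizers
"""
MATCH_RE = re.compile(r"^\s*match protocol attribute (category|sub-category) (\S+)", re.M)

def audit_class_maps(config_text, protocols):
    """Return (kind, value) matches that no protocol in this pack carries.

    A match on a value the new pack no longer carries is dropped silently on install,
    so run this against the new pack's taxonomy before loading it."""
    carried = {"category": {a["category"] for a in protocols.values()},
               "sub-category": {a["sub_category"] for a in protocols.values()}}
    return [(kind, value) for kind, value in MATCH_RE.findall(config_text)
            if value not in carried[kind]]
```

With the full ~2 MB taxonomy redirected to a file as the earlier section suggests, read that file into parse_taxonomy instead of the sample.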
How to Load the NBAR Protocol Pack
Loading the NBAR Protocol Pack
1. enable
2. configure terminal
3. ip nbar protocol-pack protocol-pack [force]
4. exit
5. show ip nbar protocol-pack {protocol-pack | active} [detail]
Configuration Examples for the NBAR Protocol Pack
- Example: Loading the NBAR Protocol Pack
- Example: Verifying the Loaded NBAR Protocol Pack
- Example: Viewing the NBAR Taxonomy Information
- Example: Classifying SSL Sessions
- Example: Classifying RTP Dynamic Payload Type
Example: Loading the NBAR Protocol Pack
The following example shows how to load an NBAR protocol pack named defProtoPack from the harddisk:
```
Device> enable
Device# configure terminal
Device(config)# ip nbar protocol-pack harddisk:defProtoPack
Device(config)# exit
```
The following example shows how to revert to the base image version of NBAR protocol pack:
```
Device> enable
Device# configure terminal
Device(config)# default ip nbar protocol-pack
Device(config)# exit
```
The following example shows how to load a protocol pack of a lower version using the force keyword:
```
Device> enable
Device# configure terminal
Device(config)# ip nbar protocol-pack harddisk:olddefProtoPack force
Device(config)# exit
```
Example: Verifying the Loaded NBAR Protocol Pack
The following sample output from the show ip nbar protocol-pack active command shows information about the protocol pack that is provided by default with a licensed Cisco image on a device:
```
Device# show ip nbar protocol-pack active

ACTIVE protocol pack:
Name:                            Advanced Protocol Pack
Version:                         1.0
Publisher:                       Cisco Systems Inc.
NBAR Engine Version:             14
```
The following sample output from the show ip nbar protocol-pack active detail command shows detailed information about the active protocol pack that is provided by default with a licensed Cisco image on a device:
```
Device# show ip nbar protocol-pack active detail

ACTIVE protocol pack:
Name:                            Advanced Protocol Pack
Version:                         1.0
Publisher:                       Cisco Systems Inc.
NBAR Engine Version:             14
Protocols:
base                   Mv: 4
ftp                    Mv: 5
http                   Mv: 18
static                 Mv: 6
socks                  Mv: 2
nntp                   Mv: 2
tftp                   Mv: 2
exchange               Mv: 3
vdolive                Mv: 1
sqlnet                 Mv: 2
netshow                Mv: 3
sunrpc                 Mv: 3
streamwork             Mv: 2
citrix                 Mv: 11
fasttrack              Mv: 3
gnutella               Mv: 7
kazaa2                 Mv: 11
```
The following sample output from the show ip nbar protocol-pack command shows the protocol pack information of an advanced protocol pack that is present in the specified device location:
```
Device# show ip nbar protocol-pack disk:0ppsmall_higherversion

Name:                            Advanced Protocol Pack
Version:                         2.0
Publisher:                       Cisco Systems Inc.
NBAR Engine Version:             14
Creation time:                   Mon Jul 16 09:29:34 UTC 2012
```
The following sample output from the show ip nbar protocol-pack command shows detailed protocol pack information present in the specified disk location:
```
Device# show ip nbar protocol-pack disk:0ppsmall_higherversion detail

Name:                            Advanced Protocol Pack
Version:                         2.0
Publisher:                       Cisco Systems Inc.
NBAR Engine Version:             14
Creation time:                   Mon Jul 16 09:29:34 UTC 2012
Protocol Pack contents:
iana                   Mv: 1
base                   Mv: 4
tftp                   Mv: 2
```
The following sample output from the show ip nbar protocol-pack command shows information about the active protocol pack with an unlicensed Cisco image on a device:
```
Device# show ip nbar protocol-pack active

ACTIVE protocol pack:
Name:                            Standard Protocol Pack
Version:                         1.0
Publisher:                       Cisco Systems Inc.
```
Example: Viewing the NBAR Taxonomy Information
The following sample output from the show ip nbar protocol-pack active taxonomy command shows the information about the protocols in the active protocol pack:
```
Device# show ip nbar protocol-pack active taxonomy

Protocol Pack Taxonomy for Advanced Protocol Pack:
<?xml version="1.0"?>
<NBAR2-Taxonomy>
  <protocol>
    <name>active-directory</name>
    <engine-id>7</engine-id>
    <enabled>true</enabled>
    <selector-id>473</selector-id>
    <help-string>Active Directory Traffic</help-string>
    <global-id>L7:473</global-id>
    <common-name>Active Directory</common-name>
    <static>false</static>
    <attributes>
      <category>net-admin</category>
      <application-group>other</application-group>
      <p2p-technology>false</p2p-technology>
      <tunnel>false</tunnel>
      <encrypted>false</encrypted>
      <sub-category>network-management</sub-category>
    </attributes>
    <ip-version>
      <ipv4>true</ipv4>
      <ipv6>true</ipv6>
    </ip-version>
    <references>http://www.microsoft.com/en-us/server-cloud/windows-server/active-directory.aspx</references>
    <id>1194</id>
    <underlying-protocols>cifs,ldap,ssl,ms-rpc</underlying-protocols>
    <long-description-is-final>true</long-description-is-final>
    <long-description>a directory service created by Microsoft for Windows domain networks, responsible for authenticating and authorizing all users and computers within a network of Windows domain type, assigning and enforcing security policies for all computers in a network and installing or updating software on network computers</long-description>
    <pdl-version>1</pdl-version>
    <uses-bundling>false</uses-bundling>
  </protocol>
  <protocol>
    <name>activesync</name>
    <engine-id>7</engine-id>
    <enabled>true</enabled>
    <selector-id>490</selector-id>
    <help-string>Microsoft Activesync protocol </help-string>
    <global-id>L7:490</global-id>
    <common-name>ActiveSync</common-name>
    <static>false</static>
    <attributes>
      <category>business-and-productivity-tools</category>
      <application-group>other</application-group>
      <p2p-technology>false</p2p-technology>
      <tunnel>false</tunnel>
      <encrypted>true</encrypted>
      <sub-category>client-server</sub-category>
    </attributes>
    <ip-version>
      <ipv4>true</ipv4>
      <ipv6>true</ipv6>
    </ip-version>
    <references>http://msdn.microsoft.com/en-us/library/dd299446(v=exchg.80).aspx</references>
    <id>1419</id>
    <underlying-protocols>http</underlying-protocols>
    <long-description-is-final>true</long-description-is-final>
    <long-description>ActiveSync is a mobile data synchronization technology and protocol based on HTTP, developed by Microsoft. There are two implementations of the technology: one which synchronizes data and information with handheld devices with a specific desktop computer, and another technology, commonly known as Exchange ActiveSync (or EAS), which provides push synchronization of contacts, calendars, tasks, and email between ActiveSync-enabled servers and devices.</long-description>
    <pdl-version>1</pdl-version>
    <uses-bundling>false</uses-bundling>
  </protocol>
  . . . .
```
Example: Classifying SSL Sessions
The following example shows how an SSL-based service with the server name as 'finance.cisco.com' is matched using unique-name:
```
Device> enable
Device# configure terminal
Device(config)# class-map match-any cisco-finance
Device(config-cmap)# match protocol ssl unique-name finance.cisco.com
```
Example: Classifying RTP Dynamic Payload Type
The following example shows how to detect RTP audio flows that include both static and dynamic PT:
```
Device> enable
Device# configure terminal
Device(config)# class-map match-any generic-rtp-audio
Device(config-cmap)# match protocol rtp audio
```
Additional References for NBAR Protocol Pack
Related Documents

| Related Topic | Document Title |
|---|---|
| Cisco IOS commands | |
| Cisco IOS LAN Switching commands | |
| Cisco IOS QoS configuration information | QoS Configuration Guide |
Standards and RFCs

| Standards/RFCs | Document Title |
|---|---|
| RFC 3551 | RTP Profile for Audio and Video Conferences with Minimal Control |
| RFC 6101 | The Secure Sockets Layer (SSL) Protocol Version 3.0 |
Technical Assistance

| Description | Link |
|---|---|
| The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. | |
Feature Information for NBAR Protocol Pack
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
| Feature Name | Releases | Feature Information |
|---|---|---|
| NBAR Protocol Pack | Cisco IOS XE Release 3.3S | This feature was introduced on Cisco ASR 1000 Series Aggregation Services Routers. The NBAR Protocol Pack feature provides an easy way to configure the protocol pack, which is a set of protocols developed and packed together. The following commands were introduced or modified: default ip nbar protocol-pack, ip nbar protocol-pack, show ip nbar protocol-pack. |
| NBAR2 Protocol Pack 7.0.0 | Cisco IOS XE Release 3.9S | This feature was introduced on Cisco ASR 1000 Series Aggregation Services Routers. The following sections provide information about this feature: SSL Unique-name Sub-classification and RTP Dynamic Payload Type Sub-classification. |
| NBAR2: Integrate NBAR Taxonomy into the Router | Cisco IOS XE Release 3.11S | The NBAR taxonomy contains information such as the common name, description, and underlying protocol for every protocol that is available in the protocol pack. The following commands were introduced or modified: show ip nbar protocol-pack. |
| NBAR2 Protocol Pack 9.0.0 | Cisco IOS XE Release 3.13S | This feature was introduced on Cisco ASR 1000 Series Aggregation Services Routers. The following section provides information about this feature: New Categories and Sub-categories for QoS and Reporting in NBAR2 Protocol Pack 9.0.0. |