Network Based Application Recognition, or NBAR, is an intelligent detection feature of Cisco IOS. When it comes to recognizing an application, NBAR does not rely on the port number alone; it inspects the packet deeply, looking at both the payload and the header information. Based on that deep inspection, NBAR identifies traffic more accurately and places it into the correct application category.
Traditionally we inspected traffic on routers based on well-known port numbers. This is fine for a normal flow, but sometimes we need to inspect traffic at the application layer, especially when we are giving priority, or applying restrictions, to certain types of application for some reason. Meanwhile, some clever geek may be running their application on some other port instead of that application's default well-known port. By doing so they may either bypass some ACL rules or gain priority over ordinary traffic.
What is Application Layer Inspection?

All applications have some standard defined for their header or payload structure. Routers are generally capable of inspecting traffic only up to the layer-4 headers, i.e. based on the standard ports used by the respective applications. So there is always a possibility that some traffic uses a standard port but does not carry the respective application.

For example, you may access some website using a browser, which will ultimately generate traffic on port 80. The same can be achieved from a Telnet prompt by doing a Telnet to the same website on port 80. An ACL will find both packets identical, because the ACL inspects packets based on port information and sees both packets destined to port 80. However, the packet format and payload information of the two packets will be different, and that difference can only be recognized by inspecting the application layer.
Why Do We Need Application Layer Inspection?

Sometimes we need to prioritize our time-sensitive packets (like Voice, Video, RTP) over traditional traffic on the network. Or maybe we need to assign a certain percentage of the total bandwidth to a particular class against some bandwidth-greedy traffic (like FTP, P2P, Torrents) which might otherwise consume all of it. Also, we may need to identify and block certain types of application on our network for security or performance reasons. So it is quite important to identify the correct application in order to take the appropriate action.
How Does NBAR Inspect Traffic at the Application Layer?

Routers, by default, are able to inspect packets only up to layer-4, and that is why we apply ACL filters based on port values. Cisco, however, introduced a special feature in its IOS called NBAR, which empowers the router to inspect traffic up to layer-7.

NBAR uses PDLMs (Protocol Description Language Modules), which are equipped with the rule or signature definitions of a particular application type. NBAR carries PDLMs for a vast range of applications and analyzes the traffic against them. Based on the best match between the traffic and the rule set of a PDLM, NBAR identifies the traffic as a specific application class.
How to Configure Cisco Routers with NBAR?

Enabling application layer inspection on a Cisco router is very easy and is done at the interface level.

Router(config-if)# ip nbar protocol-discovery

That's it. This command activates the NBAR engine and starts application-level inspection on that specific interface. Classified information about individual applications can now be monitored with the following command.
Router# show ip nbar protocol-discovery stats bit-rate top-n 5

 Last clearing of "show ip nbar protocol-discovery" counters 00:00:31

                            Input                     Output
                            -----                     ------
 Protocol                   30sec Bit Rate (bps)      30sec Bit Rate (bps)
 ------------------------   ------------------------  ------------------------
 http                       43000                     592000
 secure-http                51000                     105000
 dns                        1000                      4000
 snmp                       0                         0
 icmp                       0                         0
 unknown                    37000                     532000
 Total                      132000                    1233000
You can change top-n as per your need. In this example the output shows the top 5 application flows out of the entire traffic through the interfaces where NBAR is applied. Similarly, you can also check the following command:

Router# show ip nbar protocol-discovery top-n 7
How to Update NBAR Definitions (Manual and PDLM)?

Based on the PDLMs installed in the router you will see the default definitions of the different applications. Using the following command you can see which particular application is using which set of default ports for inspection.

Router# show ip nbar port-map
port-map bgp           udp 179
port-map bgp           tcp 179
port-map bittorrent    tcp 6969 6881 6882 6883 6884 6885 6886 6887 6888 6889
port-map citrix        udp 1604
port-map citrix        tcp 2598 2512 2513 1494
port-map cuseeme       udp 7648 7649 24032
port-map cuseeme       tcp 7648 7649
port-map dhcp          udp 67 68
port-map directconnect tcp 411 412 413
port-map dns           udp 53
port-map dns           tcp 53
port-map edonkey       tcp 4662
port-map exchange      tcp 135
port-map fasttrack     tcp 1214
port-map finger        tcp 79
port-map ftp           tcp 21
port-map gnutella      udp 6346 6347 6348
port-map gnutella      tcp 6346 6347 6348 6349 6355 5634
port-map http          tcp 80
You can also create a special application definition for a specific set of ports involved in the flow.

Router(config)# ip nbar custom MY-SCRIPT ?
  <0-255>      BYTE offset of field to search for in payload (optional)
  destination  Destination Flow
  source       Source Flow
  tcp          TCP ports
  udp          UDP ports

This way you can create your own application definition and get more classified matches.
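As an added example (not configuration from the original post), the following defines two custom applications with the ip nbar custom syntax shown in the help output above. MY-WEBAPP is classified purely by a destination TCP port range, while MY-PROBE additionally requires the ASCII string "PROBE" at byte offset 0 of the payload, which is the offset/format/value form of the command. The application names, ports and payload string are assumptions chosen for illustration.

```cisco
! Added example, not from the original post. Application names, ports
! and the payload string are illustrative assumptions.
!
! Custom application identified only by destination TCP ports 8081-8082.
! Traffic to those ports is reported as MY-WEBAPP instead of "unknown".
Router(config)# ip nbar custom MY-WEBAPP destination tcp range 8081 8082
!
! Custom application that is matched only when the payload carries the
! ASCII string "PROBE" starting at byte offset 0, on source UDP port 5000.
! Port alone is not enough here: a different application using UDP/5000
! without that string is not classified as MY-PROBE.
Router(config)# ip nbar custom MY-PROBE 0 ascii PROBE source udp 5000
Router(config)# end
!
! Confirm both definitions were accepted into the running configuration.
Router# show running-config | include ip nbar custom
```

Once defined, the custom names behave like any other NBAR protocol: they show up in the protocol-discovery statistics and can be matched by name in a class-map.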
Predefined applications can also be modified. For example, if you already know that ports 8080 and 8888 are being used for some web application on your network, you may manually add these ports to the http protocol definition alongside the traditional port 80.

Router(config)# ip nbar port-map http tcp 80 8080 8888

You can specify up to 16 ports for a predefined application category.
Apart from this manual tuning, a PDLM can be downloaded from Cisco's website. So you need to browse for and download the PDLM of the specific application you are looking for. Cisco updates these PDLMs on a regular basis and also adds new PDLMs for new application definitions.

So let's assume you have downloaded the PDLM for bittorrent from Cisco's website and stored it in the flash of the router. Now you can install it from global configuration mode:

Router(config)# ip nbar pdlm flash://bittorrent.pdlm

Doing so adds bittorrent to the protocol definition list of your router.
How to Get Benefit of NBAR Inspection

We have classified the applications so far, but how to get benefit out of this information remains unanswered. You can use NBAR application recognition in QoS for marking a traffic type: the interesting traffic is matched in a class-map, and a rule set such as prioritization, bandwidth reservation or queuing is applied in a policy-map.

Apart from QoS, Zone Based Firewalls (ZBF) are used on a router to inspect traffic and restrict unwanted traffic from travelling from one zone to another. In ZBF too, NBAR helps with accurate inspection of the application while matching the desired traffic.
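The two uses described above, QoS marking/queuing and ZBF restriction, are shown together in the following added example; it is not configuration from the original post. Part 1 builds class-maps with match protocol (which invokes the NBAR engine by itself; protocol-discovery is left on only for the statistics shown earlier) and attaches a policy-map to the WAN interface. Part 2 reuses NBAR matching inside a zone-based firewall so that only recognized web and DNS traffic may leave the inside zone. The interface names, zone and class names, percentages and police rate are assumptions chosen for illustration.

```cisco
! Added example, not from the original post. Interface, zone and class
! names, percentages and the police rate are illustrative assumptions.
!
! ---- Part 1: NBAR classification feeding QoS ----
! 'match protocol' classifies on the NBAR application name, so a P2P
! client moved to port 80 still lands in class P2P, not in class WEB.
Router(config)# class-map match-any REALTIME
Router(config-cmap)# match protocol rtp
Router(config-cmap)# exit
Router(config)# class-map match-any WEB
Router(config-cmap)# match protocol http
Router(config-cmap)# match protocol secure-http
Router(config-cmap)# exit
Router(config)# class-map match-any P2P
Router(config-cmap)# match protocol bittorrent
Router(config-cmap)# match protocol edonkey
Router(config-cmap)# exit
!
Router(config)# policy-map WAN-OUT
Router(config-pmap)# class REALTIME
! Low-latency queue for voice/video, capped at 20% of the link.
Router(config-pmap-c)# priority percent 20
Router(config-pmap-c)# set dscp ef
Router(config-pmap)# class WEB
! Guaranteed share during congestion; may use more when the link is idle.
Router(config-pmap-c)# bandwidth percent 30
Router(config-pmap)# class P2P
! Bandwidth-greedy traffic is rate-limited to 128 kbps; excess is dropped.
Router(config-pmap-c)# police 128000 conform-action transmit exceed-action drop
Router(config-pmap)# class class-default
Router(config-pmap-c)# fair-queue
Router(config-pmap-c)# exit
Router(config-pmap)# exit
!
Router(config)# interface GigabitEthernet0/1
Router(config-if)# ip nbar protocol-discovery
Router(config-if)# service-policy output WAN-OUT
Router(config-if)# exit
!
! ---- Part 2: the same NBAR recognition inside a Zone-Based Firewall ----
! Only traffic NBAR recognizes as HTTP, HTTPS or DNS is inspected and
! allowed out; everything else, whatever port it uses, is dropped and logged.
Router(config)# class-map type inspect match-any ALLOWED-OUT
Router(config-cmap)# match protocol http
Router(config-cmap)# match protocol https
Router(config-cmap)# match protocol dns
Router(config-cmap)# exit
Router(config)# policy-map type inspect INSIDE-TO-OUTSIDE
Router(config-pmap)# class type inspect ALLOWED-OUT
Router(config-pmap-c)# inspect
Router(config-pmap)# class class-default
Router(config-pmap-c)# drop log
Router(config-pmap-c)# exit
Router(config-pmap)# exit
!
Router(config)# zone security INSIDE
Router(config-sec-zone)# exit
Router(config)# zone security OUTSIDE
Router(config-sec-zone)# exit
Router(config)# zone-pair security IN-OUT source INSIDE destination OUTSIDE
Router(config-sec-zone-pair)# service-policy type inspect INSIDE-TO-OUTSIDE
Router(config-sec-zone-pair)# exit
Router(config)# interface GigabitEthernet0/0
Router(config-if)# zone-member security INSIDE
Router(config-if)# exit
Router(config)# interface GigabitEthernet0/1
Router(config-if)# zone-member security OUTSIDE
Router(config-if)# end
```

After applying the policy, show policy-map interface GigabitEthernet0/1 reports per-class packet counts, so the effect of each NBAR match on real traffic can be checked; the drop log action in the firewall's class-default produces syslog entries for whatever NBAR could not place into an allowed application.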
Cisco has also come out with Next Generation NBAR, or NBARv2, which has its advantages over traditional NBAR. However, its operation and functionality remain the same. You can browse Cisco's website for more details about NBARv2.

Well, I found this feature very interesting and useful, so I shared it with you all... Hope you also learnt something additional from this blog. Please write your feedback about this blog and corrections, if any.