NBAR

From Teknologisk videncenter

Network-Based Application Recognition

See Media:Bittorrent_pdlm_readme.pdf

NBAR on tunnels and encrypted interfaces

NBAR is not supported on the following logical interfaces:

• Fast EtherChannel

• Interfaces where tunneling or encryption is used

Note: NBAR cannot be used to classify output traffic on a WAN link where tunneling or encryption is used, because the packets are already encapsulated or encrypted by the time they reach the output side. Therefore, NBAR should be configured on other interfaces on the router (such as a LAN link) to perform input classification before the traffic is switched to the WAN link for output.

However, NBAR Protocol Discovery is supported on interfaces where tunneling or encryption is used. You can enable Protocol Discovery directly on the tunnel or on the interface where encryption is performed to gather key statistics on the various applications that are traversing the interface. The input statistics also show the total number of encrypted/tunneled packets received in addition to the per-protocol breakdowns.
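The configuration below is an added example, not part of the original page, showing the split the note above recommends: application classification is done inbound on the LAN interface, before the traffic is switched to the encrypted WAN link, while only Protocol Discovery runs on the crypto-map interface. The interface FastEthernet0/1, the class and policy names, the 172.16.1.0/24 LAN address, the 256 kbps policing rate and the DSCP value are assumptions for illustration; MYMAP is the crypto map used later on this page.

```cisco
! If bittorrent is not built into the NBAR version in use, load the PDLM
! described in the Bittorrent_pdlm_readme first (path assumed):
ip nbar pdlm flash:bittorrent.pdlm
!
! Classify peer-to-peer traffic on the unencrypted LAN side. NBAR cannot
! classify output traffic on the crypto-map interface, so matching must
! happen here, on ingress, before encryption.
class-map match-any P2P-TRAFFIC
 match protocol bittorrent
 match protocol fasttrack
 match protocol gnutella
!
! Mark matched P2P traffic and police it to an assumed 256 kbps on ingress.
! IOS copies the ToS byte to the outer IPsec header by default, so the
! DSCP marking is still visible for queuing on the WAN side after encryption.
policy-map LAN-IN
 class P2P-TRAFFIC
  set ip dscp cs1
  police 256000 conform-action transmit exceed-action drop
 class class-default
!
interface FastEthernet0/1
 description LAN (assumed 172.16.1.0/24)
 ip address 172.16.1.1 255.255.255.0
 service-policy input LAN-IN
!
! Protocol Discovery is supported on the encrypted interface, so it stays
! enabled there for statistics; no match-protocol policy is applied here.
interface FastEthernet0/0
 ip nbar protocol-discovery
 crypto map MYMAP
!
! Verification commands:
! show ip nbar protocol-discovery interface fastEthernet 0/1
! show policy-map interface fastEthernet 0/1
```

The Protocol Discovery counters on FastEthernet0/1 show what the policy is matching, while `show policy-map interface` on the same interface shows the conform and exceed counters of the policer; the counters on FastEthernet0/0 will only show the encrypted/tunneled totals for traffic that has already been encapsulated.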

See the IPsec example below.

crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 lifetime 3600
!
!
crypto ipsec transform-set 50 ah-sha-hmac esp-aes 256 esp-sha-hmac
!
crypto map MYMAP 10 ipsec-isakmp
 set peer 80.1.2.3
 set security-association lifetime seconds 900
 set transform-set 50
 match address 101
!
interface FastEthernet0/0
 ip address 90.2.3.4 255.255.255.0
 ip access-group 110 in
 <notice>ip nbar protocol-discovery</notice>
 crypto map MYMAP
!
access-list 101 permit ip 172.16.1.0 0.0.0.255 172.16.3.0 0.0.0.255
access-list 110 permit ahp host 80.1.2.3 host 90.2.3.4
access-list 110 permit esp host 80.1.2.3 host 90.2.3.4
access-list 110 permit udp host 80.1.2.3 host 90.2.3.4 eq isakmp

With the configuration above, you can display the protocol-discovery statistics. There was no traffic in my test, though.

R1#<input>show ip nbar protocol-discovery interface fastEthernet 0/0</input>

 FastEthernet0/0
                            Input                    Output
   Protocol                 Packet Count             Packet Count
                            Byte Count               Byte Count
                            5 minute bit rate (bps)  5 minute bit rate (bps)
   ------------------------ ------------------------ ------------------------
   bgp                      0                        0
                            0                        0
                            0                        0
   citrix                   0                        0
                            0                        0
                            0                        0
   cuseeme                  0                        0
                            0                        0
                            0                        0
   dhcp                     0                        0
                            0                        0
                            0                        0
   dns                      0                        0
                            0                        0
                            0                        0
   egp                      0                        0
                            0                        0
                            0                        0
   eigrp                    0                        0
                            0                        0
                            0                        0
   exchange                 0                        0
                            0                        0
                            0                        0
   fasttrack                0                        0
                            0                        0
                            0                        0
   finger                   0                        0
                            0                        0
                            0                        0
   ftp                      0                        0
                            0                        0
                            0                        0
<notice>Output omitted....</notice>