Difference between revisions of "NBAR"
From Teknologisk videncenter
m (→Network-Based Application Recognition) |
m (→NBAR on tunnels and encrypted Interfaces) |
||
| (3 intermediate revisions by the same user not shown) | |||
| Line 4: | Line 4: | ||
= NBAR on tunnels and encrypted Interfaces = | = NBAR on tunnels and encrypted Interfaces = | ||
| − | NBAR is not | + | NBAR is not supported on the following logical interfaces: |
| − | = | + | •Fast EtherChannel |
| + | |||
| + | •Interfaces where tunneling or encryption is used | ||
| + | |||
| + | Note NBAR cannot be used to classify output traffic on a WAN link where tunneling or encryption is used. Therefore, NBAR should be configured on other interfaces on the router (such as a LAN link) to perform input classification before the traffic is switched to the WAN link for output. | ||
| + | |||
| + | However, NBAR Protocol Discovery is supported on interfaces where tunneling or encryption is used. You can enable Protocol Discovery directly on the tunnel or on the interface where encryption is performed to gather key statistics on the various applications that are traversing the interface. The input statistics also show the total number of encrypted/tunneled packets received in addition to the per-protocol breakdowns. | ||
| + | |||
| + | See [[IPsec Cisco IOS|IPsec]] example below. | ||
| + | <source lang=cli> | ||
| + | crypto isakmp policy 10 | ||
| + | encr aes 256 | ||
| + | authentication pre-share | ||
| + | group 5 | ||
| + | lifetime 3600 | ||
| + | ! | ||
| + | ! | ||
| + | crypto ipsec transform-set 50 ah-sha-hmac esp-aes 256 esp-sha-hmac | ||
| + | ! | ||
| + | crypto map MYMAP 10 ipsec-isakmp | ||
| + | set peer 80.1.2.3 | ||
| + | set security-association lifetime seconds 900 | ||
| + | set transform-set 50 | ||
| + | match address 101 | ||
| + | ! | ||
| + | interface FastEthernet0/0 | ||
| + | ip address 90.2.3.4 255.255.255.0 | ||
| + | ip access-group 110 in | ||
| + | <notice>ip nbar protocol-discovery</notice> | ||
| + | crypto map MYMAP | ||
| + | ! | ||
| + | access-list 101 permit ip 172.16.1.0 0.0.0.255 172.16.3.0 0.0.0.255 | ||
| + | access-list 110 permit ahp host 80.1.2.3 host 90.2.3.4 | ||
| + | access-list 110 permit esp host 80.1.2.3 host 90.2.3.4 | ||
| + | access-list 110 permit udp host 80.1.2.3 host 90.2.3.4 eq isakmp | ||
| + | </source> | ||
| + | From the config above, you can see protocol-discovery statistics. No traffic in my test though. | ||
| + | <source lang=cli> | ||
| + | R1#<input>show ip nbar protocol-discovery interface fastEthernet 0/0</input> | ||
| + | |||
| + | FastEthernet0/0 | ||
| + | Input Output | ||
| + | Protocol Packet Count Packet Count | ||
| + | Byte Count Byte Count | ||
| + | 5 minute bit rate (bps) 5 minute bit rate (bps) | ||
| + | ------------------------ ------------------------ ------------------------ | ||
| + | bgp 0 0 | ||
| + | 0 0 | ||
| + | 0 0 | ||
| + | citrix 0 0 | ||
| + | 0 0 | ||
| + | 0 0 | ||
| + | cuseeme 0 0 | ||
| + | 0 0 | ||
| + | 0 0 | ||
| + | dhcp 0 0 | ||
| + | 0 0 | ||
| + | 0 0 | ||
| + | dns 0 0 | ||
| + | 0 0 | ||
| + | 0 0 | ||
| + | egp 0 0 | ||
| + | 0 0 | ||
| + | 0 0 | ||
| + | eigrp 0 0 | ||
| + | 0 0 | ||
| + | 0 0 | ||
| + | exchange 0 0 | ||
| + | 0 0 | ||
| + | 0 0 | ||
| + | fasttrack 0 0 | ||
| + | 0 0 | ||
| + | 0 0 | ||
| + | finger 0 0 | ||
| + | 0 0 | ||
| + | 0 0 | ||
| + | ftp 0 0 | ||
| + | 0 0 | ||
| + | 0 0 | ||
| + | <notice>Output omitted....</notice> | ||
| + | </source> | ||
| + | {{source cli}} | ||
[[Category:Cisco]][[Category:IOS]][[Category:Network]][[Category:CCNP]] | [[Category:Cisco]][[Category:IOS]][[Category:Network]][[Category:CCNP]] | ||
Latest revision as of 07:46, 4 May 2010
Network-Based Application Recognition
See Media:Bittorrent_pdlm_readme.pdf
NBAR on tunnels and encrypted Interfaces
NBAR is not supported on the following logical interfaces:
•Fast EtherChannel
•Interfaces where tunneling or encryption is used
Note NBAR cannot be used to classify output traffic on a WAN link where tunneling or encryption is used. Therefore, NBAR should be configured on other interfaces on the router (such as a LAN link) to perform input classification before the traffic is switched to the WAN link for output.
However, NBAR Protocol Discovery is supported on interfaces where tunneling or encryption is used. You can enable Protocol Discovery directly on the tunnel or on the interface where encryption is performed to gather key statistics on the various applications that are traversing the interface. The input statistics also show the total number of encrypted/tunneled packets received in addition to the per-protocol breakdowns.
See IPsec example below.
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
lifetime 3600
!
!
crypto ipsec transform-set 50 ah-sha-hmac esp-aes 256 esp-sha-hmac
!
crypto map MYMAP 10 ipsec-isakmp
set peer 80.1.2.3
set security-association lifetime seconds 900
set transform-set 50
match address 101
!
interface FastEthernet0/0
ip address 90.2.3.4 255.255.255.0
ip access-group 110 in
<notice>ip nbar protocol-discovery</notice>
crypto map MYMAP
!
access-list 101 permit ip 172.16.1.0 0.0.0.255 172.16.3.0 0.0.0.255
access-list 110 permit ahp host 80.1.2.3 host 90.2.3.4
access-list 110 permit esp host 80.1.2.3 host 90.2.3.4
access-list 110 permit udp host 80.1.2.3 host 90.2.3.4 eq isakmpFrom the config above, you can see protocol-discovery statistics. No traffic in my test though.
R1#<input>show ip nbar protocol-discovery interface fastEthernet 0/0</input>
FastEthernet0/0
Input Output
Protocol Packet Count Packet Count
Byte Count Byte Count
5 minute bit rate (bps) 5 minute bit rate (bps)
------------------------ ------------------------ ------------------------
bgp 0 0
0 0
0 0
citrix 0 0
0 0
0 0
cuseeme 0 0
0 0
0 0
dhcp 0 0
0 0
0 0
dns 0 0
0 0
0 0
egp 0 0
0 0
0 0
eigrp 0 0
0 0
0 0
exchange 0 0
0 0
0 0
fasttrack 0 0
0 0
0 0
finger 0 0
0 0
0 0
ftp 0 0
0 0
0 0
<notice>Output omitted....</notice>