
Table Of Contents

Network-Based Application Recognition

match protocol

match protocol (NBAR)

policy-map


Network-Based Application Recognition


Network-Based Application Recognition (NBAR) is a classification engine that recognizes and classifies a wide variety of protocols and applications. When NBAR recognizes and classifies a protocol or application, the network can be configured to apply the appropriate quality of service (QoS) for that application or traffic with that protocol.

Configuration Information

Configuration information begins with the "Classifying Network Traffic Using NBAR Roadmap" module of the Cisco IOS Quality of Service Solutions Configuration Guide, Release 12.4T, at the following URL:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124tcg/tqos_c/part_05/qsnbarrm.htm

For a complete list of NBAR-related features included in the Cisco IOS Quality of Service Solutions Configuration Guide, see the Supported NBAR-Related Features table located toward the end of the roadmap.

New or Modified Commands

The following commands are new or modified for this feature:

match protocol

match protocol (NBAR)

policy-map

match protocol

To configure the match criterion for a class map on the basis of the specified protocol, use the match protocol command in class-map configuration mode. To remove the protocol-based match criterion from a class map, use the no form of this command.

match protocol protocol-name

no match protocol protocol-name

Syntax Description

protocol-name

Name of the protocol (for example, bgp) used as a matching criterion. See the "Usage Guidelines" for a list of protocols supported by most routers.


Command Default

No match criterion is configured.

Command Modes

Class-map configuration

Command History

Release
Modification

12.0(5)T

This command was introduced.

12.0(5)XE

This command was integrated into Cisco IOS Release 12.0(5)XE.

12.0(7)S

This command was integrated into Cisco IOS Release 12.0(7)S.

12.1(1)E

This command was integrated into Cisco IOS Release 12.1(1)E.

12.1(13)E

This command was implemented on Catalyst 6000 family switches without FlexWAN modules.

12.2(8)T

This command was integrated into Cisco IOS Release 12.2(8)T.

12.2(13)T

This command was modified to remove apollo, vines, and xns from the list of protocols used as matching criteria. These protocols were removed because Apollo Domain, Banyan VINES, and Xerox Network Systems (XNS) were removed in Release 12.2(13)T. The ipv6 keyword was added to support protocol matching on IPv6 packets.

12.0(28)S

Support for this command in IPv6 was added in Cisco IOS Release 12.0(28)S on the

12.2(14)S

This command was integrated into Cisco IOS Release 12.2(14)S.

12.2(17a)SX1

This command was integrated into Cisco IOS Release 12.2(17a)SX1.

12.2(18)SXE

Support for this command was added on the Supervisor Engine 720.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2(31)SB2

This command was integrated into Cisco IOS Release 12.2(31)SB2 and implemented on the Cisco 10000 series router.

12.2(18)ZY

This command was integrated into Cisco IOS Release 12.2(18)ZY. This command was modified to enhance Network-Based Application Recognition (NBAR) functionality on the Catalyst 6500 series switch that is equipped with the Supervisor 32/programmable intelligent services accelerator (PISA) engine.


Usage Guidelines

Supported Platforms Other Than Cisco 7600 Routers and Cisco 10000 Series Routers

For class-based weighted fair queueing (CBWFQ), you define traffic classes based on match criteria such as protocols, access control lists (ACLs), input interfaces, quality of service (QoS) labels, and Experimental (EXP) field values. Packets satisfying the match criteria for a class constitute the traffic for that class.

The match protocol command specifies the name of a protocol to be used as the match criteria against which packets are checked to determine if they belong to the class specified by the class map.

The match protocol ipx command matches packets in the output direction only.

To use the match protocol command, you must first enter the class-map command to specify the name of the class whose match criteria you want to establish. After you identify the class, you can use one of the following commands to configure its match criteria:

match access-group

match input-interface

match mpls experimental

If you specify more than one command in a class map, only the last command entered applies. The last command overrides the previously entered commands.

To configure network-based application recognition (NBAR) to match protocol types that are known to NBAR, use the match protocol (NBAR) command.

Cisco 7600 Routers

The match protocol command in QoS class-map configuration configures NBAR and sends all traffic on the port, both ingress and egress, to be processed in the software on the MSFC2.

For class-based weighted fair queuing (CBWFQ), you define traffic classes based on match criteria like protocols, ACLs, input interfaces, QoS labels, and Multiprotocol Label Switching (MPLS) EXP field values. Packets satisfying the match criteria for a class constitute the traffic for that class.

The match protocol command specifies the name of a protocol to be used as the match criteria against which packets are checked to determine if they belong to the class specified by the class map.

To use the match protocol command, you must first enter the class-map command to specify the name of the class whose match criteria you want to establish.

If you specify more than one command in a class map, only the last command entered applies. The last command overrides the previously entered commands.

This command can be used to match protocols that are known to the NBAR feature. For a list of protocols supported by NBAR, see the "Classification" part of the Cisco IOS Quality of Service Solutions Configuration Guide.

Cisco 10000 Series Routers

For CBWFQ, you define traffic classes based on match criteria including protocols, ACLs, input interfaces, QoS labels, and EXP field values. Packets satisfying the match criteria for a class constitute the traffic for that class.

The match protocol command specifies the name of a protocol to be used as the match criteria against which packets are checked to determine if they belong to the class specified by the class map.

The match protocol ipx command matches packets in the output direction only.

To use the match protocol command, you must first enter the class-map command to specify the name of the class whose match criteria you want to establish.

If you are matching NBAR protocols, use the match protocol (NBAR) command.

Supported Protocols

Table 1 lists the protocols supported by most routers. Some routers support a few additional protocols. For example, the Cisco 7600 router supports the aarp and decnet protocols, while the Cisco 7200 router supports the directconnect and pppoe protocols. For a complete list of supported protocols, see the online help for the match protocol command on the router that you are using.

Table 1 Supported Protocols

Protocol Name | Description
arp* | IP Address Resolution Protocol (ARP)
bgp | Border Gateway Protocol
bridge* | bridging
cdp* | Cisco Discovery Protocol
citrix | Citrix Systems Metaframe
clns* | ISO Connectionless Network Service
clns_es* | ISO CLNS End System
clns_is* | ISO CLNS Intermediate System
cmns* | ISO Connection-Mode Network Service
compressedtcp* | compressed TCP
cuseeme | CU-SeeMe desktop video conference
dhcp | Dynamic Host Configuration
directconnect | Direct Connect
dns | Domain Name Server lookup
edonkey | eDonkey
egp | Exterior Gateway Protocol
eigrp | Enhanced Interior Gateway Routing Protocol
exchange | Microsoft RPC for Exchange
fasttrack | FastTrack Traffic (KaZaA, Morpheus, Grokster, and so on)
finger | Finger
ftp | File Transfer Protocol
gnutella | Gnutella Version 2 Traffic (BearShare, Shareaza, Morpheus, and so on)
gopher | Gopher
gre | Generic Routing Encapsulation
h323 | H323 Protocol
http | World Wide Web traffic
icmp | Internet Control Message
imap | Internet Message Access Protocol
ip* | IP (version 4)
ipinip | IP in IP (encapsulation)
ipsec | IP Security Protocol (ESP/AH)
ipv6* | IP (version 6)
irc | Internet Relay Chat
kazaa2 | Kazaa Version 2
kerberos | Kerberos
l2tp | Layer 2 Tunnel Protocol
ldap | Lightweight Directory Access Protocol
llc2* | llc2
mgcp | Media Gateway Control Protocol
napster | Napster traffic
netbios | NetBIOS
netshow | Microsoft Netshow
nfs | Network File System
nntp | Network News Transfer Protocol
novadigm | Novadigm Enterprise Desktop Manager (EDM)
ntp | Network Time Protocol
ospf | Open Shortest Path First
pad* | packet assembler/disassembler (PAD) links
pcanywhere | Symantec pcANYWHERE
pop3 | Post Office Protocol
printer | print spooler/lpd
rcmd | Berkeley Software Distribution (BSD) r-commands (rsh, rlogin, rexec)
rip | Routing Information Protocol
rsrb* | Remote Source-Route Bridging
rsvp | Resource Reservation Protocol
rtp | Real-Time Protocol
rtsp | Real-Time Streaming Protocol
secure-ftp | FTP over Transport Layer Security/Secure Sockets Layer (TLS/SSL)
secure-http | Secured HTTP
secure-imap | Internet Message Access Protocol over TLS/SSL
secure-irc | Internet Relay Chat over TLS/SSL
secure-ldap | Lightweight Directory Access Protocol over TLS/SSL
secure-nntp | Network News Transfer Protocol over TLS/SSL
secure-pop3 | Post Office Protocol over TLS/SSL
secure-telnet | Telnet over TLS/SSL
sip | Session Initiation Protocol
skinny | Skinny Protocol
smtp | Simple Mail Transfer Protocol
snapshot | Snapshot routing support
snmp | Simple Network Management Protocol
socks | SOCKS
sqlnet | Structured Query Language (SQL)*NET for Oracle
sqlserver | Microsoft SQL Server
ssh | Secured shell
streamwork | Xing Technology StreamWorks player
sunrpc | Sun remote-procedure call (RPC)
syslog | System Logging Utility
telnet | Telnet
tftp | Trivial File Transfer Protocol
vdolive | VDOLive streaming video
vofr* | Voice over Frame Relay packets
xwindows* | X-Windows remote access

* This protocol is not supported on the Catalyst 6500 series switch that is equipped with a Supervisor 32/PISA engine.

Match Protocol Command Restrictions (Catalyst 6500 Series Switches Only)

Policy maps contain traffic classes. Traffic classes contain one or more match commands that can be used to match packets (and organize them into groups) on the basis of a protocol type or application. You can create as many traffic classes as needed.

Cisco IOS Release 12.2(18)ZY includes software intended for use on the Catalyst 6500 series switch that is equipped with a Supervisor 32/PISA engine. For this release and platform, note the following restrictions for using policy maps and match protocol commands:

A single traffic class can be configured to match a maximum of 8 protocols or applications.

Multiple traffic classes can be configured to match a cumulative maximum of 95 protocols or applications.

Examples

The following example specifies a class map called ftp and configures the File Transfer Protocol (FTP) protocol as match criteria:

Router(config)# class-map ftp
Router(config-cmap)# match protocol ftp

Related Commands

Command | Description
class-map | Creates a class map to be used for matching packets to a specified class.
match access-group | Configures the match criteria for a class map based on the specified ACL.
match input-interface | Configures a class map to use the specified input interface as a match criterion.
match mpls experimental | Configures a class map to use the specified value of the experimental field as a match criterion.
match precedence | Identifies IP precedence values as match criteria.
match protocol (NBAR) | Configures NBAR to match traffic by a protocol type known to NBAR.
match qos-group | Configures a class map to use the specified QoS group value as a match criterion.


match protocol (NBAR)

To configure Network-Based Application Recognition (NBAR) to match traffic by a protocol type known to NBAR, use the match protocol command in class-map configuration mode. To disable NBAR from matching traffic by a known protocol type, use the no form of this command.

match protocol protocol-name [variable-field-name value]

no match protocol protocol-name [variable-field-name value]

Syntax Description

protocol-name

Particular protocol type known to NBAR. These known protocol types can be used to match traffic. For a list of protocol types known to NBAR, see Table 2 in "Usage Guidelines."

variable-field-name

(Optional and usable only with custom protocols) Predefined variable that was created when you created a custom protocol. The variable-field-name will match the field-name variable entered when you created the custom protocol.

value

(Optional and usable only with custom protocols) Specific value in the custom payload to match. A value can be entered along with a variable-field-name only. The value can be expressed in decimal or hexadecimal format.


Defaults

Traffic is not matched by a protocol type known to NBAR.

Command Modes

Class-map configuration

Command History

Release
Modification

12.0(5)XE2

This command was introduced.

12.1(1)E

This command was integrated into Cisco IOS Release 12.1(1)E and the variable-field-name value option was added.

12.1(5)T

This command was integrated into Cisco IOS Release 12.1(5)T.

12.1(13)T

This command was integrated into Cisco IOS Release 12.1(13)T and became available on Catalyst 6000 family switches without FlexWAN modules.

12.2(8)T

This command was integrated into Cisco IOS Release 12.2(8)T.

12.2(14)S

This command was integrated into Cisco IOS Release 12.2(14)S.

12.2(17a)SX1

This command was integrated into Cisco IOS Release 12.2(17a)SX1.

12.4(2)T

This command was integrated into Cisco IOS Release 12.4(2)T and modified to include support for additional protocols, such as the BitTorrent protocol.

12.4(4)T

This command was modified to include support for additional protocols, such as the Skype and DirectConnect protocols.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2(18)ZY

This command was integrated into Cisco IOS Release 12.2(18)ZY. This command was modified to enhance NBAR functionality on the Catalyst 6500 series switch that is equipped with the Supervisor 32/programmable intelligent services accelerator (PISA) engine.


Usage Guidelines

Use the match protocol (NBAR) command to match protocol types that are known to NBAR. NBAR is capable of classifying the following types of protocols:

Non-UDP and non-TCP IP protocols

TCP and UDP protocols that use statically assigned port numbers

TCP and UDP protocols that dynamically assign port numbers and therefore require stateful inspection.

Table 2 lists the protocols that NBAR can classify. This table organizes the NBAR-supported protocols by category.

Table 2 NBAR-Supported Protocols

Category | Protocol | Type | Well-Known Port Number | Description | Syntax | Cisco IOS Release¹
Enterprise Application | Citrix ICA | TCP/UDP | Dynamically Assigned | Citrix ICA traffic by application name | citrix; citrix app | 12.1(2)E, 12.1(5)T
Enterprise Application | PCAnywhere | TCP | 5631, 65301 | Symantec pcAnywhere | pcanywhere | 12.0(5)XE2, 12.1(1)E, 12.1(5)T
Enterprise Application | PCAnywhere | UDP | 22, 5632 | Symantec pcAnywhere | pcanywhere | 12.0(5)XE2, 12.1(1)E, 12.1(5)T
Enterprise Application | Novadigm | TCP/UDP | 3460-3465 | Novadigm Enterprise Desktop Manager (EDM) | novadigm | 12.1(2)E, 12.1(5)T
Enterprise Application | SAP | TCP | 3300-3315 (sap-pgm.pdlm); 3200-3215 (sap-app.pdlm); 3600-3615 (sap-msg.pdlm) | Application server to application server traffic (sap-pgm.pdlm); client to application server traffic (sap-app.pdlm); client to message server traffic (sap-msg.pdlm) | sap | 12.3, 12.3T, 12.2T, 12.1E
Routing Protocol | BGP | TCP/UDP | 179 | Border Gateway Protocol | bgp | 12.0(5)XE2, 12.1(1)E, 12.1(5)T
Routing Protocol | EGP | IP | 8 | Exterior Gateway Protocol | egp | 12.0(5)XE2, 12.1(1)E, 12.1(5)T
Routing Protocol | EIGRP | IP | 88 | Enhanced Interior Gateway Routing Protocol | eigrp | 12.0(5)XE2, 12.1(1)E, 12.1(5)T
Routing Protocol | OSPF | TCP | Dynamically Assigned | Open Shortest Path First | ospf | 12.3(8)T
Routing Protocol | RIP | UDP | 520 | Routing Information Protocol | rip | 12.0(5)XE2, 12.1(1)E, 12.1(5)T
Database | SQL*NET | TCP/UDP | Dynamically Assigned | SQL*NET for Oracle | sqlnet | 12.0(5)XE2, 12.1(1)E, 12.1(5)T
Database | MS-SQLServer | TCP | 1433 | Microsoft SQL Server | sqlserver | 12.0(5)XE2, 12.1(1)E, 12.1(5)T
Security and Tunneling | GRE | IP | 47 | Generic Routing Encapsulation | gre | 12.0(5)XE2, 12.1(1)E, 12.1(5)T
Security and Tunneling | IPINIP | IP | 4 | IP in IP | ipinip | 12.0(5)XE2, 12.1(1)E, 12.1(5)T
Security and Tunneling | IPsec | IP | 50, 51 | IP Encapsulating Security Payload/Authentication Header | ipsec | 12.0(5)XE2, 12.1(1)E, 12.1(5)T
Security and Tunneling | L2TP | UDP | 1701 | L2F/L2TP Tunnel | l2tp | 12.0(5)XE2, 12.1(1)E, 12.1(5)T
Security and Tunneling | MS-PPTP | TCP | 1723 | Microsoft Point-to-Point Tunneling Protocol for VPN | pptp | 12.0(5)XE2, 12.1(1)E, 12.1(5)T
Security and Tunneling | SFTP | TCP | 990 | Secure FTP | secure-ftp | 12.0(5)XE2, 12.1(1)E, 12.1(5)T
Security and Tunneling | SHTTP | TCP | 443 | Secure HTTP | secure-http | 12.0(5)XE2, 12.1(1)E, 12.1(5)T
Security and Tunneling | SIMAP | TCP/UDP | 585, 993 | Secure IMAP | secure-imap | 12.0(5)XE2, 12.1(1)E, 12.1(5)T
Security and Tunneling | SIRC | TCP/UDP | 994 | Secure IRC | secure-irc | 12.0(5)XE2, 12.1(1)E, 12.1(5)T
Security and Tunneling | SLDAP | TCP/UDP | 636 | Secure LDAP | secure-ldap | 12.0(5)XE2, 12.1(1)E, 12.1(5)T
Security and Tunneling | SNNTP | TCP/UDP | 563 | Secure NNTP | secure-nntp | 12.0(5)XE2, 12.1(1)E, 12.1(5)T
Security and Tunneling | SPOP3 | TCP/UDP | 995 | Secure POP3 | secure-pop3 | 12.0(5)XE2, 12.1(1)E, 12.1(5)T
Security and Tunneling | STELNET | TCP | 992 | Secure Telnet | secure-telnet | 12.0(5)XE2, 12.1(1)E, 12.1(5)T
Security and Tunneling | SOCKS | TCP | 1080 | Firewall Security Protocol | socks | 12.0(5)XE2, 12.1(1)E, 12.1(5)T
Security and Tunneling | SSH | TCP | 22 | Secured Shell | ssh | 12.0(5)XE2, 12.1(1)E, 12.1(5)T
Network Management | ICMP | IP | 1 | Internet Control Message Protocol | icmp | 12.0(5)XE2, 12.1(1)E, 12.1(5)T
Network Management | SNMP | TCP/UDP | 161, 162 | Simple Network Management Protocol | snmp | 12.0(5)XE2, 12.1(1)E, 12.1(5)T
Network Management | Syslog | UDP | 514 | System Logging Utility | syslog | 12.0(5)XE2, 12.1(1)E, 12.1(5)T
Network Mail Services | IMAP | TCP/UDP | 143, 220 | Internet Message Access Protocol | imap | 12.0(5)XE2, 12.1(1)E, 12.1(5)T
Network Mail Services | POP3 | TCP/UDP | 110 | Post Office Protocol | pop3 | 12.0(5)XE2, 12.1(1)E, 12.1(5)T
Network Mail Services | Exchange | TCP | 135 | MS-RPC for Exchange | exchange | 12.0(5)XE2, 12.1(1)E, 12.1(5)T
Network Mail Services | Notes | TCP/UDP | 1352 | Lotus Notes | notes | 12.0(5)XE2, 12.1(1)E, 12.1(5)T
Network Mail Services | SMTP | TCP | 25 | Simple Mail Transfer Protocol | smtp | 12.0(5)XE2, 12.1(1)E, 12.1(5)T
Directory | DHCP/BOOTP | UDP | 67, 68 | Dynamic Host Configuration Protocol/Bootstrap Protocol | dhcp | 12.0(5)XE2, 12.1(1)E, 12.1(5)T
Directory | Finger | TCP | 79 | Finger User Information Protocol | finger | 12.0(5)XE2, 12.1(1)E, 12.1(5)T
Directory | DNS | TCP/UDP | 53 | Domain Name System | dns | 12.0(5)XE2, 12.1(1)E, 12.1(5)T
Directory | Kerberos | TCP/UDP | 88, 749 | Kerberos Network Authentication Service | kerberos | 12.0(5)XE2, 12.1(1)E, 12.1(5)T
Directory | LDAP | TCP/UDP | 389 | Lightweight Directory Access Protocol | ldap | 12.0(5)XE2, 12.1(1)E, 12.1(5)T
Streaming Media | CU-SeeMe | TCP/UDP | 7648, 7649 | Desktop Video Conferencing | cuseeme | 12.0(5)XE2, 12.1(1)E, 12.1(5)T
Streaming Media | CU-SeeMe | UDP | 24032 | Desktop Video Conferencing | cuseeme | 12.0(5)XE2, 12.1(1)E, 12.1(5)T
Streaming Media | Netshow | TCP/UDP | Dynamically Assigned | Microsoft Netshow | netshow | 12.0(5)XE2, 12.1(1)E, 12.1(5)T
Streaming Media | RealAudio | TCP/UDP | Dynamically Assigned | RealAudio Streaming Protocol | realaudio | 12.0(5)XE2, 12.1(1)E, 12.1(5)T
Streaming Media | StreamWorks | UDP | Dynamically Assigned | Xing Technology Stream Works Audio and Video | streamwork | 12.0(5)XE2, 12.1(1)E, 12.1(5)T
Streaming Media | VDOLive | TCP/UDP | Dynamically Assigned | VDOLive Streaming Video | vdolive | 12.0(5)XE2, 12.1(1)E, 12.1(5)T
Streaming Media/Multimedia | RTSP | TCP/UDP | Dynamically Assigned | Real Time Streaming Protocol | rtsp | 12.3(11)T
Streaming Media/Multimedia | MGCP | TCP/UDP | 2427, 2428, 2727 | Media Gateway Control Protocol | mgcp | 12.3(7)T
Internet | FTP | TCP | Dynamically Assigned | File Transfer Protocol | ftp | 12.0(5)XE2, 12.1(1)E, 12.1(5)T
Internet | Gopher | TCP/UDP | 70 | Internet Gopher Protocol | gopher | 12.0(5)XE2, 12.1(1)E, 12.1(5)T
Internet | HTTP | TCP | 80² | Hypertext Transfer Protocol | http | 12.0(5)XE2, 12.1(1)E, 12.1(5)T
Internet | IRC | TCP/UDP | 194 | Internet Relay Chat | irc | 12.0(5)XE2, 12.1(1)E, 12.1(5)T
Internet | Telnet | TCP | 23 | Telnet Protocol | telnet | 12.0(5)XE2, 12.1(1)E, 12.1(5)T
Internet | TFTP | UDP | Dynamically Assigned | Trivial File Transfer Protocol | tftp | 12.0(5)XE2, 12.1(1)E, 12.1(5)T
Internet | NNTP | TCP/UDP | 119 | Network News Transfer Protocol | nntp | 12.0(5)XE2, 12.1(1)E, 12.1(5)T
Signaling | RSVP | UDP | 1698, 1699 | Resource Reservation Protocol | rsvp | 12.0(5)XE2, 12.1(1)E, 12.1(5)T
RPC | NFS | TCP/UDP | 2049 | Network File System | nfs | 12.0(5)XE2, 12.1(1)E, 12.1(5)T
RPC | Sunrpc | TCP/UDP | Dynamically Assigned | Sun Remote Procedure Call | sunrpc | 12.0(5)XE2, 12.1(1)E, 12.1(5)T
Non-IP and LAN/Legacy | NetBIOS | TCP/UDP | 137, 138, 139 | NetBIOS over IP (MS Windows) | netbios | 12.0(5)XE2, 12.1(1)E, 12.1(5)T
Misc. | NTP | TCP/UDP | 123 | Network Time Protocol | ntp | 12.0(5)XE2, 12.1(1)E, 12.1(5)T
Misc. | Printer | TCP/UDP | 515 | Printer | printer | 12.1(2)E, 12.1(5)T
Misc. | X Windows | TCP | 6000-6003 | X11, X Windows | xwindows | 12.0(5)XE2, 12.1(1)E, 12.1(5)T
Misc. | r-commands | TCP | Dynamically Assigned | rsh, rlogin, rexec | rcmd | 12.0(5)XE2, 12.1(1)E, 12.1(5)T
Voice | H.323 | TCP | Dynamically Assigned | H.323 Teleconferencing Protocol | h323 | 12.3(7)T
Voice | RTCP | TCP/UDP | Dynamically Assigned | Real-Time Control Protocol | rtcp | 12.1E, 12.2T, 12.3, 12.3T, 12.3(7)T
Voice | RTP | TCP/UDP | Dynamically Assigned | Real-Time Transport Protocol Payload Classification | rtp | 12.2(8)T
Voice | SIP | TCP/UDP | 5060 | Session Initiation Protocol | sip | 12.3(7)T
Voice | SCCP/Skinny | TCP | 2000, 2001, 2002 | Skinny Client Control Protocol | skinny | 12.3(7)T
Voice | Skype³ | TCP/UDP | Dynamically Assigned | Peer-to-Peer VoIP Client Software. Note: Cisco currently supports Skype version 1 only. | skype | 12.4(4)T
Peer-to-Peer File-Sharing Applications | BitTorrent | TCP | Dynamically Assigned, or 6881-6889 | BitTorrent File Transfer Traffic | bittorrent | 12.4(2)T
Peer-to-Peer File-Sharing Applications | Direct Connect | TCP/UDP | 411 | Direct Connect File Transfer Traffic | directconnect | 12.4(4)T
Peer-to-Peer File-Sharing Applications | eDonkey/eMule | TCP | 4662 | eDonkey File-Sharing Application. eMule traffic is also classified as eDonkey traffic in NBAR. | edonkey | 12.3(11)T
Peer-to-Peer File-Sharing Applications | FastTrack | N/A | Dynamically Assigned | FastTrack | fasttrack | 12.1(12c)E
Peer-to-Peer File-Sharing Applications | Gnutella | TCP | Dynamically Assigned | Gnutella | gnutella | 12.1(12c)E
Peer-to-Peer File-Sharing Applications | KaZaA | TCP/UDP | Dynamically Assigned | KaZaA. Note that earlier KaZaA version 1 traffic can be classified using FastTrack. | kazaa2 | 12.2(8)T
Peer-to-Peer File-Sharing Applications | WinMX | TCP | 6699 | WinMX Traffic | winmx | 12.3(7)T

¹ Indicates the Cisco IOS maintenance release that first supported the protocol. This table is updated when a protocol is added to a new Cisco IOS release train.

² In Release 12.3(4)T, the NBAR Extended Inspection for Hypertext Transfer Protocol (HTTP) Traffic feature was introduced. This feature allows NBAR to scan TCP ports that are not well known and identify HTTP traffic traversing these ports.

³ Skype was introduced in Cisco IOS Release 12.4(4)T. As a result of this introduction, Skype is now native in (included with) the Cisco IOS software and uses the NBAR infrastructure new to Cisco IOS Release 12.4(4)T.


Custom Protocols Created with the ip nbar custom Command

The variable-field-name value option is used together with the variable field-name field-length options that are entered when you create a custom protocol with the ip nbar custom command. The variable option lets NBAR match traffic on the basis of a specific value in the payload of a custom protocol. For instance, if ip nbar custom ftdd 125 variable scid 2 tcp range 5001 5005 is entered to create a custom protocol, and a class map is then created with match protocol ftdd scid 804, that class map will match all traffic that has the value "804" in the 2-byte field at byte 125 and is entering or leaving TCP ports 5001 to 5005.

Up to 24 variable values per custom protocol can be expressed in class maps. For instance, in the following configuration, 4 variables are used and 20 more "scid" values could be used.

Router(config)# ip nbar custom ftdd field scid 125 variable 1 tcp range 5001 5005

Router(config)# class-map active-craft
Router(config-cmap)# match protocol ftdd scid 0x15
Router(config-cmap)# match protocol ftdd scid 0x21

Router(config)# class-map passive-craft
Router(config-cmap)# match protocol ftdd scid 0x11
Router(config-cmap)# match protocol ftdd scid 0x22

Match Protocol Command Restrictions (Catalyst 6500 Series Switches Only)

Policy maps contain traffic classes. Traffic classes contain one or more match commands that can be used to match packets (and organize them into groups) on the basis of a protocol type or application. You can create as many traffic classes as needed.

Cisco IOS Release 12.2(18)ZY includes software intended for use on the Catalyst 6500 series switch that is equipped with a Supervisor 32/PISA engine. For this release and platform, note the following restrictions for using policy maps and match protocol commands:

A single traffic class can be configured to match a maximum of 8 protocols or applications.

Multiple traffic classes can be configured to match a cumulative maximum of 95 protocols or applications.

Examples

The following example configures NBAR to match FTP traffic:

Router(config-cmap)# match protocol ftp

In the following example, custom protocol ftdd is created by using a variable. A class map matching this custom protocol based on the variable is also created. In this example, class map matchscidinftdd will match all traffic that has the value "804" at byte 125 entering or leaving TCP ports 5001 to 5005. The variable scid is 2 bytes in length.

Router(config)# ip nbar custom ftdd 125 variable scid 2 tcp range 5001 5005

Router(config)# class-map matchscidinftdd
Router(config-cmap)# match protocol ftdd scid 804

The same configuration can also be entered using a hexadecimal value in the class map:

Router(config)# ip nbar custom ftdd 125 variable scid 2 tcp range 5001 5005

Router(config)# class-map matchscidinftdd
Router(config-cmap)# match protocol ftdd scid 0x324

In the following example, the variable keyword is used while you create a custom protocol, and class maps are configured to classify different values within the variable field into different traffic classes. Specifically, in the example below, variable scid values 0x15, 0x21, and 0x27 will be classified into class map active-craft, while scid values 0x11, 0x22, and 0x25 will be classified into class map passive-craft.


Router(config)# ip nbar custom ftdd field scid 125 variable 1 tcp range 5001 5005

Router(config)# class-map active-craft
Router(config-cmap)# match protocol ftdd scid 0x15
Router(config-cmap)# match protocol ftdd scid 0x21
Router(config-cmap)# match protocol ftdd scid 0x27

Router(config)# class-map passive-craft
Router(config-cmap)# match protocol ftdd scid 0x11
Router(config-cmap)# match protocol ftdd scid 0x22
Router(config-cmap)# match protocol ftdd scid 0x25
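The custom-protocol variable matching described under "Custom Protocols Created with the ip nbar custom Command" and in the Examples above, modelled in Python as an added illustration (not Cisco code and not the IOS implementation). The zero-padded payload layout, the rule that either the source or the destination port may fall in the configured range, and the check that a value fits the field width are assumptions of this model; the 24-value limit, the offsets, ports and scid values are the page's own.

```python
# Added model of NBAR custom-protocol variable matching (not Cisco code). It mirrors the page's
#   ip nbar custom ftdd 125 variable scid 2 tcp range 5001 5005  /  match protocol ftdd scid 804
# The "either port in range" rule and the value-width check are assumptions of this model.
from dataclasses import dataclass
from typing import Dict, List, Optional

MAX_VARIABLE_VALUES = 24  # per custom protocol, across all class maps (stated on the page)


@dataclass(frozen=True)
class CustomProtocol:
    """One `ip nbar custom <name> <offset> variable <var_name> <var_len> tcp range lo hi`."""
    name: str
    offset: int       # byte offset of the variable field in the payload
    var_name: str     # variable name used in `match protocol <name> <var_name> <value>`
    var_len: int      # field length in bytes
    transport: str    # "tcp" or "udp"
    port_lo: int
    port_hi: int

    def port_in_range(self, port: int) -> bool:
        return self.port_lo <= port <= self.port_hi

    def extract_field(self, payload: bytes) -> Optional[int]:
        """Read the variable field as a big-endian integer; None if the payload is too short."""
        end = self.offset + self.var_len
        if len(payload) < end:
            return None
        return int.from_bytes(payload[self.offset:end], "big")


def parse_value(text: str) -> int:
    """The command accepts the value in decimal or 0x-prefixed hexadecimal (804 == 0x324)."""
    return int(text, 16) if text.lower().startswith("0x") else int(text, 10)


class NbarCustomClassifier:
    """The class maps that match variable values of one custom protocol."""

    def __init__(self, proto: CustomProtocol) -> None:
        self.proto = proto
        self.class_maps: Dict[str, List[int]] = {}

    def total_values(self) -> int:
        return sum(len(v) for v in self.class_maps.values())

    def match_protocol(self, class_name: str, value_text: str) -> None:
        """`match protocol <proto> <var> <value>` entered under `class-map <class_name>`."""
        if self.total_values() >= MAX_VARIABLE_VALUES:
            raise ValueError(f"{self.proto.name}: at most {MAX_VARIABLE_VALUES} variable values")
        value = parse_value(value_text)
        if value >= 1 << (8 * self.proto.var_len):
            raise ValueError(f"{value_text} does not fit in a {self.proto.var_len}-byte field")
        self.class_maps.setdefault(class_name, []).append(value)

    def classify(self, transport: str, src_port: int, dst_port: int,
                 payload: bytes) -> Optional[str]:
        """Return the class map the packet falls into, or None if no class matches."""
        p = self.proto
        if transport != p.transport:
            return None
        # "entering or leaving" the port range: either source or destination port qualifies
        if not (p.port_in_range(src_port) or p.port_in_range(dst_port)):
            return None
        value = p.extract_field(payload)
        if value is None:
            return None
        for name, values in self.class_maps.items():
            if value in values:
                return name
        return None


def scid_example() -> NbarCustomClassifier:
    """The page's 2-byte example: class map matchscidinftdd matches scid 804 (0x324)."""
    clf = NbarCustomClassifier(CustomProtocol("ftdd", 125, "scid", 2, "tcp", 5001, 5005))
    clf.match_protocol("matchscidinftdd", "804")
    return clf


def craft_example() -> NbarCustomClassifier:
    """The page's 1-byte example: active-craft and passive-craft split by scid value."""
    clf = NbarCustomClassifier(CustomProtocol("ftdd", 125, "scid", 1, "tcp", 5001, 5005))
    for v in ("0x15", "0x21", "0x27"):
        clf.match_protocol("active-craft", v)
    for v in ("0x11", "0x22", "0x25"):
        clf.match_protocol("passive-craft", v)
    return clf


def payload_with(offset: int, field: bytes) -> bytes:
    """Constructed payload: zero padding up to `offset`, the field bytes, then filler."""
    return bytes(offset) + field + bytes(16)
```

A payload carrying 0x03 0x24 at byte 125 on a connection to port 5003 lands in matchscidinftdd whether the class map was entered as 804 or 0x324; the same bytes on port 6000, or a payload shorter than 127 bytes, match nothing.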

Related Commands

Command | Description
class-map | Creates a class map to be used for matching packets to a specified class.
ip nbar custom | Extends the capability of NBAR Protocol Discovery to classify and monitor additional static port applications, or allows NBAR to classify nonsupported static port traffic.


policy-map

To create or modify a policy map that can be attached to one or more interfaces to specify a service policy, use the policy-map command in global configuration mode. To delete a policy map, use the no form of this command. The policy-map command enters policy-map configuration mode in which you can configure or modify the class policies for that policy map.

Supported Platforms Other Than Cisco 10000 Series Routers

policy-map [type {stack | access-control | port-filter | queue-threshold | logging log-policy}] policy-map-name

no policy-map [type {stack | access-control | port-filter | queue-threshold | logging log-policy}] policy-map-name

Cisco 10000 Series Router

policy-map [type {control | service}] policy-map-name

no policy-map [type {control | service}] policy-map-name

Syntax Description

type stack

(Optional) Determines the exact pattern to look for in the protocol stack of interest.

type access-control

(Optional) Enables the policy map for the flexible packet matching feature.

type port-filter

(Optional) Enables the policy map for the port-filter feature.

type queue-threshold

(Optional) Enables the policy map for the queue-threshold feature.

type logging

(Optional) Enables the policy map for the control-plane packet logging feature.

log-policy

Type of log policy for control-plane logging.

policy-map-name

Name of the policy map. The name can be a maximum of 40 alphanumeric characters.

type control

(Optional) Creates a control policy map.

type service

(Optional) Creates a service policy map.


Command Default

The policy map is not configured.

Command Modes

Global configuration

Command History

Release
Modification

12.0(5)T

This command was introduced.

12.4(4)T

The type access-control keywords were added to support flexible packet matching. The type port-filter and type queue-threshold keywords were added to support control-plane protection.

12.4(6)T

The type logging keywords were added to support control-plane packet logging.

12.2(31)SB

The type control and type service keywords were added to support the Cisco 10000 series router.

12.2(18)ZY

This command was integrated into Cisco IOS Release 12.2(18)ZY. This command was modified to enhance Network-Based Application Recognition (NBAR) functionality on the Catalyst 6500 series switch that is equipped with the Supervisor 32/programmable intelligent services accelerator (PISA) engine.


Usage Guidelines

Use the policy-map command to specify the name of the policy map to be created, added to, or modified before you configure policies for classes whose match criteria are defined in a class map. The policy-map command enters policy-map configuration mode in which you can configure or modify the class policies for that policy map.

You can configure class policies in a policy map only if the classes have match criteria defined for them. You use the class-map and match commands to configure the match criteria for a class. Because you can configure a maximum of 64 class maps, no policy map can contain more than 64 class policies.

A single policy map can be attached to multiple interfaces concurrently. When you attempt to attach a policy map to an interface, the attempt is denied if the available bandwidth on the interface cannot accommodate the total bandwidth requested by class policies comprising the policy map. In this case, if the policy map is already attached to other interfaces, it is removed from them.

Whenever you modify class policy in an attached policy map, class-based weighted fair queueing (CBWFQ) is notified and the new classes are installed as part of the policy map in the CBWFQ system.

Class Queues (Cisco 10000 Series Routers Only)

The PRE2 allows you to configure 31 class queues in a policy map.

In a policy map, the PRE3 allows you to configure one priority level 1 queue, plus one priority level 2 queue, plus 12 class queues, plus one default queue.

Control Policies (Cisco 10000 Series Routers Only)

Control policies define the actions that your system will take in response to specified events and conditions.

A control policy is made of one or more control policy rules. A control policy rule is an association of a control class and one or more actions. The control class defines the conditions that must be met before the actions will be executed.

There are three steps involved in defining a control policy:

1. Create one or more control class maps, by using the class-map type control command.

2. Create a control policy map, using the policy-map type control command.

A control policy map contains one or more control policy rules. A control policy rule associates a control class map with one or more actions. Actions are numbered and executed sequentially.

3. Apply the control policy map to a context, using the service-policy type control command.

Service Policies (Cisco 10000 Series Routers Only)

Service policy maps and service profiles contain a collection of traffic policies and other functionality. Traffic policies determine which functionality will be applied to which session traffic. A service policy map or service profile may also contain a network-forwarding policy, which is a specific type of traffic policy that determines how session data packets will be forwarded to the network.

Policy Map Restrictions (Catalyst 6500 Series Switches Only)

Cisco IOS Release 12.2(18)ZY includes software intended for use on the Catalyst 6500 series switch that is equipped with a Supervisor 32/PISA engine. For this release and platform, note the following restrictions for using policy maps and match commands:

You cannot modify an existing policy map if the policy map is attached to an interface. To modify the policy map, remove the policy map from the interface by using the no form of the service-policy command.

Policy maps contain traffic classes. Traffic classes contain one or more match commands that can be used to match packets (and organize them into groups) on the basis of a protocol type or application. You can create as many traffic classes as needed. However, the following restrictions apply:

A single traffic class can be configured to match a maximum of 8 protocols or applications.

Multiple traffic classes can be configured to match a cumulative maximum of 95 protocols or applications.
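As an added example (not Cisco code and not part of this reference), the following Python script checks class-map and policy-map text offline against the limits this entry states: at most 64 class policies per policy map, at most 8 protocols per traffic class and 95 cumulatively on the Catalyst 6500 Supervisor 32/PISA platform, every class policy backed by a defined class map, and the attach-time rule that the bandwidth requested by a policy map's classes must fit the interface. The class names, NBAR protocol list and interface bandwidth values in the sample are constructed; the bandwidth check takes the available bandwidth as a kbps argument and counts only the absolute bandwidth form, not the percent forms.

```python
"""Lint class-map / policy-map text against the limits stated in this entry.
Added example, not Cisco code; the sample configuration below is constructed."""
import re
from collections import OrderedDict

MAX_CLASS_POLICIES = 64      # at most 64 class maps, so at most 64 class policies per policy map
MAX_PROTOCOLS_PER_CLASS = 8  # Catalyst 6500 Supervisor 32/PISA restriction
MAX_PROTOCOLS_TOTAL = 95     # cumulative over all traffic classes on that platform
CLASS_MAP_RE = re.compile(r"class-map(?:\s+type\s+\S+)?(?:\s+match-(?:all|any))?\s+(\S+)$")
POLICY_MAP_RE = re.compile(r"policy-map(?:\s+type\s+\S+)?\s+(\S+)$")
CLASS_RE = re.compile(r"class(?:\s+type\s+\S+)?\s+(\S+)$")
BANDWIDTH_RE = re.compile(r"bandwidth\s+(\d+)$")  # absolute kbps form; 'percent' forms skipped


def parse_config(text):
    """Return (class_maps: name -> match lines, policy_maps: name -> {class: policy lines})."""
    class_maps, policy_maps = OrderedDict(), OrderedDict()
    block = cur_class = None  # block is ("class-map" | "policy-map", name)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = CLASS_MAP_RE.match(line)
        if m:
            block, cur_class = ("class-map", m.group(1)), None
            class_maps.setdefault(m.group(1), [])
            continue
        m = POLICY_MAP_RE.match(line)
        if m:
            block, cur_class = ("policy-map", m.group(1)), None
            policy_maps.setdefault(m.group(1), OrderedDict())
            continue
        if block is None:
            continue
        kind, name = block
        if kind == "class-map" and line.startswith("match "):
            class_maps[name].append(line)
        elif kind == "policy-map":
            m = CLASS_RE.match(line)
            if m:  # 'class <name>' opens a class policy inside the policy map
                cur_class = m.group(1)
                policy_maps[name].setdefault(cur_class, [])
            elif cur_class is not None:
                policy_maps[name][cur_class].append(line)
    return class_maps, policy_maps


def lint(class_maps, policy_maps):
    """Return findings against the stated limits; an empty list means none were exceeded."""
    findings, total = [], 0
    for name, matches in class_maps.items():
        n = sum(1 for ln in matches if ln.startswith("match protocol "))  # NBAR matches
        total += n
        if n > MAX_PROTOCOLS_PER_CLASS:
            findings.append(f"class-map {name} matches {n} protocols (max {MAX_PROTOCOLS_PER_CLASS})")
    if total > MAX_PROTOCOLS_TOTAL:
        findings.append(f"{total} protocol matches in all classes (max {MAX_PROTOCOLS_TOTAL})")
    for pname, classes in policy_maps.items():
        if len(classes) > MAX_CLASS_POLICIES:
            findings.append(f"policy-map {pname} has {len(classes)} class policies (max {MAX_CLASS_POLICIES})")
        for cname in classes:  # every class policy needs a class map with match criteria
            if cname != "class-default" and cname not in class_maps:
                findings.append(f"policy-map {pname} references undefined class-map {cname}")
    return findings


def requested_bandwidth_kbps(classes):
    """Sum of the absolute 'bandwidth <kbps>' statements in a policy map's class policies."""
    return sum(int(m.group(1)) for lines in classes.values()
               for m in map(BANDWIDTH_RE.match, lines) if m)


def can_attach(classes, available_kbps):
    """Attach-time rule from this entry: the requested total must fit the interface."""
    return requested_bandwidth_kbps(classes) <= available_kbps


# Constructed sample: policy9 from this entry with acl136 defined and ethernet101 left
# undefined, plus a class map that deliberately matches nine NBAR protocols (one too many).
SAMPLE_CONFIG = """\
class-map acl136
 match access-group 136
class-map match-any mgmt-and-apps
 match protocol bgp
 match protocol http
 match protocol ftp
 match protocol dns
 match protocol smtp
 match protocol ssh
 match protocol telnet
 match protocol snmp
 match protocol ntp
policy-map policy9
 class acl136
  bandwidth 2000
 class ethernet101
  bandwidth 3000
 class class-default
  fair-queue 10
"""
```

Running lint on the sample reports the nine-protocol class and the undefined ethernet101 class; requested_bandwidth_kbps on policy9 gives 5000, so can_attach fails on a 4000 kbps interface and succeeds on a 10000 kbps one. The parser also accepts the type control and type service forms used in the Cisco 10000 examples later in this entry.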

Examples

The following example creates a policy map called policy1 and configures two class policies included in that policy map. The class policy called class1 specifies policy for traffic that matches access control list (ACL) 136. The second class is the default class to which packets that do not satisfy configured match criteria are directed.

! The following commands create class-map class1 and define its match criteria:
class-map class1
 match access-group 136

! The following commands create the policy map, which is defined to contain policy
! specification for class1 and the default class:
policy-map policy1

class class1
 bandwidth 2000
 queue-limit 40

class class-default
 fair-queue 16
 queue-limit 20

The following example creates a policy map called policy9 and configures three class policies to belong to that map. Of these classes, two specify policy for classes with class maps that specify match criteria based on either a numbered ACL or an interface name, and one specifies policy for the default class called class-default to which packets that do not satisfy configured match criteria are directed.

policy-map policy9

class acl136
 bandwidth 2000
 queue-limit 40

class ethernet101
 bandwidth 3000
 random-detect exponential-weighting-constant 10

class class-default
 fair-queue 10
 queue-limit 20

Examples for Cisco 10000 Series Routers Only

The following example shows the configuration of a control policy map named rule4. Control policy map rule4 contains one policy rule, which is the association of the control class named class3 with the action to authorize subscribers using the network access server (NAS) port ID. The service-policy type control command is used to apply the control policy map globally.

class-map type control match-all class3
 match access-type pppoe
 match domain cisco.com
 available nas-port-id
!
policy-map type control rule4
 class type control class3
  authorize nas-port-id
!
service-policy type control rule4

The following example shows the configuration of a service policy map named redirect-profile:

policy-map type service redirect-profile
 class type traffic CLASS-ALL
  redirect to group redirect-sg

Related Commands

Command
Description

bandwidth (policy-map class)

Specifies or modifies the bandwidth allocated for a class belonging to a policy map.

class (policy-map)

Specifies the name of the class whose policy you want to create or change, and the default class (commonly known as the class-default class) before you configure its policy.

class class-default

Specifies the default class whose bandwidth is to be configured or modified.

class-map

Creates a class map to be used for matching packets to a specified class.

fair-queue (class-default)

Specifies the number of dynamic queues to be reserved for use by the class-default class as part of the default class policy.

queue-limit

Specifies or modifies the maximum number of packets that the queue can hold for a class policy configured in a policy map.

random-detect (interface)

Enables WRED or DWRED.

random-detect exponential-weighting-constant

Configures the WRED and DWRED exponential weight factor for the average queue size calculation.

random-detect precedence

Configures WRED and DWRED parameters for a particular IP Precedence.

service-policy

Attaches a policy map to an input interface or VC or an output interface or VC to be used as the service policy for that interface or VC.


Posted: Mon May 7 10:57:13 PDT 2007
All contents are Copyright © 1992--2007 Cisco Systems, Inc. All rights reserved.