Network-Based Application Recognition, Cisco IOS Release 12.2(18)ZY2

Network-Based Application Recognition (NBAR) is a classification engine that recognizes and classifies a wide variety of protocols and applications. When NBAR recognizes and classifies a protocol or application, the network can be configured to apply the appropriate quality of service (QoS) for that application or traffic with that protocol.

Configuration information begins with the "Classifying Network Traffic Using NBAR Roadmap" module of the Cisco IOS Quality of Service Solutions Configuration Guide at the following URL:

For a complete list of NBAR-related features included in the Cisco IOS Quality of Service Solutions Configuration Guide, see the Supported NBAR-Related Features table located in the roadmap.

match protocol http

To configure Network-Based Application Recognition (NBAR) to match HTTP traffic by URL, host, Multipurpose Internet Mail Extension (MIME) type, or fields in HTTP packet headers, use the match protocol http command in class-map configuration mode. To disable NBAR from matching HTTP traffic by URL, host, or MIME type, or fields in HTTP packet headers, use the no form of this command.

match protocol http [url url-string | host hostname-string | mime MIME-type | c-header-field c-header-field-string | s-header-field s-header-field-string]

no match protocol http [url url-string | host hostname-string | mime MIME-type | c-header-field c-header-field-string | s-header-field s-header-field-string]

Syntax Description


url	(Optional) Specifies matching by a URL.
url-string	(Optional) User-specified URL of HTTP traffic to be matched.
host	(Optional) Specifies matching by a hostname.
hostname-string	(Optional) User-specified hostname to be matched.
mime	(Optional) Specifies matching by a MIME text string.
MIME-type	(Optional) User-specified MIME text string to be matched.
c-header-field	(Optional) Specifies matching by a string in the header field in HTTP client messages. Note HTTP client messages are often called HTTP request messages.
c-header-field-string	(Optional) User-specified text string within the HTTP client message (HTTP request message) to be matched.
s-header-field	(Optional) Specifies matching by a string in the header field in the HTTP server messages. Note HTTP server messages are often called HTTP response messages.
s-header-field-string	(Optional) User-specified text within the HTTP server message (HTTP response message) to be matched.
Catalyst 6500 Series Switch Equipped with the Supervisor 32/PISA Engine
content-encoding	(Optional) Specifies matching by the encoding mechanism used to package the entity body.
content-encoding-name-string	(Optional) User-specified content-encoding name.
from	(Optional) Specifies matching by the e-mail address of the person controlling the user agent.
from-address-string	(Optional) User-specified e-mail address.
location	(Optional) Specifies matching by the exact location of the resource from request.
location-name-string	(Optional) User-specified location of the resource.
referer	(Optional) Specifies matching by the address from which the resource request was obtained.
referer-address-name-string	(Optional) User-specified address of the referer resource.
server	(Optional) Specifies matching by the software used by the origin server handling the request.
server-software-name-string	(Optional) User-specified software name.
user-agent	(Optional) Specifies matching by the software used by the agent sending the request.
user-agent-software-name-string	(Optional) User-specified name of the software used by the agent sending the request.

Command Default

NBAR does not match HTTP traffic by URL, host, MIME type, or fields in HTTP packet headers.

Command Modes

Command History


Release	Modification
12.0(5)XE2	This command was introduced.
12.1(1)E	This command was integrated into Cisco IOS Release 12.1(1)E.
12.1(2)E	This command was modified to include the hostname-string argument.
12.1(5)T	This command was integrated into Cisco IOS Release 12.1(5)T.
12.1(13)E	This command became available on Catalyst 6000 family switches without FlexWAN modules.
12.2(14)S	This command was integrated into Cisco IOS Release 12.2(14)S.
12.2(17a)SX1	This command was integrated into Cisco IOS Release 12.2(17a)SX1.
12.3(4)T	This command was integrated into Cisco IOS Release 12.3(4)T, and the NBAR Extended Inspection for HTTP Traffic feature was introduced. This feature allows NBAR to scan TCP ports that are not well known and to identify HTTP traffic traversing these ports.
12.4(2)T	This command was integrated into Cisco IOS Release 12.4(2)T and was modified to include the c-header-field c-header-field-string and s-header-field s-header-field-string keywords and arguments.
12.2(33)SRA	This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2(18)ZY2	This command was integrated into Cisco IOS Release 12.2(18)ZY2, and support was provided for the Catalyst 6500 series switch that is equipped with the Supervisor 32/PISA engine. Note For this Cisco IOS release and this platform, the c-header-field c-header-field-string and s-header-field s-header-field-string keywords and arguments are not available. To achieve the same functionality, use the individual keywords and arguments as shown in the syntax for the Catalyst 6500 series switch.

Usage Guidelines

In Cisco IOS Release 12.3(4)T, the NBAR Extended Inspection for HTTP Traffic feature was introduced. This feature allows NBAR to scan TCP ports that are not well-known and to identify HTTP traffic traversing these ports. This feature is enabled automatically when a service policy containing the match protocol http command is attached to an interface.

When matching by MIME type, the MIME type can contain any user-specified text string. See the following web page for the IANA-registered MIME types:

When matching by MIME type, NBAR matches a packet containing the MIME type and all subsequent packets until the next HTTP transaction.

When matching by host, NBAR performs a regular expression match on the host field contents inside the HTTP packet and classifies all packets from that host.

HTTP client request matching supports GET, PUT, HEAD, POST, DELETE, OPTIONS, and TRACE. When matching by URL, NBAR recognizes the HTTP packets containing the URL and then matches all packets that are part of the HTTP request. When specifying a URL for classification, include only the portion of the URL that follows the www.hostname.domain in the match statement. For example, for the URL www.cisco.com/latest/whatsnew.html, include only /latest/whatsnew.html with the match statement (for instance, match protocol http url /latest/whatsnew.html).

Note For Cisco IOS Release 12.2(18)ZY2 on the Cisco Catalyst 6500 series switch that is equipped with a Supervisor 32/PISA engine, up to 56 parameters or sub-classifications can be specified with the match protocol http command. These parameters or sub-classifications can be a combination of any of the available match choices, such as HOST matches, MIME matches, server matches, URL matches, and so on. For other Cisco IOS releases and platforms, the maximum is 24 parameters or sub-classifications.

To match the www.anydomain.com portion, use the hostname matching feature. The parameter specification strings can take the form of a regular expression with the following options:


Option	Description
*	Match zero or more characters in this position.
?	Match any one character in this position.
\|	Match one of a choice of characters.
(\|)	Match one of a choice of characters in a range. For example cisco.(gif \| jpg) matches either cisco.gif or cisco.jpg.
[ ]	Match any character in the range specified, or one of the special characters. For example, [0-9] is all of the digits. [] is the "" character and [[] is the "[" character.

In Cisco IOS Release 12.3(11)T, NBAR introduced expanded ability for users to classify HTTP traffic using information in the HTTP header fields.

HTTP works using a client/server model: HTTP clients open connections by sending a request message to an HTTP server. The HTTP server then returns a response message to the HTTP client (this response message is typically the resource requested in the request message from the HTTP client). After delivering the response, the HTTP server closes the connection and the transaction is complete.

HTTP header fields are used to provide information about HTTP request and response messages. HTTP has numerous header fields. For additional information on HTTP headers, see section 14 of RFC 2616: Hypertext Transfer Protocol—HTTP/1.1. This document can be read at the following URL:

For request messages (client to server), the following HTTP header fields can be identified by using NBAR:

For response messages (server to client), the following header fields can be identified by using NBAR:

Note

Use of the Content-Base field has not been implemented by the HTTP community. (See RFC 2616 for details.) Therefore, the Content-Base field is not identified by NBAR on the Catalyst 6500 series switch that is equipped with a Supervisor 32/PISA engine.

Within NBAR, the match protocol http c-header-field command is used to specify request messages (the "c" in the c-header-field portion of the command is for client). The match protocol http s-header-field command is used to specify response messages (the "s" in the s-header-field portion of the command is for server).

It is important to note that combinations of URL, host, MIME type, and HTTP headers can be used during NBAR configuration. These combinations provide customers with more flexibility to classify specific HTTP traffic based on their network requirements.

Note For Cisco IOS Release 12.2(18)ZY2 on the Cisco Catalyst 6500 series switch that is equipped with a Supervisor 32/PISA engine, the c-header-field and s-header-field keywords and associated arguments are not available. Instead, use the individual keywords and arguments as shown in the syntax to achieve the same functionality.

Examples

The following example classifies, within class map class1, HTTP packets based on any URL containing the string whatsnew/latest followed by zero or more characters:

The following example classifies, within class map class2, packets based on any hostname containing the string cisco followed by zero or more characters:

The following example classifies, within class map class3, packets based on the JPEG MIME type:

In the following example, any response message that contains "gzip" in the Content-Base (if available), Content-Encoding, Location, or Server header fields will be classified by NBAR. Typically, the term "gzip" would be found in the Content-Encoding header field of the response message.

In the following example, HTTP header fields are combined with a URL to classify traffic. In this example, traffic with a User-Agent field of "CERN-LineMode/3.0" and a Server field of "CERN/3.0", along with URL "www.cisco.com", will be classified using NBAR.

In the following two examples, the individual keywords and associated arguments are used to specify traffic (instead of the c-header-field and the s-header-field keywords).

In the first example, the user-agent, referrer, and from keywords are specified. In the second example, the server, location, content-encoding keywords are specified.

Table Of Contents