Network-Based Application Recognition, Cisco IOS Release 12.2(18)ZY2
Network-Based Application Recognition (NBAR) is a classification engine that recognizes and classifies a wide variety of protocols and applications. When NBAR recognizes and classifies a protocol or application, the network can be configured to apply the appropriate quality of service (QoS) for that application or traffic with that protocol.
Configuration Information
Configuration information begins with the "Classifying Network Traffic Using NBAR Roadmap" module of the Cisco IOS Quality of Service Solutions Configuration Guide at the following URL:
http://www.cisco.com/en/US/docs/ios/qos/configuration/guide/clsfy_trfc_nbar_map.html
For a complete list of NBAR-related features included in the Cisco IOS Quality of Service Solutions Configuration Guide, see the Supported NBAR-Related Features table located in the roadmap.
New or Modified Commands
The following commands are new or modified for this feature:
match protocol http
To configure Network-Based Application Recognition (NBAR) to match HTTP traffic by URL, host, Multipurpose Internet Mail Extension (MIME) type, or fields in HTTP packet headers, use the match protocol http command in class-map configuration mode. To disable NBAR from matching HTTP traffic by URL, host, MIME type, or fields in HTTP packet headers, use the no form of this command.
match protocol http [url url-string | host hostname-string | mime MIME-type | c-header-field c-header-field-string | s-header-field s-header-field-string]
no match protocol http [url url-string | host hostname-string | mime MIME-type | c-header-field c-header-field-string | s-header-field s-header-field-string]
Catalyst 6500 Series Switch Equipped with the Supervisor 32/PISA Engine
match protocol http [content-encoding content-encoding-name-string | from from-address-string | host hostname-string | location location-name-string | mime MIME-type | referer referer-address-string | server server-software-name-string | url url-string | user-agent user-agent-software-name-string]
no match protocol http [content-encoding content-encoding-name-string | from from-address-string | host hostname-string | location location-name-string | mime MIME-type | referer referer-address-string | server server-software-name-string | url url-string | user-agent user-agent-software-name-string]
Syntax Description
Command Default
NBAR does not match HTTP traffic by URL, host, MIME type, or fields in HTTP packet headers.
Command Modes
Class-map configuration (config-cmap)
Command History
Usage Guidelines
Classification of HTTP Traffic by Host, URL, or MIME
In Cisco IOS Release 12.3(4)T, the NBAR Extended Inspection for HTTP Traffic feature was introduced. This feature allows NBAR to scan TCP ports that are not well-known and to identify HTTP traffic traversing these ports. This feature is enabled automatically when a service policy containing the match protocol http command is attached to an interface.
When matching by MIME type, the MIME type can contain any user-specified text string. See the following web page for the IANA-registered MIME types:
http://www.iana.org/assignments/media-types/index.html
When matching by MIME type, NBAR matches a packet containing the MIME type and all subsequent packets until the next HTTP transaction.
When matching by host, NBAR performs a regular expression match on the host field contents inside the HTTP packet and classifies all packets from that host.
HTTP client request matching supports GET, PUT, HEAD, POST, DELETE, OPTIONS, and TRACE. When matching by URL, NBAR recognizes the HTTP packets containing the URL and then matches all packets that are part of the HTTP request. When specifying a URL for classification, include only the portion of the URL that follows the www.hostname.domain in the match statement. For example, for the URL www.cisco.com/latest/whatsnew.html, include only /latest/whatsnew.html with the match statement (for instance, match protocol http url /latest/whatsnew.html).
Note For Cisco IOS Release 12.2(18)ZY2 on the Cisco Catalyst 6500 series switch that is equipped with a Supervisor 32/PISA engine, up to 56 parameters or sub-classifications can be specified with the match protocol http command. These parameters or sub-classifications can be a combination of any of the available match choices, such as HOST matches, MIME matches, server matches, URL matches, and so on. For other Cisco IOS releases and platforms, the maximum is 24 parameters or sub-classifications.
To match the www.anydomain.com portion, use the hostname matching feature. The parameter specification strings can take the form of a regular expression with the following options:
Classification of HTTP Header Fields
In Cisco IOS Release 12.3(11)T, NBAR introduced expanded ability for users to classify HTTP traffic using information in the HTTP header fields.
HTTP works using a client/server model: HTTP clients open connections by sending a request message to an HTTP server. The HTTP server then returns a response message to the HTTP client (this response message is typically the resource requested in the request message from the HTTP client). After delivering the response, the HTTP server closes the connection and the transaction is complete.
HTTP header fields are used to provide information about HTTP request and response messages. HTTP has numerous header fields. For additional information on HTTP headers, see section 14 of RFC 2616: Hypertext Transfer Protocol—HTTP/1.1. This document can be read at the following URL:
http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html
For request messages (client to server), the following HTTP header fields can be identified by using NBAR:
• User-Agent
• Referer
• From
For response messages (server to client), the following header fields can be identified by using NBAR:
• Server
• Location
• Content-Encoding
• Content-Base
Note Use of the Content-Base field has not been implemented by the HTTP community. (See RFC 2616 for details.) Therefore, the Content-Base field is not identified by NBAR on the Catalyst 6500 series switch that is equipped with a Supervisor 32/PISA engine.
Within NBAR, the match protocol http c-header-field command is used to specify request messages (the "c" in the c-header-field portion of the command is for client). The match protocol http s-header-field command is used to specify response messages (the "s" in the s-header-field portion of the command is for server).
It is important to note that combinations of URL, host, MIME type, and HTTP headers can be used during NBAR configuration. These combinations provide customers with more flexibility to classify specific HTTP traffic based on their network requirements.
Note For Cisco IOS Release 12.2(18)ZY2 on the Cisco Catalyst 6500 series switch that is equipped with a Supervisor 32/PISA engine, the c-header-field and s-header-field keywords and associated arguments are not available. Instead, use the individual keywords and arguments as shown in the syntax to achieve the same functionality.
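The usage guidelines above describe the individual match criteria (host, URL, MIME type, client and server header fields) but not how a class map is turned into a QoS action on an interface. The following configuration is an added example, not part of the Cisco document: it builds one class map from the host and URL criteria, one from the client and server header-field criteria (with its Supervisor 32/PISA equivalent using the individual keywords), and then attaches both to a policy map on an interface. The hostnames, URL path, header strings, interface name, and policing and DSCP values are constructed placeholders; the policy-map, police, set ip dscp, service-policy, and show policy-map interface commands are standard Cisco IOS Modular QoS CLI commands that the page itself does not cover.

```ios
! Added example (not from the Cisco document): classify HTTP traffic with
! NBAR and apply a QoS action to each class.
!
! Class 1: requests for a software-download path on a constructed hostname.
! Only the part of the URL after the hostname goes in the url match; the
! hostname is matched separately with the host keyword (see the usage
! guidelines above). match-all: both criteria must be present.
class-map match-all http-downloads
 match protocol http host *downloads.example.com
 match protocol http url /pub/*
!
! Class 2: requests carrying a constructed User-Agent string OR responses
! carrying a constructed Server string. match-any: either header classifies
! the flow. c-header-field looks at client (request) headers, s-header-field
! at server (response) headers.
class-map match-any http-legacy-agents
 match protocol http c-header-field "OldBrowser/1.0"
 match protocol http s-header-field "LegacyServer/2.1"
!
! Same class for Release 12.2(18)ZY2 on the Catalyst 6500 with a Supervisor
! 32/PISA engine, where c-header-field and s-header-field are not available
! and the individual user-agent and server keywords are used instead.
class-map match-any http-legacy-agents-pisa
 match protocol http user-agent OldBrowser/1.0
 match protocol http server LegacyServer/2.1
!
! Policy (illustrative values): rate-limit downloads to 2 Mb/s, dropping
! excess, and mark legacy-agent traffic with its own DSCP so it can be
! tracked and treated separately downstream.
policy-map http-qos
 class http-downloads
  police 2000000 conform-action transmit exceed-action drop
 class http-legacy-agents
  set ip dscp af21
!
! Attaching a service policy that contains match protocol http enables
! NBAR HTTP inspection on the interface, including extended inspection of
! TCP ports that are not well-known.
interface GigabitEthernet0/1
 service-policy input http-qos
!
! Verification (privileged EXEC): per-class packet counters and policing
! statistics for the interface.
! show policy-map interface GigabitEthernet0/1
```

On a platform where both forms are accepted, use only one of the two legacy-agent class maps in the policy map; the PISA variant is shown alongside it only to make the keyword mapping explicit.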
Examples
The following example classifies, within class map class1, HTTP packets based on any URL containing the string whatsnew/latest followed by zero or more characters:
class-map class1
match protocol http url whatsnew/latest*
The following example classifies, within class map class2, packets based on any hostname containing the string cisco followed by zero or more characters:
class-map class2
match protocol http host cisco*
The following example classifies, within class map class3, packets based on the JPEG MIME type:
class-map class3
match protocol http mime "*jpeg"
In the following example, any response message that contains "gzip" in the Content-Base (if available), Content-Encoding, Location, or Server header fields will be classified by NBAR. Typically, the term "gzip" would be found in the Content-Encoding header field of the response message.
class-map class4
match protocol http s-header-field "gzip"
In the following example, HTTP header fields are combined with a URL to classify traffic. In this example, traffic with a User-Agent field of "CERN-LineMode/3.0" and a Server field of "CERN/3.0", along with URL "www.cisco.com", will be classified using NBAR.
class-map match-all c-http
match protocol http c-header-field "CERN-LineMode/3.0"
match protocol http s-header-field "CERN/3.0"
match protocol http url "www.cisco.com"
Catalyst 6500 Series Router Equipped with a Supervisor 32/PISA Engine Example
In the following two examples, the individual keywords and associated arguments are used to specify traffic (instead of the c-header-field and the s-header-field keywords).
In the first example, the user-agent, referrer, and from keywords are specified. In the second example, the server, location, and content-encoding keywords are specified.
class-map match-all test1
match protocol http user-agent Mozilla
match protocol http referrer *10.0.10.50
match protocol http from *cisco.com
class-map match-all test2
match protocol http server Apache
match protocol http location *cisco.com
match protocol http content-encoding compress
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2007 Cisco Systems, Inc. All rights reserved.
Posted: Mon Dec 3 15:04:26 PST 2007