cc/td/doc/product/software/ios122/122newft/122limit/122z
hometocprevnextglossaryfeedbacksearchhelp
PDF

Table Of Contents

Network-Based Application Recognition, Cisco IOS Release 12.2(18)ZY2

match protocol http


Network-Based Application Recognition, Cisco IOS Release 12.2(18)ZY2


Network-Based Application Recognition (NBAR) is a classification engine that recognizes and classifies a wide variety of protocols and applications. When NBAR recognizes and classifies a protocol or application, the network can be configured to apply the appropriate quality of service (QoS) for that application or traffic with that protocol.

Configuration Information

Configuration information begins with the "Classifying Network Traffic Using NBAR Roadmap" module of the Cisco IOS Quality of Service Solutions Configuration Guide at the following URL:

http://www.cisco.com/en/US/docs/ios/qos/configuration/guide/clsfy_trfc_nbar_map.html

For a complete list of NBAR-related features included in the Cisco IOS Quality of Service Solutions Configuration Guide, see the Supported NBAR-Related Features table located in the roadmap.

New or Modified Commands

The following commands are new or modified for this feature:

match protocol http

match protocol http

To configure Network-Based Application Recognition (NBAR) to match HTTP traffic by URL, host, Multipurpose Internet Mail Extension (MIME) type, or fields in HTTP packet headers, use the match protocol http command in class-map configuration mode. To disable NBAR from matching HTTP traffic by URL, host, or MIME type, or fields in HTTP packet headers, use the no form of this command.

match protocol http [url url-string | host hostname-string | mime MIME-type | c-header-field c-header-field-string | s-header-field s-header-field-string]

no match protocol http [url url-string | host hostname-string | mime MIME-type | c-header-field c-header-field-string | s-header-field s-header-field-string]

Catalyst 6500 Series Switch Equipped with the Supervisor 32/PISA Engine

match protocol http [content-encoding content-encoding-name-string | from from-address-string | host hostname-string | location location-name-string | mime MIME-type | referer referer-address-string | server server-software-name-string | url url-string | user-agent user-agent-software-name-string]

no match protocol http [content-encoding content-encoding-name-string | from from-address-string | host hostname-string | location location-name-string | mime
MIME-type | referer referer-address-string | server server-software-name-string | url url-string | user-agent user-agent-software-name-string]

Syntax Description

url

(Optional) Specifies matching by a URL.

url-string

(Optional) User-specified URL of HTTP traffic to be matched.

host

(Optional) Specifies matching by a hostname.

hostname-string

(Optional) User-specified hostname to be matched.

mime

(Optional) Specifies matching by a MIME text string.

MIME-type

(Optional) User-specified MIME text string to be matched.

c-header-field

(Optional) Specifies matching by a string in the header field in HTTP client messages.

Note HTTP client messages are often called HTTP request messages.

c-header-field-string

(Optional) User-specified text string within the HTTP client message (HTTP request message) to be matched.

s-header-field

(Optional) Specifies matching by a string in the header field in the HTTP server messages.

Note HTTP server messages are often called HTTP response messages.

s-header-field-string

(Optional) User-specified text within the HTTP server message (HTTP response message) to be matched.

Catalyst 6500 Series Switch Equipped with the Supervisor 32/PISA Engine

content-encoding

(Optional) Specifies matching by the encoding mechanism used to package the entity body.

content-encoding-name-string

(Optional) User-specified content-encoding name.

from

(Optional) Specifies matching by the e-mail address of the person controlling the user agent.

from-address-string

(Optional) User-specified e-mail address.

location

(Optional) Specifies matching by the exact location of the resource from request.

location-name-string

(Optional) User-specified location of the resource.

referer

(Optional) Specifies matching by the address from which the resource request was obtained.

referer-address-name-string

(Optional) User-specified address of the referer resource.

server

(Optional) Specifies matching by the software used by the origin server handling the request.

server-software-name-string

(Optional) User-specified software name.

user-agent

(Optional) Specifies matching by the software used by the agent sending the request.

user-agent-software-name-string

(Optional) User-specified name of the software used by the agent sending the request.


Command Default

NBAR does not match HTTP traffic by URL, host, MIME type, or fields in HTTP packet headers.

Command Modes

Class-map configuration (config-cmap)

Command History

Release
Modification

12.0(5)XE2

This command was introduced.

12.1(1)E

This command was integrated into Cisco IOS Release 12.1(1)E.

12.1(2)E

This command was modified to include the hostname-string argument.

12.1(5)T

This command was integrated into Cisco IOS Release 12.1(5)T.

12.1(13)E

This command became available on Catalyst 6000 family switches without FlexWAN modules.

12.2(14)S

This command was integrated into Cisco IOS Release 12.2(14)S.

12.2(17a)SX1

This command was integrated into Cisco IOS Release 12.2(17a)SX1.

12.3(4)T

This command was integrated into Cisco IOS Release 12.3(4)T, and the NBAR Extended Inspection for HTTP Traffic feature was introduced. This feature allows NBAR to scan TCP ports that are not well known and to identify HTTP traffic traversing these ports.

12.4(2)T

This command was integrated into Cisco IOS Release 12.4(2)T and was modified to include the c-header-field c-header-field-string and s-header-field s-header-field-string keywords and arguments.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2(18)ZY2

This command was integrated into Cisco IOS Release 12.2(18)ZY2, and support was provided for the Catalyst 6500 series switch that is equipped with the Supervisor 32/PISA engine.

Note For this Cisco IOS release and this platform, the c-header-field c-header-field-string and s-header-field s-header-field-string keywords and arguments are not available. To achieve the same functionality, use the individual keywords and arguments as shown in the syntax for the Catalyst 6500 series switch.


Usage Guidelines

Classification of HTTP Traffic by Host, URL, or MIME

In Cisco IOS Release 12.3(4)T, the NBAR Extended Inspection for HTTP Traffic feature was introduced. This feature allows NBAR to scan TCP ports that are not well-known and to identify HTTP traffic traversing these ports. This feature is enabled automatically when a service policy containing the match protocol http command is attached to an interface.

When matching by MIME type, the MIME type can contain any user-specified text string. See the following web page for the IANA-registered MIME types:

http://www.iana.org/assignments/media-types/index.html

When matching by MIME type, NBAR matches a packet containing the MIME type and all subsequent packets until the next HTTP transaction.

When matching by host, NBAR performs a regular expression match on the host field contents inside the HTTP packet and classifies all packets from that host.

HTTP client request matching supports GET, PUT, HEAD, POST, DELETE, OPTIONS, and TRACE. When matching by URL, NBAR recognizes the HTTP packets containing the URL and then matches all packets that are part of the HTTP request. When specifying a URL for classification, include only the portion of the URL that follows the www.hostname.domain in the match statement. For example, for the URL www.cisco.com/latest/whatsnew.html, include only /latest/whatsnew.html with the match statement (for instance, match protocol http url /latest/whatsnew.html).


Note For Cisco IOS Release 12.2(18)ZY2 on the Cisco Catalyst 6500 series switch that is equipped with a Supervisor 32/PISA engine, up to 56 parameters or sub-classifications can be specified with the match protocol http command. These parameters or sub-classifications can be a combination of any of the available match choices, such as HOST matches, MIME matches, server matches, URL matches, and so on. For other Cisco IOS releases and platforms, the maximum is 24 parameters or sub-classifications.


To match the www.anydomain.com portion, use the hostname matching feature. The parameter specification strings can take the form of a regular expression with the following options:

Option
Description

*

Match zero or more characters in this position.

?

Match any one character in this position.

|

Match one of a choice of characters.

(|)

Match one of a choice of characters in a range. For example cisco.(gif | jpg) matches either cisco.gif or cisco.jpg.

[ ]

Match any character in the range specified, or one of the special characters. For example, [0-9] is all of the digits. [*] is the "*" character and [[] is the "[" character.


Classification of HTTP Header Fields

In Cisco IOS Release 12.3(11)T, NBAR introduced expanded ability for users to classify HTTP traffic using information in the HTTP header fields.

HTTP works using a client/server model: HTTP clients open connections by sending a request message to an HTTP server. The HTTP server then returns a response message to the HTTP client (this response message is typically the resource requested in the request message from the HTTP client). After delivering the response, the HTTP server closes the connection and the transaction is complete.

HTTP header fields are used to provide information about HTTP request and response messages. HTTP has numerous header fields. For additional information on HTTP headers, see section 14 of RFC 2616: Hypertext Transfer Protocol—HTTP/1.1. This document can be read at the following URL:

http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html

For request messages (client to server), the following HTTP header fields can be identified by using NBAR:

User-Agent

Referer

From

For response messages (server to client), the following header fields can be identified by using NBAR:

Server

Location

Content-Encoding

Content-Base


Note Use of the Content-Base field has not been implemented by the HTTP community. (See RFC 2616 for details.) Therefore, the Content-Base field is not identified by NBAR on the Catalyst 6500 series switch that is equipped with a Supervisor 32/PISA engine.


Within NBAR, the match protocol http c-header-field command is used to specify request messages (the "c" in the c-header-field portion of the command is for client). The match protocol http s-header-field command is used to specify response messages (the "s" in the s-header-field portion of the command is for server).

It is important to note that combinations of URL, host, MIME type, and HTTP headers can be used during NBAR configuration. These combinations provide customers with more flexibility to classify specific HTTP traffic based on their network requirements.


Note For Cisco IOS Release 12.2(18)ZY2 on the Cisco Catalyst 6500 series switch that is equipped with a Supervisor 32/PISA engine, the c-header-field and s-header-field keywords and associated arguments are not available. Instead, use the individual keywords and arguments as shown in the syntax to achieve the same functionality.


Examples

The following example classifies, within class map class1, HTTP packets based on any URL containing the string whatsnew/latest followed by zero or more characters:

class-map class1
 match protocol http url whatsnew/latest*

The following example classifies, within class map class2, packets based on any hostname containing the string cisco followed by zero or more characters:

class-map class2
 match protocol http host cisco*

The following example classifies, within class map class3, packets based on the JPEG MIME type:

class-map class3
 match protocol http mime "*jpeg"

In the following example, any response message that contains "gzip" in the Content-Base (if available), Content-Encoding, Location, or Server header fields will be classified by NBAR. Typically, the term "gzip" would be found in the Content-Encoding header field of the response message.

class-map class4
 match protocol http s-header-field "gzip"

In the following example, HTTP header fields are combined with a URL to classify traffic. In this example, traffic with a User-Agent field of "CERN-LineMode/3.0" and a Server field of "CERN/3.0", along with URL "www.cisco.com", will be classified using NBAR.

class-map match-all c-http  match protocol http c-header-field "CERN-LineMode/3.0"  match protocol http s-header-field "CERN/3.0"  match protocol http url "www.cisco.com"

Catalyst 6500 Series Router Equipped with a Supervisor 32/PISA Engine Example

In the following two examples, the individual keywords and associated arguments are used to specify traffic (instead of the c-header-field and the s-header-field keywords).

In the first example, the user-agent, referrer, and from keywords are specified. In the second example, the server, location, content-encoding keywords are specified.

class-map match-all test1
 match protocol http user-agent Mozilla
 match protocol http referrer *10.0.10.50
 match protocol http from *cisco.com

class-map match-all test2
 match protocol http server Apache
 match protocol http location *cisco.com
 match protocol http content-encoding compress


hometocprevnextglossaryfeedbacksearchhelp

Posted: Mon Dec 3 15:04:26 PST 2007
All contents are Copyright © 1992--2007 Cisco Systems, Inc. All rights reserved.
Important Notices and Privacy Statement.