Вы находитесь на странице: 1из 133

QoS: NBAR Configuration Guide Cisco IOS Release 15.

1MT

Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883

Americas Headquarters

CONTENTS
Classifying Network Traffic Using NBAR 1 Finding Feature Information 1 Prerequisites for Using NBAR 2 Restrictions for Using NBAR 2 Layer 2 NBAR Restrictions 3 Information About Using NBAR 3 NBAR Functionality 4 NBAR Benefits 5 NBAR and Classification of HTTP Traffic 5 Classification of HTTP Traffic by URL Host or MIME 6 Classification of HTTP Traffic Using the HTTP Header Fields 7 Combinations of Classification of HTTP Headers and URL Host or MIME Type to Identify HTTP Traffic 9 NBAR and Classification of Citrix ICA Traffic 9 Classification of Citrix ICA Traffic by Published Application Name 9 Classification of Citrix ICA Traffic by ICA Tag Number 10 NBAR and RTP Payload Type Classification 11 NBAR and Classification of Custom Protocols and Applications 11 NBAR and Classification of Peer-to-Peer File-Sharing Applications 11 NBAR and Classification of Streaming Protocols 12 NBAR and AutoQoS 13 NBAR and FWSM Integration 13 NBAR and TelePresence PDLM 13 NBAR-Supported Protocols 14 NBAR Memory Management 70 NBAR Protocol Discovery 71 Non-intrusive Protocol Discovery 71 NBAR Protocol Discovery MIB 71 NBAR Configuration Processes 72 Where to Go Next 72 Additional References 72

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT ii

Contents

Feature Information for Classifying Network Traffic Using NBAR 77 Glossary 78 Enabling Protocol Discovery 81 Finding Feature Information 81 Prerequisites for Enabling Protocol Discovery 81 Information About Protocol Discovery 81 Protocol Discovery Functionality 82 How to Configure Protocol Discovery 82 Enabling Protocol Discovery on an Interface 82 Reporting Protocol Discovery Statistics 83 Configuration Examples for Enabling Protocol Discovery 84 Example Enabling Protocol Discovery on an Interface 84 Example Reporting Protocol Discovery Statistics 84 Where to Go Next 85 Additional References 85 Feature Information for Enabling Protocol Discovery 86 Configuring NBAR Using the MQC 89 Finding Feature Information 89 Prerequisites for Configuring NBAR Using the MQC 89 Information About Configuring NBAR Using the MQC 90 NBAR and the MQC Functionality 90 NBAR and the match protocol Commands 90 How to Configure NBAR Using the MQC 91 Configuring a Traffic Class 91 Configuring a Traffic Policy 93 Attaching a Traffic Policy to an Interface or Subinterface 94 Verifying NBAR Using the MCQ 96 Configuration Examples for Configuring NBAR Using the MQC 97 Example Configuring a Traffic Class 97 Example Configuring a Traffic Policy 98 Example Attaching a Traffic Policy to an Interface or Subinterface 98 Example Verifying the NBAR Protocol-to-Port Mappings 99 Where to Go Next 99 Additional References 99 Feature Information for Configuring NBAR Using the MQC 100

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT iii

Contents

Adding Application Recognition Modules 105 Finding Feature Information 105 Prerequisites for Adding Application Recognition Modules 105 Information About Adding Application Recognition Modules 105 PDLM Functionality 106 PDLM Versioning 106 How to Add Application Recognition Modules 107 Downloading a PDLM 107 Verifying the Downloaded PDLMs 108 Configuration Examples for Adding Application Recognition Modules 109 Example Downloading a PDLM 109 Example Verifying the Downloaded PDLMs 109 Where to Go Next 111 Additional References 111 Feature Information for Adding Application Recognition Modules 112 Creating a Custom Protocol 115 Finding Feature Information 115 Prerequisites for Creating a Custom Protocol 115 Information About Creating a Custom Protocol 115 NBAR and Custom Protocols 116 MQC and NBAR Custom Protocols 116 How to Create a Custom Protocol 117 Defining a Custom Protocol 117 Examples 118 Configuring a Traffic Class to Use the Custom Protocol 119 Configuring a Traffic Policy 120 Attaching the Traffic Policy to an Interface 122 Displaying Custom Protocol Information 123 Configuration Examples for Creating a Custom Protocol 124 Example Creating a Custom Protocol 124 Example Configuring a Traffic Class to Use the Custom Protocol 124 Example Configuring a Traffic Policy 125 Example Attaching the Traffic Policy to an Interface 125 Example Displaying Custom Protocol Information 126 Additional References 126

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT iv

Contents

Feature Information for Creating a Custom Protocol 127

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT v

Classifying Network Traffic Using NBAR


Network-Based Application Recognition (NBAR) is a classification engine that recognizes and classifies a wide variety of protocols and applications. When NBAR recognizes and classifies a protocol or application, the network can be configured to apply the appropriate quality of service (QoS) for that application or traffic with that protocol. This module contains overview information about classifying network traffic using NBAR. The processes for configuring NBAR are documented in separate modules.

Note

This module includes information for both NBAR and Distributed Network-Based Application Recognition (dNBAR). dNBAR is NBAR used on the Cisco 7500 router with a Versatile Interface Processor (VIP) and on the Catalyst 6500 family of switches with a FlexWAN module or serial interface processor (SIP). The implementation of NBAR and dNBAR is identical. Therefore, unless otherwise noted, the term NBAR is used throughout this module to describe both NBAR and dNBAR. The term dNBAR is used only when applicable. Finding Feature Information, page 1 Prerequisites for Using NBAR, page 2 Restrictions for Using NBAR, page 2 Information About Using NBAR, page 3 Where to Go Next, page 72 Additional References, page 72 Feature Information for Classifying Network Traffic Using NBAR, page 77 Glossary, page 78

Finding Feature Information


Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the Feature Information Table at the end of this document. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 1

Classifying Network Traffic Using NBAR Prerequisites for Using NBAR

Prerequisites for Using NBAR


CEF Before you configure NBAR, you must enable Cisco Express Forwarding (CEF).

Note

This prerequisite does not apply if you are using Cisco IOS Release 12.2(18)ZYA.

Stateful Switchover Support NBAR is currently not supported with Stateful Switchover (SSO). This restriction applies to the Catalyst 6500 switches and to the Cisco 7500 and Cisco 7600 series routers. Memory Requirements for dNBAR To use dNBAR on a Cisco 7500 series router, you must be using a slot controller (or VIP processor) that has 64 MB of DRAM or more. Therefore, before configuring dNBAR on your Cisco 7500 series router, review the DRAM specifications for your particular slot controller or VIP processor.

Restrictions for Using NBAR


NBAR does not support the following: More than 24 concurrent URLs, hosts, or Multipurpose Internet Mail Extension (MIME) type matches.

Note

For Cisco IOS Release 12.2(18)ZYA and Cisco IOS Release 15.1(2)T, the maximum number of concurrent URLs, hosts, or MIME type matches is 56. Matching beyond the first 400 bytes in a packet payload in Cisco IOS releases before Cisco IOS Release 12.3(7)T. In Cisco IOS Release 12.3(7)T, this restriction was removed, and NBAR now supports full payload inspection. The only exception is that NBAR can inspect custom protocol traffic for only 255 bytes into the payload. Non-IP traffic. MPLS-labeled packets. NBAR classifies IP packets only. You can, however, use NBAR to classify IP traffic before the traffic is handed over to MPLS. Use the Modular Quality of Service (QoS) Command-Line Interface (CLI) (MQC) to set the IP differentiated services code point (DSCP) field on the NBAR-classified packets and make Multiprotocol Label Switching (MPLS) map the DSCP setting to the MPLS experimental (EXP) setting inside the MPLS header. Multicast and other non-CEF switching modes. Fragmented packets. Pipelined persistent HTTP requests. URL/host/MIME classification with secure HTTP. Asymmetric flows with stateful protocols. Packets that originate from or that are destined to the router running NBAR.

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 2

Layer 2 NBAR Restrictions Information About Using NBAR

NBAR is not supported on the following logical interfaces: Fast Etherchannel

Note

Fast Etherchannels are supported in Cisco IOS Release 12.2(18)ZYA. Dialer interfaces until Cisco IOS Release 12.2(4)T Interfaces where tunneling or encryption is used

Note

You cannot use NBAR to classify output traffic on a WAN link where tunneling or encryption is used. Therefore, you should configure NBAR on other interfaces of the router (such as a LAN link) to perform input classification before the traffic is switched to the WAN link. Layer 2 NBAR Restrictions, page 3

Layer 2 NBAR Restrictions


The phrase "Layer 2 NBAR" refers to NBAR functionality used with Layer 2 interfaces (such as switchports, trunks, or Etherchannels). Layer 2 NBAR functionality can also be used with service modules such as a Firewall Service Module (FWSM) and an Intrusion Detection Service Module (IDSM) with the following restriction. Layer 2 NBAR is not supported on Layer 2 interfaces that are configured as part of a service module (such as FWSM and IDSM) when those service modules are configured in inline mode (that is, network traffic is in a direct path through the service module).

Note

This restriction does not apply to NBAR functionality that is used with Layer 3 interfaces. However, Layer 2 NBAR is supported in non-inline mode with service modules even when using Switched Port Analyzer (SPAN), Remote SPAN (RSPAN), or VLAN Access Control List (VACL) Capture functionality to send traffic to a service module. For more information about the FWSM and its connection features, see the "Configuring Advanced Connection Features" module of the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide. For more information about the IDSM, see the "Configuring IDSM-2" module of the Configuring the Cisco Intrusion Prevention System Sensor Using the Command Line Interface. For more information about SPAN or RSPAN, see the "Configuring SPAN and RSPAN" module of the Catalyst 6500 Series Software Configuration Guide . For more information about VACL Capture, see the "VACL Capture for Granular Traffic Analysis with Cisco Catalyst 6000/6500 Running Cisco IOS Software" module.

Information About Using NBAR


NBAR Functionality, page 4

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 3

NBAR Functionality Information About Using NBAR

NBAR Benefits, page 5 NBAR and Classification of HTTP Traffic, page 5 NBAR and Classification of Citrix ICA Traffic, page 9 NBAR and RTP Payload Type Classification, page 11 NBAR and Classification of Custom Protocols and Applications, page 11 NBAR and Classification of Peer-to-Peer File-Sharing Applications, page 11 NBAR and Classification of Streaming Protocols, page 12 NBAR and AutoQoS, page 13 NBAR and FWSM Integration, page 13 NBAR and TelePresence PDLM, page 13 NBAR-Supported Protocols, page 14 NBAR Memory Management, page 70 NBAR Protocol Discovery, page 71 NBAR Protocol Discovery MIB, page 71 NBAR Configuration Processes, page 72

NBAR Functionality
NBAR is a classification engine that recognizes and classifies a wide variety of protocols and applications, including web-based and other difficult-to-classify applications and protocols that use dynamic TCP/UDP port assignments. When NBAR recognizes and classifies a protocol or application, the network can be configured to apply the appropriate QoS for that application or traffic with that protocol. The QoS is applied using the Modular Quality of Service Command-Line Interface (MQC).

Note

For more information about NBAR and its relationship with the MQC, see the "Configuring NBAR Using the MQC" module. Examples of the QoS features that can be applied to the network traffic (using the MQC) after NBAR has recognized and classified the application or protocol include the following: Class-Based Marking Class-Based Weighted Fair Queuing (CBWFQ) Low Latency Queuing (LLQ) Traffic Policing Traffic Shaping

Note

For Cisco IOS Release 12.2(18)ZYA on the Catalyst 6500 series switch (that is equipped with a Supervisor 32/programmable intelligent services accelerator [PISA]), only the QoS features listed below can be configured. These features can be configured (using the MQC) after NBAR has recognized and classified the application or protocol. Traffic Classification Traffic Marking Traffic Policing

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 4

NBAR Benefits Information About Using NBAR

Note

For more information about the QoS features, see the "Quality of Service Overview" module. For more information about the Catalyst 6500 series switch and QoS, see the "Configuring QoS" module of the Catalyst 6500 Series Software Configuration Guide. NBAR introduces several classification features that identify applications and protocols from Layer 4 through Layer 7. These classification features include the following: Statically assigned TCP and UDP port numbers. Non-TCP and non-UDP IP protocols. Dynamically assigned TCP and UDP port numbers.

This kind of classification requires stateful inspection; that is, the ability to inspect a protocol across multiple packets during packet classification. Subport classification or classification based on deep-packet inspection.

Deep-packet classification is classification performed at a finer level of granularity. For instance, if a packet is already classified as HTTP traffic, it may be further classified by HTTP traffic with a specific URL.

Note

Access control lists (ACLs) can also be used for classifying static port protocols. However, NBAR is easier to configure, and NBAR can provide classification statistics that are not available when ACLs are used. NBAR includes a Protocol Discovery feature that provides an easy way to discover application protocols that are operating on an interface. For more information about Protocol Discovery, see the "Enabling Protocol Discovery" module.

Note

NBAR classifies network traffic by application or protocol. Network traffic can be classified without using NBAR. For information about classifying network traffic without using NBAR, see the "Classifying Network Traffic" module.

NBAR Benefits
Improved Network Management Identifying and classifying network traffic is an important first step in implementing QoS. A network administrator can more effectively implement QoS in a networking environment after identifying the amount and the variety of applications and protocols that are running on a network. NBAR gives network administrators the ability to see the variety of protocols and the amount of traffic generated by each protocol. After gathering this information, NBAR allows users to organize traffic into classes. These classes can then be used to provide different levels of service for network traffic, thereby allowing better network management by providing the right level of network resources for network traffic.

NBAR and Classification of HTTP Traffic


This section includes information about the following topics:

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 5

Classifying Network Traffic Using NBAR Classification of HTTP Traffic by URL Host or MIME

Classification of HTTP Traffic by URL Host or MIME, page 6 Classification of HTTP Traffic Using the HTTP Header Fields, page 7 Combinations of Classification of HTTP Headers and URL Host or MIME Type to Identify HTTP Traffic, page 9

Classification of HTTP Traffic by URL Host or MIME


NBAR can classify application traffic by looking beyond the TCP/UDP port numbers of a packet. This is subport classification. NBAR looks into the TCP/UDP payload itself and classifies packets based on content within the payload such as that transaction identifier, message type, or other similar data. Classification of HTTP traffic by URL, host, or Multipurpose Internet Mail Extension (MIME) type is an example of subport classification. NBAR classifies HTTP traffic by text within the URL or host fields of a request using regular expression matching. HTTP client request matching in NBAR supports most HTTP request methods such as GET, PUT, HEAD, POST, DELETE, OPTIONS, CONNECT, and TRACE. The NBAR engine then converts the specified match string into a regular expression. The figure below illustrates a network topology with NBAR in which Router Y is the NBAR-enabled router.

When specifying a URL for classification, include only the portion of the URL that follows the www.hostname .domain in the match statement. For example, for the URL www.cisco.com/latest/ whatsnew.html, include only /latest/whatsnew.html with the match statement (for instance, match protocol http url /latest/whatsnew.html).

Note

For Cisco IOS Release 12.2(18)ZY2 and later releases on the Cisco Catalyst 6500 series switch that is equipped with a Supervisor 32/PISA, and for Cisco IOS Release 15.1(2)T and later releases, up to 56 parameters or subclassifications per protocol per router can be specified with the match protocol http command. These parameters or subclassifications can be a combination of any of the available match choices, such as host matches, MIME matches, server matches, and URL matches. For other Cisco IOS releases and platforms, the maximum is 24 parameters or subclassifications per protocol per router. Host specification is identical to URL specification. NBAR performs a regular expression match on the host field contents inside an HTTP packet and classifies all packets from that host. For example, for the URL www.cisco.com/latest/whatsnew.html, include only www.cisco.com. For MIME type matching, the MIME type can contain any user-specified text string. A list of the IANAsupported MIME types can be found at the following URL: http://www.iana.org/assignments/media-types/ When matching by MIME type, NBAR matches a packet containing the MIME type and all subsequent packets until the next HTTP transaction.

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 6

Classifying Network Traffic Using NBAR Classification of HTTP Traffic Using the HTTP Header Fields

NBAR supports URL and host classification in the presence of persistent HTTP. NBAR does not classify packets that are part of a pipelined request. With pipelined requests, multiple requests are pipelined to the server before previous requests are serviced. Pipelined requests are a less commonly used type of persistent HTTP request. In Cisco IOS Release 12.3(4)T, the NBAR Extended Inspection for HTTP Traffic feature was introduced. This feature allows NBAR to scan TCP ports that are not well known and to identify HTTP traffic that traverses these ports. HTTP traffic classification is no longer limited to the well-known and defined TCP ports.

Classification of HTTP Traffic Using the HTTP Header Fields


In Cisco IOS Release 12.3(11)T, NBAR introduced expanded ability for users to classify HTTP traffic using information in the HTTP header fields. HTTP works using a client/server model. HTTP clients open connections by sending a request message to an HTTP server. The HTTP server then returns a response message to the HTTP client (this response message is typically the resource requested in the request message from the HTTP client). After delivering the response, the HTTP server closes the connection and the transaction is complete. HTTP header fields are used to provide information about HTTP request and response messages. HTTP has numerous header fields. For additional information on HTTP headers, see section 14 of RFC 2616: Hypertext Transfer Protocol--HTTP/1.1. This RFC can be found at the following URL: http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html NBAR can classify the following HTTP header fields: For request messages (client to server), the following HTTP header fields can be identified using NBAR: User-Agent Referer From For response messages (server to client), the following HTTP header fields can be identified using NBAR: Server Location Content-Encoding Content-Base

Note

Use of the Content-Base field has not been implemented by the HTTP community. (See RFC 2616 for details.) Therefore, the Content-Base field is not identified by NBAR on the Catalyst 6500 series switch that is equipped with a Supervisor 32/PISA. Within NBAR, the match protocol http c-header-field command is used to specify that NBAR identify request messages (the "c" in the c-header-field portion of the command is for client). The match protocol http s-header-field command is used to specify response messages (the "s" in the s-header-fieldportion of the command is for server).

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 7

Classifying Network Traffic Using NBAR Classification of HTTP Traffic Using the HTTP Header Fields

Note

For Cisco IOS Release 12.2(18)ZY2 and later releases on the Cisco Catalyst 6500 series switch that is equipped with a Supervisor 32/PISA, and for Cisco IOS Release 15.1(2)T and later releases, the c-headerfield and s-header-field keywords and associated arguments in the match protocol http command are not available. The same functionality is achieved by using the individual keywords and arguments. For more information, see the syntax of the match protocol http command in the Cisco IOS Quality of Service Solutions Command Reference.

Note

The c-header-field performs sub-classification based on a single value in the user-agent, referrer, or from header field values and the s-header-field performs sub-classification based on a single value that in the server, location, content-encoding, or content-base header field values. These header field values are not related to each other. Hence the c-header and s-header fields are replaced by user-agent, referrer, from, server, content-base, content-encoding, and location parameters as per the intent and need of HTTP subclassification.

Examples In the following example, any request message that contains "somebody@cisco.com" in the User-Agent, Referer, or From fields will be classified by NBAR. Typically, a term with a format similar to "somebody@cisco.com" would be found in the From header field of the HTTP request message.
class-map match-all class1 match protocol http c-header-field "somebody@cisco.com"

In the following example, any request message that contains "http://www.cisco.com/routers" in the UserAgent, Referer, or From fields will be classified by NBAR. Typically, a term with a format similar to "http://www.cisco.com/routers" would be found in the Referer header field of the HTTP request message.
class-map match-all class2 match protocol http c-header-field "http://www.cisco.com/routers"

In the following example, any request message that contains "CERN-LineMode/2.15" in the User-Agent, Referer, or From header fields will be classified by NBAR. Typically, a term with a format similar to "CERN-LineMode/2.15" would be found in the User-Agent header field of the HTTP request message.
class-map match-all class3 match protocol http c-header-field "CERN-LineMode/2.15"

In the following example, any response message that contains " CERN/3.0" in the Content-Base (if available), Content-Encoding, Location, or Server header fields will be classified by NBAR. Typically, a term with a format similar to "CERN/3.0" would be found in the Server header field of the response message.
class-map match-all class4 match protocol http s-header-field "CERN/3.0"

In the following example, any response message that contains " http://www.cisco.com/routers" in the Content-Base (if available), Content-Encoding, Location, or Server header fields will be classified by NBAR. Typically, a term with a format similar to " http://www.cisco.com/routers " would be found in the Content-Base (if available) or Location header field of the response message.
class-map match-all class5 match protocol http s-header-field "http://www.cisco.com/routers"

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 8

NBAR and Classification of Citrix ICA Traffic Combinations of Classification of HTTP Headers and URL Host or MIME Type to Identify HTTP Traffic

In the following example, any response message that contains " gzip" in the Content-Base (if available), Content-Encoding, Location, or Server header fields will be classified by NBAR. Typically, the term "gzip" would be found in the Content-Encoding header field of the response message.
class-map match-all class6 match protocol http s-header-field "gzip"

Combinations of Classification of HTTP Headers and URL Host or MIME Type to Identify HTTP Traffic
Note that combinations of URL, Host, MIME type, and HTTP headers can be used during NBAR configuration. These combinations provide customers with more flexibility to classify specific HTTP traffic based on their network requirements. Examples In the following example, HTTP header fields are combined with a URL to classify traffic. In this example, traffic with a User-Agent field of "CERN-LineMode/3.0" and a Server field of "CERN/3.0," along with URL "www.cisco.com/routers," will be classified using NBAR:
class-map match-all c-http match protocol http c-header-field "CERN-LineMode/3.0" match protocol http s-header-field "CERN/3.0" match protocol http url "www.cisco.com/routers"

NBAR and Classification of Citrix ICA Traffic


NBAR can classify Citrix Independent Computing Architecture (ICA) traffic and perform subport classification of Citrix traffic based on the published application name or ICA tag number. This section includes information about the following topics: Classification of Citrix ICA Traffic by Published Application Name, page 9 Classification of Citrix ICA Traffic by ICA Tag Number, page 10

Classification of Citrix ICA Traffic by Published Application Name


NBAR can monitor Citrix ICA client requests for a published application destined to a Citrix ICA Master browser. After the client requests the published application, the Citrix ICA Master browser directs the client to the server with the most available memory. The Citrix ICA client then connects to this Citrix ICA server for the application.

Note

For Citrix to monitor and classify traffic by the published application name, Server Browser Mode on the Master browser must be used. In Server Browser Mode, NBAR statefully tracks and monitors traffic and performs a regular expression search on the packet contents for the published application name specified by the match protocol citrix command. The published application name is specified by using the app keyword and the applicationname-string argument of the match protocol citrix command. For more information about the match protocol citrix command, see the Cisco IOS Quality of Service Solutions Command Reference. The Citrix ICA session triggered to carry the specified application is cached, and traffic is classified appropriately for the published application name.

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 9

Classifying Network Traffic Using NBAR Classification of Citrix ICA Traffic by ICA Tag Number

Citrix ICA Client Modes Citrix ICA clients can be configured in various modes. NBAR cannot distinguish among Citrix applications in all modes of operation. Therefore, network administrators might need to collaborate with Citrix administrators to ensure that NBAR properly classifies Citrix traffic. A Citrix administrator can configure Citrix to publish Citrix applications individually or as the entire desktop. In the Published Desktop mode of operation, all applications within the published desktop of a client use the same TCP session. Therefore, differentiation among applications is impossible, and NBAR can be used to classify Citrix applications only as aggregates (by looking at port 1494). The Published Application mode for Citrix ICA clients is recommended when you use NBAR. In Published Application mode, a Citrix administrator can configure a Citrix client in either seamless or non-seamless (windows) modes of operation. In nonseamless mode, each Citrix application uses a separate TCP connection, and NBAR can be used to provide interapplication differentiation based on the name of the published application. Seamless mode clients can operate in one of two submodes: session sharing or nonsession sharing. In seamless session sharing mode, all clients share the same TCP connection, and NBAR cannot differentiate among applications. Seamless sharing mode is enabled by default on some software releases. In seamless nonsession sharing mode, each application for each particular client uses a separate TCP connection. NBAR can provide interapplication differentiation in seamless nonsession sharing mode.

Note

NBAR operates properly in Citrix ICA secure mode. Pipelined Citrix ICA client requests are not supported.

Classification of Citrix ICA Traffic by ICA Tag Number


Citrix uses one TCP session each time an application is opened. In the TCP session, a variety of Citrix traffic may be intermingled in the same session. For example, print traffic may be intermingled with interactive traffic, causing interruption and delay for a particular application. Most people would prefer that printing be handled as a background process and that printing not interfere with the processing of higherpriority traffic. To accommodate this preference, the Citrix ICA protocol includes the ability to identify Citrix ICA traffic based on the ICA tag number of the packet. The ability to identify, tag, and prioritize Citrix ICA traffic is referred to as ICA Priority Packet Tagging. With ICA Priority Packet Tagging, Citrix ICA traffic is categorized as high, medium, low, and background, depending on the ICA tag of the packet. When ICA traffic priority tag numbers are used, and the priority of the traffic is determined, QoS features can be implemented to determine how the traffic will be handled. For example, QoS traffic policing can be configured to transmit or drop packets with a specific priority. Citrix ICA Packet Tagging The Citrix ICA tag is included in the first two bytes of the Citrix ICA packet, after the initial negotiations are completed between Citrix client and server. These bytes are not compressed or encrypted. The first two bytes of the packet (byte 1 and byte 2) contain the byte count and the ICA priority tag number. Byte 1 contains the low-order byte count, and the first two bits of byte 2 contain the priority tags. The other six bits contain the high-order byte count. The ICA priority tag value can be a number from 0 to 3. The number indicates the packet priority, with 0 being the highest priority and 3 being the lowest priority. To prioritize Citrix traffic by the ICA tag number of the packet, you specify the tag number using the icatag keyword and the ica-tag-value argument of the match protocol citrix command. For more information

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 10

NBAR and RTP Payload Type Classification Classification of Citrix ICA Traffic by ICA Tag Number

about the match protocol citrix command, see the Cisco IOS Quality of Service Solutions Command Reference.

NBAR and RTP Payload Type Classification


RTP is a packet format for multimedia data streams. It can be used for media-on-demand as well as for interactive services such as Internet telephony. RTP consists of a data and a control part. The control part is called Real-Time Transport Control Protocol (RTCP). RTCP is a separate protocol that is supported by NBAR. It is important to note that the NBAR RTP Payload Type Classification feature does not identify RTCP packets and that RTCP packets run on odd-numbered ports while RTP packets run on evennumbered ports. The data part of RTP is a thin protocol that provides support for applications with real-time properties such as continuous media (audio and video), which includes timing reconstruction, loss detection, and security and content identification. RTP is discussed in RFC 1889 (A Transport Protocol for Real-Time Applications)and RFC 1890 (RTP Profile for Audio and Video Conferences with Minimal Control). The RTP payload type is the data transported by RTP in a packet, for example audio samples or compressed video data. The RTP payload classification takes place in the persistent mode, wherein a fully qualified RTP session NBAR does the payload sub-classification. For example, RFC 2833 requires persistent processing for RTP payload sub-clasification within a classified flow. The NBAR RTP Payload Type Classification feature not only allows one to statefully identify real-time audio and video traffic but can also differentiate on the basis of audio and video codecs to provide more granular QoS. The RTP Payload Type Classification feature, therefore, looks deep into the RTP header to classify RTP packets.

NBAR and Classification of Custom Protocols and Applications


NBAR supports the use of custom protocols to identify custom applications. Custom protocols support static port-based protocols and applications that NBAR does not currently support. You can add to the set of protocols and application types that NBAR recognizes by creating custom protocols. Custom protocols extend the capability of NBAR Protocol Discovery to classify and monitor additional static port applications and allows NBAR to classify nonsupported static port traffic.

Note

For more information about specifying user-defined (custom) protocols, see the "Creating a Custom Protocol" module.

NBAR and Classification of Peer-to-Peer File-Sharing Applications


The following are the most common peer-to-peer file-sharing applications supported by NBAR: BitTorrent DirectConnect eDonkey eMule FastTrack Grokster JTella

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 11

NBAR and Classification of Streaming Protocols Classification of Citrix ICA Traffic by ICA Tag Number

Kazaa (as well as Kazaa Lite and Kazaa Lite Resurrection) Morpheus Win MX

Gnutella Also Supported Gnutella is another file-sharing protocol that became classifiable using NBAR in Cisco IOS Release 12.1(12c)E. Applications that use the Gnutella protocol include Bearshare, Gnewtellium, Gnucleus, Gtk-Gnutella, Limewire, Mutella, Phex, Qtella, Swapper, and Xolo. The match protocol gnutella file-transfer regular-expression and match protocol fasttrack file-transfer regular-expression commands are used to enable Gnutella and FastTrack classification in a traffic class. The file-transfer keyword indicates that a regular expression variable will be used to identify specific Gnutella or FastTrack traffic. The regular-expression variable can be expressed as "*" to indicate that all FastTrack or Gnutella traffic be classified by a traffic class. In the following example, all FastTrack traffic is classified into class map nbar:
class-map match-all nbar match protocol fasttrack file-transfer "*"

Similarly, all Gnutella traffic is classified into class map nbar in the following example:
class-map match-all nbar match protocol gnutella file-transfer "*"

Wildcard characters in a regular expression can also be used to identify specified Gnutella and FastTrack traffic. These regular expression matches can be used to match on the basis of filename extension or a particular string in a filename. In the following example, all Gnutella files that have the .mpeg extension will be classified into class map nbar.
class-map match-all nbar match protocol gnutella file-transfer "*.mpeg"

In the following example, only Gnutella traffic that contains the characters "cisco" is classified:
class-map match-all nbar match protocol gnutella file-transfer "*cisco*"

The same examples can be used for FastTrack traffic:


class-map match-all nbar match protocol fasttrack file-transfer "*.mpeg"

or
class-map match-all nbar match protocol fasttrack file-transfer "*cisco*"

NBAR and Classification of Streaming Protocols


In Cisco IOS Release 12.3(7)T, NBAR introduced support for Real Time Streaming Protocol (RTSP). RTSP is the protocol used for applications with steaming audio, such as the following: Apple QuickTime RealAudio (RealSystems G2)

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 12

NBAR and AutoQoS Classification of Citrix ICA Traffic by ICA Tag Number

Windows Media Services

NBAR and AutoQoS


Earlier Cisco IOS releases included two features that allow you to automate the deployment of QoS on your network: AutoQoS--Voice over IP (VoIP); and AutoQoS for the Enterprise. Both of these AutoQoS features take advantage of the traffic classification functionality of NBAR.

Note

Cisco IOS Release 12.2(18)ZY (and later) does not support the AutoQoS--Voice over IP (VoIP) feature on the Catalyst 6500 series switch. AutoQoS--VoIP This feature was available with Cisco IOS Release 12.2(15)T. The AutoQoS--VoIP feature allows you to automate the deployment of QoS on your network and provides a means for simplifying the implementation and provisioning of QoS for VoIP traffic. For more information about the AutoQoS--VoIP feature and how it uses NBAR, see the "AutoQoS--VoIP" module. AutoQoS for the Enterprise This feature was available with Cisco IOS Release 12.3(11)T. The AutoQoS for the Enterprise feature allows you to automate the deployment of QoS in a general business environment, particularly for midsize companies and branch offices of larger companies. It expands on the functionality available with the AutoQoS--VoIP feature. For more information about the AutoQoS for the Enterprise feature and how it uses NBAR, see the "AutoQoS for the Enterprise" module.

NBAR and FWSM Integration


With Cisco IOS Release 12.2(18)ZYA, the functionality of NBAR to recognize protocols and applications has been integrated with the Firewall Service Module (FWSM) on the Catalyst 6500 series switch. Available with this release are the following commands that can be used for classifying and tagging traffic to the FWSM: ip nbar protocol-tagging show ip nbar protocol-tagging

For more information about the FWSM and its connection features, see the "Configuring Advanced Connection Features" module of the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide. For more information about FWSM commands (including the two commands listed above), see the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Service Module Command Reference Guide.

NBAR and TelePresence PDLM


Cisco IOS Release 12.2(18)ZYA2 NBAR introduced support for the Cisco TelePresence PDLM. Cisco TelePresence integrates advanced audio, high-definition video and interactive elements with the power of the underlying network to deliver an immersive meeting experience. The Telepresence PDLM uses NBAR to identify TelePresence media and TelePresence control traffic over the network. TelePresence media traffic and TelePresence control traffic are treated differently by QoS and

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 13

NBAR-Supported Protocols Classification of Citrix ICA Traffic by ICA Tag Number

so must be classified separately. TelePresence media traffic must have a low latency. TelePresence control traffic does not require a low latency but should not be dropped.

NBAR-Supported Protocols
The match protocol(NBAR) command is used to classify traffic on the basis of protocols supported by NBAR. NBAR is capable of classifying the following types of protocols: Non-UDP and non-TCP IP protocols TCP and UDP protocols that use statically assigned port numbers TCP and UDP protocols that use statically assigned port numbers but still require stateful inspection TCP and UDP protocols that dynamically assign port numbers and therefore require stateful inspection

The table below lists the NBAR-supported protocols available in Cisco IOS software, sorted by category. The table also provides information about the protocol type, the well-known port numbers (if applicable), the syntax for entering the protocol in NBAR, and the Cisco IOS release in which the protocol was initially supported. This table is updated when a protocol is added to a new Cisco IOS release train. Many peer-to-peer file-sharing applications not listed in this table can be classified using FastTrack or Gnutella. See the NBAR and Classification of Peer-to-Peer File-Sharing Applications, page 11 for additional information. RTSP can be used to classify various types of applications that use streaming audio. See the NBAR and Classification of Streaming Protocols, page 12 for additional information.

Note

Support for some protocols can be added to NBAR using application recognition modules (also known as Packet Description Language Modules [PDLMs]). For more information about PDLMs, see the "Adding Application Recognition Modules" module.

Note

The table below includes the NBAR-supported protocols available with the 12.2(18)ZY and 12.2(18)ZYA releases. Protocols included in the 12.2(18)ZY and 12.2(18)ZYA releases are supported on the Catalyst 6500 series switch that is equipped with a Supervisor 32/PISA.

Table 1: NBAR-Supported Protocols

Category Enterprise Application

Protocol Citrix ICA

Type TCP/ UDP

Well-Known Port Number

Description

Syntax citrix citrix app citrix ica-tag

Cisco IOS Release 12.1(2)E 12.1(5)T 12.2(18)ZYA1 15.1(2)T 12.1(1)E 12.1(5)T 12.2(18)ZYA1 15.1(2)T

TCP: 1494, Citrix ICA 2512, 2513, traffic 2598 UDP: 1604 TCP: 5631, Symantic 65301 UDP: 22, PCAnywhere 5632

PCAnywhere

TCP/UDP

pcanywhere

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 14

Classifying Network Traffic Using NBAR Classification of Citrix ICA Traffic by ICA Tag Number

Category

Protocol Novadigm

Type TCP/ UDP

Well-Known Port Number 3460-3465

Description

Syntax

Cisco IOS Release 12.1(2)E 12.1(5)T 12.2(18)ZYA1 15.1(2)T 12.1E 12.2T 12.2(18)ZYA1 12.3 12.3T 15.1(2)T

Novadigm novadigm Enterprise Desktop Manager (EDM) Application server to application server traffic (sap-pgm.pdlm) Client to application server traffic (sap-app.pdlm) Client to message server traffic (sapmsg.pdlm) sap

SAP

TCP

3300-3315 (sappgm. pdlm) 3200-3215 (sapapp. pdlm) 3600-3615 (sapmsg. pdlm)

Exchange1

TCP

135

MS-RPC for Exchange

exchange

12.1(1)E 12.1(5)T 12.2(18)ZY 12.2(18)ZYA 12.2(18)ZYA1 15.1(2)T 12.2(18)ZYA 12.2(18)ZYA1 15.1(2)T 12.1(1)E 12.1(5)T 12.2(18)ZYA1 15.1(2)T 12.1(1)E 12.1(5)T 12.2(18)ZYA1 15.1(2)T 12.1(1)E 12.1(5)T 12.2(18)ZYA1 15.1(2)T

MAPI

TCP

135

Messaging Application Programming Interface

mapi

Routing Protocol

BGP

TCP/ UDP

179

Border Gateway bgp Protocol

EGP

IP

Exterior Gateway Protocol

egp

EIGRP

IP

88

Enhanced eigrp Interior Gateway Routing Protocol

1 For Release 12.2(18)ZYA, Cisco supports Exchange 03 and 07 only. MS client access is recognized, but web client access is not recognized.

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 15

Classifying Network Traffic Using NBAR Classification of Citrix ICA Traffic by ICA Tag Number

Category

Protocol OSPF

Type IP

Well-Known Port Number 89

Description Open Shortest Path First Routing Information Protocol SQL*NET for Oracle

Syntax ospf

Cisco IOS Release 12.2(18)ZYA1 12.3(8)T 15.1(2)T 12.1(1)E 12.1(5)T 12.2(18)ZYA1 15.1(2)T 12.1(1)E 12.1(5)T 12.2(18)ZYA1 15.1(2)T 12.1(1)E 12.1(5)T 12.2(18)ZYA1 15.1(2)T 12.2(18)ZYA 12.2(18)ZYA1 15.1(2)T 12.2(18)ZYA 12.2(18)ZYA1 15.1(2)T 12.2(18)ZYA 12.2(18)ZYA1 15.1(2)T 12.2(18)ZYA 12.2(18)ZYA1 15.1(2)T 12.1(1)E 12.1(5)T 12.2(18)ZYA1 15.1(2)T 12.1(1)E 12.1(5)T 12.2(18)ZYA1 15.1(2)T 12.1(1)E 12.1(5)T 12.2(18)ZYA1 15.1(2)T

RIP

UDP

520

rip

Database

SQL*NET

TCP/ UDP

1521

sqlnet

MS- SQLServer TCP

1433

Microsoft SQL sqlserver Server Desktop Videoconferenci ng Common Internet File System Digital Imaging and Communication s in Medicine Health Level Seven Financial Information Exchange cifs

CIFS

TCP

139, 445

Health

DiCom

TCP

Dynamically Assigned

dicom

HL7

TCP

Dynamically Assigned Dynamically Assigned 47

hl7

Financial

FIX

TCP

fix

Security and Tunneling

GRE

IP

Generic Routing gre Encapsulation

IPINIP

IP

IP in IP

ipinip

IPsec

IP

50, 51

IP Encapsulating ipsec Security Payload/

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 16

Classifying Network Traffic Using NBAR Classification of Citrix ICA Traffic by ICA Tag Number

Category

Protocol

Type

Well-Known Port Number

Description AuthenticationHeader

Syntax

Cisco IOS Release

L2TP

UDP

1701

L2F/L2TP Tunnel

l2tp

12.1(1)E 12.1(5)T 12.2(18)ZYA1 15.1(2)T 12.1(1)E 12.1(5)T 12.2(18)ZYA1 15.1(2)T 12.1(1)E 12.1(5)T 12.2(18)ZYA1 15.1(2)T 12.1(1)E 12.1(5)T 12.2(18)ZYA1 15.1(2)T 12.1(1)E 12.1(5)T 12.2(18)ZYA1 15.1(2)T 12.1(1)E 12.1(5)T 12.2(18)ZYA1 15.1(2)T 12.1(1)E 12.1(5)T 12.2(18)ZYA1 15.1(2)T 12.1(1)E 12.1(5)T 12.2(18)ZYA1 15.1(2)T 12.1(1)E 12.1(5)T 12.2(18)ZYA1 15.1(2)T

MS-PPTP

TCP

1723

Microsoft Point- pptp to-Point Tunneling Protocol for VPN Secure FTP secure-ftp

SFTP

TCP

990

Security and Tunneling (Continued)

SHTTP

TCP

443

Secure HTTP

secure-http

SIMAP

TCP/ UDP

585, 993

Secure IMAP

secure-imap

SIRC

TCP/ UDP

994

Secure IRC

secure-irc

SLDAP

TCP/ UDP

636

Secure LDAP

secure-ldap

SNNTP

TCP/ UDP

563

Secure NNTP

secure-nntp

SPOP3

TCP/ UDP

995

Secure POP3

secure-pop3

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 17

Classifying Network Traffic Using NBAR Classification of Citrix ICA Traffic by ICA Tag Number

Category

Protocol STELNET

Type TCP

Well-Known Port Number 992

Description Secure Telnet

Syntax secure-telnet

Cisco IOS Release 12.1(1)E 12.1(5)T 12.2(18)ZYA1 15.1(2)T 12.1(1)E 12.1(5)T 12.2(18)ZYA1 15.1(2)T 12.1(1)E 12.1(5)T 12.2(18)ZYA1 15.1(2)T 12.1(1)E 12.1(5)T 12.2(18)ZYA1 15.1(2)T 12.1(1)E 12.1(5)T 12.2(18)ZYA1 15.1(2)T 12.1(1)E 12.1(5)T 12.2(18)ZYA1 15.1(2)T 12.1(1)E 12.1(5)T 12.2(18)ZYA1 15.1(2)T 12.1(1)E 12.1(5)T 12.2(18)ZYA1 15.1(2)T 12.1(1)E 12.1(5)T 12.2(18)ZYA1 15.1(2)T 12.1(1)E 12.1(5)T 12.2(18)ZYA1 15.1(2)T

SOCKS

TCP

1080

Firewall Security Protocol Secured Shell

socks

SSH

TCP

22

ssh

Network Management

ICMP

IP

Internet Control Message Protocol

icmp

SNMP

TCP/ UDP

161, 162

Simple Network snmp Management Protocol System Logging syslog Utility

Syslog

UDP

514

Network Mail Services

IMAP

TCP/ UDP

143, 220

Internet imap Message Access Protocol Post Office Protocol pop3

POP3

TCP/ UDP

110

Notes

TCP/ UDP

1352

Lotus Notes

notes

SMTP

TCP

25

Simple Mail Transfer Protocol

smtp

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 18

Classifying Network Traffic Using NBAR Classification of Citrix ICA Traffic by ICA Tag Number

Category Directory

Protocol DHCP/ BOOTP

Type UDP

Well-Known Port Number 67, 68

Description Dynamic Host Configuration Protocol/ Bootstrap Protocol Finger User Information Protocol Domain Name System

Syntax dhcp

Cisco IOS Release 12.1(1)E 12.1(5)T 12.2(18)ZYA1 15.1(2)T 12.1(1)E 12.1(5)T 12.2(18)ZYA1 15.1(2)T 12.1(1)E 12.1(5)T 12.2(18)ZYA1 15.1(2)T 12.1(1)E 12.1(5)T 12.2(18)ZYA1 15.1(2)T 12.1(1)E 12.1(5)T 12.2(18)ZYA1 15.1(2)T 12.1(1)E 12.1(5)T 12.2(18)ZYA1 15.1(2)T 12.1(1)E 12.1(5)T 12.2(18)ZYA1 15.1(2)T 12.1(1)E 12.1(5)T 12.1(1)E 12.1(5)T 12.2(18)ZYA1 15.1(2)T 12.1(1)E 12.1(5)T 12.2(18)ZYA1 15.1(2)T

Finger

TCP

79

finger

DNS

TCP/ UDP

53

dns

Kerberos

TCP/ UDP

88, 749

Kerberos Network Authentication Service Lightweight Directory Access Protocol Desktop Video Conferencing

kerberos

LDAP

TCP/ UDP

389

ldap

Streaming Media

CU-SeeMe

TCP/ UDP

TCP: 7648, 7649 UDP: 24032 Dynamically Assigned

cuseeme

Netshow

TCP/ UDP

Microsoft Netshow

netshow

RealAudio

TCP/ UDP

Dynamically Assigned Dynamically Assigned

RealAudio Streaming Protocol Xing Technology Stream Works Audio and Video

realaudio

StreamWorks

UDP

streamwork

VDOLive

TCP/ UDP

Static (7000) with inspection

VDOLive vdolive Streaming Video

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 19

Classifying Network Traffic Using NBAR Classification of Citrix ICA Traffic by ICA Tag Number

Category

Protocol RTSP

Type TCP/ UDP

Well-Known Port Number Dynamically Assigned 2427, 2428, 2727

Description Real Time Streaming Protocol

Syntax rtsp

Cisco IOS Release 12.2(18)ZYA1 12.3(11)T 15.1(2)T 12.3(7)T 12.2(18)ZYA1 15.1(2)T 12.2(18)ZYA 12.2(18)ZYA1 15.1(2)T 12.1(1)E 12.1(5)T 12.2(18)ZYA1 15.1(2)T 12.1(1)E 12.1(5)T 12.2(18)ZYA1 15.1(2)T 12.1(1)E 12.1(5)T 12.2(18)ZYA1 15.1(2)T 12.1(1)E 12.1(5)T 12.2(18)ZYA1 15.1(2)T 12.1(1)E 12.1(5)T 12.2(18)ZYA1 15.1(2)T 12.1(1)E 12.1(5)T 12.2(18)ZYA1 15.1(2)T 12.1(1)E 12.1(5)T 12.2(18)ZYA1 15.1(2)T

MGCP

TCP/ UDP

Media Gateway mgcp Control Protocol

YouTube2

TCP

Both static (80) Online Videoyoutube and dynamically Sharing Website assigned Dynamically Assigned File Transfer Protocol ftp

Internet

FTP

TCP

Gopher

TCP/ UDP

70

Internet Gopher Protocol

gopher

HTTP

TCP

803

Hypertext Transfer Protocol Internet Relay Chat

http

IRC

TCP/ UDP

194

irc

Telnet

TCP

23

Telnet Protocol

telnet

TFTP

UDP

Static (69) with inspection

Trivial File Transfer Protocol Network News Transfer Protocol

tftp

NNTP

TCP/ UDP

119

nntp

2 For Release 12.2(18)ZYA, access to YouTube via HTTP only will be recognized. 3 In Release 12.3(4)T, the NBAR Extended Inspection for Hypertext Transfer Protocol (HTTP) Traffic feature was introduced. This feature allows NBAR to scan TCP ports that are not well known and to identify HTTP traffic that is traversing these ports.

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 20

Classifying Network Traffic Using NBAR Classification of Citrix ICA Traffic by ICA Tag Number

Category Signaling

Protocol RSVP

Type UDP

Well-Known Port Number 1698, 1699

Description Resource Reservation Protocol Network File System

Syntax rsvp

Cisco IOS Release 12.1(1)E 12.1(5)T 12.2(18)ZYA1 15.1(2)T 12.1(1)E 12.1(5)T 12.2(18)ZYA1 15.1(2)T 12.1(1)E 12.1(5)T 12.2(18)ZYA1 15.1(2)T 12.2(18)ZYA 12.2(18)ZYA1 15.1(2)T 12.2(18)ZYA 12.2(18)ZYA1 15.1(2)T 12.2(18)ZYA 12.2(18)ZYA1 15.1(2)T 12.1(1)E 12.1(5)T 12.2(18)ZYA1 15.1(2)T 12.1(1)E 12.1(5)T 12.2(18)ZYA1 15.1(2)T 12.1(2)E 12.1(5)T 12.2(18)ZYA1 15.1(2)T 12.1(1)E 12.1(5)T 12.2(18)ZYA1 15.1(2)T

RPC

NFS

TCP/ UDP

2049

nfs

Sunrpc

TCP/ UDP

Dynamically Assigned

Sun Remote Procedure Call

sunrpc

MSN-messenger TCP

1863

MSN Messenger msn-messenger Chat Messages4 Yahoo Messenger Chat Messages AOL Instant Messenger Chat Messages NetBIOS over IP (MS Windows) Network Time Protocol yahoomessenger aol-messenger

Yahoomessenger

TCP

5050, 5101

AOL-messenger TCP

5190, 443

Non-IP and LAN/ Legacy

NetBIOS

TCP/ UDP

137, 138, 139

netbios

Misc.

NTP

TCP/ UDP

123

ntp

Printer

TCP/ UDP

515

Printer

printer

X Windows

TCP

6000-6003

X11, X Windows

xwindows

4 For Release 12.2(18)ZYA, messages ("chat") from Yahoo, MSN, and AOL are recognized. Messages from Lotus and SameTime are not recognized. Video and voice from Instant Messaging are also not recognized.

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 21

Classifying Network Traffic Using NBAR Classification of Citrix ICA Traffic by ICA Tag Number

Category

Protocol r-commands

Type TCP

Well-Known Port Number Dynamically Assigned

Description

Syntax

Cisco IOS Release 12.1(1)E 12.1(5)T 12.2(18)ZYA1 15.1(2)T 12.2(18)ZYA 12.2(18)ZYA1 15.1(2)T 12.2(18)ZYA 12.2(18)ZYA1 15.1(2)T 12.2(18)ZYA 12.2(18)ZYA1 15.1(2)T

rsh, rlogin, rexec rcmd

AppleQTC

TCP/UDP

458

Apple Quick Time Character Generator Clear Case Protocol Software Informer corba-iiop

appleqtc

Chargen

TCP/UDP

19

chargen

ClearCase

TCP/UDP

371

clearcase

Corba

TCP/UDP

683, 684

Corba Internet Inter-Orb Protocol (IIOP) Daytime Protocol Doom

12.2(18)ZYA 12.2(18)ZYA1 15.1(2)T 12.2(18)ZYA 12.2(18)ZYA1 15.1(2)T 12.2(18)ZYA 12.2(18)ZYA1 15.1(2)T 12.2(18)ZYA 12.2(18)ZYA1 15.1(2)T 12.2(18)ZYA 12.2(18)ZYA1 15.1(2)T 12.2(18)ZYA 12.2(18)ZYA1 15.1(2)T 12.2(18)ZYA 12.2(18)ZYA1 15.1(2)T 12.2(18)ZYA 12.2(18)ZYA1

Daytime

TCP/UDP

13

daytime

Doom

TCP/UDP

666

doom

Echo

TCP/UDP

Echo Protocol

echo

IBM DB2

TCP/UDP

523

IBM Information Management Internet Packet Exchange

ibm-db2

IPX

TCP/UDP

213

ipx

ISAKMP

TCP/UDP

500

Internet Security isakmp Association and Key Management Interoperable Self Installation isi-gl

ISI-GL

TCP/UDP

55

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 22

Classifying Network Traffic Using NBAR Classification of Citrix ICA Traffic by ICA Tag Number

Category

Protocol

Type

Well-Known Port Number Graphics Language

Description

Syntax

Cisco IOS Release

KLogin KShell 3Com AMP3 3Com TSMUX 3PC

TCP TCP TCP/UDP TCP/UDP TCP/UDP

543 544 629 106 34

KLogin KShell 3Com AMP3 3Com TSMUX Third Party Connect Protocol Texas Instruments 914 Terminal Plan 9 file service ACAP 62 888

klogin kshell 3com-amp3 3com-tsmux 3pc

12.2(18)ZYA 12.2(18)ZYA1 12.2(18)ZYA 12.2(18)ZYA1 15.1(3)T 15.1(3)T 15.1(3)T

914 C/G

TCP/UDP

211

914c/g

15.1(3)T

9PFS ACAP

TCP/UDP TCP/UDP ACAS AccessBuilder

564 674 TCP/UDP TCP/UDP 699 599 104 149

9pfs acap ACA Services Access Builder

15.1(3)T 15.1(3)T acas accessbuilder 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T

AccessNetwork ACP ACR-NEMA AED-512

TCP/UDP TCP/UDP TCP/UDP TCP/UDP

Access Network accessnetwork Aeolon Core Protocol ACR-NEMA Digital Img AED 512 Emulation service AgentX Alpes AMInet acp acr-nema aed-512

Agentx Alpes AMInet AN ANET

TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP

705 463 2639 107 212

agentx alpes aminet

15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T

Active Networks an ATEXSSTR anet

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 23

Classifying Network Traffic Using NBAR Classification of Citrix ICA Traffic by ICA Tag Number

Category ANSANotify ANSATrader AODV Apertus-LDP

Protocol TCP/UDP TCP/UDP TCP/UDP TCP/UDP

Type 116 124 654 539

Well-Known Port Number ANSA REX Notify ansatrader AODV Apertus Tech Load Distribution appleqtcsrvr Applix ac arcisdms ARGUS Ariel1 421 422 ARIS A remote network server system

Description ansanotify ansatrader aodv apertus-ldp

Syntax 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T

Cisco IOS Release

AppleQTSRVR Applix ARCISDMS ARGUS Ariel1

TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP Ariel2 Ariel3

545 999 262 13 419 TCP/UDP TCP/UDP 104 384

appleqtcsrvr applix arcisdms argus ariel1 Ariel2 Ariel3 aris arns

15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T ariel2 ariel3 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T

ARIS ARNS

TCP/UDP TCP/UDP

ASA ASA-ApplProto ASIPRegistry ASIPWebadmin AS-Servermap AT-3 AT-5

TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP

386 502 687 311 449 203 205

ASA Message asa router object def asa-appl-proto asipregistry AppleShare IP WebAdmin AS Server Mapper AppleTalk Unused AppleTalk Unused asa-appl-proto asipregistry asip-webadmin as-servermap at-3 at-5

15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 24

Classifying Network Traffic Using NBAR Classification of Citrix ICA Traffic by ICA Tag Number

Category AT-7 AT-8 AT-Echo AT-NBP AT-RTMP

Protocol TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP

Type 207 208 204 202 201

Well-Known Port Number AppleTalk Unused AppleTalk Unused

Description at-7 at-8

Syntax 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T

Cisco IOS Release

AppleTalk Echo at-echo AppleTalk Name Binding AppleTalk Routing Maintenance at-nbp at-rtmp

AT-ZIS Audit Auditd Aurora-CMGR

TCP/UDP TCP/UDP TCP/UDP TCP/UDP AURP

206 182 48 364 TCP/UDP

AppleTalk Zone at-zis Information Unisys Audit SITP Digital Audit daemon Aurora CMGR 387 audit auditd aurora-cmgr Appletalk Update-Based Routing Pro. Authentication Service avian ax25 banyan-rpc banyan-vip bbnrccmon bdp

15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T aurp 15.1(3)T

AUTH Avian AX25 Banyan-RPC Banyan-VIP BBNRCCMON BDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP

TCP/UDP 486 93 567 573 10 581

113 avian AX.25 Frames banyan-rpc banyan-vip BBN RCC Monitoring Bundle Discovery protocol

auth 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T

15.1(3)T

BFTP

TCP/UDP

152

Background File bftp Transfer Program

15.1(3)T

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 25

Classifying Network Traffic Using NBAR Classification of Citrix ICA Traffic by ICA Tag Number

Category BGMP BGP BGS-NSI Bhevent BHFHS BHMDS BL-IDM BMPP BNA Bnet Borland-DSJ

Protocol TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP BR-SAT-Mon

Type 264 179 482 357 248 310 142 632 49 415 707 TCP/UDP

Well-Known Port Number BGMP

Description bgmp

Syntax 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T br-sat-mon

Cisco IOS Release

Border Gateway bgp Protocol bgs-nsi bhevent bhfhs bhmds bgs-nsi bhevent bhfhs bhmds

Britton Lee IDM bl-idm bmpp BNA bnet borland-dsj 76 bmpp bna bnet borland-dsj Backroom SATNET Monitoring Cable Port A/X cab-protocol cadlock CAIlic

15.1(3)T

Cableport-AX Cab-Protocol Cadlock CAIlic TCP/UDP TCP/UDP TCP/UDP

TCP/UDP 595 770 216

282 CAB Protocol cadlock Computer Associates Intl License Server CBT Certificate Distribution Center cfdptkt CFTP Chaos chcmd cimplex

cableport-ax 15.1(3)T 15.1(3)T 15.1(3)T

15.1(3)T

CBT CDC

TCP/UDP TCP/UDP

7 223

cbt cdc

15.1(3)T 15.1(3)T

CFDPTKT CFTP CHAOS ChShell Cimplex

TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP

120 62 16 562 673

cfdptkt cftp chaos chshell cimplex

15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 26

Classifying Network Traffic Using NBAR Classification of Citrix ICA Traffic by ICA Tag Number

Category Cisco-FNA Cisco-SYS Cisco-TDP Cisco-TNA Cloanto-Net-1 CMIP-Agent CMIP-Man Coauthor

Protocol TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP Codaauth2 Collaborator

Type 130 132 711 131 356 164 163 1529 TCP/UDP TCP/UDP 542 110 2 437 759 531 693

Well-Known Port Number

Description

Syntax 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T codaauth2 collaborator 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T

Cisco IOS Release

cisco FNATIVE cisco-fna cisco SYSMAINT Cisco TDP cisco-sys cisco-tdp

cisco TNATIVE cisco-tna cloanto-net-1 CMIP/TCP Agent CMIP/TCP Manager oracle 370 622 commerce Compaq Peer Protocol Management Utility comscm con chat almanid Connection Endpoint contentserver corerjd rpc Communication s Integrator Computer Protocol Heart Beat cloanto-net-1 cmip-agent cmip-man coauthor codaauth2 collaborator commerce compaq-peer compressnet comscm con conference connendp

15.1(3)T 15.1(3)T

Commerce Compaq-Peer Compressnet COMSCM CON Conference Connendp

TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP

ContentServer CoreRJD Courier Covia CPHB

TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP

3365 284 530 64 73

contentserver corerjd courier covia cphb

15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 27

Classifying Network Traffic Using NBAR Classification of Citrix ICA Traffic by ICA Tag Number

Category CPNX

Protocol TCP/UDP

Type 72

Well-Known Port Number Computer Protocol Network Executive creativepartnr creativeserver crs Combat Radio Transport Protocol Combat Radio User Datagram 624 348

Description cpnx

Syntax 15.1(3)T

Cisco IOS Release

Creativepartnr Creativeserver CRS CRTP

TCP/UDP TCP/UDP TCP/UDP TCP/UDP

455 453 507 126

creativepartnr creativeserver crs crtp

15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T

CRUDP

TCP/UDP CryptoAdmin CSI-SGWP

127 TCP/UDP TCP/UDP

crudp Crypto Admin Cabletron Management Protocol csnet-ns ctf custix cvc_hostd cybercash cycleserv cycleserv2 dantz dasp datasurfsrv datasurfsrvsec datex-asn

15.1(3)T cryptoadmin csi-sgwp 15.1(3)T 15.1(3)T

CSNET-NS CTF CUSTIX CVC_Hostd Cybercash Cycleserv Cycleserv2 Dantz DASP DataSurfSRV

TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP

105 84 528 442 551 763 772 497 439 461 462 355

Mailbox Name Nameserver Common Trace Facility Customer Ixchange cvc_hostd cybercash cycleserv cycleserv2 dantz dasp DataRamp Svr DataRamp Svr svs datex-asn

15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T

DataSurfSRVSe TCP/UDP c Datex-ASN TCP/UDP

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 28

Classifying Network Traffic Using NBAR Classification of Citrix ICA Traffic by ICA Tag Number

Category Dbase DCCP

Protocol TCP/UDP TCP/UDP

Type 217 33

Well-Known Port Number dBASE Unix

Description dbase

Syntax 15.1(3)T 15.1(3)T

Cisco IOS Release

Datagram dccp Congestion Control Protocol DCN Measurement Subsystems Device Control Protocol dctp DDM Distributed File management 446 dcn-meas

DCN-Meas

TCP/UDP

19

15.1(3)T

DCP DCTP DDM-DFM

TCP/UDP TCP/UDP TCP/UDP

93 675 447

dcp dctp ddm-dfm

15.1(3)T 15.1(3)T 15.1(3)T

DDM-RDB

TCP/UDP

DDM-Remote ddm-rdb Relational Database Access ddm-ssl 15.1(3)T

15.1(3)T

DDM-SSL

TCP/UDP

448

DDM-Remote DB Access Using Secure Sockets Datagram Delivery Protocol D-II Data Exchange dec_dlm decap decauth decbsrv DECLadebug Remote Debug Protocol decvms-sysmgt dei-icda

DDP

TCP/UDP

37

ddp

15.1(3)T

DDX DEC_DLM Decap Decauth Decbsrv Decladebug

TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP

116 625 403 316 579 410

ddx dec_dlm decap decauth decbsrv decladebug

15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T

Decvms-sysmgt DEI-ICDA

TCP/UDP TCP/UDP

441 618

decvms-sysmgt dei-icda

15.1(3)T 15.1(3)T

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 29

Classifying Network Traffic Using NBAR Classification of Citrix ICA Traffic by ICA Tag Number

Category DEOS

Protocol TCP/UDP

Type 76

Well-Known Port Number Distributed External Object Store device Dissimilar Gateway Protocol DHCP Failover dhcp-failover2 DHCPv6 Client

Description deos

Syntax 15.1(3)T

Cisco IOS Release

Device DGP

TCP/UDP TCP/UDP

801 86

device dgp

15.1(3)T 15.1(3)T

DHCP-Failover DHCPFailover2 DHCPv6-client DHCPv6-server Digital-VRC

TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP Directplay

647 847 546 547 466 TCP/UDP 6073 3337 3335

dhcp-failover dhcp-failover2 dhcpv6-client

15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T directplay 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T

DHCPv6 Server dhcpv6-server digital-vrc 2234 DirectPlay8 Direct TV Data Catalog Direct TV Software Updates Direct TV Tickers Direct TV Webcasting Discard campaign contribution disclosures DIXIE Protocol Specification digital-vrc DirectPlay directplay8 directv-catlg directv-soft

Directplay8 Directv-Catlg Directv-Soft

TCP/UDP TCP/UDP TCP/UDP

Directv-Tick Directv-Web Discard Disclose

TCP/UDP TCP/UDP TCP/UDP TCP/UDP

3336 3334 9 667

directv-tick directv-web discard disclose

15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T

Dixie DLS

TCP/UDP TCP/UDP

96 197

dixie

15.1(3)T 15.1(3)T

Directory dls Location Service

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 30

Classifying Network Traffic Using NBAR Classification of Citrix ICA Traffic by ICA Tag Number

Category DLS-Mon

Protocol TCP/UDP

Type 198

Well-Known Port Number

Description

Syntax 15.1(3)T

Cisco IOS Release

Directory dls-mon Location Service Monitor DNSIX Network dn6-nlm-aud Level Module Audit DNA-CML Domain Name Server lookup DNSIX Securit Attribute Token Map dpsi dsfgw dna-cml dns dnsix

DN6-NLMAUD DNA-CML DNS DNSIX

TCP/UDP

195

15.1(3)T

TCP/UDP TCP/UDP TCP/UDP

436 53 90

15.1(3)T 15.1(3)T 15.1(3)T

DPSI DSFGW DSP DSP3270

TCP/UDP TCP/UDP TCP/UDP TCP/UDP DSR

315 438 33 246 TCP/UDP

dpsi dsfgw

15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T

Display Support dsp Protocol Display Systems dsp3270 Protocol 48

Dynamic Source dsr Routing Protocol dtag-ste-sb dtk dwr egp 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T

DTAG-DTE-SB TCP/UDP DTK DWR EGP TCP/UDP TCP/UDP TCP/UDP

352 365 644 8

DTAG dtk dwr Exterior Gateway Protocol

EIGRP

TCP/UDP

88

Enhanced eigrp Interior Gateway Routing Protocol errlog copy/ server daemon EMBL Nucleic Data Transfer elcsd embl-ndt

15.1(3)T

ELCSD EMBL-NDT

TCP/UDP TCP/UDP

704 394

15.1(3)T 15.1(3)T

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 31

Classifying Network Traffic Using NBAR Classification of Citrix ICA Traffic by ICA Tag Number

Category EMCON EMFIS-CNTLl EMFIS-Data Encap Entomb Entrust-AAAS Entrust-AAMS Entrust-ASH

Protocol TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP

Type 14 141 140 98 775 680 681 710

Well-Known Port Number EMCON EMFIS Control Service EMFIS Data Service Encapsulation Header entomb entrust-aaas entrust-aams Entrust Administration Service Handler Entrust Key Management Service Handler entrust-sps

Description emcon emfis-cntl emfis-data encap entomb entrust-aaas entrust-aams entrust-ash

Syntax 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T

Cisco IOS Release

Entrust-KMSH

TCP/UDP

709

entrust-kmsh

15.1(3)T

Entrust-SPS ERPC

TCP/UDP TCP/UDP

640 121

entrust-sps

15.1(3)T 15.1(3)T

Encore erpc Expedited Remote Pro.Call 621 259 escp-ip Efficient Short Remote Operations esro-emsdp

ESCP-IP ESRO-GEN

TCP/UDP TCP/UDP

escp-ip esro-gen

15.1(3)T 15.1(3)T

ESRP-EMSDP EtherIP Eudora-Set EXEC Fatserv FC

TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP

642 97 592 512 347 133

ESRO-EMSDP V1.3

15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T

Ethernet-within- etherip IP Encapsulation Eudora Set remote process execution; Fatmen Server Fibre Channel eudora-set exec fatserv fc

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 32

Classifying Network Traffic Using NBAR Classification of Citrix ICA Traffic by ICA Tag Number

Category FCP Finger FIRE FlexLM FLN-SPX FTP-Agent FTP-Data FTPS-Data

Protocol TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP

Type 510 79 125 744 221 574 20 989

Well-Known Port Number FirstClass Protocol Finger FIRE

Description fcp finger fire

Syntax 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T

Cisco IOS Release

Flexible License flexlm Manager Berkeley rlogind fln-spx with SPX auth FTP Software Agent System File Transfer ftp protocol, data, over TLS/ SSL Fujitsu Device Control ftp-agent ftp-data ftps-data

Fujitsu-Dev GACP GDOMAP Genie

TCP/UDP TCP/UDP TCP/UDP TCP/UDP Genrad-MUX GGF-NCP

747 190 538 402 TCP/UDP TCP/UDP

fujitsu-dev

15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T genrad-mux 15.1(3)T 15.1(3)T

Gateway Access gacp Control Protocol gdomap Genie Protocol 176 678 gdomap genie genrad-mux

GNU ggf-ncp Generation Foundation NCP ggp ginad gmtp go-login gopher graphics 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T

GGP Ginad GMTP Go-Login Gopher Graphics

TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP

3 634 100 491 70 41

Gateway-toGateway ginad GMTP go-login Gopher Graphics

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 33

Classifying Network Traffic Using NBAR Classification of Citrix ICA Traffic by ICA Tag Number

Category GRE Groove GSS-HTTP GSS-XLICEN

Protocol TCP/UDP TCP/UDP TCP/UDP TCP/UDP

Type 47 2492 488 128

Well-Known Port Number

Description

Syntax 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T

Cisco IOS Release

General Routing gre Encapsulation groove gss-http groove gss-http

GNU gss-xlicen Generation Foundation NCP GTP-User Plane gtp-user ha-cluster hap hassle ha-cluster hap hassle

GTP-User HA-Cluster HAP Hassle HCP-Wismar

TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP

2152 694 661 375 686

15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T

Hardware hcp-wismar Control Protocol Wismar hdap HELLO_PORT hems 139 612 HMMP Operation hdap hello-port hems Host Identity Protocol HMMP Indication hmmp-op

HDAP Hello-port HEMS

TCP/UDP TCP/UDP TCP/UDP HIP HMMP-IND

263 652 151 TCP/UDP TCP/UDP 613 20 0 101 383

15.1(3)T 15.1(3)T 15.1(3)T hip hmmp-ind 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T

HMMP-OP HMP HOPOPT Hostname HP-Alarm-Mgr

TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP

Host Monitoring hmp IPv6 Hop-byHop Option NIC Host Name Server hp performance data alarm manager hp performance data collector hopopt hostname hp-alarm-mgr

HP-Collector

TCP/UDP

381

hp-collector

15.1(3)T

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 34

Classifying Network Traffic Using NBAR Classification of Citrix ICA Traffic by ICA Tag Number

Category HP-ManagedNode HTTP-ALT HTTP-Mgmt HTTP-RPCEPMAP Hybrid-POP Hyper-G Hyperwave-ISP IAFDBase IAFServer IASD IATP

Protocol TCP/UDP

Type 382

Well-Known Port Number hp performance data managed node HTTP Alternate http-mgmt HTTP RPC Ep Map hybrid-pop hyper-g hyperwave-isp iafdbase iafserver iasd Interactive Agent Transfer Protocol IBM Application 523 Internet Backplane Protocol ICL coNETion locate server ICL coNETion server info Internet Control Message idfp Inter-Domain Policy Routing Protocol

Description hp-managednode http-alt http-mgmt http-rpc-epmap hybrid-pop hyper-g hyperwave-isp iafdbase iafserver iasd iatp

Syntax 15.1(3)T

Cisco IOS Release

TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP

8080 280 593 473 418 692 480 479 432 117

15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T

IBM-App

TCP/UDP IBM-DB2

385 TCP/UDP 6714

ibm-app IBM-DB2 ibprotocol

15.1(3)T ibm-db2 15.1(3)T 15.1(3)T

IBProtocol

TCP/UDP

ICLCNet-Locate TCP/UDP ICLNet_SVInfo TCP/UDP ICMP IDFP IDPR TCP/UDP TCP/UDP TCP/UDP

886 887 1 549 35

iclcnet-locate iclcnet_svinfo icmp idfp idpr

15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 35

Classifying Network Traffic Using NBAR Classification of Citrix ICA Traffic by ICA Tag Number

Category IDPRr-CMTP

Protocol TCP/UDP

Type 38

Well-Known Port Number IDPR Control Message Transport Proto Inter-Domain Routing Protocol ieee-mms ieee-mms-ssl Ipsilon Flow Management Protocol Cisco interior gateway iiop IL Transport Protocol

Description idpr-cmtp

Syntax 15.1(3)T

Cisco IOS Release

IDRP

TCP/UDP

45

idrp

15.1(3)T

IEEE-MMS IEEE-MMSSSL IFMP

TCP/UDP TCP/UDP TCP/UDP

651 695 101

ieee-mms ieee-mms-ssl ifmp

15.1(3)T 15.1(3)T 15.1(3)T

IGRP IIOP IL IMSP InBusiness Infoseek Ingres-Net

TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP I-NLSP

9 535 40 406 244 414 134 TCP/UDP

igrp iiop il

15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T i-nlsp 15.1(3)T

Interactive Mail imsp Support Protocol inbusiness InfoSeek INGRES-NET Service 52 inbusiness infoseek ingres-net Integrated Net Layer Security TUBA intecourier

Intecourier Integra-SME

TCP/UDP TCP/UDP

495 484

intecourier

15.1(3)T 15.1(3)T

Integra Software integra-sme Management Environment intrinsa ipcd IP Payload Compression Protocol intrinsa ipcd ipcomp

Intrinsia IPCD IPComp

TCP/UDP TCP/UDP TCP/UDP

503 576 108

15.1(3)T 15.1(3)T 15.1(3)T

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 36

Classifying Network Traffic Using NBAR Classification of Citrix ICA Traffic by ICA Tag Number

Category IPCServer IPCV IPDD IPINIP IPIP

Protocol TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP

Type 600 71 578 4 94

Well-Known Port Number Sun IPC server Internet Packet Core Utility ipdd IP in IP IP-within-IP Encapsulation Protocol IPLT

Description ipcserver ipcv ipdd ipinip ipip

Syntax 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T

Cisco IOS Release

IPLT IPP IPPC Ipv6-Frag Ipv6-ICMP Ipv6INIP ipv6-NonXT Ipv6-OPTS

TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP Ipv6-Route

129 631 67 44 58 41 59 60 TCP/UDP 194 529 28 379 380

iplt

15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T ipv6-route 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T

Internet Printing ipp Protocol Internet Pluribus ippc Packet Core Fragment Header for IPv6 ICMP for IPv6 Ipv6 encapsulated ipv6-frag ipv6-icmp ipv6inip

No Next Header ipv6-nonxt for IPv6 Destination ipv6-opts Options for IPv6 43 Internet Relay Chat IRC-SERV Routing Header for IPv6 irc irc-serv

IRC IRC-SERV IRTP IS99C IS99S

TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP

Internet Reliable irtp Transaction TIA/EIA/IS-99 modem client TIA/EIA/IS-99 modem server is99c is99s

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 37

Classifying Network Traffic Using NBAR Classification of Citrix ICA Traffic by ICA Tag Number

Category ISAKMP

Protocol TCP/UDP

Type 500

Well-Known Port Number

Description

Syntax 15.1(3)T

Cisco IOS Release

Internet Security isakmp Association & Key Management Protocol ISIS over IPv4 ISO ILL Protocol iso-ip iso-tp0 isis iso-ill iso-ip iso-tp0

ISIS ISO-ILL ISO-IP ISO-TP0 ISO-TP4 ISO-TSAP ISO-TSAP-C2

TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP

124 499 147 146 29 102 399

15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T

ISO Transport iso-tp4 Protocol Class 4 ISO-TSAP Class iso-tsap 0 ISO Transport Class 2 NonControl itm-mcell-s IPX in IP Jargon kali k-block 584 186 157 iso-tsap-c2

ITM-MCELL-S IXP-IN-IP Jargon Kali K-Block

TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP Keyserver KIS Knet-CMP

828 111 148 2213 287 TCP/UDP TCP/UDP TCP/UDP

itm-mcell-s ixp-in-ip jargon kali k-block Key Server KIS Protocol KNET/VM Command/ Message Protocol konspire2b p2p network kpasswd kryptolan l2tp

15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T keyserver kis knet-cmp 15.1(3)T 15.1(3)T 15.1(3)T

Konspire2b Kpasswd Kryptolan L2TP

TCP/UDP TCP/UDP TCP/UDP TCP/UDP

6085 464 398 1701

Konspire2b kpasswd kryptolan l2tp

15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 38

Classifying Network Traffic Using NBAR Classification of Citrix ICA Traffic by ICA Tag Number

Category

Protocol LA-Maint

Type TCP/UDP

Well-Known Port Number 51

Description IMP Logical Address Maintenance lanserver Locus Address Resolution Protocol Lightweight Directory Access Protocol LDP Leaf-1 Leaf-2 Legent Corporation Legent Corporation ljk-login Locus PCInterface Conn Server Locus PCInterface Net Map Ser MacOS Server Admin magenta-logic mailbox-lm mailq maitrd manet masqdialer

Syntax la-maint

Cisco IOS Release 15.1(3)T

LANServer LARP

TCP/UDP TCP/UDP

637 91

lanserver larp

15.1(3)T 15.1(3)T

LDAP

TCP/UDP

389

ldap

15.1(3)T

LDP Leaf-1 Leaf-2 Legent-1 Legent-2 LJK-Login Locus-Con

TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP

646 25 26 373 374 472 127

ldp leaf-1 leaf-2 legent-1 legent-2 ljk-login locus-con

15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T

Locus-Map

TCP/UDP

125

locus-map

15.1(3)T

MAC-SRVRAdmin Magenta-Logic Mailbox-LM Mailq Maitrd MANET MasqDialer TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP

TCP/UDP TCP/UDP 505 174 997 138 224

660 313 mailbox-lm MAILQ maitrd MANET Protocols masqdialer

mac-srvr-admin magenta-logic 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T

15.1(3)T 15.1(3)T

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 39

Classifying Network Traffic Using NBAR Classification of Citrix ICA Traffic by ICA Tag Number

Category Matip-Type-A Matip-Type-B MCIDAS

Protocol TCP/UDP TCP/UDP TCP/UDP

Type 350 351 112

Well-Known Port Number MATIP Type A MATIP Type B McIDAS Data Transmission Protocol mcns-sec

Description matip-type-a matip-type-b mcidas

Syntax 15.1(3)T 15.1(3)T 15.1(3)T

Cisco IOS Release

MCNS-Sec MDCPortmapper MeComm MeRegister Merit-INP

TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP

638 685 668 669 32

mcns-sec

15.1(3)T

mdc-portmapper mdc-portmapper 15.1(3)T mecomm meregister MERIT Internodal Protocol meta5 metagram meter Micro Focus Cobol MFE Network Services Protocol 349 490 Mobile Internetworking Control Pro. micromuse-lm MIT Dover Spooler mecomm meregister merit-inp 15.1(3)T 15.1(3)T 15.1(3)T

Meta5 Metagram Meter Mfcobol MFE-NSP

TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP

393 99 570 86 31

meta5 metagram meter mfcobol mfe-nsp

15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T

MFTP Micom-PFS MICP TCP/UDP

TCP/UDP TCP/UDP 95

mftp micom-pfs micp

mftp micom-pfs 15.1(3)T

15.1(3)T 15.1(3)T

Micromuse-LM MIT-DOV MIT-ML-Dev Mobile

TCP/UDP TCP/UDP TCP/UDP TCP/UDP

1534 91 83 55 434

micromuse-lm mit-dov

15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T

MIT ML Device mit-ml-dev IP Mobility mobileip-agent mobile mobileip-agent

MobileIP-Agent TCP/UDP

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 40

Classifying Network Traffic Using NBAR Classification of Citrix ICA Traffic by ICA Tag Number

Category MobilIP-MN Mondex Monitor Mortgageware MPLS-IN-IP MPM

Protocol TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP

Type 435 471 561 367 137 45

Well-Known Port Number mobilip-mn mondex monitor mortgageware MPLS-in-IP Message Processing Module MPM FLAGS Protocol MPM [default send]

Description mobilip-mn mondex monitor mortgageware mpls-in-ip mpm

Syntax 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T

Cisco IOS Release

MPM-Flags MPM-SND MPP MPTN MRM MSDP

TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP MSExchRouting MSFT-GC

44 46 218 397 679 639 TCP/UDP TCP/UDP 3269

mpm-flags mpm-snd

15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T msexch-routing msft-gc 15.1(3)T 15.1(3)T 15.1(3)T

Netix Message mpp Posting Protocol Multi Protocol Trans. Net mrm msdp 691 3268 mptn mrm msdp MS Exchange Routing Microsoft Global Catalog

MSFT-GC-SSL

TCP/UDP

Microsoft msft-gc-ssl Global Catalog with LDAP/SSL msg-auth msg-icp msnp msg-auth msg-icp msnp

MSG-AUTH MSG-ICP MSNP MS-OLAP MSP MS-Rome

TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP

31 29 1863 2393 18 569

15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T

Microsoft OLAP ms-olap Message Send Protocol microsoft rome msp ms-rome

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 41

Classifying Network Traffic Using NBAR Classification of Citrix ICA Traffic by ICA Tag Number

Category MS-Shuttle MS-SQLl-M MTP

Protocol TCP/UDP TCP/UDP TCP/UDP

Type 568 1434 92

Well-Known Port Number

Description

Syntax 15.1(3)T 15.1(3)T 15.1(3)T

Cisco IOS Release

microsoft shuttle ms-shuttle Microsoft-SQLMonitor Multicast Transport Protocol ms-sql-m mtp

Multiling-HTTP TCP/UDP Multiplex TCP/UDP

777 171

Multiling HTTP multiling-http Network Innovations Multiplex Plus Fives MUMPS Multiplexing mylex-mapd MySQL Host Name Server namp 54 multiplex

15.1(3)T 15.1(3)T

Mumps MUX Mylex-MAPD MySQL Name NAMP

TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP NARP

188 18 467 3306 42 167 TCP/UDP

mumps mux mylex-mapd mysql name namp

15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T

NBMA Address narp Resolution Protocol Netnews Administration System nced ncld ncp ndsauth nest-protocol net8-cman net-assistant nas

NAS

TCP/UDP

991

15.1(3)T

NCED NCLD NCP NDSAuth Nest-Protocol Net8-CMAN Net-Assistant

TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP

404 405 524 353 489 1830 3283

nced ncld NCP NDSAUTH nest-protocol Oracle Net8 CMan Admin net-assistant

15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 42

Classifying Network Traffic Using NBAR Classification of Citrix ICA Traffic by ICA Tag Number

Category Netblt

Protocol TCP/UDP

Type 30

Well-Known Port Number Bulk Data Transfer Protocol netgw readnews Network based RCS Remote Job Service Remote Job Service Remote Job Service Remote Job Service NETSC NETSC IBM NetView DM 730 731 for emergency broadcasts Novell Netware over IP new who NextStep Window Server Network File System Who Is

Description netblt

Syntax 15.1(3)T

Cisco IOS Release

NetGW NetNews NetRCS NetRJS-1 NetRJS-2 NetRJS-3 NetRJS-4 NETSC-Dev NETSC-Prod NetViewDM1

TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP NetviewDM2 NetviewDM3

741 532 742 71 72 73 74 155 154 729 TCP/UDP TCP/UDP 533 396 550 178 2049 43

netgw netnews netrcs netrjs-1 netrjs-2 netrjs-3 netrjs-4 netsc-dev netsc-prod netviewdm1 IBM NetView DM IBM NetView DM netwall netware-ip new-rwho nextstep nfs nicname

15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T netviewdm2 netviewdm3 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T

Netwall Netware-IP New-RWHO NextStep NFS NicName

TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 43

Classifying Network Traffic Using NBAR Classification of Citrix ICA Traffic by ICA Tag Number

Category NI-FTP NI-Mail Nlogin NMAP NMSP

Protocol TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP

Type 47 61 758 689 537

Well-Known Port Number NI FTP NI MAIL nlogin nmap Networked Media Streaming Protocol nnsp Lotus Notes(R) Novastor Backup npmp-gui npmp-local npmp-trap nqs 760 NSFNET-IGP IIOP Name Service over TLS/SSL Network Security Risk Management Protocol NSS-Routing NSW User System FE ntalk Network Time Protocol

Description ni-ftp ni-mail nlogin nmap nmsp

Syntax 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T

Cisco IOS Release

NNSP Notes NovaStorBakcu p NPMP-GUI NPMP-Local NPMP-Trap NQS

TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP NS

433 1352 308 611 610 609 607 TCP/UDP 85 261

nnsp notes novastorbakcup npmp-gui npmp-local npmp-trap nqs ns nsfnet-igp nsiiops

15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T ns 15.1(3)T 15.1(3)T 15.1(3)T

NSFNET-IGP NSIIOPS

TCP/UDP TCP/UDP

NSRMP

TCP/UDP

359

nsrmp

15.1(3)T

NSS-Routing NSW-FE Ntalk NTP

TCP/UDP TCP/UDP TCP/UDP TCP/ UDP

159 27 518 123

nss-routing nsw-fe ntalk ntp

15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 44

Classifying Network Traffic Using NBAR Classification of Citrix ICA Traffic by ICA Tag Number

Category NVP-II NXEdit OBCBinder OBEX ObjCall OCS_AMU OCS_CMU OCServer ODMR OHIMSRV OLSR

Protocol TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP

Type 11 126 183 650 94 429 428 184 366 506 698

Well-Known Port Number Network Voice Protocol nxedit ocbinder obex Tivoli Object Dispatcher ocs_amu ocs_cmu ocserver odmr ohimsrv olsr 900 764 onmux opalis-rdv opalis-robot

Description nvp-ii nxedit ocbinder obex objcall ocs_amu ocs_cmu ocserver odmr ohimsrv olsr omginitialrefs omserv onmux opalis-rdv opalis-robot

Syntax 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T omginitialrefs omserv 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T

Cisco IOS Release

OMGInitialRefs TCP/UDP OMServ ONMUX Opalis-RDV Opalis-Robot OPC-Job-Start TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP 417 536 314 423

15.1(3)T 15.1(3)T

IBM Operations opc-job-start Planning and Control Start IBM Operations opc-job-track Planning and Control Track openport openvms-sysipc oraclenames Oracle Net8 Cman openport openvms-sysipc oraclenames oraclenet8cman

OPC-Job-Track

TCP/UDP

424

15.1(3)T

Openport OpenVMSSysipc OracleNames OracleNet8CM AN

TCP/UDP TCP/UDP TCP/UDP TCP/UDP

260 557 1575 1630

15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 45

Classifying Network Traffic Using NBAR Classification of Citrix ICA Traffic by ICA Tag Number

Category ORA-Srv Orbix-Config Orbix-Locator Orbix-Loc-SSL OSPF OSU-NMS

Protocol TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP

Type 1525 3076 3075 3077 89 192

Well-Known Port Number Oracle TCP/IP Listener Orbix 2000 Config Orbix 2000 Locator Orbix 2000 Locator SSL Open Shortest Path First OSU Network Monitoring System Parsec Gameserver passgo passgo-tivoli 586 Perf Analysis Workbench PCMail Server Prospero Data Access Protocol personal-link pftp PGM Reliable Transport Protocol Philips VideoConferencing Phone photuris

Description ora-srv orbix-config orbix-locator orbix-loc-ssl ospf osu-nms

Syntax 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T

Cisco IOS Release

Parsec-Game Passgo Passgo-Tivoli

TCP/UDP TCP/UDP TCP/UDP Password-Chg

6582 511 627 TCP/UDP 345 158 344 281 662 113

parsec-game passgo passgo-tivoli Password Change pawserv pcmail-srv pdap personal-link pftp pgm

15.1(3)T 15.1(3)T 15.1(3)T password-chg 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T

Pawserv PCMail-SRV PDAP Personal-link PFTP PGM

TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP

Philips-VC Phonebook Photuris

TCP/UDP TCP/UDP TCP/UDP

583 767 468

philips-vc phonebook photuris

15.1(3)T 15.1(3)T 15.1(3)T

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 46

Classifying Network Traffic Using NBAR Classification of Citrix ICA Traffic by ICA Tag Number

Category PIM

Protocol TCP/UDP

Type 103

Well-Known Port Number Protocol Independent Multicast PIM-RP-DISC pip Private IP Encapsulation within IP pirp PKIX-3 CA/RA pkix-timestamp PNNI over IP Post Office Protocol Version 2 110 494 Air Soft Power Burst Point-to-Point Tunneling Protocol Network PostScript Packet Radio Measurement Prospero Resource Manager Node Man Prospero Resource Manager Sys. Man

Description pim

Syntax 15.1(3)T

Cisco IOS Release

PIM-RP-DISC PIP PIPE

TCP/UDP TCP/UDP TCP/UDP

496 1321 131

pim-rp-disc pip pipe

15.1(3)T 15.1(3)T 15.1(3)T

PIRP

TCP/UDP

553 829 318 102 109

pirp pkix-3-ca-ra pkix-timestamp pnni pop2

15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T

PKIX-3-CA-RA TCP/UDP PKIXTimestamp PNNI Pop2 TCP/UDP TCP/UDP TCP/UDP

Pop3 POV-Ray Powerburst PPTP TCP/UDP TCP/UDP

TCP/UDP TCP/UDP 485 1723

Post Office Protocol pov-ray powerburst pptp

pop3 pov-ray 15.1(3)T 15.1(3)T

15.1(3)T 15.1(3)T

Print-SRV PRM PRM-NM

TCP/UDP TCP/UDP TCP/UDP

170 21 409

print-srv prm prm-nm

15.1(3)T 15.1(3)T 15.1(3)T

PRM-SM

TCP/UDP

408

prm-sm

15.1(3)T

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 47

Classifying Network Traffic Using NBAR Classification of Citrix ICA Traffic by ICA Tag Number

Category Profile Prospero

Protocol TCP/UDP TCP/UDP

Type 136 191

Well-Known Port Number PROFILE Naming System Prospero Directory Service PTC Name Service Performance Transparency Protocol PTP Event PTP General pump PUP purenoise Packet Video Protocol Password Generator Protocol qbikgdp 189 628 The Quick Mail Transfer Protocol QNX Quote of the Day qrh quotad

Description profile prospero

Syntax 15.1(3)T 15.1(3)T

Cisco IOS Release

PTCNameServic TCP/UDP e PTP TCP/UDP

597 123

ptcnameservice ptp

15.1(3)T 15.1(3)T

PTP-Event PTP-General Pump PUP Purenoise PVP PWDGen

TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP

319 320 751 12 663 75 129

ptp-event ptp-general pump pup purenoise pvp pwdgen

15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T

QBIKGDP

TCP/UDP QFT QMQP

368 TCP/UDP TCP/UDP 209

qbikgdp Queued File Transport qmqp qmtp

15.1(3)T qft qmqp 15.1(3)T 15.1(3)T 15.1(3)T

QMTP

TCP/UDP

QNX QoTD QRH QUOTD

TCP/UDP TCP/UDP TCP/UDP TCP/UDP

106 17 752 762

qnx qotd qrh quotad

15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 48

Classifying Network Traffic Using NBAR Classification of Citrix ICA Traffic by ICA Tag Number

Category RAP RDA RDB-DBSDISP RDP Realm-RUSD

Protocol TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP

Type 38 630 1571 27 688

Well-Known Port Number Route Access Protocol rda Oracle Remote Data Base Reliable Data Protocol ApplianceWare managment protocol Remote Mail Checking Protocol rfs server remote-kis repcmd repscmd rescap Routing Information Protocol ripng 180 748

Description rap rda rdb-dbs-disp rdp realm-rusd

Syntax 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T

Cisco IOS Release

RE-Mail-CK

TCP/UDP

50

re-mail-ck

15.1(3)T

RemoteFS Remote-KIS REPCMD REPSCMD RESCAP RIP

TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP

556 185 641 653 283 520

remotefs remote-kis repcmd repscmd rescap rip

15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T

RIPING

TCP/UDP RIS RIS-CM

521 TCP/UDP TCP/UDP

ripng Intergraph Russell Info Sci Calendar Manager rje rlp

15.1(3)T ris ris-cm 15.1(3)T 15.1(3)T

RJE RLP

TCP/UDP TCP/UDP

5 39

Remote Job Entry Resource Location Protocol rlzdbase rmc

15.1(3)T 15.1(3)T

RLZDBASE RMC

TCP/UDP TCP/UDP

635 657

rlzdbase rmc

15.1(3)T 15.1(3)T

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 49

Classifying Network Traffic Using NBAR Classification of Citrix ICA Traffic by ICA Tag Number

Category RMIActivation RMIRegistry RMonitor RMT RPC2Portmap RRH RRP

Protocol TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP

Type 1098 1099 560 411 369 753 648

Well-Known Port Number rmiactivation rmiregistry rmonitord Remote MT Protocol rpc2portmap rrh Registry Registrar Protocol Berkeley rshd with SPX auth rsvd rsvp_tunnel RSVP-E2EIGNORE rsync rtip RTSPS 696 MIT Remote Virtual Disk Protocol rxe saft Simple Asynchronous File Transfer sanity SATNET and Backroom EXPAK

Description rmiactivation rmiregistry rmonitor rmt rpc2portmap rrh rrp

Syntax 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T

Cisco IOS Release

RSH-SPX RSVD RSVP_Tunnel RSVP-E2EIgnore Rsync RTIP RTSPS

TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP Rushd

222 168 363 134 873 771 322 TCP/UDP 66

rsh-spx rsvd rsvp_tunnel rsvp-e2e-ignore rsync rtip rtsps rushd rvd

15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T rushd 15.1(3)T 15.1(3)T

RVD

TCP/UDP

RXE SAFT

TCP/UDP TCP/UDP

761 487

rxe saft

15.1(3)T 15.1(3)T

Sanity SAT-EXPAK

TCP/UDP TCP/UDP

643 64

sanity sat-expak

15.1(3)T 15.1(3)T

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 50

Classifying Network Traffic Using NBAR Classification of Citrix ICA Traffic by ICA Tag Number

Category SAT-Mon SCC-Security SCC-SP

Protocol TCP/UDP TCP/UDP TCP/UDP

Type 69 582 96

Well-Known Port Number SATNET Monitoring scc-security Semaphore Communication s Sec. Pro. SCO Desktop Administration Server scohelp scoi2odialog Internet Configuration Manager SCO System Administration Server SCO Web Server Manager 3

Description sat-mon scc-security scc-sp

Syntax 15.1(3)T 15.1(3)T 15.1(3)T

Cisco IOS Release

SCO-DTMgr

TCP/UDP

617

sco-dtmgr

15.1(3)T

SCOHELP SCOI2ODialog SCO-Inetmgr

TCP/UDP TCP/UDP TCP/UDP

457 360 615

scohelp scoi2odialog sco-inetmgr

15.1(3)T 15.1(3)T 15.1(3)T

SCO-SysMgr

TCP/UDP

616

sco-sysmgr

15.1(3)T

SCOWebsrvrMg3 SCOWebsrvrMgr SCPS

TCP/UDP

598

sco-websrvrmg3 15.1(3)T

TCP/UDP TCP/UDP SCTP

620 105 TCP/UDP

SCO WebServer sco-websrvrmgr Manager SCPS 132 scps Stream Control Transmission Protocol scx-proxy sdnskmp sdrp

15.1(3)T 15.1(3)T sctp 15.1(3)T

SCX-Proxy SDNSKMP SDRP

TCP/UDP TCP/UDP TCP/UDP

470 558 42

scx-proxy SDNSKMP Source Demand Routing Protocol ftp protocol, control, over TLS/SSL

15.1(3)T 15.1(3)T 15.1(3)T

Secure-ftp

TCP/UDP

990

secure-ftp

15.1(3)T

Secure-IRC

TCP/UDP

994

irc protocol over secure-irc TLS

15.1(3)T

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 51

Classifying Network Traffic Using NBAR Classification of Citrix ICA Traffic by ICA Tag Number

Category Secure-LDAP Secure-NNTP Secure-Pop3 Secure-Telnet Secure-VMTP Semantix Send Server-IPX

Protocol TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP

Type 636 563 995 992 82 361 169 213

Well-Known Port Number ldap protocol over TLS nntp protocol over TLS pop3 protocol over TLS telnet protocol over TLS SECUREVMTP semantix SEND Internetwork Packet Exchange Protocol Service Status update Secure Electronic Transaction

Description secure-ldap secure-nntp secure-pop3 secure-telnet secure-vmtp semantix send server-ipx

Syntax 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T

Cisco IOS Release

Servstat SET

TCP/UDP TCP/UDP

633 257

servstat set

15.1(3)T 15.1(3)T

SFS-Config SFS-SMP-Net

TCP/UDP TCP/UDP

452 451

Cray SFS config sfs-config server Cray Network Semaphore server Simple File Transfer Protocol 440 153 sgmp-traps Shockwave shrinkwrap sfs-smp-net

15.1(3)T 15.1(3)T

SFTP

TCP/UDP

115

sftp

15.1(3)T

SGCP SGMP SGMP-Traps Shockwave Shrinkwrap TCP/UDP TCP/UDP TCP/UDP

TCP/UDP TCP/UDP 160 1626 358

sgcp sgmp sgmp-traps shockwave shrinkwrap

sgcp sgmp 15.1(3)T 15.1(3)T 15.1(3)T

15.1(3)T 15.1(3)T

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 52

Classifying Network Traffic Using NBAR Classification of Citrix ICA Traffic by ICA Tag Number

Category SIAM SIFT-UFT

Protocol TCP/UDP TCP/UDP

Type 498 608

Well-Known Port Number siam

Description siam

Syntax 15.1(3)T 15.1(3)T

Cisco IOS Release

Sender-Initiated/ sift-uft Unsolicited File Transfer silc sitaradir sitaramgmt sitaraserver SKIP skronk SM smakynet smartsdp silc sitaradir sitaramgmt sitaraserver skip skronk sm smakynet smartsdp

SILC SitaraDir SitaraMgmt Sitaraserver SKIP SKRONK SM Smakynet SmartSDP SMP SMPNameRes SMSD SMSP

TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP

706 2631 2630 2629 57 460 122 122 426 121 901 596 413

15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T

Simple Message smp Protocol smpnameres smsd Storage Management Services Protocol 25 smpnameres smsd smsp

SMTP

TCP/UDP

Simple Mail Transfer Protocol SMUX snagas snare s-net snp

smtp

15.1(3)T

SMUX SNAGas Snare S-Net SNP TCP/UDP TCP/UDP TCP/UDP TCP/UDP

TCP/UDP 108 509 166 109

199 SNA Gateway Access Server snare Sirius Systems Sitara Networks Protocol

smux 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T

15.1(3)T

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 53

Classifying Network Traffic Using NBAR Classification of Citrix ICA Traffic by ICA Tag Number

Category SNPP

Protocol TCP/UDP

Type 444 580 215 572 656 90 130 478 66 150 118 1433 200

Well-Known Port Number

Description

Syntax 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T

Cisco IOS Release

Simple Network snpp Paging Protocol SNTP HEARTBEAT Insignia Solutions sonar spmp Sprite RPC Protocol Secure Packet Shield spsc Oracle SQL*NET SQL-NET SQL Services Microsoft-SQLServer IBM System Resource Controller Spider Remote Monitoring Protocol 119 362 ss7ns SSCOPMCE Secure Shell Protocol SSLshell sntp-heartbeat softpc sonar spmp sprite-rpc sps spsc sql*net sql-net sqlserv sqlserver src

SNTP-Heartbeat TCP/UDP SoftPC Sonar SPMP Sprite-RPC SPS SPSC SQL*Net SQL-Net SQLServ SQLServer SRC TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP

SRMP

TCP/UDP

193

srmp

15.1(3)T

SRP SRSSend SS7NS SSCOPMCE SSH Sshell TCP/UDP TCP/UDP TCP/UDP TCP/UDP

TCP/UDP TCP/UDP 477 128 22 614

SpectraLink Radio Protocol srssend ss7ns sscopmce ssh sshell

srp srssend 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T

15.1(3)T 15.1(3)T

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 54

Classifying Network Traffic Using NBAR Classification of Citrix ICA Traffic by ICA Tag Number

Category SST ST StatSRV STMF STP

Protocol TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP

Type 266 5 133 501 118

Well-Known Port Number SCSI on ST Stream Statistics Service stmf Schedule Transfer Protocol streettalk STUN

Description sst st statsrv stmf stp

Syntax 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T

Cisco IOS Release

StreetTalk Stun-NAT STX Submission

TCP/UDP TCP/UDP TCP/UDP TCP/UDP

566 3478 527 587 247 89 665 77

streettalk stun-nat

15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T

Stock IXChange stx submission subntbcst_tftp SU/MIT Telnet Gateway sun-dr SUN ND PROTOCOLTemporary SUPDUP 1010 Survey Measurement Server Location Swift Remote Virtural File Protocol IP with Encryption submission subntbcst_tftp su-mit-tg sun-dr sun-nd

Subntbcst_TFTP TCP/UDP SU-MIT-TG Sun-DR Sun-ND TCP/UDP TCP/UDP TCP/UDP

SupDup

TCP/UDP Surf

95 TCP/UDP 243 427 97

supdup surf sur-meas svrloc swift-rvf

15.1(3)T surf 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T

Sur-Meas Svrloc Swift-RVF

TCP/UDP TCP/UDP TCP/UDP

Swipe Synoptics-Trap

TCP/UDP TCP/UDP

53 412

swipe

15.1(3)T 15.1(3)T

Trap Convention synoptics-trap Port

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 55

Classifying Network Traffic Using NBAR Classification of Citrix ICA Traffic by ICA Tag Number

Category

Protocol

Type 392 391

Well-Known Port Number SynOptics Port Broker Port SynOptics SNMP Relay Port TAC News talk TCF Tobit David Replica Tobit David Service Layer teedtap send Telnet newdate tenfold Texar Security Port 492

Description synotics-broker synotics-relay

Syntax 15.1(3)T 15.1(3)T

Cisco IOS Release

Synotics-Broker TCP/UDP Synotics-Relay TCP/UDP

TAC News Talk TCF TD-Replica TD-Service Teedtap Tell Telnet Tempo Tenfold Texar

TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TICF-1

98 517 87 268 267 559 754 23 526 658 333 TCP/UDP

tacnews talk tcf td-replica td-service teedtap tell telnet tempo tenfold texar

15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T

Transport ticf-1 Independent Convergence for FNA 15.1(3)T

TICF-2

TCP/UDP

493

Transport ticf-2 Independent Convergence for FNA Timbuktu timeserver tinc oracle timbuktu timed tinc tlisrv

Timbuktu Timed TINC TLISRV

TCP/UDP TCP/UDP TCP/UDP TCP/UDP

407 525 655 1527

15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 56

Classifying Network Traffic Using NBAR Classification of Citrix ICA Traffic by ICA Tag Number

Category TLSP

Protocol TCP/UDP

Type 56

Well-Known Port Number Transport Layer Security Protocol NEC Corporation tns-cml tn-tl-fd1 TP++ Transport Protocol tpip Trunk-1 Trunk-2

Description tlsp

Syntax 15.1(3)T

Cisco IOS Release

TNETOS TNS-CML TN-TL-FD1 TP++ TPIP Trunk-1 Trunk-2 TServer

TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP

377 590 476 39 594 23 24 450

tnETOS tns-cml tn-tl-fd1 tp++ tpip trunk-1 trunk-2

15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T

Computer tserver Supported Telecomunicatio n Applications TTP UAAC Protocol Unisys ARPs 136 390 List Processor ulp ulpnet Unidata LDM Unify Uninterruptible Power Supply Cray Unified Resource Manager UTI ttp uaac uarps UDPLite uis ulistproc ulp ulpnet unidata-ldm unify ups urm

TTP UAAC UARPs

TCP/UDP TCP/UDP TCP/UDP UDPLite UIS

84 145 219 TCP/UDP TCP/UDP 372 522 483 388 181 401 606

15.1(3)T 15.1(3)T 15.1(3)T udplite uis 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T

uLISTProc ULP ULPNet Unidata-LDM Unify UPS URM

TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP

UTI

TCP/UDP

120

uti

15.1(3)T

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 57

Classifying Network Traffic Using NBAR Classification of Citrix ICA Traffic by ICA Tag Number

Category Utime UTMPCD UTMPSD UUCP UUCP-Path UUCP-rLogin UUIDGEN VACDSM-App

Protocol TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP

Type 519 431 430 540 117 541 697 671 670 690

Well-Known Port Number unixtime utmpcd utmpsd uucpd UUCP Path Service uucp-rlogin UUIDGEN VACDSM-APP

Description utime utmpcd utmpsd uucp uucp-path uucp-rlogin uuidgen vacdsm-app

Syntax 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T

Cisco IOS Release

VACDSM-SWS TCP/UDP VATP TCP/UDP

VACDSM-SWS vacdsm-sws Velazquez Application Transfer Protocol 575 769 videotex VISA Protocol vmnet vmpwscs VMTP vnas vatp

VEMMI VID Videotex VISA VMNet VMPWSCS VMTP VNAS VPP VPPS-QUA VPPS-VIA VRRP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP

TCP/UDP TCP/UDP 516 70 175 214 81 577 677 672 676 112

vemmi vid videotex visa vmnet vmpwscs vmtp vnas

vemmi vid 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T

15.1(3)T 15.1(3)T

Virtual Presence vpp Protocol vpps-qua vpps-via Virtual Router Redundancy Protocol vsinet vpps-qua vpps-via vrrp

VSINet

TCP/UDP

996

vsinet

15.1(3)T

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 58

Classifying Network Traffic Using NBAR Classification of Citrix ICA Traffic by ICA Tag Number

Category VSLMP WAP-Push WAP-PushHTTP WAP-PushHTTPS WAPPushsecure WAP-VACL-S WAP-VCAL

Protocol TCP/UDP TCP/UDP TCP/UDP TCP/UDP

Type 312 2948 4035 4036

Well-Known Port Number vslmp WAP PUSH

Description vslmp wap-push

Syntax 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T

Cisco IOS Release

WAP Push wap-push-http OTA-HTTP port WAP Push OTA-HTTP secure WAP PUSH SECURE WAP vCal Secure WAP vCal 9204 9206 WAP connectionless session service WAP secure connectionless session service WAP session service WAP secure session service WIDEBAND EXPAK WIDEBAND Monitoring webster whoami World Fusion wpgs wap-push-https

TCP/UDP TCP/UDP TCP/UDP WAP-VCARD WAP-VCARDS

2949 9207 9205 TCP/UDP TCP/UDP 9200

wap-pushsecure wap-vcal-s wap-vcal WAP vCard WAP vCard Secure wap-wsp

15.1(3)T 15.1(3)T 15.1(3)T wap-vcard wap-vcard-s 15.1(3)T 15.1(3)T 15.1(3)T

WAP-WSP

TCP/UDP

WAP-WSP-S

TCP/UDP

9202

wap-wsp-s

15.1(3)T

WAP-WSPWTP WAP-WSPWTP-S WB-Expak WB-Mon Webster WhoAmI WorldFusion WPGS

TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP

9201 9203 79 78 765 565 2595 780

wap-wsp-wtp wap-wsp-wtp-s wb-expak wb-mon webster whoami worldfusion wpgs

15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 59

Classifying Network Traffic Using NBAR Classification of Citrix ICA Traffic by ICA Tag Number

Category WSN XAct-Backup X-Bone-CTL XDTP

Protocol TCP/UDP TCP/UDP TCP/UDP TCP/UDP

Type 74 911 265 3088

Well-Known Port Number Wang Span Network xact-backup Xbone CTL eXtensible Data Transfer Protocol XFER Utility Cross Net Debugger XNS Authentication XNS Clearinghouse 165 XEROX NS IDP XNS mail XNS Time Protocol XTP xvttp Xyplex ANSI Z39.50 zannet Zebra server LockD

Description wsn xact-backup x-bone-ctl xdtp

Syntax 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T

Cisco IOS Release

XFER XNET XNS-Auth XNS-CH

TCP/UDP TCP/UDP TCP/UDP TCP/UDP XNS-Courier

82 15 56 54 TCP/UDP 22 58 52 36 508 173 210 317 346 4045

xfer xnet xns-auth xns-ch Xerox xns-idp xns-mail xns-time xtp xvttp xyplex-mux z39.50 zannet zserv lockd

15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T xns-courier 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 12.2(18)ZYA 12.2(18)ZYA1 15.1(2)T 12.2(18)ZYA 12.2(18)ZYA1 15.1(2)T 15.1(3)T

XNS-IDP XNS-Mail XNS-Time XTP XVTTP XYPlex-Mux z39.50 Zannet ZServ LockD

TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP TCP/UDP

Microsoft-DS

TCP/UDP

445

Microsoft Directory Services

microsoftds

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 60

Classifying Network Traffic Using NBAR Classification of Citrix ICA Traffic by ICA Tag Number

Category Nickname

Protocol TCP/UDP

Type 43

Well-Known Port Number Nickname

Description nicname

Syntax 12.2(18)ZYA 12.2(18)ZYA1 15.1(2)T 12.2(18)ZYA 12.2(18)ZYA1 15.1(2)T 12.2(18)ZYA 12.2(18)ZYA1 15.1(2)T 12.2(18)ZYA 12.2(18)ZYA1 15.1(2)T 12.2(18)ZYA 12.2(18)ZYA1 15.1(2)T sqlexec

Cisco IOS Release

NPP

TCP/UDP

92

Network Payment Protocol ORASRV

npp

ORASRV

TCP

1525

ora-srv

RTelnet

TCP/UDP

107

Remote Telnet Service Rate Control Protocol 9088

rtelnet

RCP

TCP/UDP

469

rcp

SQLExec

TCP/UDP

SQL Exec

12.2(18)ZYA 12.2(18)ZYA1 15.1(2)T 12.2(18)ZYA 12.2(18)ZYA1 15.1(2)T 12.2(18)ZYA 12.2(18)ZYA1 15.1(2)T 12.2(18)ZYA 12.2(18)ZYA1 15.1(2)T 12.2(18)ZYA 12.2(18)ZYA1 15.1(2)T 12.2(18)ZYA 12.2(18)ZYA1 15.1(2)T 12.2(18)ZYA 12.2(18)ZYA1 15.1(2)T

Systat

TCP/UDP

11

System Statistics systat

TACACS

TCP/UDP

49, 65

Terminal Access tacacs Controller Access-Control System Time time

Time

TCP/UDP

37

VNC

UDP

5800, 5900, 5901 63

Virtual Network vnc Computing Whois++ whois++

Whois++

TCP/UDP

XDMCP

UDP

177

X Display xdmcp Manager Control Protocol

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 61

Classifying Network Traffic Using NBAR Classification of Citrix ICA Traffic by ICA Tag Number

Category Miscellaneous (contd.) AN ARGUS ARIS AX25 BBNR RCC Mon BNA BR-SAT-Mon

Protocol 3pc

Type IP

Well-Known Port Number 34

Description Third Party Connect Protocol

Syntax 3pc

Cisco IOS Release 15.1(3)T

IP IP IP IP IP IP IP

107 13 104 93 10 49 76

Active Networks an ARGUS ARIS AX.25 Frames BBN RCC Monitoring BNA Backroom SATNET Monitoring CBT CFTP Chaos Compaq Peer Protocol Computer Protocol Heart Beat 72 argus aris ax25 bbnrccmon bna br-sat-mon

15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T

CBT CFTP Choas Compaq-Peer CPHB

IP IP IP IP IP

7 62 16 110 73

cbt cftp chaos compaq-peer cphb

15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T

CPNX

IP

Computer Protocol Network Executive Combat Radio Transport Protocol crudp

cpnx

15.1(3)T

CRTP

IP

126

crtp

15.1(3)T

CRUDP DCCP

IP IP

127 33

Combat Radio User Datagram

15.1(3)T 15.1(3)T

Datagram dccp Congestion Control Protocol

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 62

Classifying Network Traffic Using NBAR Classification of Citrix ICA Traffic by ICA Tag Number

Category DCN-Meas

Protocol IP

Type 19

Well-Known Port Number DCN Measurement Subsystems Datagram Delivery Protocol D-II Data Exchange Dissimilar Gateway Protocol

Description dcn-meas

Syntax 15.1(3)T

Cisco IOS Release

DDP

IP

37

ddp

15.1(3)T

DDX DGP

IP IP

116 86

ddx dgp

15.1(3)T 15.1(3)T

DSR

IP

48

Dynamic Source dsr Routing Protocol Exterior Gateway Protocol egp

15.1(3)T

EGP

IP

15.1(3)T

EIGRP

IP

88

Enhanced eigrp Interior Gateway Routing Protocol EMCON Encapsulation Header emcon encap

15.1(3)T

EMCON Encap EtherIP FC FIRE GGP GMTP GRE HIP HMP

IP IP IP IP IP IP IP IP IP IP

14 98 97 133 125 3 100 47 139 20

15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T

Ethernet-within- etherip IP Encapsulation Fibre Channel FIRE Gateway-toGateway GMTP fc fire ggp gmtp

General Routing gre Encapsulation Host Identity Protocol hip

Host Monitoring hmp

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 63

Classifying Network Traffic Using NBAR Classification of Citrix ICA Traffic by ICA Tag Number

Category HopOpt

Protocol IP IATP

Type 0 IP

Well-Known Port Number IPv6 Hop-byHop Option 117

Description hopopt Interactive Agent Transfer Protocol Internet Control Message idpr

Syntax 15.1(3)T iatp

Cisco IOS Release

15.1(3)T

ICMP IDPR IP

IP 35

1 Inter-Domain Policy Routing Protocol IDPR Control Message Transport Proto Inter-Domain Routing Protocol Ipsilon Flow Management Protocol Cisco interior gateway IL Transport Protocol Integrated Net Layer Security TUBA IP Payload Compression Protocol Internet Packet Core Utility IP in IP IP-within-IP Encapsulation Protocol IPLT

icmp 15.1(3)T

15.1(3)T

IDPR-CMTP

IP

38

idpr-cmtp

15.1(3)T

IDRP

IP

45

idrp

15.1(3)T

IFMP

IP

101

ifmp

15.1(3)T

IGRP IL I-NLSP

IP IP IP

9 40 52

igrp il i-nlsp

15.1(3)T 15.1(3)T 15.1(3)T

IMPCOMP

IP

108

ipcomp

15.1(3)T

IPCU IPinIP IPIP

IP IP IP

71 4 94

ipcv ipinip ipip

15.1(3)T 15.1(3)T 15.1(3)T

IPLT

IP

129

iplt

15.1(3)T

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 64

Classifying Network Traffic Using NBAR Classification of Citrix ICA Traffic by ICA Tag Number

Category IPPC IPv6-Frag IPv6-ICMP IPv6INIP IPv6-NONXT IPv6-Opts

Protocol IP IP IP IP IP IP IPv6-Route IRTP

Type 67 44 58 41 59 60 IP IP 124 29 111 91

Well-Known Port Number

Description

Syntax 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T ipv6-route

Cisco IOS Release

Internet Pluribus ippc Packet Core Fragment Header for IPv6 ICMP for IPv6 Ipv6 encapsulated ipv6-frag ipv6-icmp ipv6inip

No Next Header ipv6-nonxt for IPv6 Destination ipv6-opts Options for IPv6 43 28 ISIS over IPv4 Routing Header for IPv6

15.1(3)T 15.1(3)T

Internet Reliable irtp Transaction isis 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T

ISIS ISO-TP4 IXP-in-IP LARP

IP IP IP IP

ISO Transport iso-tp4 Protocol Class 4 IPX in IP Locus Address Resolution Protocol Leaf-1 Leaf-2 MANET Protocols MERIT Internodal Protocol MFE Network Services Protocol Mobile Internetworking Control Pro. ixp-in-ip larp

Leaf-1 Leaf-2 MANET Merit-Inp

IP IP IP IP

25 26 138 32

leaf-1 leaf-2 manet merit-inp

15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T

MFE-NSP

IP

31

mfe-nsp

15.1(3)T

MICP

IP

95

micp

15.1(3)T

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 65

Classifying Network Traffic Using NBAR Classification of Citrix ICA Traffic by ICA Tag Number

Category Mobile MPLS-in-IP MTP

Protocol IP IP IP

Type 55 137 92

Well-Known Port Number IP Mobility MPLS-in-IP Multicast Transport Protocol Multiplexing

Description mobile mpls-in-ip mtp

Syntax 15.1(3)T 15.1(3)T 15.1(3)T

Cisco IOS Release

Mux NARP

IP IP

18 54

mux

15.1(3)T 15.1(3)T

NBMA Address narp Resolution Protocol Bulk Data Transfer Protocol NSFNET-IGP Network Voice Protocol Open Shortest Path First PGM Reliable Transport Protocol Protocol Independent Multicast 131 netblt

Netblt

IP

30

15.1(3)T

NSFNET-IGP NVP-II OSPF PGM

IP IP IP IP

85 11 89 113

nsfnet-igp nvp-ii ospf pgm

15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T

PIM

IP

103

pim

15.1(3)T

Pipe

IP

Private IP Encapsulation within IP PNNI over IP prm ptp

pipe

15.1(3)T

PNNI PRM PTP IP IP

IP 21 123

102 Packet Radio Measurement Performance Transparency Protocol PUP Packet Video Protocol

pnni 15.1(3)T 15.1(3)T

15.1(3)T

PUP PVP

IP IP

12 75

pup pvp

15.1(3)T 15.1(3)T

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 66

Classifying Network Traffic Using NBAR Classification of Citrix ICA Traffic by ICA Tag Number

Category QNX RDP RSVP-E2EIgnore RVD

Protocol IP IP IP IP

Type 106 27 134 66

Well-Known Port Number QNX Reliable Data Protocol RSVP-E2EIGNORE MIT Remote Virtual Disk Protocol SATNET and Backroom EXPAK SATNET Monitoring Semaphore Communication s Sec. Pro. SCPS Stream Control Transmission Protocol Source Demand Routing Protocol SECUREVMTP SKIP SM

Description qnx rdp rsvp-e2e-ignore rvd

Syntax 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T

Cisco IOS Release

SAT-EXPAK

IP

64

sat-expak

15.1(3)T

SAT-Mon SCC-SP

IP IP

69 96

sat-mon scc-sp

15.1(3)T 15.1(3)T

SCPS SCTP

IP IP

105 132

scps sctp

15.1(3)T 15.1(3)T

SDRP

IP

42

sdrp

15.1(3)T

Secure-VMTP SKIP SM SMP SNP

IP IP IP IP IP Sprite-RPC SPS

82 57 122 121 109 IP IP

secure-vmtp skip sm

15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T sprite-rpc sps 15.1(3)T 15.1(3)T

Simple Message smp Protocol Sitara Networks Protocol 90 130 snp Sprite RPC Protocol Secure Packet Shield

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 67

Classifying Network Traffic Using NBAR Classification of Citrix ICA Traffic by ICA Tag Number

Category SRP SSCOPMCE ST STP

Protocol IP IP IP IP

Type 119 128 5 118

Well-Known Port Number SpectraLink Radio Protocol SSCOPMCE Stream Schedule Transfer Protocol SUN ND PROTOCOLTemporary IP with Encryption TCF Transport Layer Security Protocol TP++ Transport Protocol Trunk-1 Trunk-2 TTP UDPLite UTI VISA Protocol VMTP Virtual Router Redundancy Protocol WIDEBAND EXPAK WIDEBAND Monitoring

Description srp sscopmce st stp

Syntax 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T

Cisco IOS Release

SUN-ND

IP

77

sun-nd

15.1(3)T

Swipe TCF TLSP

IP IP IP

53 87 56

swipe tcf tlsp

15.1(3)T 15.1(3)T 15.1(3)T

TP++ Trunk-1 Trunk-2 TTP UDPLite UTI VISA VMTP VRRP

IP IP IP IP IP IP IP IP IP

39 23 24 84 136 120 70 81 112

tp++ trunk-1 trunk-2 ttp udplite uti visa vmtp vrrp

15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T

WB-Expak WB-Mon

IP IP

79 78

wb-expak wb-mon

15.1(3)T 15.1(3)T

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 68

Classifying Network Traffic Using NBAR Classification of Citrix ICA Traffic by ICA Tag Number

Category WSN XNET XNS-LDP XTP Voice

Protocol IP IP IP IP H.323

Type 74 15 22 36 TCP

Well-Known Port Number Wang Span Network Cross Net Debugger XEROX NS IDP XTP Dynamically Assigned Dynamically Assigned

Description wsn xnet xns-idp xtp H.323 Teleconferencin g Protocol

Syntax 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T h323

Cisco IOS Release

12.3(7)T 12.2(18)ZYA1 15.1(2)T 12.1E 12.2T 12.2(18)ZYA1 12.3 12.3T 12.3(7)T 15.1(2)T 12.2(8)T 12.2(18)ZYA1 15.1(2)T

RTCP

TCP/ UDP

Real-Time rtcp Control Protocol

RTP

TCP/ UDP

Dynamically Assigned

Real-Time Transport Protocol Payload Classification

rtp

Cisco-phone5

UDP

5060

Cisco IP Phones cisco-phone and PC-Based Unified Communicators Session Initiation Protocol sip

12.2(18)ZYA 12.2(18)ZYA1 15.1(2)T 12.3(7)T 12.2(18)ZYA1 15.1(2)T 12.3(7)T 12.2(18)ZYA1 15.1(2)T 12.4(4)T

SIP

TCP/UPD

5060

SCCP/ Skinny

TCP

2000, 2001, 2002 Dynamically Assigned

Skinny Client skinny Control Protocol Peer-to-Peer VoIP Client Software skype

Skype6

TCP/UDP

5 For Release 12.2(18)ZYA, only SIP and Skinny telephone connections (cisco-phone traffic connections) are recognized. H.323 telephone connections are not recognized. 6 Skype was introduced in Cisco IOS Release 12.4(4)T. As a result of this introduction, Skype is now native in (included with) the Cisco IOS software and uses the NBAR infrastructure new to Cisco IOS Release 12.4(4)T. Cisco software supports Skype 1.0, 2.5, and 3.0. Note that certain hardware platforms do not support Skype. For instance, Skype is not supported on the Catalyst 6500 series switch that is equipped with a Supervisor/PISA.

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 69

NBAR Memory Management Classification of Citrix ICA Traffic by ICA Tag Number

Category

Protocol TelePresence

Type TCP/UDP

Well-Known Port Number Dynamically Assigned

Description Cisco TelePresence System

Syntax telepresencemedia telepresencecontrol bittorrent

Cisco IOS Release 12.2(18)ZYA2 15.1(2)T

Peer-to-Peer File-Sharing Applications

BitTorrent

TCP

Dynamically Assigned, or 6881-6889 411

BitTorrent File Transfer Traffic Direct Connect File Transfer Traffic eDonkey FileSharing Application eMule traffic is also classified as eDonkey traffic in NBAR.

12.4(2)T 12.2(18)ZYA1 15.1(2)T 12.4(4)T 12.2(18)ZYA1 15.1(2)T 12.3(11)T 12.2(18)ZYA1 15.1(2)T

Direct Connect

TCP/ UDP

directconnect

eDonkey/ eMule TCP

4662

edonkey

FastTrack

N/A

Dynamically Assigned Dynamically Assigned Dynamically Assigned

FastTrack

fasttrack

12.1(12c)E 12.2(18)ZYA1 15.1(2)T 12.1(12c)E 12.2(18)ZYA1 15.1(2)T 12.2(8)T 12.2(18)ZYA1 15.1(2)T

Gnutella

TCP

Gnutella

gnutella

KaZaA

TCP/ UPD

KaZaA Note that earlier KaZaA version 1 traffic can be classified using FastTrack. WinMX Traffic

kazaa2

WinMX

TCP

6699

winmx

12.3(7)T 12.2(18)ZYA1 15.1(2)T

NBAR Memory Management


NBAR uses approximately 150 bytes of DRAM for each traffic flow that requires stateful inspection. (See NBAR Memory Management, page 70 for a list of protocols supported by NBAR that require stateful inspection.) When NBAR is configured, it allocates 1 MB of DRAM to support up to 5000 concurrent traffic flows. NBAR checks to see if more memory is required to handle additional concurrent stateful traffic flows. If such a need is detected, NBAR expands its memory usage in increments of 200 to 400 Kb.

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 70

NBAR Protocol Discovery Non-intrusive Protocol Discovery

Note

This expansion of memory by NBAR does not apply if a PISA is in use.

NBAR Protocol Discovery


NBAR includes a feature called Protocol Discovery. Protocol discovery provides an easy way to discover the application protocols that are operating on an interface. For more information about protocol discovery, see the "Enabling Protocol Discovery" module.

Note

With Cisco IOS Release 12.2(18)ZYA, intended for use on the Catalyst 6500 series switch that is equipped with a Supervisor 32/PISA, Protocol Discovery supports Layer 2 Etherchannels. Non-intrusive Protocol Discovery, page 71

Non-intrusive Protocol Discovery


Cisco IOS Release 12.2(18)ZYA1 includes a feature called Non-intrusive Protocol Discovery. The Nonintrusive Protocol Discovery feature enables the Catalyst 6500 series switch that is equipped with a Supervisor 32/PISA to perform protocol discovery in out-of-band (that is, offline) mode. In offline mode, a copy of the network traffic is used to discover the application protocols that are operating on an interface, leaving the network traffic undisturbed and available for other purposes. Non-intrusive Protocol Discovery is closely associated with a feature called Intelligent Traffic Redirect (ITR). ITR allows network administrators to optimize system performance by identifying the specific traffic that needs to be redirected to the Supervisor 32/PISA for deep-packet inspection. Non-intrusive Protocol Discovery is achieved by enabling ITR on an interface on which protocol discovery has been enabled. For more information about the commands used to enable ITR, see the Catalyst Supervisor Engine 32 PISA IOS Command Reference. For more information about protocol discovery, see the "Enabling Protocol Discovery" module.

Note

For the Non-intrusive Protocol Discovery feature to function properly, no other "intrusive" features (for example, Flexible Packet Matching [FPM]) can be in use on the interface in either the input or output direction. An intrusive feature is one that some how manipulates the packets (such as modifying a statistic or a packet counter). If such a feature is in use, the actual traffic (and not a copy of the traffic) is redirected.

NBAR Protocol Discovery MIB


The NBAR Protocol Discovery Management Information Base (MIB) expands the capabilities of NBAR Protocol Discovery by providing the following new functionality through Simple Network Management Protocol (SNMP): Enable or disable Protocol Discovery per interface. Display Protocol Discovery statistics. Configure and view multiple top-n tables that list protocols by bandwidth usage. Configure thresholds based on traffic of particular NBAR-supported protocols or applications that report breaches and send notifications when these thresholds are crossed.

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 71

NBAR Configuration Processes Where to Go Next

For more information about the NBAR Protocol Discovery MIB, see the "Network-Based Application Recognition Protocol Discovery Management Information Base" module.

NBAR Configuration Processes


Configuring NBAR consists of the following processes: Enabling Protocol Discovery (required)

When you configure NBAR, the first process is to enable Protocol Discovery. Configuring NBAR using the MQC (optional)

After you enable Protocol Discovery, you have the option to configure NBAR using the functionality of the MQC. Adding application recognition modules (also known as Packet Description Language Modules [PDLMs]) (optional)

Adding PDLMs extends the functionality of NBAR by enabling NBAR to recognize additional protocols on your network. Creating custom protocols (optional)

Custom protocols extend the capability of NBAR Protocol Discovery to classify and monitor additional static port applications and allow NBAR to classify nonsupported static port traffic.

Where to Go Next
Begin configuring NBAR by first enabling Protocol Discovery. To enable Protocol Discovery, see the "Enabling Protocol Discovery" module.

Additional References
Related Documents Related Topic Cisco IOS commands Document Title Cisco IOS Master Commands List, All Releases

QoS commands: complete command syntax, Cisco IOS Quality of Service Solutions Command command modes, command history, defaults, usage Reference guidelines, and examples QoS features and functionality "Quality of Service Overview" module

QoS features and functionality on the Catalyst 6500 "Configuring PFC QoS" module of the Catalyst series switch Supervisor Engine 32 PISA Cisco IOS Software Configuration Guide , Release 12.2ZY Classifying network traffic if not using NBAR "Classifying Network Traffic" module

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 72

Classifying Network Traffic Using NBAR Additional References

Related Topic FWSM and its connection features

Document Title "Configuring Advanced Connection Features" module of the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide "Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Service Module Command Reference Guide "Configuring IDSM-2" module of the Configuring the Cisco Intrusion Prevention System Sensor Using the Command Line Interface "Configuring SPAN and RSPAN" module of the Catalyst 6500 Series Software Configuration Guide "VACL Capture for Granular Traffic Analysis with Cisco Catalyst 6000/6500 Running Cisco IOS Software" module "Configuring QoS" module of the Catalyst 6500 Series Software Configuration Guide Catalyst Supervisor Engine 32 PISA IOS Command Reference. "Flexible Packet Matching" module of the Cisco IOS Security Configuration Guide "Flexible Packet Matching XML Configuration" module "Marking Network Traffic" module "Network-Based Application Recognition Protocol Discovery Management Information Base" module "AutoQoS--VoIP" module; "AutoQos for the Enterprise" module "Network-Based Application Recognition Protocol Discovery Management Information Base" module "Enabling Protocol Discovery" module "Configuring NBAR Using the MQC" module "Adding Application Recognition Modules" module

FWSM commands

IDSM

SPAN or RSPAN VACL Capture

Catalyst 6500 series switch and QoS Commands used to enable ITR on the Catalyst 6500 series switch equipped with a Supervisor 32/ PISA FPM FPM eXtensible Markup Language (XML) Configuration Marking network traffic CISCO-NBAR-PROTOCOL-DISCOVERY MIB AutoQoS, 7 AutoQos for the Enterprise, VoIP traffic NBAR Protocol Discovery MIB Enabling Protocol Discovery Configuring NBAR using the MQC Adding application recognition modules (also known as PDLMs)

7 Cisco IOS Release 12.2(18)ZY does not support either the AutoQoS--Voice over IP (VoIP) feature or the AutoQoS for the Enterprise feature on the Catalyst 6500 series switch.

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 73

Classifying Network Traffic Using NBAR Additional References

Related Topic Creating a custom protocol Configuring Flexible NetFlow for Network Based Application Recognition Standards Standard ISO 0009 ISO 0013 ISO 0033 ISO 0034 ISO 0053 ISO 0056 MIBs MIB CISCO-NBAR-PROTOCOL-DISCOVERY MIB

Document Title "Creating a Custom Protocol" module "Customizing Cisco IOS Flexible NetFlow Flow Records and Flow Monitors" module

Title File Transfer Protocol (FTP) Domain Names - Concepts and Facilities The TFTP Protocol (Revision 2) Routing Information Protocol Post Office Protocol - Version 3 RIP Version 2

MIBs Link To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs

RFCs RFC RFC 742 RFC 759 RFC 768 RFC 792 RFC 793 RFC 821 RFC 827 RFC 854 RFC 888 Title NAME/FINGER Protocol Internet Message Protocol User Datagram Protocol Internet Control Message Protocol Transmission Control Protocol Simple Mail Transfer Protocol Exterior Gateway Protocol Telnet Protocol Specification "STUB" Exterior Gateway Protocol

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 74

Classifying Network Traffic Using NBAR Additional References

RFC RFC 904 RFC 951 RFC 959 RFC 977 RFC 1001 RFC 1002 RFC 1057 RFC 1094 RFC 1112 RFC 1157 RFC 1282 RFC 1288 RFC 1305 RFC 1350 RFC 1436 RFC 1459 RFC 1510 RFC 1542 RFC 1579 RFC 1583 RFC 1657 RFC 1701 RFC 1730 RFC 1771 RFC 1777

Title Exterior Gateway Protocol Formal Specification Bootstrap Protocol File Transfer Protocol Network News Transfer Protocol Protocol Standard for a NetBIOS Service on a TCP/UDP Transport: Concepts and Methods Protocol Standard for a NetBIOS Service on a TCP/UDP Transport: Detailed Specifications RPC: Remote Procedure Call NFS: Network File System Protocol Specification Host Extensions for IP Multicasting Simple Network Management Protocol BSD Rlogin The Finger User Information Protocol Network Time Protocol The TFTP Protocol (Revision 2) The Internet Gopher Protocol Internet Relay Chat Protocol The Kerberos Network Authentication Service Clarifications and Extensions for the Bootstrap Protocol Firewall-Friendly FTP OSPF Version 2 Definitions of Managed Objects for the Fourth Version of the Border Gateway Protocol Generic Routing Encapsulation Internet Message Access Protocol--Version 4 A Border Gateway Protocol 4 (BGP-4) Lightweight Directory Access Protocol

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 75

Classifying Network Traffic Using NBAR Additional References

RFC RFC 1831 RFC 1889 RFC 1890 RFC 1928 RFC 1939 RFC 1945 RFC 1964 RFC 2045 RFC 2060 RFC 2068 RFC 2131 RFC 2205 RFC 2236 RFC 2251 RFC 2252 RFC 2253 RFC 2326 RFC 2401 RFC 2406 RFC 2453 RFC 2616

Title RPC: Remote Procedure Call Protocol Specification Version 2 A Transport Protocol for Real-Time Applications RTP Profile for Audio and Video Conferences with Minimal Control SOCKS Protocol Version 5 Post Office Protocol--Version 3 Hypertext Transfer Protocol--HTTP/1.0 The Kerberos Version 5 GSS-API Mechanism Multipurpose Internet Mail Extension (MIME) Part One: Format of Internet Message Bodies Internet Message Access Protocol--Version 4 rev1 Hypertext Transfer Protocol--HTTP/1.1 Dynamic Host Configuration Protocol Resource ReSerVation Protocol (RSVP)--Version 1 Functional Specification Internet Group Management Protocol, Version 2 Lightweight Directory Access Protocol (v3) Lightweight Directory Access Protocol (v3): Attribute Syntax Definitions Lightweight Directory Access Protocol (v3): UTF-8 String Representation of Distinguished Names Real Time Streaming Protocol (RTSP) Security Architecture for the Internet Protocol IP Encapsulating Security Payload RIP Version 2 Hypertext Transfer Protocol--HTTP/1.1
Note This RFC updates RFC 2068.

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 76

Classifying Network Traffic Using NBAR Feature Information for Classifying Network Traffic Using NBAR

Technical Assistance Description The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. Link http://www.cisco.com/cisco/web/support/ index.html

Feature Information for Classifying Network Traffic Using NBAR


The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Table 2: Feature Information for Phrase Based on Module Title

Feature Name NBAR - Network-based Application Recognition

Releases 12.1(5)T 12.1(1)E 12.2(11)YT 12.2(18)ZY

Feature Information NBAR is a classification engine that recognizes and classifies a wide variety of protocols and applications. When NBAR recognizes and classifies a protocol or application, the network can be configured to apply the appropriate QoS for that application or traffic with that protocol. The following sections provide information about this feature: The following commands were introduced or modified: match protocol http, match protocol citrix, match protocol gnutella, match protocol fasttrack, ip nbar protocol-tagging,, show ip nbar protocol-tagging.

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 77

Classifying Network Traffic Using NBAR Glossary

Feature Name Additional PDL Support for NBAR

Releases 15.1(2)T

Feature Information The Additional PDL Support for NBAR feature provides addtional PDLs as part of feature parity between Cisco IOS Release 12.2(18)ZY and Cisco IOS Release 15.1(2)T. The following section includes information about this PDL support extended to Cisco IOS Release 15.1(2)T:

Distributed Network-based Application Recognition (dNBAR)

12.2(4)T 12.2(18)SXF 12.1(6)E

dNBAR is NBAR used on the Cisco 7500 router with a VIP and on the Catalyst 6500 family of switches with a FlexWAN module or SIP. The implementation of NBAR and dNBAR is identical. The following sections provide information about this feature:

nBAR: IANA Protocol Extensions Pack1

15.1(3)T

The nBAR: IANA Protocol Extensions Pack1 feature allows NBAR to detect and classify a set of protocols and applications standardized by IANA. The following section includes information about this feature:

Glossary
encryption --Encryption is the application of a specific algorithm to data so as to alter the appearance of the data, making it incomprehensible to those who are not authorized to see the information. dNBAR --Distributed Network-Based Application Recognition. dNBAR is NBAR used on the Cisco 7500 router with a Versatile Interface Processor (VIP) and on the Catalyst 6500 family of switches with a FlexWAN module or serial interface processor (SIP). The implementation of NBAR and dNBAR is identical. HTTP --Hypertext Transfer Protocol. The protocol used by web browsers and web servers to transfer files, such as text and graphic files. IANA --Internet Assigned Numbers Authority. An organization operated under the auspices of the Internet Society (ISOC) as a part of the Internet Architecture Board (IAB). IANA delegates authority for IP address-space allocation and domain-name assignment to the InterNIC and other organizations. IANA also maintains a database of assigned protocol identifiers used in the TCP/IP stack, including autonomous system numbers. LAN --local-area network. A high-speed, low-error data network that covers a relatively small geographic area (up to a few thousand meters). LANs connect workstations, peripherals, terminals, and other devices in

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 78

Classifying Network Traffic Using NBAR Glossary

a single building or other geographically limited area. LAN standards specify cabling and signaling at the physical and data link layers of the Open System Interconnection (OSI) model. Ethernet, FDDI, and Token Ring are widely used LAN technologies. MIME --Multipurpose Internet Mail Extension. The standard for transmitting nontext data (or data that cannot be represented in plain ASCII code) in Internet mail, such as binary, foreign language text (such as Russian or Chinese), audio, and video data. MIME is defined in RFC 2045: Multipurpose Internet Mail Extension (MIME) Part One: Format of Internet Message Bodies . MPLS --Multiprotocol Label Switching. A switching method that forwards IP traffic using a label. This label instructs the routers and the switches in the network where to forward the packets based on preestablished IP routing information. MQC --Modular Quality of Service Command-Line Interface. A command-line interface that allows you to define traffic classes, create and configure traffic policies (policy maps), and then attach the policy maps to interfaces. The policy maps are used to apply the appropriate quality of service (QoS) to network traffic. NBAR --Network-Based Application Recognition. A classification engine that recognizes and classifies a wide variety of protocols and applications. When NBAR recognizes and classifies a protocol or application, the network can be configured to apply the appropriate quality of service (QoS) for that application or traffic with that protocol. PDLM --Packet Description Language Module. A file that contains Packet Description Language statements used to define the signature of one or more application protocols. Protocol Discovery --A feature included with NBAR. Protocol Discovery provides a way to discover the application protocols that are operating on an interface. QoS --quality of service. A measure of performance for a transmission system that reflects its transmission quality and service availability. RTCP --RTP Control Protocol. A protocol that monitors the QoS of an IPv6 Real-Time Transport Protocol (RTP) connection and conveys information about the ongoing session. RTSP --Real Time Streaming Protocol. A means for enabling the controlled delivery of real-time data, such as audio and video. Sources of data can include both live data feeds, such as live audio and video, and stored content, such as prerecorded events. RTSP is designed to work with established protocols, such as Real-Time Transport Protocol (RTP) and HTTP. stateful protocol --A protocol that uses TCP and UDP port numbers that are determined at connection time. static protocol --A protocol that uses well-defined (predetermined) TCP and UDP ports for communication. subport classification --The classification of network traffic by information that is contained in the packet payload; that is, information found beyond the TCP or UDP port number. TCP --Transmission Control Protocol. A connection-oriented transport layer protocol that provides reliable full-duplex data transmission. TCP is part of the TCP/IP protocol stack. tunneling --Tunneling is an architecture that is designed to provide the services necessary to implement any standard point-to-point encapsulation scheme. UDP --User Datagram Protocol. A connectionless transport layer protocol in the TCP /IP protocol stack. UDP is a simple protocol that exchanges datagrams without acknowledgments or guaranteed delivery, requiring that error processing and retransmission be handled by other protocols. UDP is defined in RFC 768: User Datagram Protocol . WAN --wide-area network. A data communications network that serves users across a broad geographic area and often uses transmission devices provided by common carriers.

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 79

Classifying Network Traffic Using NBAR

Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R) Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 80

Enabling Protocol Discovery


Network-Based Application Recognition (NBAR) includes a feature called Protocol Discovery. Protocol Discovery provides an easy way to discover the application protocols that are operating on an interface. When you configure NBAR, the first task is to enable Protocol Discovery. This module contains concepts and tasks for enabling the Protocol Discovery feature. Finding Feature Information, page 81 Prerequisites for Enabling Protocol Discovery, page 81 Information About Protocol Discovery, page 81 How to Configure Protocol Discovery, page 82 Configuration Examples for Enabling Protocol Discovery, page 84 Where to Go Next, page 85 Additional References, page 85 Feature Information for Enabling Protocol Discovery, page 86

Finding Feature Information


Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the Feature Information Table at the end of this document. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Prerequisites for Enabling Protocol Discovery


Before enabling Protocol Discovery, read the information in the "Classifying Network Traffic Using NBAR" module.

Information About Protocol Discovery


Protocol Discovery Functionality, page 82

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 81

Protocol Discovery Functionality How to Configure Protocol Discovery

Protocol Discovery Functionality


NBAR determines which protocols and applications are currently running on your network. NBAR includes a feature called Protocol Discovery. Protocol Discovery provides an easy way of discovering the application protocols that are operating on an interface so that appropriate quality of service (QoS) features can be applied. With Protocol Discovery, you can discover any protocol traffic that is supported by NBAR and obtain statistics that are associated with that protocol. Protocol Discovery maintains the following per-protocol statistics for enabled interfaces: Total number of input packets and bytes Total number of output packets and bytes Input bit rates Output bit rates

The statistics can then be used when you later define classes and traffic policies (sometimes known as policy maps) for each traffic class. The traffic policies (policy maps) are used to apply specific QoS features and functionality to the traffic classes.

How to Configure Protocol Discovery


Enabling Protocol Discovery on an Interface, page 82 Reporting Protocol Discovery Statistics, page 83

Enabling Protocol Discovery on an Interface


The ip nbar protocol-discoverycommand is used to enable Protocol Discovery on an interface. With Cisco IOS Release 12.2(18)ZYA, intended for use on the Cisco 6500 series switch that is equipped with a Supervisor 32/PISA, the ip nbar protocol-discovery command is supported on both Layer 2 and Layer 3 Etherchannels. To enable Protocol Discovery on an interface, perform the following steps.

SUMMARY STEPS
1. enable 2. configure terminal 3. interface type number [name-tag] 4. ip nbar protocol-discovery 5. end

DETAILED STEPS
Command or Action Step 1 enable Purpose Enables privileged EXEC mode. Enter your password if prompted.

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 82

Reporting Protocol Discovery Statistics How to Configure Protocol Discovery

Command or Action
Example:
Router> enable

Purpose

Step 2 configure terminal


Example:
Router# configure terminal

Enters global configuration mode.

Step 3 interface type number [name-tag]


Example:
Router(config)# interface ethernet 2/4

Configures an interface type and enters interface configuration mode. Enter the interface type and the interface number.

Step 4 ip nbar protocol-discovery


Example:
Router(config-if)# ip nbar protocol-discovery

Configures NBAR to discover traffic for all protocols known to NBAR on a particular interface.

Step 5 end
Example:
Router(config-if)# end

(Optional) Exits interface configuration mode.

Reporting Protocol Discovery Statistics


To display a report of the Protocol Discovery statistics per interface, perform the following steps.

SUMMARY STEPS
1. enable 2. show policy-map interface type number 3. show ip nbar protocol-discovery [interface type number] [stats {byte-count | bit-rate | packetcount| max-bit-rate}] [protocol protocol-name | top-n number] 4. exit

DETAILED STEPS
Command or Action Step 1 enable
Example:
Router> enable

Purpose Enables privileged EXEC mode. Enter your password if prompted.

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 83

Example Enabling Protocol Discovery on an Interface Configuration Examples for Enabling Protocol Discovery

Command or Action Step 2 show policy-map interface type number


Example:
Router# show policy-map interface Fastethernet 6/0

Purpose (Optional) Displays the packet and class statistics for all policy maps on the specified interface. Enter the interface type and the interface number.

Step 3 show ip nbar protocol-discovery [interface type number] [stats {byte-count | bit-rate | packet-count| max-bit-rate}] [protocol protocol-name | top-n number]
Example:
Router# show ip nbar protocol-discovery interface Fastethernet 6/0

Displays the statistics gathered by the NBAR Protocol Discovery feature. (Optional) Enter keywords and arguments to fine-tune the statistics displayed.

Step 4 exit
Example:
Router# exit

(Optional) Exits privileged EXEC mode.

Configuration Examples for Enabling Protocol Discovery


Example Enabling Protocol Discovery on an Interface, page 84 Example Reporting Protocol Discovery Statistics, page 84

Example Enabling Protocol Discovery on an Interface


In the following sample configuration, Protocol Discovery is enabled on Ethernet interface 2/4.
Router> Router#

enable configure terminal interface ethernet 2/4 ip nbar protocol-discovery end

Router(config)#

Router(config-if)# Router(config-if)#

Example Reporting Protocol Discovery Statistics


The following example displays output from the show ip nbar protocol-discoverycommand for the five most active protocols on an Ethernet interface:
Router# show ip nbar protocol-discovery top-n 5 Ethernet2/0

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 84

Enabling Protocol Discovery Where to Go Next

Input Output ---------Protocol Packet Count Packet Count Byte Count Byte Count 30sec Bit Rate (bps) 30sec Bit Rate (bps) 30sec Max Bit Rate (bps) 30sec Max Bit Rate (bps) --------------------------- ------------------------ -----------------------rtp 3272685 3272685 242050604 242050604 768000 768000 2002000 2002000 gnutella 513574 513574 118779716 118779716 383000 383000 987000 987000 ftp 482183 482183 37606237 37606237 121000 121000 312000 312000 http 144709 144709 32351383 32351383 105000 105000 269000 269000 netbios 96606 96606 10627650 10627650 36000 36000 88000 88000 unknown 1724428 1724428 534038683 534038683 2754000 2754000 4405000 4405000 Total 6298724 6298724 989303872 989303872 4213000 4213000 8177000 8177000

Where to Go Next
After you enable Protocol Discovery, you have the option to configure NBAR using the Modular Quality of Service (QoS) Command-Line Interface (CLI) (MQC). To configure NBAR using the MQC, see the "Configuring NBAR Using the MQC" module.

Additional References
The following sections provide references related to enabling Protocol Discovery. Related Documents Related Topic Document Title

QoS commands: complete command syntax, Cisco IOS Quality of Service Solutions Command command modes, command history, defaults, usage Reference guidelines, and examples Concepts and information about NBAR Configuring NBAR using the MQC "Classifying Network Traffic Using NBAR" module "Configuring NBAR Using the MQC" module

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 85

Enabling Protocol Discovery Feature Information for Enabling Protocol Discovery

Related Topic Adding application recognition modules (also known as PDLMs) Creating a custom protocol Technical Assistance Description The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

Document Title "Adding Application Recognition Modules" module "Creating a Custom Protocol" module

Link http://www.cisco.com/cisco/web/support/ index.html

Feature Information for Enabling Protocol Discovery


The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Table 3: Feature Information for Enabling Protocol Discovery

Feature Name NBAR--Network-Based Application Recognition

Releases 12.2(18)ZYA

Feature Information Integrates NBAR and Firewall Service Module (FWSM) functionality on the Catalyst 6500 series switch that is equipped with a Supervisor 32/ programmable intelligent services accelerator (PISA). The following commands were modified: ip nbar protocoldiscovery, show ip nbar protocol-discovery.

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 86

Enabling Protocol Discovery

Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R) Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 87

Example Reporting Protocol Discovery Statistics

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 88

Configuring NBAR Using the MQC


After you enable Protocol Discovery, you can configure Network-Based Application Recognition (NBAR) using the functionality of the Modular Quality of Service (QoS) Command-Line Interface (CLI) (MQC). The MQC uses traffic classes and traffic policies (policy maps) to apply QoS features to classes of traffic and applications recognized by NBAR. This module contains concepts and tasks for configuring NBAR using the MQC. Finding Feature Information, page 89 Prerequisites for Configuring NBAR Using the MQC, page 89 Information About Configuring NBAR Using the MQC, page 90 How to Configure NBAR Using the MQC, page 91 Configuration Examples for Configuring NBAR Using the MQC, page 97 Where to Go Next, page 99 Additional References, page 99 Feature Information for Configuring NBAR Using the MQC, page 100

Finding Feature Information


Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the Feature Information Table at the end of this document. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Prerequisites for Configuring NBAR Using the MQC


Before configuring NBAR using the MQC, read the information in the "Classifying Network Traffic Using NBAR" module. As applicable, enable Protocol Discovery and use it to obtain statistics about the protocols and applications that are used in your network. You will need this information when using the MQC.

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 89

NBAR and the MQC Functionality Information About Configuring NBAR Using the MQC

Note

This prerequisite assumes that you do not already have this information about the protocols and applications in use in your network.

Information About Configuring NBAR Using the MQC


NBAR and the MQC Functionality, page 90 NBAR and the match protocol Commands, page 90

NBAR and the MQC Functionality


To configure NBAR using the MQC, you must define a traffic class, configure a traffic policy (policy map), and then attach that traffic policy to the appropriate interface. These three tasks can be accomplished by using the MQC. The MQC is a command-line interface that allows you to define traffic classes, create and configure traffic policies (policy maps), and then attach these traffic policies to interfaces. In the MQC, the class-map command is used to define a traffic class (which is then associated with a traffic policy). The purpose of a traffic class is to classify traffic. Using the MQC to configure NBAR consists of the following: Defining a traffic class with the class-map command. Creating a traffic policy by associating the traffic class with one or more QoS features (using the policy-map command). Attaching the traffic policy to the interface with the service-policy command.

A traffic class contains three major elements: a name, one or more match commands, and, if more than one match command exists in the traffic class, an instruction on how to evaluate these match commands (that is, match-all or match-any). The traffic class is named in the class-map command line; for example, if you enter the class-map cisco command while configuring the traffic class in the CLI, the traffic class would be named "cisco." The match commands are used to specify various criteria for classifying packets. Packets are checked to determine whether they match the criteria specified in the match commands. If a packet matches the specified criteria, that packet is considered a member of the class and is forwarded according to the QoS specifications set in the traffic policy. Packets that fail to meet any of the matching criteria are classified as members of the default traffic class.

Note

For NBAR, the match protocol commands are used to specify the match criteria, as described in the NBAR and the match protocol Commands, page 90.

NBAR and the match protocol Commands


NBAR recognizes specific network protocols and network applications that are used in your network. Once a protocol or application is recognized by NBAR, you can use the MQC to group the packets associated with those protocols or applications into classes. These classes are grouped on the basis of whether the packets conform to certain criteria.

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 90

Configuring a Traffic Class How to Configure NBAR Using the MQC

For NBAR, the criterion is whether the packet matches a specific protocol or application known to NBAR. Using the MQC, network traffic with one network protocol (citrix, for example) can be placed into one traffic class, while traffic that matches a different network protocol (gnutella, for example) can be placed into another traffic class. Later, the network traffic within each class can be given the appropriate QoS treatment by using a traffic policy (policy map). You specify the criteria used to classify traffic by using a match protocolcommand. The table below lists some of the available match protocolcommands and the corresponding protocol or traffic type recognized and supported by NBAR.

Note

For a more complete list of the protocol types supported by NBAR, see the "Classifying Network Traffic Using NBAR" module.
Table 4: match protocol Commands and Corresponding Protocol or Traffic Type

match protocol Command8 match protocol (NBAR) match protocol citrix match protocol fasttrack match protocol gnutella match protocol http match protocol rtp

Protocol Type Protocol type supported by NBAR Citrix protocol FastTrack peer-to-peer traffic Gnutella peer-to-peer traffic Hypertext Transfer Protocol Real-Time Transport Protocol traffic

How to Configure NBAR Using the MQC


Configuring a Traffic Class, page 91 Configuring a Traffic Policy, page 93 Attaching a Traffic Policy to an Interface or Subinterface, page 94 Verifying NBAR Using the MCQ, page 96

Configuring a Traffic Class


Traffic classes can be used to organize packets into groups based on a user-specified criteria. For example, traffic classes can be configured to match packets on the basis of the protocol type or application recognized by NBAR. In this task, the traffic class is configured to match on the basis of the Citrix protocol type.

8 Cisco IOS match protocol commands can vary by release. For more information, see the command documentation for the Cisco IOS release that you are using.

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 91

Configuring NBAR Using the MQC How to Configure NBAR Using the MQC

Note

The match protocol citrixcommand is shown in Step Configuring a Traffic Class, page 91 The match protocol citrix command is just an example of one of the match protocolcommands that can be used. For a complete list of match protocolcommands, see the command documentation for the Cisco IOS release that you are using. To configure a traffic class, perform the following steps.

Note

Typically, a single traffic class contains one or more match commands that can be used to organize packets into groups on the basis of a protocol type or application. You can create as many traffic classes as needed. However, for Cisco IOS Release 12.2(18)ZY, the following restrictions apply: > A single traffic class can be configured to match a maximum of 8 protocols or applications. Multiple traffic classes can be configured to match a cumulative maximum of 95 protocols or applications.

SUMMARY STEPS
1. enable 2. configure terminal 3. class-map [match-all | match-any] class-map-name 4. match protocol citrix 5. end

DETAILED STEPS
Command or Action Step 1 enable
Example:
Router> enable

Purpose Enables privileged EXEC mode. Enter your password if prompted.

Step 2 configure terminal


Example:
Router# configure terminal

Enters global configuration mode.

Step 3 class-map [match-all | match-any] class-mapname


Example:
Router(config)# class-map cmap1

Creates a class map to be used for matching packets to a specified class and enters class-map configuration mode. Enter the name of the class map.

Step 4 match protocol citrix

Configures NBAR to match Citrix traffic.

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 92

Configuring a Traffic Policy How to Configure NBAR Using the MQC

Command or Action
Example:
Router(config-cmap)# match protocol citrix

Purpose
NoteThe match protocol citrix command is just an example of one of

Step 5 end
Example:
Router(config-cmap)# end

the match protocolcommands that can be used. For a complete list of match protocol commands, see the command documentation for the Cisco IOS release that you are using. NoteFor Cisco IOS Release 12.2(18)ZY, a maximum of 8 match protocol commands can be configured in a single traffic class. (Optional) Returns to privileged EXEC mode.

Configuring a Traffic Policy


Traffic that matches a user-specified criterion can be organized into a specific class that can, in turn, receive specific user-defined QoS treatment when that class is included in a policy map. To configure a traffic policy, perform the following steps.

Note

The bandwidth command is shown in Step Configuring a Traffic Policy, page 93 The bandwidth command configures the QoS feature class-based weighted fair queuing (CBWFQ). CBWFQ is just an example of a QoS feature that can be configured. Use the appropriate command for the QoS feature that you want to use. As of Cisco IOS Release 12.2(18)ZY, CBWFQ is not supported on the Catalyst 6500 series switch that is equipped with a Supervisor 32/programmable intelligent services accelerator (PISA).

Note

For Cisco IOS Release 12.2(18)ZY, an existing traffic policy (policy map) cannot be modified if the traffic policy is already attached to the interface. To remove the policy map from the interface, use the no form of the service-policy command. >

SUMMARY STEPS
1. enable 2. configure terminal 3. policy-map policy-map-name 4. class {class-name | class-default} 5. bandwidth {bandwidth-kbps| remaining percent percentage| percent percentage} 6. end

DETAILED STEPS
Command or Action Step 1 enable Purpose Enables privileged EXEC mode.

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 93

Attaching a Traffic Policy to an Interface or Subinterface How to Configure NBAR Using the MQC

Command or Action
Example:
Router> enable

Purpose Enter your password if prompted.

Step 2 configure terminal


Example:
Router# configure terminal

Enters global configuration mode.

Step 3 policy-map policy-map-name


Example:
Router(config)# policy-map policy1

Creates or modifies a policy map that can be attached to one or more interfaces and enters policy-map configuration mode. Enter the name of the policy map.

Step 4 class {class-name | class-default}


Example:
Router(config-pmap)# class class1

Specifies the name of the class whose policy you want to create or change and enters policy-map class configuration mode. Enter the specific class name or enter the class-defaultkeyword.

Step 5 bandwidth {bandwidth-kbps| remaining percent percentage| percent percentage}


Example:
Router(config-pmap-c)# bandwidth percent 50

(Optional) Specifies or modifies the bandwidth allocated for a class belonging to a policy map. Enter the amount of bandwidth as a number of kbps, a relative percentage of bandwidth, or an absolute amount of bandwidth.

NoteThe bandwidth command configures the QoS feature class-based

Example:

Step 6 end
Example:
Router(config-pmap-c)# end

weighted fair queuing (CBWFQ). CBWFQ is just an example of a QoS feature that can be configured. Use the appropriate command for the QoS feature that you want to use. NoteAs of Cisco IOS Release 12.2(18)ZY, CBWFQ is not supported on the Catalyst 6500 series switch that is equipped with a Supervisor 32/PISA. (Optional) Returns to privileged EXEC mode.

Attaching a Traffic Policy to an Interface or Subinterface


After a policy map is created, the next step is to attach the traffic policy (sometimes called a policy map) to an interface or subinterface. Traffic policies can be attached to either the input or output direction of the interface or subinterface.

Note

Depending on the needs of your network, you may need to attach the traffic policy to an ATM PVC, a Frame Relay data-link connection identifier (DLCI), or other type of interface. To attach a traffic policy (policy map) to an interface, perform the following steps.

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 94

Configuring NBAR Using the MQC How to Configure NBAR Using the MQC

SUMMARY STEPS
1. enable 2. configure terminal 3. interface type number [name-tag] 4. pvc [name] vpi / vci [ilmi| qsaal| smds| l2transport] 5. exit 6. service-policy {input | output} policy-map-name 7. end

DETAILED STEPS
Command or Action Step 1 enable
Example:
Router> enable

Purpose Enables privileged EXEC mode. Enter your password if prompted.

Step 2 configure terminal


Example:
Router# configure terminal

Enters global configuration mode.

Step 3 interface type number [name-tag]


Example:
Router(config)# interface ethernet 2/4

Configures an interface type and enters interface configuration mode. Enter the interface type and the interface number.

Step 4 pvc [name] vpi / vci [ilmi| qsaal| smds| l2transport]


Example:
Router(config-if)# pvc cisco 0/16

(Optional) Creates or assigns a name to an ATM permanent virtual circuit (PVC), specifies the encapsulation type on an ATM PVC, and enters ATM virtual circuit configuration mode. Enter the PVC name, the ATM network virtual path identifier, and the network virtual channel identifier.

NoteThis step is required only if you are attaching the policy map to an ATM PVC.

Step 5 exit
Example:
Router(config-atm-vc)# exit

If you are not attaching the policy map to an ATM PVC, advance to Attaching a Traffic Policy to an Interface or Subinterface, page 94. (Optional) Returns to interface configuration mode.
NoteThis step is required only if you are attaching the policy map to an ATM PVC

Step 6 service-policy {input | output} policy-map-name

and you completed Attaching a Traffic Policy to an Interface or Subinterface, page 94. If you are not attaching the policy map to an ATM PVC, advance to Attaching a Traffic Policy to an Interface or Subinterface, page 94. Attaches a policy map (traffic policy) to an input or output interface. Specify either the input or output keyword, and enter the policy map name.

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 95

Verifying NBAR Using the MCQ How to Configure NBAR Using the MQC

Command or Action
Example:
Router(config-if)# servicepolicy input policy1

Purpose
NotePolicy maps can be configured on ingress or egress routers. They can also be

attached in the input or output direction of an interface. The direction (input or output) and the router (ingress or egress) to which the policy map should be attached vary according your network configuration. When using the servicepolicy command to attach the policy map to an interface, be sure to choose the router and the interface direction that are appropriate for your network configuration. NoteAfter you use the service-policy command, you may see two messages similar to the following:
%PISA-6-NBAR_ENABLED: feature accelerated on input direction of: [interface name and type ] %PISA-6-NBAR_ENABLED: feature accelerated on output direction of: [interface name and type

Step 7 end
Example:
Router(config-if)# end

While both of these messages appear, NBAR is enabled in the direction specified by the input or output keyword only. (Optional) Returns to privileged EXEC mode.

Verifying NBAR Using the MCQ


After you create the traffic classes and traffic policies (policy maps), you may want to verify that the end result is the one you intended. That is, you may want to verify whether your traffic is being classified correctly and whether it is receiving the QoS treatment as intended. You may also want to verify that the protocol-to-port mappings are correct. To verify the NBAR traffic classes, traffic policies, and protocol-to-port mappings, perform the following steps.

SUMMARY STEPS
1. enable 2. show class-map [class-map-name] 3. show policy-map [policy-map] 4. show policy-map interface type number 5. show ip nbar port-map [protocol-name] 6. exit

DETAILED STEPS
Command or Action Step 1 enable Purpose Enables privileged EXEC mode. Enter your password if prompted.

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 96

Example Configuring a Traffic Class Configuration Examples for Configuring NBAR Using the MQC

Command or Action
Example:
Router> enable

Purpose

Step 2 show class-map [class-map-name]


Example:
Router# show class-map

(Optional) Displays all class maps and their matching criteria. (Optional) Enter the name of a specific class map.

Step 3 show policy-map [policy-map]


Example:
Router# show policy-map

(Optional) Displays the configuration of all classes for a specified service policy map or all classes for all existing policy maps. (Optional) Enter the name of a specific policy map.

Example:

Step 4 show policy-map interface type number


Example:
Router# show policy-map interface Fastethernet 6/0

(Optional) Displays the packet and class statistics for all policy maps on the specified interface. Enter the interface type and the interface number.

Step 5 show ip nbar port-map [protocol-name]


Example:
Router# show ip nbar port-map

(Optional) Displays the current protocol-to-port mappings in use by NBAR. (Optional) Enter a specific protocol name.

Step 6 exit
Example:
Router# exit

(Optional) Exits privileged EXEC mode.

Configuration Examples for Configuring NBAR Using the MQC


Example Configuring a Traffic Class, page 97 Example Configuring a Traffic Policy, page 98 Example Attaching a Traffic Policy to an Interface or Subinterface, page 98 Example Verifying the NBAR Protocol-to-Port Mappings, page 99

Example Configuring a Traffic Class

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 97

Example Configuring a Traffic Policy Configuration Examples for Configuring NBAR Using the MQC

In the following example, a class called cmap1 has been configured. All traffic that matches the citrix protocol will be placed in the cmap1 class.
Router> Router#

enable configure terminal class-map cmap1 match protocol citrix end

Router(config)#

Router(config-cmap)# Router(config-cmap)#

Example Configuring a Traffic Policy


In the following example, a traffic policy (policy map) called policy1 has been configured. Policy1 contains a class called class1, within which CBWFQ has been enabled.
Router> Router#

enable configure terminal policy-map policy1 class class1 bandwidth percent 50 end

Router(config)#

Router(config-pmap)#

Router(config-pmap-c)# Router(config-pmap-c)#

Note

In the above example, the bandwidth command is used to enable Class-Based Weighted Fair Queuing (CBWFQ). CBWFQ is only an example of one QoS feature that can be applied in a policy map. Use the appropriate command for the QoS feature that you want to use. As of Cisco IOS Release 12.2(18)ZY, CBWFQ is not supported on the Catalyst 6500 series switch that is equipped with a Supervisor 32/PISA.

Example Attaching a Traffic Policy to an Interface or Subinterface


In the following example, the traffic policy (policy map) called policy1 has been attached to Ethernet interface 2/4 in the input direction of the interface.
Router> Router#

enable configure terminal interface ethernet 2/4 service-policy input policy1 end

Router(config)#

Router(config-if)# Router(config-if)#

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 98

Example Verifying the NBAR Protocol-to-Port Mappings Where to Go Next

Example Verifying the NBAR Protocol-to-Port Mappings


The following is sample output of the show ip nbar port-map command. This command displays the current protocol-to-port mappings in use by NBAR. Use the display to verify that these mappings are correct.
Router# show ip nbar port-map port-map bgp udp 179 port-map bgp tcp 179 port-map cuseeme udp 7648 7649 port-map cuseeme tcp 7648 7649 port-map dhcp udp 67 68 port-map dhcp tcp 67 68

If the ip nbar port-map command has been used, the show ip nbar port-map command displays the ports assigned to the protocol. If the no ip nbar port-mapcommand has been used, the show ip nbar port-map command displays the default ports. To limit the display to a specific protocol, use the protocol-name argument of the show ip nbar port-map command.

Where to Go Next
To add application recognition modules (also known as Packet Description Language Modules or PDLMs) to your network, see the "Adding Application Recognition Modules" module. To classify network traffic on the basis of a custom protocol, see the "Creating a Custom Protocol" module.

Additional References
The following sections provide references related to configuring NBAR using the MQC. Related Documents Related Topic Document Title

QoS commands: complete command syntax, Cisco IOS Quality of Service Solutions Command command modes, command history, defaults, usage Reference guidelines, and examples QoS features and functionality on the Catalyst 6500 "Configuring PFC QoS" chapter of the Catalyst series switch Supervisor Engine 32 PISA Cisco IOS Software Configuration Guide , Release 12.2ZY MQC, traffic policies (policy maps), and traffic classes CBWFQ Concepts and information about NBAR "Applying QoS Features Using the MQC" module "Configuring Weighted Fair Queueing" module "Classifying Network Traffic Using NBAR" module

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 99

Configuring NBAR Using the MQC Feature Information for Configuring NBAR Using the MQC

Related Topic Information about enabling Protocol Discovery Information about adding application recognition modules (also known as PDLMs) Creating a custom protocol Technical Assistance Description The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

Document Title "Enabling Protocol Discovery" module "Adding Application Recognition Modules" module "Creating a Custom Protocol" module

Link http://www.cisco.com/techsupport

Feature Information for Configuring NBAR Using the MQC


The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Table 5: Feature Information for Configuring NBAR Using the MQC

Feature Name QoS: DirectConnect PDLM

Releases 12.4(4)T

Feature Information Provides support for the DirectConnect protocol and Packet Description Language Module (PDLM). The DirectConnect protocol can now be recognized when using the MQC to classify traffic.

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 100

Configuring NBAR Using the MQC Feature Information for Configuring NBAR Using the MQC

Feature Name

Releases

Feature Information The following sections provide information about the QoS: DirectConnect PDLM feature:

QoS: Skype Classification

12.4(4)T

Provides support for the Skype protocol. The Skype protocol can now be recognized when using the MQC to classify traffic.
Note Cisco currently supports

Skype Version 1 only. The following sections provide information about the QoS: Skype Classification feature: NBAR--BitTorrent PDLM 12.4(2)T Provides support for the BitTorrent PDLM and protocol. The BitTorrent protocol can now be recognized when using the MQC to classify traffic. The following sections provide information about the NBARBitTorrent PDLM feature: NBAR--Citrix ICA Published Applications 12.4(2)T Enables NBAR to classify traffic on the basis of the Citrix Independent Computing Architecture (ICA) published application name and tag number. The following sections provide information about the NBARCitrix ICA Published Applications feature: NBAR--Multiple Matches Per Port 12.4(2)T Provides the ability for NBAR to distinguish between values of an attribute within the traffic stream of a particular application on a TCP or UDP port. The following sections provide information about the NBARMultiple Matches Per Port feature: NBAR Extended Inspection for HTTP Traffic 12.3(4)T Allows NBAR to scan TCP ports that are not well known and identify HTTP traffic that traverses these ports. The following sections provide information about the NBAR

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 101

Configuring NBAR Using the MQC

Feature Name

Releases

Feature Information Extended Inspection for HTTP Traffic feature:

NBAR Real-Time Transport Protocol Payload Classification

12.2(15)T

Enables stateful identification of real-time audio and video traffic. The following section provides information about the NBAR Real-Time Transport Protocol Payload Classification feature:

NBAR--Network-Based Application Recognition

12.2(18)ZYA

Integrates NBAR and Firewall Service Module (FWSM) functionality on the Catalyst 6500 series switch that is equipped with a Supervisor 32/ programmable intelligent services accelerator (PISA). Additional protocols are now recognized by NBAR. The following sections provide information about the NBAR feature: The following command was modified: match protocol (NBAR).

NBAR--Network-Based Application Recognition (Hardware Accelerated NBAR)

12.2(18)ZY

Enables NBAR functionality on the Catalyst 6500 series switch that is equipped with a Supervisor 32/programmable intelligent services accelerator (PISA). The following section provides information about the NBAR-Network-Based Application Recognition (Hardware Accelerated NBAR) feature:

Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R) Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams,

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 102

Configuring NBAR Using the MQC

and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 103

Example Verifying the NBAR Protocol-to-Port Mappings

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 104

Adding Application Recognition Modules


Adding application recognition modules (also known as Packet Description Language Modules [PDLMs]) is an optional process. However, adding PDLMs extends the functionality of Network-Based Application Recognition (NBAR) by enabling NBAR to recognize additional protocols on your network. This module contains concepts and tasks for adding application recognition modules (or PDLMs) to your network. Finding Feature Information, page 105 Prerequisites for Adding Application Recognition Modules, page 105 Information About Adding Application Recognition Modules, page 105 How to Add Application Recognition Modules, page 107 Configuration Examples for Adding Application Recognition Modules, page 109 Where to Go Next, page 111 Additional References, page 111 Feature Information for Adding Application Recognition Modules, page 112

Finding Feature Information


Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the Feature Information Table at the end of this document. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Prerequisites for Adding Application Recognition Modules


Before adding application recognition modules (or PDLMs), read the information in the "Classifying Network Traffic Using NBAR" module.

Information About Adding Application Recognition Modules


Before adding application recognition modules (or PDLMs), you should understand the following concepts: PDLM Functionality, page 106

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 105

PDLM Functionality Information About Adding Application Recognition Modules

PDLM Versioning, page 106

PDLM Functionality
A PDLM is a separate file available on Cisco.com. A PDLM is used to add support for a protocol that is currently not available as part of the Cisco IOS software. A PDLM extends the list of protocols that NBAR can recognize. PDLMs also allow NBAR to recognize new protocols without requiring you to install a new Cisco IOS image or reconfigure your router. New PDLMs are released by Cisco only and can be loaded from flash memory. Contact your local Cisco representative to request additions or changes to the set of protocols classified by NBAR. To view a list of currently available PDLMs, go to the following URL: http://www.cisco.com/cgi-bin/tablebuild.pl/pdlm

PDLM Versioning
A PDLM adds new protocols to the list of protocols that NBAR supports. Before you download a new PDLM, you need to be aware of the following concepts. Native and Nonnative PDLMs A native PDLM is a PDLM that is embedded within the Cisco IOS software. You receive it automatically along with the Cisco IOS software. A nonnative PDLM is not embedded within the Cisco IOS software. You can download it individually from Cisco.com. Separate Version Numbers There are separate version numbers associated with the NBAR software and the Cisco IOS software. These version numbers are used together to maintain the PDLM version. PDLM version--This is the version of the PDLM (either native or nonnative). Cisco IOS NBAR software version--This is the version of NBAR that resides with the Cisco IOS software.

Note

Each nonnative PDLM also contains the Cisco IOS NBAR software version in which the PDLM was created.

Internal Module Names Both the native and nonnative PDLMs contain internal module names. These internal module names are unique and independent. They are used to indicate the protocol that the PDLM module represents (for example, BitTorrent or DirectConnect), and they are used to control the module version number (for example, module version 3). Required Conditions In order for a PDLM (either native or nonnative) to be downloaded or overridden, both of the following conditions much be met:

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 106

Downloading a PDLM How to Add Application Recognition Modules

The module version of the PDLM being downloaded must be higher than the module version currently installed.

For example, if a PDLM called BitTorrent.pdlm (with the internal module name "bittorrent") is currently at version 3, the resident PDLM (either native or nonnative) with the same internal module name ("bittorrent) is overridden as long as the module version is either 1 or 2. The Cisco IOS NBAR software version of the PDLM must be less than or equal to the Cisco IOS NBAR software version of the Cisco IOS image.

Note

To display the Cisco IOS NBAR software version (of the Cisco IOS image), use the show ip nbar version command. For more information about the show ip nbar version command, see the Cisco IOS Quality of Service Solutions Command Reference.

How to Add Application Recognition Modules


Downloading a PDLM, page 107 Verifying the Downloaded PDLMs, page 108

Downloading a PDLM
A PDLM is used to add support for a protocol that is currently not available as part of the Cisco IOS software. A PDLM extends the functionality of NBAR by enabling NBAR to recognize additional protocols on the network. To download (install) a PDLM, perform the following steps. Each PDLM has specific Cisco IOS release requirements and specific restrictions that you need to consider before you download a PDLM. These requirements and restrictions, and other helpful information for installing a particular PDLM, are described in a series of PDLM readme files. To view a list of currently available PDLMs, or to view the readme files for each PDLM, go to the following URL (Cisco login required): http://www.cisco.com/cgi-bin/tablebuild.pl/pdlm

Note

Use the PDLM readme files in conjunction with the information included in this module. Protocols introduced when you download a PDLM are commonly added to subsequent Cisco IOS releases. Support for the protocol that you would like to add via a PDLM may already be in your Cisco IOS release. Therefore, before you load a PDLM, review the list of NBAR protocols currently supported by the Cisco IOS release that you are using. To check the list of NBAR protocols supported in your Cisco IOS release, enter the match protocol ? command and view the options that appear. The options correspond to the NBAR supported protocols.

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 107

Verifying the Downloaded PDLMs How to Add Application Recognition Modules

SUMMARY STEPS
1. enable 2. configure terminal 3. ip nbar pdlm pdlm-name 4. end

DETAILED STEPS
Command or Action Step 1 enable
Example:
Router> enable

Purpose Enables privileged EXEC mode. Enter your password if prompted.

Step 2 configure terminal


Example:
Router# configure terminal

Enters global configuration mode.

Step 3 ip nbar pdlm pdlm-name


Example:
Router(config)# ip nbar pdlm flash:// citrix.pdlm

Extends or enhances the list of protocols recognized by NBAR through a Cisco-provided PDLM. For the pdlm-name argument, enter the URL at which the PDLM can be found on the flash card.

Step 4 end
Example:
Router(config)# end

(Optional) Exits global configuration mode.

Verifying the Downloaded PDLMs


After you download the PDLM, you may want to verify that the PDLM is now on your network. You may also want to check if there are earlier versions of the PDLM already on your network. To display information about the downloaded PDLMs, perform the following steps.

SUMMARY STEPS
1. enable 2. show ip nbar pdlm 3. show ip nbar version [pdlm-name] 4. exit

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 108

Example Downloading a PDLM Configuration Examples for Adding Application Recognition Modules

DETAILED STEPS
Command or Action Step 1 enable
Example:
Router> enable

Purpose Enables privileged EXEC mode. Enter your password if prompted.

Step 2 show ip nbar pdlm


Example:
Router# show ip nbar pdlm

Displays the PDLM in use by NBAR.

Step 3 show ip nbar version [pdlm-name] Displays information about the version of the NBAR software in your Cisco IOS release or the version of an NBAR PDLM on your Cisco IOS router.
Example:
Router# show ip nbar version

(Optional) Enter the name of the PDLM.

Step 4 exit
Example:
Router# exit

(Optional) Exits privileged EXEC mode.

Configuration Examples for Adding Application Recognition Modules


Example Downloading a PDLM, page 109 Example Verifying the Downloaded PDLMs, page 109

Example Downloading a PDLM


In the following example. the Citrix PDLM is downloaded to the router from flash memory:
Router> Router#

enable configure terminal ip nbar pdlm flash://citrix.pdlm end

Router(config)# Router(config)#

Example Verifying the Downloaded PDLMs

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 109

Adding Application Recognition Modules Configuration Examples for Adding Application Recognition Modules

You can use the output of the show ip nbar pdlm command and the show ip nbar versioncommand to verify information about the downloaded PDLMs on your network. Sample show ip nbar pdlm Command Output In this example of the show ip nbar pdlm command, the Citrix PDLM has been loaded from flash memory:
Router# show ip nbar pdlm The following PDLMs have been loaded: flash://citrix.pdlm

Sample show ip nbar version Command Output The following is sample output from the show ip nbar versioncommand:
Router# show ip nbar version NBAR software version: 3 1 base Mv: 2 ftp Mv: 3 http Mv: 4 static-port Mv: 5 tftp Mv: 6 exchange Mv: 7 vdolive Mv: 8 sqlnet Mv: 9 rcmd Mv: 10 netshow Mv: 11 sunrpc Mv: 12 streamwork Mv: 13 citrix Mv: 14 napster Mv: 15 fasttrack Mv: 16 gnutella Mv: 17 kazaa Mv: 18 custom-protocols Mv: 19 rtsp Mv: 20 rtp Mv: 21 mgcp Mv: 22 skinny Mv: 23 h323 Mv: 24 sip Mv: 25 rtcp Mv:

2 2 7, Nv: 3; slot1:http_vers.pdlm 6 1 1 1 1 1 1 2 1 5 2 2 1 6, Nv: 3; slot1:kazaa2_vers.pdlm 1 1 2 1 1 1 1 1

The table below describes the fields shown in the display.


Table 6: show ip nbar version Field Descriptions

Field NBAR software version

Description NBAR software version that is running in the current Cisco IOS software. In this particular example, version 3 is shown. Resident Module Version. The Resident Module Version is the version of the NBAR-supported PDLM protocol and, therefore, varies by protocol. The Resident Module Version of TFTP, for example, is 1.

Mv

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 110

Adding Application Recognition Modules Where to Go Next

Field Nv

Description Minimum version of the NBAR software that is required to load a nonnative PDLM. This number is available only for nonnative PDLMs that were loaded onto the router, such as the Kazaa PDLM (protocol 17); in that case, the Nv version is 3.

Where to Go Next
To classify network traffic on the basis of a custom protocol, see the "Creating a Custom Protocol" module.

Additional References
The following sections provide references related to adding application recognition modules. Related Documents Related Topic Document Title

QoS commands: complete command syntax, Cisco IOS Quality of Service Solutions Command command modes, command history, defaults, usage Reference guidelines, and examples Concepts and information about NBAR Information about enabling Protocol Discovery Configuring NBAR using the MQC Creating a custom protocol Technical Assistance Description The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Link http://www.cisco.com/techsupport "Classifying Network Traffic Using NBAR" module "Enabling Protocol Discovery" module "Configuring NBAR Using the MQC" module "Creating a Custom Protocol" module

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 111

Adding Application Recognition Modules Feature Information for Adding Application Recognition Modules

Description Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

Link

Feature Information for Adding Application Recognition Modules


The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Table 7: Feature Information for Adding Application Recognition Modules

Feature Name QoS: DirectConnect PDLM

Releases 12.4(4)T

Feature Information Provides support for the DirectConnect protocol and PDLM. The DirectConnect protocol can now be recognized when using the Modular Quality of Service (QoS) Command-Line Interface (CLI) (MQC) to classify traffic. The following sections provide information about the QoS: DirectConnect PDLM feature:

NBAR - BitTorrent PDLM

12.4(2)T

Provides support for the BitTorrent PDLM and protocol. The BitTorrent protocol can now be recognized when using the MQC to classify traffic. The following sections provide information about the NBAR BitTorrent PDLM feature:

NBAR PDLM Versioning

12.3(4)T

Enables the ability to verify the Cisco IOS and NBAR PDLM versions for ensuring software compatibility. The following sections provide information about the NBAR PDLM Versioning feature:

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 112

Adding Application Recognition Modules

Feature Name

Releases

Feature Information Information About Adding Application Recognition Modules How to Add Application Recognition Modules.

Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R) Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 113

Example Verifying the Downloaded PDLMs

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 114

Creating a Custom Protocol


Network-Based Application Recognition (NBAR) recognizes and classifies network traffic on the basis of a set of protocols and application types. You can add to the set of protocols and application types that NBAR recognizes by creating custom protocols. Creating custom protocols is an optional process. However, custom protocols extend the capability of NBAR Protocol Discovery to classify and monitor additional static port applications and allow NBAR to classify nonsupported static port traffic. This module contains concepts and tasks for creating a custom protocol. Finding Feature Information, page 115 Prerequisites for Creating a Custom Protocol, page 115 Information About Creating a Custom Protocol, page 115 How to Create a Custom Protocol, page 117 Configuration Examples for Creating a Custom Protocol, page 124 Additional References, page 126 Feature Information for Creating a Custom Protocol, page 127

Finding Feature Information


Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the Feature Information Table at the end of this document. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Prerequisites for Creating a Custom Protocol


Before enabling Protocol Discovery, read the information in the "Classifying Network Traffic Using NBAR" module.

Information About Creating a Custom Protocol

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 115

NBAR and Custom Protocols Information About Creating a Custom Protocol

NBAR and Custom Protocols, page 116 MQC and NBAR Custom Protocols, page 116

NBAR and Custom Protocols


NBAR supports the use of custom protocols to identify custom applications. Custom protocols support static port-based protocols and applications that NBAR does not currently support.

Note

For a list of NBAR-supported protocols, see the "Classifying Network Traffic Using NBAR" module. With NBAR supporting the use of custom protocols, NBAR can map static TCP and UDP port numbers to the custom protocols. Initially, NBAR included the following features related to custom protocols and applications: Custom protocols had to be named custom-xx, with xx being a number. Ten custom applications can be assigned using NBAR, and each custom application can have up to 16 TCP and 16 UDP ports each mapped to the individual custom protocol. The real-time statistics of each custom protocol can be monitored using Protocol Discovery.

In Cisco IOS Release 12.3(4)T, the following enhancements to custom protocols were introduced: The ability to inspect the payload for certain matching string patterns at a specific offset. The ability to allow users to define the names of their custom protocol applications. The user-named protocol can then be used by Protocol Discovery, the Protocol Discovery MIB, the match protocolcommand, and the ip nbar port-map command as an NBAR-supported protocol. The ability for NBAR to inspect custom protocols specified by traffic direction (that is, traffic heading toward a source or destination rather than traffic in both directions) if desired by the user. CLI support that allows a user who is configuring a custom application to specify a range of ports rather specifying each port individually.

In Cisco IOS Release 12.4(1)T, the following enhancements to custom protocols were introduced: The variablekeyword, the field-name argument,and the field-length argument were added to the ip nbar customcommand.

This additional keyword and two additional arguments allow for creation of more than one custom protocol based on the same port numbers. After creating a variable when creating a custom protocol, you can use the match protocol commandto classify traffic on the basis of a specific value in the custom protocol.

Note

For more information about these quality of service (QoS) commands, see the Cisco IOS Quality of Service Solutions Command Reference.

MQC and NBAR Custom Protocols


NBAR recognizes and classifies network traffic by protocol or application. You can extend the set of protocols and applications that NBAR recognizes by creating a custom protocol. Custom protocols extend the capability of NBAR Protocol Discovery to classify and monitor additional static port applications and

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 116

Defining a Custom Protocol How to Create a Custom Protocol

allow NBAR to classify nonsupported static port traffic. You define a custom protocol by using the keywords and arguments of the ip nbar custom command. However, after you define the custom protocol, you must create a traffic class and configure a traffic policy (policy map) to use the custom protocol when NBAR classifies traffic. To create traffic classes and configure traffic polices, use the functionality of the Modular Quality of Service (QoS) Command-Line Interface (CLI) (MQC). The MQC is a command-line interface that allows you to define traffic classes, create and configure traffic policies (policy maps), and then attach these traffic policies to interfaces. For more information about NBAR and the functionality of the MQC, see the "Configuring NBAR Using the MQC" module.

How to Create a Custom Protocol


Defining a Custom Protocol, page 117 Configuring a Traffic Class to Use the Custom Protocol, page 119 Configuring a Traffic Policy, page 120 Attaching the Traffic Policy to an Interface, page 122 Displaying Custom Protocol Information, page 123

Defining a Custom Protocol


Custom protocols extend the capability of NBAR Protocol Discovery to classify and monitor additional static port applications and allow NBAR to classify nonsupported static port traffic. To define a custom protocol, perform the following steps.

SUMMARY STEPS
1. enable 2. configure terminal 3. ip nbar custom name [offset [format value]] [variable field-name field-length] [source | destination] [tcp | udp] [range start end | port-number] 4. end

DETAILED STEPS
Command or Action Step 1 enable
Example:
Router> enable

Purpose Enables privileged EXEC mode. Enter your password if prompted.

Step 2 configure terminal


Example:
Router# configure terminal

Enters global configuration mode.

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 117

Creating a Custom Protocol Examples

Command or Action Step 3 ip nbar custom name [offset [format value]] [variable fieldname field-length] [source | destination] [tcp | udp] [range start end | port-number]
Example:
Router(config)# ip nbar custom app_sales1 5 ascii SALES source tcp 4567

Purpose Extends the capability of NBAR Protocol Discovery to classify and monitor additional static port applications or allows NBAR to classify nonsupported static port traffic. Enter the custom protocol name and any other optional keywords and arguments.

Step 4 end
Example:
Router(config)# end

(Optional) Exits global configuration mode.

Examples, page 118

Examples
Custom Application Examples for Cisco IOS Releases Prior to 12.3(4)T In the following example, a gaming application that runs on TCP port 8877 needs to be classified using NBAR. You can use custom-01 to map TCP port 8877 by entering the following command:
Router(config)# ip nbar custom-01 tcp 8877

Note

The configuration shown in this example is supported in subsequent Cisco IOS releases but is required in all prior releases.

Custom Application Examples for Cisco IOS Release 12.3(4)T and Later Releases In the following example, the custom protocol app_sales1 will identify TCP packets that have a source port of 4567 and that contain the term "SALES" in the fifth byte of the payload:
Router(config)# ip nbar custom app_sales1 5 ascii SALES source tcp 4567

In the following example, the custom protocol virus_home will identify UDP packets that have a destination port of 3000 and that contain "0x56" in the seventh byte of the payload:
Router(config)# ip nbar custom virus_home 7 hex 0x56 destination udp 3000

In the following example, the custom protocol media_new will identify TCP packets that have a destination or source port of 4500 and that have a value of 90 at the sixth byte of the payload:
Router(config)# ip nbar custom media_new 6 decimal 90 tcp 4500

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 118

Configuring a Traffic Class to Use the Custom Protocol Examples

In the following example, the custom protocol msn1 will look for TCP packets that have a destination or source port of 6700:
Router(config)# ip nbar custom msn1 tcp 6700

In the following example, the custom protocol mail_x will look for UDP packets that have a destination port of 8202:
Router(config)# ip nbar custom mail_x destination udp 8202

In the following example, the custom protocol mail_y will look for UDP packets that have destination ports between 3000 and 4000 inclusive:
Router(config)# ip nbar custom mail_y destination udp range 3000 4000

Configuring a Traffic Class to Use the Custom Protocol


Traffic classes can be used to organize packets into groups on the basis of a user-specified criterion. For example, traffic classes can be configured to match packets on the basis of the protocol type or application recognized by NBAR. In this case, the traffic class is configured to match on the basis of the custom protocol. To configure a traffic class to use the custom protocol, perform the following steps.

Note

The match protocolcommand is shown at Step 4. For the protocol-name argument, enter the protocol name used as the match criteria. For a custom protocol, use the protocol specified by the name argument of the ip nbar customcommand. (See Step 3 of the Defining a Custom Protocol task.)

SUMMARY STEPS
1. enable 2. configure terminal 3. class-map [match-all | match-any] class-map-name 4. match protocol protocol-name 5. end

DETAILED STEPS
Command or Action Step 1 enable
Example:
Router> enable

Purpose Enables privileged EXEC mode. Enter your password if prompted.

Step 2 configure terminal

Enters global configuration mode.

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 119

Configuring a Traffic Policy Examples

Command or Action
Example:
Router# configure terminal

Purpose

Step 3 class-map [match-all | match-any] classmap-name


Example:
Router(config)# class-map cmap1

Creates a class map to be used for matching packets to a specified class and enters class-map configuration mode. Enter the name of the class map.

Step 4 match protocol protocol-name


Example:
Router(config-cmap)# match protocol app_sales1

Configures NBAR to match traffic on the basis of the specified protocol. For the protocol-name argument, enter the protocol name used as the match criterion. For a custom protocol, use the protocol specified by the name argument of the ip nbar customcommand. (See Step 3 of the "Defining a Custom Protocol" task.)

Step 5 end
Example:
Router(config-cmap)# end

(Optional) Exits class-map configuration mode.

Examples In the following example, the variable keyword is used while creating a custom protocol, and class maps are configured to classify different values within the variable field into different traffic classes. Specifically, in the example below, variable scid values 0x15, 0x21, and 0x27 will be classified into class map active-craft, while scid values 0x11, 0x22, and 0x25 will be classified into class map passive-craft.
Router(config)# ip nbar custom ftdd 23 variable scid 1 tcp range 5001 5005 Router(config)# class-map active-craft Router(config-cmap)# match protocol ftdd scid 0x15 Router(config-cmap)# match protocol ftdd scid 0x21 Router(config-cmap)# match protocol ftdd scid 0x27 Router(config)# class-map passive-craft Router(config-cmap)# match protocol ftdd scid 0x11 Router(config-cmap)# match protocol ftdd scid 0x22 Router(config-cmap)# match protocol ftdd scid 0x25

Configuring a Traffic Policy


Traffic that matches a user-specified criterion can be organized into specific classes. The traffic in those classes can, in turn, receive specific QoS treatment when that class is included in a policy map. To configure a traffic policy, perform the following steps.

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 120

Creating a Custom Protocol Examples

Note

The bandwidth command is shown at Step 5. The bandwidth command configures the QoS feature classbased weighted fair queuing (CBWFQ). CBWFQ is just an example of a QoS feature that can be configured. Use the appropriate command for the QoS feature that you want to use.

SUMMARY STEPS
1. enable 2. configure terminal 3. policy-map policy-map-name 4. class {class-name | class-default} 5. bandwidth {bandwidth-kbps| remaining percent percentage| percent percentage} 6. end

DETAILED STEPS
Command or Action Step 1 enable
Example:
Router> enable

Purpose Enables privileged EXEC mode. Enter your password if prompted.

Step 2 configure terminal


Example:
Router# configure terminal

Enters global configuration mode.

Step 3 policy-map policy-map-name


Example:
Router(config)# policy-map policy1

Creates or modifies a policy map that can be attached to one or more interfaces and enters policy-map configuration mode. Enter the name of the policy map.

Step 4 class {class-name | class-default}


Example:
Router(config-pmap)# class class1

Specifies the name of the class whose policy you want to create or change and enters policy-map class configuration mode. Enter the specific class name or enter the class-defaultkeyword.

Step 5 bandwidth {bandwidth-kbps| remaining percent percentage| percent percentage}


Example:
Router(config-pmap-c)# bandwidth percent 50

(Optional) Specifies or modifies the bandwidth allocated for a class belonging to a policy map. Enter the amount of bandwidth as a number of kbps, a relative percentage of bandwidth, or an absolute amount of bandwidth.

NoteThe bandwidth command configures the QoS feature class-based

Step 6 end

weighted fair queuing (CBWFQ). CBWFQ is just an example of a QoS feature that can be configured. Use the appropriate command for the QoS feature that you want to use. (Optional) Exits policy-map class configuration mode.

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 121

Attaching the Traffic Policy to an Interface Examples

Command or Action
Example:
Router(config-pmap-c)# end

Purpose

Attaching the Traffic Policy to an Interface


After a traffic policy (policy map) is created, the next step is to attach the policy map to an interface. Policy maps can be attached to either the input or output direction of the interface.

Note

Depending on the needs of your network, you may need to attach the policy map to a subinterface, an ATM PVC, a Frame Relay DLCI, or other type of interface. To attach the traffic policy to an interface, perform the following steps.

SUMMARY STEPS
1. enable 2. configure terminal 3. interface type number [name-tag] 4. pvc [name] vpi / vci [ilmi| qsaal| smds| l2transport] 5. exit 6. service-policy {input | output} policy-map-name 7. end

DETAILED STEPS
Command or Action Step 1 enable
Example:
Router> enable

Purpose Enables privileged EXEC mode. Enter your password if prompted.

Step 2 configure terminal


Example:
Router# configure terminal

Enters global configuration mode.

Step 3 interface type number [name-tag]


Example:
Router(config)# interface ethernet 2/4

Configures an interface type and enters interface configuration mode. Enter the interface type and the interface number.

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 122

Displaying Custom Protocol Information Examples

Command or Action Step 4 pvc [name] vpi / vci [ilmi| qsaal| smds| l2transport]
Example:
Router(config-if)# pvc cisco 0/16

Purpose (Optional) Creates or assigns a name to an ATM permanent virtual circuit (PVC), specifies the encapsulation type on an ATM PVC, and enters ATM virtual circuit configuration mode. Enter the PVC name, the ATM network virtual path identifier, and the network virtual channel identifier.

NoteThis step is required only if you are attaching the policy map to an ATM

Step 5 exit
Example:
Router(config-atm-vc)# exit

PVC. If you are not attaching the policy map to an ATM PVC, advance to Attaching the Traffic Policy to an Interface, page 122. (Optional) Returns to interface configuration mode.
NoteThis step is required only if you are attaching the policy map to an ATM

Step 6 service-policy {input | output} policymap-name


Example:
Router(config-if)# service-policy input policy1

PVC and you completed Attaching the Traffic Policy to an Interface, page 122. If you are not attaching the policy map to an ATM PVC, advance to Attaching the Traffic Policy to an Interface, page 122. Attaches a policy map to an input or output interface. Enter the name of the policy map.

NotePolicy maps can be configured on ingress or egress routers. They can also be

Step 7 end
Example:
Router(config-if)# end

attached in the input or output direction of an interface. The direction (input or output) and the router (ingress or egress) to which the policy map should be attached vary according to your network configuration. When using the service-policy command to attach the policy map to an interface, be sure to choose the router and the interface direction that are appropriate for your network configuration. (Optional) Returns to privileged EXEC mode.

Displaying Custom Protocol Information


After you create a custom protocol and match traffic on the basis of that custom protocol, you can use the show ip nbar port-map command to display information about that custom protocol. To display custom protocol information, complete the following steps.

SUMMARY STEPS
1. enable 2. show ip nbar port-map [protocol-name] 3. exit

DETAILED STEPS
Command or Action Step 1 enable Purpose Enables privileged EXEC mode.

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 123

Example Creating a Custom Protocol Configuration Examples for Creating a Custom Protocol

Command or Action
Example:
Router> enable

Purpose Enter your password if prompted.

Step 2 show ip nbar port-map [protocol-name]


Example:
Router# show ip nbar port-map

Displays the current protocol-to-port mappings in use by NBAR. (Optional) Enter a specific protocol name.

Step 3 exit
Example:
Router# exit

(Optional) Exits privileged EXEC mode.

Configuration Examples for Creating a Custom Protocol


Example Creating a Custom Protocol, page 124 Example Configuring a Traffic Class to Use the Custom Protocol, page 124 Example Configuring a Traffic Policy, page 125 Example Attaching the Traffic Policy to an Interface, page 125 Example Displaying Custom Protocol Information, page 126

Example Creating a Custom Protocol


In the following example, the custom protocol called app_sales1 identifies TCP packets that have a source port of 4567 and that contain the term SALES in the fifth byte of the payload.
Router> Router#

enable configure terminal ip nbar custom app_sales1 5 ascii SALES source tcp 4567 end

Router(config)# Router(config)#

Example Configuring a Traffic Class to Use the Custom Protocol

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 124

Example Configuring a Traffic Policy Configuration Examples for Creating a Custom Protocol

In the following example, a class called cmap1 has been configured. All traffic that matches the custom app_sales1 protocol will be placed in the cmap1 class.
Router> Router#

enable configure terminal class-map cmap1 match protocol app_sales1 end

Router(config)#

Router(config-cmap)# Router(config-cmap)#

Example Configuring a Traffic Policy


In the following example, a traffic policy (policy map) called policy1 has been configured. Policy1 contains a class called class1, within which CBWFQ has been enabled.
Router> Router#

enable configure terminal policy-map policy1 class class1 bandwidth percent 50 end

Router(config)#

Router(config-pmap)#

Router(config-pmap-c)# Router(config-pmap-c)#

Note

In the above example, the bandwidth command is used to enable Class-Based Weighted Fair Queuing (CBWFQ). CBWFQ is only an example of one QoS feature that can be applied in a traffic policy (policy map). Use the appropriate command for the QoS feature that you want to use.

Example Attaching the Traffic Policy to an Interface


In the following example, the traffic policy (policy map) called policy1 has been attached to ethernet interface 2/4 in the input direction of the interface.
Router> Router#

enable configure terminal interface ethernet 2/4 service-policy input policy1 end

Router(config)#

Router(config-if)# Router(config-if)#

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 125

Example Displaying Custom Protocol Information Additional References

Example Displaying Custom Protocol Information


The following is sample output of the show ip nbar port-map command. This command displays the current protocol-to-port mappings in use by NBAR. Use the display to verify that these mappings are correct.
Router# show ip nbar port-map port-map bgp udp 179 port-map bgp tcp 179 port-map cuseeme udp 7648 7649 port-map cuseeme tcp 7648 7649 port-map dhcp udp 67 68 port-map dhcp tcp 67 68

If the ip nbar port-map command has been used, the show ip nbar port-map command displays the ports assigned to the protocol. If the no ip nbar port-mapcommand has been used, the show ip nbar port-map command displays the default ports. To limit the display to a specific protocol, use the protocol-name argument of the show ip nbar port-map command.

Additional References
The following sections provide references related to creating a custom protocol. Related Documents Related Topic Document Title

QoS commands: complete command syntax, Cisco IOS Quality of Service Solutions Command command modes, command history, defaults, usage Reference guidelines, and examples MQC, traffic policies (policy maps), and traffic classes Concepts and information about NBAR Information about enabling Protocol Discovery Configuring NBAR using the MQC Adding application recognition modules (also known as PDLMs) Technical Assistance Description The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these Link http://www.cisco.com/cisco/web/support/ index.html "Applying QoS Features Using the MQC" module "Classifying Network Traffic Using NBAR" module "Enabling Protocol Discovery" module "Configuring NBAR Using the MQC" module "Adding Application Recognition Modules" module

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 126

Creating a Custom Protocol Feature Information for Creating a Custom Protocol

Description resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

Link

Feature Information for Creating a Custom Protocol


The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Table 8: Feature Information for Creating a Custom Protocol

Feature Name NBAR - Multiple Matches Per Port

Releases 12.4(2)T

Feature Information Provides the ability for NBAR to distinguish between values of an attribute within the traffic stream of a particular application on a TCP or UDP port. The following sections provide information about the NBAR Multiple Matches Per Port feature:

NBAR User-Defined Custom Application Classification

12.3(4)T

Provides ability to identify TCPor UDP-based applications by using a character string or value. The character string or value is used to match traffic within the packet payload. The following sections provide information about the NBAR User-Defined Custom Application Classification feature:

Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 127

Creating a Custom Protocol

trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R) Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

QoS: NBAR Configuration Guide Cisco IOS Release 15.1MT 128