
1  NETWORK BASED APPLICATION RECOGNITION
Tim McSweeney, Product Manager, QoS Internet Technologies Division
NBAR, 12/03 © 2003 Cisco Systems, Inc. All rights reserved.

2  Agenda
- What is Network Based Application Recognition (NBAR)?
- Benefits and hardware support
- NBAR functionality

3  My Application is too slow!
[Chart: link utilization by application: FTP 30%, Citrix 25%, HTTP 20%, Netshow 15%, Fasttrack 10%]
Mark Citrix as interactive traffic and police FTP. Guarantee bandwidth for Citrix!
NBAR is an intelligent classification engine used with the Quality of Service (QoS) class-based features. Protocol Discovery analyzes application traffic patterns in real time and identifies which traffic is running on the network.

4  NBAR: Intelligent Classification
Capable of classifying applications that have:
- statically assigned TCP and UDP port numbers
- non-TCP and non-UDP IP protocols
- TCP and UDP port numbers assigned dynamically during connection establishment
Classification based on deep packet inspection: NBAR can look deeper into the packet to identify applications:
- HTTP traffic by URL, host name or MIME type, using regular expressions with the wildcards *, ? and [ ]
- Citrix ICA traffic
- RTP payload-type classification
Currently supports 88 protocols/applications.

5  NBAR Benefit Footprint and Hardware Support
Benefits across the enterprise backbone, enterprise premise edge, service provider aggregation edge and service provider core:
- Application classification and precise QoS treatment
- Application statistics for bandwidth provisioning: top-n views, threshold settings
- Mapping applications to a service provider's service offering
Hardware support, in the order the slide lists the network segments:
- Enterprise backbone: Cisco Catalyst 6500 and 7600 Series MSFC; planned ASIC
- Enterprise premise edge: Cisco Catalyst 6500 and 7600 Series FlexWAN, MWAM, planned ASIC; Cisco 7100, 7200 and 7500 Series; Cisco 83x, 1700, XM, 3600 and 3700 Series
- Service provider aggregation edge: Cisco Catalyst 6500 and 7600 Series FlexWAN, MWAM, planned ASIC; Cisco 7100, 7200 and 7500 Series
- Service provider core: Cisco Catalyst 6500 and 7600 Series FlexWAN, MWAM, planned ASIC; Cisco 7500 Series

6  NBAR Protocol Support
[Diagram: IP header (ToS, source IP address, destination IP address), TCP/UDP header (source port, destination port), then data. NBAR classifies on the ports, on sub-port/deep inspection of the data, and with stateful and dynamic inspection.]
Supported protocols as of Cisco IOS Software Release 12.2(8)T:
egp        exchange      kerberos      secure-nntp    smtp
gre        finger        l2tp          notes          snmp
icmp       ftp           ldap          novadigm       socks
ipinip     secure-ftp    secure-ldap   ntp            sqlnet
ipsec      gopher        netshow       pcanywhere     ssh
eigrp      http          pptp          pop3           streamwork
bgp        secure-http   sqlserver     secure-pop3    syslog
cuseeme    imap          netbios       printer        telnet
dhcp       irc           nfs           realaudio      secure-telnet
dns        secure-irc    nntp          rcmd           tftp
vdolive    xwindows      napster       citrix

7  Packet Description Language Modules
- Packet Description Language Modules (PDLMs) define the applications recognizable by NBAR
- New applications are supported by adding new PDLMs
- No Cisco IOS Software upgrade or reboot is required to add new PDLMs
- New Cisco IOS Software is required only when an enhanced NBAR infrastructure is needed for new PDLM functionality
- New PDLMs are incorporated natively into subsequent Cisco IOS Software releases
- Only new/updated PDLMs are loaded
- Must be produced by Cisco engineers
Issues:
- Software quality: testing and support
- Software security: risk of Trojan horses and worms
- SDK infrastructure: development environment

8  Protocol Discovery: Traffic Classification and Real-Time Statistics
- Automatically uses all PDLMs: run Protocol Discovery instead of specifying individual protocols
- Includes statistics for traffic identified with user-defined custom application classification
- Statistics per interface, per protocol: bit rate (bps), packet counts and byte counts

9  NBAR User-Defined Custom Application Classification (12.3(4)T, Nov 2003)
[Diagram: IP header (ToS, source IP address, destination IP address), TCP/UDP header (source port, destination port), then data. The data shown is FFFF0000 Moonbeam FFFF; the match begins 8 bytes into the data.]
Example:
  ip nbar custom lunar_light 8 ascii Moonbeam tcp range
  class-map solar_system
    match protocol lunar_light
  policy-map astronomy
    class solar_system
      set ip dscp AF21
  interface <>
    service-policy output astronomy
Fields of the ip nbar custom command, with the value used in the example:
- Name: names the match criteria, up to 24 characters (lunar_light)
- Offset: the beginning byte of the string or value to be matched in the data packet, counting from zero for the first byte (8: skip the first 8 bytes)
- Format: the format of the match criteria, ASCII, hex or decimal (ascii)
- Value: the value to match in the packet; if ASCII, up to 16 characters (Moonbeam)
- [source | destination]: optionally restrict the direction of packet inspection; defaults to both directions if not specified
- TCP or UDP: the protocol encapsulated in the IP packet (tcp)
- Range or selected port number(s): a range with start and end port numbers, up to 1000, or 1 to 16 individual port numbers (range; the start and end ports are not shown on the slide)
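The matching rule that an ip nbar custom statement expresses, modelled in Python as an added example (this is not Cisco code and not how the PDLM is implemented). The Packet and CustomRule types, the port range 7000-7009 that the slide leaves unstated, and the byte width used for hex/decimal values are assumptions made here.

```python
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Packet:
    """Transport-layer view of one packet (constructed for this example)."""
    transport: str      # "tcp" or "udp"
    sport: int
    dport: int
    payload: bytes      # data following the TCP/UDP header


def expand_ports(spec: str) -> Sequence[int]:
    """Trailing port clause: `range <start> <end>` (read here as at most 1000
    ports wide) or 1 to 16 individual port numbers."""
    words = spec.split()
    if words and words[0] == "range":
        start, end = int(words[1]), int(words[2])
        if end < start or end - start + 1 > 1000:
            raise ValueError("range must be ascending and at most 1000 ports")
        return range(start, end + 1)
    ports = tuple(int(w) for w in words)
    if not 1 <= len(ports) <= 16:
        raise ValueError("give 1 to 16 port numbers")
    return ports


@dataclass(frozen=True)
class CustomRule:
    """One `ip nbar custom` statement, field for field as on the slide."""
    name: str                        # up to 24 characters
    offset: int                      # first data byte compared, counting from zero
    fmt: str                         # "ascii", "hex" or "decimal"
    value: str                       # ascii text (up to 16 chars) or a number
    transport: str                   # "tcp" or "udp"
    ports: Sequence[int]             # from expand_ports()
    direction: Optional[str] = None  # "source", "destination" or None for both

    def __post_init__(self) -> None:
        if len(self.name) > 24:
            raise ValueError("name is limited to 24 characters")
        if self.fmt not in ("ascii", "hex", "decimal"):
            raise ValueError("format must be ascii, hex or decimal")
        if self.fmt == "ascii" and len(self.value) > 16:
            raise ValueError("ascii value is limited to 16 characters")
        if self.transport not in ("tcp", "udp"):
            raise ValueError("transport must be tcp or udp")
        if self.direction not in (None, "source", "destination"):
            raise ValueError("direction must be source, destination or omitted")

    def pattern(self) -> bytes:
        """Bytes compared at `offset`. ASCII is literal; hex/decimal are encoded
        big-endian in the fewest whole bytes that hold the number (an assumption;
        the slide does not state the width the PDLM compares)."""
        if self.fmt == "ascii":
            return self.value.encode("ascii")
        number = int(self.value, 16 if self.fmt == "hex" else 10)
        return number.to_bytes(max(1, (number.bit_length() + 7) // 8), "big")

    def matches(self, pkt: Packet) -> bool:
        if pkt.transport != self.transport:
            return False
        if self.direction == "source":
            port_ok = pkt.sport in self.ports
        elif self.direction == "destination":
            port_ok = pkt.dport in self.ports
        else:
            port_ok = pkt.sport in self.ports or pkt.dport in self.ports
        if not port_ok:
            return False
        pat = self.pattern()
        return pkt.payload[self.offset:self.offset + len(pat)] == pat


def classify(pkt: Packet, rules: Sequence[CustomRule]) -> Optional[str]:
    """Name of the first matching custom protocol, as `match protocol <name>`
    would see it, or None."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.name
    return None


# The slide's statement; the port range is assumed since the slide omits it.
LUNAR_LIGHT = CustomRule("lunar_light", 8, "ascii", "Moonbeam", "tcp",
                         expand_ports("range 7000 7009"))

# Constructed payload laid out as on the slide: 8 bytes of application header,
# then the "Moonbeam" marker, then more data.
SAMPLE = Packet("tcp", 51234, 7002,
                b"\xff\xff\x00\x00\xff\xff\x00\x00Moonbeam\xff\xff")

if __name__ == "__main__":
    print(classify(SAMPLE, [LUNAR_LIGHT]))                                   # lunar_light
    print(classify(Packet("tcp", 51234, 80, SAMPLE.payload), [LUNAR_LIGHT]))  # None
```

The check is a fixed-offset byte comparison on a port set, nothing more: any endpoint that can write the marker bytes at that offset lands in the class, so a custom match is a traffic-engineering hint, not an authentication of the application, and the DSCP it sets should not be trusted by downstream policy.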

10  NBAR HTTP Classification (12.3(4)T, Nov 2003)
Extended inspection: NBAR looks for an HTTP-specific signature on ports beyond the well-known TCP port 80.
  router(config-cmap)#match protocol http ?
    host  host-name-string   Match Host Name
    url   url-string         Match URL String
    mime  MIME-type          Match MIME Type
[Diagram: HTTP clients, Router X, Router Y, HTTP server; the HTTP GET request travels toward the server and the responses to the GET travel back.]
match protocol http (10/03): the HTTP GET request contains the Host/URL string; optionally, HTTP responses may be further classified by MIME type.
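An added Python model of the three criteria above and of the port-independent "extended inspection" (this is example code written for this page, not Cisco's implementation). It recognises HTTP by the request/status line alone, ignoring the TCP port, tests host and URL against the GET with the *, ? and [ ] wildcards the deck lists, remembers the verdict per flow so the server's response inherits it, and narrows the response by MIME type. The FlowKey tuple, the HttpClassMap class and the sample traffic are constructed here.

```python
import re
from fnmatch import fnmatchcase
from typing import Dict, Optional, Tuple

# One direction of a TCP flow: (src_ip, sport, dst_ip, dport).  Constructed for
# this example; NBAR keys its own flow table, not this one.
FlowKey = Tuple[str, int, str, int]

# The "HTTP-specific signature" looked for regardless of port.
REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) (\S+) HTTP/1\.[01]\r\n")
STATUS_LINE = re.compile(rb"^HTTP/1\.[01] \d{3} ")


def _headers(payload: bytes) -> Dict[str, str]:
    """Header fields up to the blank line, names lower-cased."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    out: Dict[str, str] = {}
    for line in head.split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            out[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return out


def parse_http(payload: bytes) -> Optional[dict]:
    """Recognise a request (host, url) or a response (mime) by signature alone."""
    m = REQUEST_LINE.match(payload)
    if m:
        h = _headers(payload)
        return {"kind": "request",
                "url": m.group(2).decode("latin-1"),
                "host": h.get("host", "").split(":", 1)[0]}   # drop an explicit :port
    if STATUS_LINE.match(payload):
        h = _headers(payload)
        return {"kind": "response",
                "mime": h.get("content-type", "").split(";", 1)[0].strip()}
    return None


class HttpClassMap:
    """A class-map holding `match protocol http host|url|mime` criteria.

    Host and URL are tested on the GET request and the verdict is remembered per
    flow; the server's response inherits it and can be narrowed further by MIME
    type.  A response whose request was never seen is not classified, which is
    what happens under asymmetric routing when only one direction passes NBAR.
    """

    def __init__(self, name: str, host: Optional[str] = None,
                 url: Optional[str] = None, mime: Optional[str] = None) -> None:
        self.name, self.host, self.url, self.mime = name, host, url, mime
        self.request_ok: Dict[FlowKey, bool] = {}   # host/url criteria satisfied
        self.verdict: Dict[FlowKey, bool] = {}      # last verdict per direction

    def classify(self, key: FlowKey, payload: bytes) -> bool:
        msg = parse_http(payload)
        if msg is None:
            return self.verdict.get(key, False)      # continuation of a classified flow
        if msg["kind"] == "request":
            ok = ((self.host is None or fnmatchcase(msg["host"], self.host)) and
                  (self.url is None or fnmatchcase(msg["url"], self.url)))
            self.request_ok[key] = ok
            # a MIME-only class-map classifies responses, not the request itself
            self.verdict[key] = ok and (self.host, self.url) != (None, None)
            return self.verdict[key]
        src, sport, dst, dport = key
        ok = self.request_ok.get((dst, dport, src, sport), False)
        if self.mime is not None:
            ok = ok and fnmatchcase(msg["mime"], self.mime)
        self.verdict[key] = ok
        return ok


# Constructed traffic: a GET on TCP 8080, not port 80, and the server's reply.
CLIENT: FlowKey = ("10.1.1.5", 40001, "10.2.2.9", 8080)
SERVER: FlowKey = ("10.2.2.9", 8080, "10.1.1.5", 40001)
GET = (b"GET /citrix/launch.ica?app=word HTTP/1.1\r\n"
       b"Host: apps.example.com:8080\r\nUser-Agent: x\r\n\r\n")
REPLY = (b"HTTP/1.1 200 OK\r\nContent-Type: application/x-ica; charset=binary\r\n"
         b"Content-Length: 3\r\n\r\nabc")

if __name__ == "__main__":
    cm = HttpClassMap("citrix_web", host="*.example.com", url="/citrix/*")
    print(cm.classify(CLIENT, GET), cm.classify(SERVER, REPLY))   # True True
```

Two caveats follow directly from the model: the Host header and URL are written by the client, so any host that can send a GET can name itself into a privileged class, and none of this is visible once the session is inside TLS (the deck's secure-http entry is port-based for that reason). Treat host/URL classes as QoS hints for cooperative traffic, not as an access-control boundary.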

11  NBAR: Additional Development
New and updated PDLMs:
- Citrix ICA: enhanced support for Citrix-based applications
- Real-Time Protocol (RTP)
- Real-Time Streaming Protocol (RTSP)
- eDonkey: peer-to-peer file sharing application
- KaZaA: revalidated for KaZaA v2.5
Support for IP services:
- NBAR-NAT-RTSP integration: Release 12.3(3rd)T [Q1CY04]
- Upcoming: NBAR-Firewall integration

12  KaZaA Versions 2 and 2.5 (PDLM Rev 6, April 2003)
- KaZaA v2 PDLM available
- Classifies KaZaA v2 and v2.5 data traffic
- QoS policy can limit users to browsing, but not sharing, files
- Covers file transfers: downloads and uploads

13  NBAR RTP Payload Classification (PDLM Rev 2, May 2003)
[Diagram: IP header, UDP header, RTP header, then audio/video/data payload]
- Stateful identification of real-time audio and video traffic
- Differentiation on the basis of audio and video codecs
- RTP: transport protocol for real-time applications (RFC 1889)
- RTP profile for audio and video conferences with minimal control (RFC 1890)

14  NBAR RTP Payload Classification Configuration
  match protocol rtp [audio | video | payload-type payload-string]
- audio: matches the payload-type values reserved for audio
- video: matches the payload-type values reserved for video
- payload-type: matches explicit payload-type values, for more granular matching than audio or video provide
Example: NBAR matching RTP traffic with payload types 0, 1, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18 and 64 (values may be given in decimal, hex or binary, singly or as ranges):
  match protocol rtp payload-type "0, 1, 4 - 0x10, 10001b - 10010b, 64"
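An added Python example (not Cisco code) that does what the command above describes: it expands the payload-type string with its mixed decimal, 0x-hex and binary-with-b notation into a set, pulls the 7-bit payload type out of an RTP fixed header (RFC 1889), and applies the audio, video or payload-type criterion. The 0-23 audio and 24-33 video bounds used for the two keywords are taken from the RFC 1890 static allocation as Cisco documents it and are an assumption here, since the slide names only the keywords; the make_rtp packet builder is constructed for the example.

```python
import re
from typing import Optional, Set

# Static payload-type allocation behind the audio/video keywords (RFC 1890 profile,
# 0-23 audio and 24-33 video, as Cisco documents them; assumed here).
AUDIO_PT = range(0, 24)
VIDEO_PT = range(24, 34)

_TOKEN = re.compile(r"^(0x[0-9a-f]+|[01]+b|\d+)$")


def _number(tok: str) -> int:
    """One payload-type literal: decimal, 0x-prefixed hex, or binary with a b suffix."""
    tok = tok.strip().lower()
    if not _TOKEN.match(tok):
        raise ValueError(f"bad payload-type token {tok!r}")
    if tok.startswith("0x"):
        return int(tok, 16)
    if tok.endswith("b"):
        return int(tok[:-1], 2)
    return int(tok, 10)


def parse_payload_types(spec: str) -> Set[int]:
    """Expand the payload-type string: comma-separated values or lo-hi ranges."""
    result: Set[int] = set()
    for item in spec.split(","):
        lo, sep, hi = item.partition("-")
        low = _number(lo)
        high = _number(hi) if sep else low
        if high < low:
            raise ValueError(f"descending range {item.strip()!r}")
        result.update(range(low, high + 1))
    if any(pt > 127 for pt in result):
        raise ValueError("RTP payload type is a 7-bit field")
    return result


def rtp_payload_type(packet: bytes) -> Optional[int]:
    """Payload type of a UDP payload that looks like RTP version 2, else None.
    RFC 1889 fixed header: V=2 in the top two bits of byte 0, then P, X, CC;
    byte 1 is the marker bit followed by the 7-bit PT; 12 bytes in total."""
    if len(packet) < 12 or packet[0] >> 6 != 2:
        return None
    return packet[1] & 0x7F


def classify_rtp(packet: bytes, criterion: str) -> bool:
    """criterion is 'audio', 'video', or the string given to payload-type."""
    pt = rtp_payload_type(packet)
    if pt is None:
        return False
    if criterion == "audio":
        return pt in AUDIO_PT
    if criterion == "video":
        return pt in VIDEO_PT
    return pt in parse_payload_types(criterion)


def make_rtp(pt: int, seq: int = 1, ts: int = 160, ssrc: int = 0x12345678) -> bytes:
    """Constructed RTP packet: V=2, no padding/extension/CSRC, marker clear."""
    return (bytes([0x80, pt & 0x7F]) + seq.to_bytes(2, "big")
            + ts.to_bytes(4, "big") + ssrc.to_bytes(4, "big") + b"\x00" * 20)


SLIDE_SPEC = "0, 1, 4 - 0x10, 10001b - 10010b, 64"

if __name__ == "__main__":
    print(sorted(parse_payload_types(SLIDE_SPEC)))
    print(classify_rtp(make_rtp(8), "audio"), classify_rtp(make_rtp(31), "video"))
```

Two points the parser makes visible: the version field is the only structural signature, so any UDP datagram whose first byte starts with bits 10 passes as RTP on a port NBAR is watching, and the payload type is set by the sender, so an endpoint can label a bulk transfer with a video codec's PT to claim the video class. Dynamic payload types (96-127, negotiated out of band) fall in neither audio nor video and need an explicit payload-type list.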

15  NBAR Protocol Discovery MIB (Release 12.3)
- Provides statistics per application, per interface via SNMP
- Enable or disable Protocol Discovery per interface
- Display Protocol Discovery statistics
- Configure and view multiple top-n tables listing protocols by bandwidth usage
- Configure thresholds: report breaches and send notifications when these thresholds are crossed
- Supported by Cisco QoS partners: Concord Communications; InfoVista (traffic monitoring, DoS attack mitigation)
NBAR Protocol Discovery MIB: /122t/122t15/ftpdmib.htm (CISCO-NBAR-PROTOCOL-DISCOVERY-MIB)
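An added Python example, written for this page rather than taken from the MIB or IOS, of the data that slides 8 and 15 describe: per-interface, per-protocol packet and byte counters, a bit rate derived from the byte delta over a sampling interval, a top-n table ordered by that rate, and threshold notifications. The notification logic raises one rising event when a protocol's rate crosses its threshold and one falling event when it clears, so a sustained breach does not flood the collector; the ProtocolDiscovery class, the 30-second interval and the sample counters are all constructed here.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Event = Tuple[str, str, str, int]   # ("rising" | "falling", interface, protocol, bps)


class ProtocolDiscovery:
    """Per-interface, per-protocol counters with the views the MIB exposes:
    bit rate over a sampling interval, a top-n table, threshold notifications."""

    def __init__(self, interval_s: int = 30) -> None:
        self.interval = interval_s
        self.bytes: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
        self.packets: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
        self._snapshot: Dict[str, Dict[str, int]] = defaultdict(dict)  # bytes at last sample
        self.rates: Dict[str, Dict[str, int]] = defaultdict(dict)      # bps from last sample
        self.thresholds: Dict[Tuple[str, str], int] = {}
        self._breached: Set[Tuple[str, str]] = set()

    def count(self, iface: str, proto: str, nbytes: int) -> None:
        """Called once per classified packet; custom protocols count like any PDLM."""
        self.bytes[iface][proto] += nbytes
        self.packets[iface][proto] += 1

    def set_threshold(self, iface: str, proto: str, bps: int) -> None:
        self.thresholds[(iface, proto)] = bps

    def sample(self) -> List[Event]:
        """End of a sampling interval: refresh rates, return notifications."""
        events: List[Event] = []
        for iface, protos in self.bytes.items():
            for proto, total in protos.items():
                delta = total - self._snapshot[iface].get(proto, 0)
                self._snapshot[iface][proto] = total
                bps = delta * 8 // self.interval
                self.rates[iface][proto] = bps
                key = (iface, proto)
                if key not in self.thresholds:
                    continue
                above = bps > self.thresholds[key]
                if above and key not in self._breached:
                    self._breached.add(key)
                    events.append(("rising", iface, proto, bps))
                elif not above and key in self._breached:
                    self._breached.discard(key)
                    events.append(("falling", iface, proto, bps))
        return events

    def top_n(self, iface: str, n: int = 5) -> List[Tuple[str, int]]:
        """Protocols on `iface` ordered by last-sampled bit rate, highest first."""
        return sorted(self.rates[iface].items(), key=lambda kv: kv[1], reverse=True)[:n]

    def byte_share(self, iface: str) -> Dict[str, float]:
        """Cumulative share of bytes per protocol: the link-utilization pie chart."""
        total = sum(self.bytes[iface].values())
        if not total:
            return {}
        return {p: round(100.0 * b / total, 1) for p, b in self.bytes[iface].items()}


if __name__ == "__main__":
    # Constructed interval: 4000 full-size Fasttrack packets and one burst of HTTP.
    pd = ProtocolDiscovery(interval_s=30)
    pd.set_threshold("Serial0/0", "fasttrack", 1_000_000)
    for _ in range(4000):
        pd.count("Serial0/0", "fasttrack", 1500)
    pd.count("Serial0/0", "http", 300_000)
    print(pd.sample())                 # [('rising', 'Serial0/0', 'fasttrack', 1600000)]
    print(pd.top_n("Serial0/0", 2))    # [('fasttrack', 1600000), ('http', 80000)]
    print(pd.sample())                 # [('falling', 'Serial0/0', 'fasttrack', 0)]
```

The rising/falling pair is what makes the threshold usable for the DoS-mitigation case the slide attributes to InfoVista: a collector can open a ticket on the rising event and close it on the falling one instead of re-alerting every 30 seconds.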

16  NBAR Classification for Multiple IP Services
[Diagram, before and after]
Previously: each IP service processed packets sequentially. Firewall, NAT, IDS and QoS classification each parsed the packet on its own, each with its own DAT files or PDLMs.
Now: NBAR provides a shared infrastructure for IP traffic identification. NBAR parses the packet once, and Firewall, NAT, IDS and QoS classification use NBAR's parsing results. New NBAR PDLMs can be added to identify new applications without a software upgrade.

17  References
- QoS Classification Overview: 22cgcr/fqos_c/fqcprt1/qcfclass.htm#
- Configuring Network-Based Application Recognition: 22cgcr/fqos_c/fqcprt1/qcfnbar.htm
- Match Protocol Commands (Citrix, HTTP, RTP): 23cgcr/qos_r/qos_m1g.htm#


19  Custom-xx NBAR Functionality
- Used for static TCP/UDP port-based applications that NBAR does not support
- Add up to 10 custom applications
- Map up to 16 TCP and UDP ports each per application
- Statistics appear in Protocol Discovery
  Router(config)#ip nbar port-map custom-01 ?
    tcp  TCP ports
    udp  UDP ports

