Network Based Application Recognition (NBAR) (Classification, Marking, and NBAR)

NBAR is a Cisco IOS feature that can be used to perform three tasks:

■ Protocol discovery

■ Traffic statistics collection

■ Traffic classification

Because NBAR can discover which applications and protocols are running on your network and display volume and statistics about them, you can use it as a powerful yet simple tool to form the definitions of your network traffic classes (BAs). You can also use NBAR within class-based (CB) marking or other MQC-based tools to classify packets for purposes such as marking, policing, and queuing. NBAR is a powerful protocol discovery and classification tool, but the overhead it imposes is considered small or medium. The amount of CPU utilization increase that a router running NBAR experiences depends on the amount of traffic and the router CPU type and speed.

NBAR recognizes a limited number of protocols. However, you can expand the list of recognized protocols by loading new Packet Description Language Modules (PDLMs) into your device's flash memory and referencing the new PDLM in the device configuration. PDLMs are files that Cisco Systems publishes; they contain rules that NBAR uses to recognize protocols and applications. A new PDLM can be loaded into the flash memory of the Cisco device and then referenced within its configuration without an IOS upgrade or a device reload. Cisco Systems makes up-to-date PDLMs available to registered users on Cisco Connection Online (CCO) at www.cisco.com/cgi-bin/tablebuild.pl/pdlm.


Before you can design a classification and marking scheme for your network, you need to identify the traffic that already exists on it. The NBAR protocol-discovery feature provides a simple way to discover and report the applications and protocols that transit (in and out) a particular interface of a network device you choose. Protocol discovery covers the protocols and applications that NBAR supports, plus those added by any loaded PDLMs. It also reports key statistics for each discovered protocol and application, such as the total number of input and output packets and bytes and the input and output bit rates. The list of discovered protocols and applications, together with the associated statistics that NBAR reports, is valuable when you want to define your traffic classes and their QoS policies.

NBAR can classify traffic by inspecting bytes beyond the network and transport layer headers. This is called subport classification. This means that NBAR looks into the segment (TCP or UDP) payload and classifies based on that content. For example, NBAR can classify HTTP traffic based on the URL; it can also classify based on MIME type.

NBAR has some limitations. First, it does not function on the Fast EtherChannel logical interface. Second, NBAR can only handle up to 24 concurrent URLs, hosts, or MIME types. Third, NBAR only analyzes the first 400 bytes of the packet. Fourth, it only supports CEF and does not work if another switching mode is used. In addition, it does not support multicast packets, fragmented packets, or packets that are associated with secure HTTP (URL, host, or MIME classification). Finally, NBAR does not analyze or recognize traffic that is destined for, or originates from, the router where NBAR is running.

Configuring classification without NBAR is mostly dependent on writing and maintaining access lists. Using NBAR for classification is not only simpler than using access lists, but NBAR also offers capabilities beyond those offered by access lists. NBAR can do stateful inspection of flows. This means that it can discover the dynamic TCP or UDP port numbers that are negotiated at connection establishment time by inspecting the control session packets. For example, a TFTP session is initiated using the well-known UDP port 69, but the two ends of the session negotiate other ports for the remainder of the session traffic. NBAR also supports some non-IP and non-TCP/non-UDP protocols and applications such as Internetwork Packet Exchange (IPX), IPsec, and GRE. Finally, as stated already, NBAR is able to discover and classify by deep packet inspection, too. This means that NBAR can inspect the payload of TCP and UDP segments (up to the 400th byte of the packet) and classify. HTTP sessions can be classified by URL, hostname, or MIME type.
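The TFTP case described above can be modeled in a few lines. The following is an added example, not Cisco's NBAR implementation and not code from the original page: it contrasts an access-list-style match on UDP port 69 with a classifier that learns the negotiated ports from the control packet. The class and function names are hypothetical, the addresses, ports and payloads are constructed sample data, and the opcode values follow the TFTP specification (RFC 1350).

```python
# Added example (not Cisco's NBAR code): stateful TFTP tracking vs. a static port match.
from typing import NamedTuple

TFTP_PORT = 69
REQUEST_OPCODES = (b"\x00\x01", b"\x00\x02")  # RRQ, WRQ (RFC 1350)

class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes

def static_match(pkt):
    # ACL-style check: TFTP only if the well-known port appears.
    return TFTP_PORT in (pkt.sport, pkt.dport)

class StatefulTftpClassifier:
    def __init__(self):
        self.pending = set()  # (client, client_port, server) awaiting first reply
        self.flows = set()    # (client, client_port, server, server_port)

    def classify(self, pkt):
        # Control packet: a read/write request to UDP 69 opens a session.
        if pkt.dport == TFTP_PORT and pkt.payload[:2] in REQUEST_OPCODES:
            self.pending.add((pkt.src, pkt.sport, pkt.dst))
            return "tftp"
        # First reply: the server answers the client's port from a new port.
        waiting = (pkt.dst, pkt.dport, pkt.src)
        if waiting in self.pending:
            self.pending.discard(waiting)
            self.flows.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))
            return "tftp"
        # Later packets: match the learned 4-tuple in either direction.
        forward = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if forward in self.flows or reverse in self.flows:
            return "tftp"
        return "unclassified"

SESSION = [  # constructed sample traffic: request, data, ack, unrelated packet
    Packet("10.0.0.5", 49152, "10.0.0.9", 69, b"\x00\x01config.txt\x00octet\x00"),
    Packet("10.0.0.9", 50311, "10.0.0.5", 49152, b"\x00\x03\x00\x01" + b"A" * 512),
    Packet("10.0.0.5", 49152, "10.0.0.9", 50311, b"\x00\x04\x00\x01"),
    Packet("10.0.0.7", 40000, "10.0.0.9", 50311, b"unrelated"),
]

def classify_session(packets):
    clf = StatefulTftpClassifier()
    return [(static_match(p), clf.classify(p)) for p in packets]
```

The static match sees only the initial request, while the stateful classifier follows the data and acknowledgment packets on the negotiated ports and leaves the unrelated packet unclassified.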
