Although the majority of applications can be identified using Layer 3 or Layer 4 criteria (such as discrete IP addresses or well-known TCP/UDP ports), there are applications that cannot be identified by such criteria alone. This might be due to legacy limitations but more likely is due to deliberate design. For example, peer-to-peer media-sharing applications deliberately negotiate ports dynamically with the objective of penetrating firewalls.
When Layer 3 or Layer 4 parameters are insufficient to positively identify an application, NBAR might be a viable alternative solution. NBAR is the most sophisticated classifier in the IOS tool suite. NBAR can recognize packets on a complex combination of fields and attributes; however, you need to recognize that NBAR is merely a classifier, nothing more. NBAR can identify flows by performing deep-packet inspection, but it is the job of the policy map to determine what needs to be done with these flows when identified (that is, whether they should be marked, policed, dropped, and so on).
The NBAR deep-packet classification engine examines the data payload of stateless protocols and identifies application-layer protocols by matching them against a Protocol Description Language Module (PDLM), which is essentially an application signature. There are more than 80 PDLMs embedded into Cisco IOS; furthermore, because PDLMs are modular, they can be downloaded from http://www.cisco.com/pcgi-bin/tablebuild.pl/pdlm and added to a system without requiring an IOS upgrade.
NBAR is dependent on Cisco Express Forwarding (CEF) and performs deep-packet classification only on the first packet of a flow. The remainder of the packets belonging to the flow is then CEF-switched.
The NBAR classifier is triggered by the match protocol command within a class map definition and is a more CPU-intensive classifier than classifiers that match traffic by DSCPs or access control lists (ACL).
NBAR can classify packets based on Layer 4 through Layer 7 protocols, which dynamically assign TCP/UDP ports. By looking beyond the TCP/UDP port numbers of a packet (known as subport classification), NBAR examines the packet payload and classifies packets on the payload content, such as transaction identifiers, message types, or other similar data. For example, HTTP traffic can be classified by Universal Resource Locators (URL) or Multipurpose Internet Mail Extension (MIME) types using regular expressions within the CLI. NBAR uses the UNIX filename specification as the basis for the URL specification format, which it converts into a regular expression.
Example 1 demonstrates classifying traffic by L2, L3, L4, and L7 parameters.
Example 1: Classifying Traffic by Layer 2, 3, 4, and 7 Parameters
Router(config)# class-map match-all L2-CLASSIFIER Router(config-cmap)# match cos 3 Router(config-cmap)#! Router(config-cmap)# class-map match-all L3-CLASSIFIER Router(config-cmap)# match access-group name STANDARD-ACL Router(config-cmap)# ! Router(config-cmap)# class-map match-all L4-CLASSIFIER Router(config-cmap)# match access-group name EXTENDED-ACL Router(config-cmap)# ! Router(config-cmap)# class-map match-any L7-CLASSIFIER Router(config-cmap)# match protocol exchange Router(config-cmap)# match protocol citrix Router(config-cmap)# ! Router(config-cmap)# Router(config-cmap)# ip access-list standard STANDARD-ACL Router(config-std-nacl)# permit 10.200.200.0 0.0.0.255 Router(config-std-nacl)# Router(config-std-nacl)# ip access-list extended EXTENDED-ACL Router(config-ext-nacl)# permit tcp any any eq ftp Router(config-ext-nacl)# permit tcp any any eq ftp-data
In this example, the class maps classify traffic as follows:
- class-map match-all L2-CLASSIFIER: Traffic is classified by matching on (Layer 2) 802.1p class of service (CoS) values (discussed in more detail in the next section).
- class-map match-all L3-CLASSIFIER: Traffic is classified, through a standard ACL, by (Layer 3) source IP address.
- class-map match-any L7-CLASSIFIER: Traffic is classified, with the match-any operator, by NBAR PDLMs that identify SQLNET or Citrix traffic types.